In the past month, the National Institute of Standards and Technology has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity risk management. In this post we summarize the highlights of each of these new NIST publications.
Cybersecurity risk continues to evolve at an astonishingly rapid rate, prompting companies to review and adjust their plans to deal with the fast-moving threats posed by an increasingly connected world. At the same time, cybersecurity law and regulation around the world are coming of age. In this complex and uncertain environment, it is not surprising that lawyers are increasingly being asked to guide on governance, counsel on compliance and risk allocation, and lead in the event of a cyber incident.
Drawing on our work with clients across the globe, Hogan Lovells’ cross-practice team of cybersecurity lawyers has launched Ready, Set, Respond, a new set of online cybersecurity resources.
The Department of Health and Human Services Office for Civil Rights is taking an aggressive stand on HIPAA enforcement and targeting violations related to security risk assessments and business associate agreements. Three resolution agreements posted in the last month make clear that the agency expects entities subject to HIPAA to take appropriate steps to secure their data, regardless of the size or type of the entity.
The Evolving Legal Framework Regulating Commercial Data Security Standards, an article by Hogan Lovells associate Bret Cohen, was featured in the January/February 2014 cybersecurity law issue of the Maryland Bar Journal. The article covers the sources of regulation and potential legal liability in the U.S. for businesses who experience data security breaches, including general consumer protection laws, state data security laws, federal sectoral laws, and consumer class action litigation.
The Organization for Economic Cooperation and Development (OECD) has released a revision of its 1980 Privacy Guidelines. The fundamental elements of the original guidelines, the Fair Information Practice Principles (FIPPs), remain in place, but the OECD recognizes the revolutionary changes in technology since the first OECD Guidelines, and the importance of the digital economy and […]
Development of the new Cybersecurity Framework is now in full swing. President Obama’s Executive Order on Improving Critical Infrastructure Cybersecurity (which we previously covered) calls on NIST to lead the development of a Cybersecurity Framework that will provide “a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address […]
Hogan Lovells partner Harriet Pearson has authored an article in Bloomberg BNA’s Privacy and Security Law Report. In “Cybersecurity: the Corporate Counsel’s Agenda” she describes why cybersecurity has become the biggest concern of general counsel and corporate board members. She then lays out a ten-point agenda for corporate counsel to help their companies manage cybersecurity risk.
A financial services industry group recently released guidance on managing the risks associated with using social media such as Facebook and Twitter. The guidance, titled “Social Media Risks and Mitigation,” was released this week by BITS, a division of the Financial Services Roundtable, which represents 100 of the largest financial services companies. The guidance includes tips on managing numerous concerns specific to financial institutions, which are increasingly using social media in their marketing and customer relationship activities.
News of an innovative client program, a strategic risk management relationship with Hogan Lovells offering proactive resources and advice to manage privacy and data security risks, as well as just in time support and access to counseling in the event of an information breach.