Last week, the U.S. District Court for the Eastern District of Virginia ordered Capital One to produce a forensic investigation report in multidistrict litigation arising out of the cyber incident Capital One announced in July 2019. The court found that the report was not protected by the work product doctrine because Capital One had not shown that “but for” the litigation the report would not have been prepared in substantially the same form. The opinion offers some lessons for companies entering into arrangements with forensic experts in advance of cyber events.
Continuing its focus on COVID-19’s impact on its regulated entities, on April 13, the New York Department of Financial Services released new cybersecurity guidance in response to the COVID-19 pandemic. The guidance highlights the heightened cybersecurity risks from the current crisis and NYDFS’ expectations that its regulated entities address those risks as large portions of their workforce have shifted to remote working arrangements.
COVID-19 has impacted organizations’ relationships with their IT service providers, who often play an important role in securing their data and systems. Under current conditions, some service providers may face challenges in performing this work. Potential non-performance has significant consequences for service providers and their clients alike. To prepare for these challenges, entities that have contracts with service providers—and service providers themselves—should carefully review their existing agreements and any force majeure-type provisions in particular. This post includes our COVID-19 service provider risk mitigation checklist.
On March 11, the Word Health Organization officially characterized the coronavirus (COVID-19) outbreak as a pandemic. During the outbreak, many employers around the world are seeking to prioritize the well-being and safety of their employees by asking them to work remotely instead of risking exposure while commuting and working in populated office spaces. Organizations need to take into account increased risks to the security of their networks, systems, and data during this time.
Companies should take note of two imminent developments in New York in the area of cybersecurity regulation: enforcement of the New York Department of Financial Services Cybersecurity Regulation and the effective date of the Stop Hacks and Improve Electronic Data Security Act. The Regulation and the Act both contain prescriptive cybersecurity requirements and new breach notification obligations on regulated organizations. The Act has a particularly broad reach, impacting any company that owns or licenses private information of New York residents.
In today’s connected world, businesses face constant pressure to improve their cybersecurity practices and to confirm that they are meeting industry standards. To continue helping businesses achieve those goals, the SEC Office of Compliance Inspections and Examination published on January 27 its latest Examination Observations related to cybersecurity and operational resiliency practices.
In a legislative environment charitably described as challenging, the fact that the Senate recently passed cybersecurity legislation by unanimous consent is noteworthy and highlights the bipartisan nature of this issue. The DHS Cyber Hunt and Incident Response Act responds to the recent spate of ransomware attacks against government agencies and private sector organizations. It would require the Department of Homeland Security to form “cyber hunt” and incident response teams that could be called upon to assist federal, state, and local entities to respond to a ransomware or other type of cybersecurity incident or to identify vulnerabilities in their systems that may increase the likelihood and success of a future attack. While continued government attention to the availability of cybersecurity capabilities should be welcomed by the private sector, the extent to which businesses will directly benefit from this legislation is unclear given its focus.
On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the information is not acquired; and requiring consumer reporting agencies who suffer breaches of social security numbers to offer up to 5 years of identity theft services. Businesses maintaining the private information of New York residents also will now be required to proactively develop “reasonable safeguards” within their organization as part of a new “reasonable security requirement.”