This document summarizes a webcast on cybersecurity risks and strategies for managing them. It discusses the development of the NIST cybersecurity framework to encourage voluntary adoption of best practices. It also notes incentives recommended to the President to promote framework adoption, such as cyber insurance, grants, liability limitations, and streamlined regulations. The document then provides brief biographies of the three speakers on the webcast, who are experts on cybersecurity law and policy from large law firms and companies.
This document discusses the importance of protecting personally identifiable information (PII) and complying with relevant laws and regulations. It covers what constitutes PII, why protection is critical to avoid identity theft, financial penalties, and reputational damage. Key aspects of PII management discussed include the storage, sensitivity, encryption of data, multi-jurisdictional issues, data ownership, procedures, and system needs across the data lifecycle. Major US privacy laws like FCRA and GLBA that regulate how PII is collected and used are also summarized.
ALERT: Health Care Cybersecurity Reform and Regulations on the Horizon | Patton Boggs LLP
The White House has proposed new cybersecurity legislation that would significantly impact healthcare organizations. The proposals would grant the Department of Homeland Security primary authority over cybersecurity for critical infrastructure like healthcare. This would require healthcare providers to develop cybersecurity plans subject to DHS and third party audits. The proposals would also standardize national data breach notification and preempt state laws, expanding the definition of a breach. Additionally, new tools are proposed to aid law enforcement in cybercrime prosecution. Congress is currently considering these proposals and various bills on cybersecurity reform, so increased regulation of healthcare cybersecurity is imminent.
Cyber-Security: A Shared Responsibility -- November 2013 | Amy Purcell
This document summarizes a presentation about cyber security and data breaches. It discusses statistics about data breaches in 2012, including that 92% were perpetrated by outsiders and 76% were caused by weak or stolen passwords. It also discusses the costs of data breaches to organizations, noting they averaged $5.4 million in 2012. The document outlines topics like what constitutes a data security breach, why a response plan is needed, how to respond to a breach, and regulatory requirements around notification of breaches.
The document provides an overview of the General Data Protection Regulation (GDPR). It discusses key aspects of GDPR such as what it is, who it applies to, lawful bases for processing data, data subject rights, and steps for achieving compliance. Specifically, GDPR is a new EU privacy law that gives more control to individuals over their personal data and imposes fines on companies that don't comply. It applies broadly to any organization that handles EU citizens' data.
Introduction to US Privacy and Data Security Regulations and Requirements (Se... | Financial Poise
The United States has no federal data security or privacy law covering all businesses or all U.S. citizens. Instead, federal agencies and individual states have created their own patchwork of laws and regulations which must be evaluated for their application to a business.
This webinar will help you navigate the overlapping and sometimes confusing system of laws and regulations which may impact your business, ranging from emerging state-level privacy legislation to the numerous data breach notification statutes to cybersecurity regulations with extraterritorial effect.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-regulations-and-requirements-2021/
This document discusses privacy issues related to personal information collected by companies. It notes that while no comprehensive privacy law exists, some sectors have legislation governing privacy and data protection. The document also summarizes some recent legal cases involving privacy violations, such as companies failing to protect customer data or illegally collecting children's information. It concludes by advising both businesses and consumers to be careful about data collection and use common sense to protect personal privacy.
Denny Russell gave a presentation on creating effective compliance and e-discovery policies. He discussed what compliance is, the types of policies organizations need, best practices for policy enforcement, and challenges organizations may face. He also covered e-discovery requirements and how tools in Domino like journaling and archiving can help organizations manage electronic records and comply with retention policies and legal obligations.
Presented at: 2nd Annual Gulf Cooperation Council e-Participation & e-Governance Forum – Organised by: Abu Dhabi University Knowledge Group and UAE Telecommunications Regulatory Authority.
9 – 11 September 2013 | Dusit Thani Hotel | Abu Dhabi | UAE.
The document summarizes information from a charity regulation conference on February 5, 2018. It discusses new rules on disqualification of trustees and senior managers taking effect in August 2018, which will expand the list of criminal offenses that result in automatic disqualification from certain charity roles. The document provides guidance on identifying roles covered by the new rules, determining if current or prospective individuals may be affected, supporting waiver applications, and updating recruitment policies and practices.
The document provides an overview of data protection and the General Data Protection Regulation (GDPR). It discusses key principles of data protection law including definitions of personal data, data controllers, processors, and the rights of data subjects. It outlines obligations around obtaining and processing personal data lawfully and with consent. The GDPR introduces stricter rules around security, breach notification, rights of individuals, and increased fines for non-compliance. Businesses need to audit their data practices, put appropriate security measures in place, and may need to appoint a data protection officer to comply with the new regulation.
GDPR and EA Commissioning a web site part 2 - Legal Environment | Allen Woods
Second of 8 slide decks aimed at small to medium enterprises on factors to consider when commissioning a web site. This slide deck focuses on the changing legal environment brought about by legislation such as the EU GDPR.
The document provides guidance to companies on becoming compliant with the General Data Protection Regulation (GDPR). It explains what GDPR is and how it strengthens data protection rules in the EU. It then outlines the key changes under GDPR and presents a process flow for how a company can achieve compliance, including awareness campaigns, assessing risks and current state, implementing changes, updating policies and notices, and ongoing training. It identifies areas companies should analyze like marketing, IT, legal, and provides questions they should ask to validate compliance. The deadline for compliance is May 25, 2018.
Cybersecurity & Data Privacy 2020 - Introduction to US Privacy and Data Secur... | Financial Poise
There is no federal law governing privacy and data security applicable to all US citizens. Rather, individual states and regulatory agencies have created a patchwork of protections that may overlap in certain industries.
This webinar provides an overview of the many privacy and data security laws and regulations which may impact your business, from the state law protecting personal information to regulations covering the financial services industry to state breach notification laws.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/introduction-to-us-privacy-and-data-security-2020/
A general talk on privacy in early 2009, with quite a few slides summarizing the US National Research Council's report "Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment" that was issued in late 2008.
Privacy and Data Security: Risk Management and Avoidance | Amy Purcell
The document discusses data security breach risk management and response planning. It provides statistics on data breaches in 2012, the average costs of breaches, and common types of breaches. It also discusses why a response plan is needed, what constitutes a data security breach under various state laws, and outlines steps to take in responding to a breach, including investigating the incident, understanding notification laws, notifying affected parties, answering inquiries, issuing press releases, and offering assistance.
GDPR (General Data Protection Rules) were implemented in May 2018 across Europe, and they have confused ordinary people and business gurus alike.
This simple PowerPoint presentation destroys and dismantles some of the myths of GDPR, making it more accessible and easily understandable.
Produced by Terence O'Sullivan (TheEmploymentLawyer/TJOS.ie) in October 2018
This document discusses key privacy and data security questions that in-house counsel should address. It covers the current regulatory environment, including the GDPR, CCPA, and Ohio Data Protection Act. It defines important concepts like personal data and data subject rights. It also outlines enforcement mechanisms and penalties for noncompliance, such as fines under the GDPR and private rights of action under the CCPA. In-house counsel are encouraged to understand their company's risks and compliance, have strategies for responding to incidents, and potentially form a privacy or data security committee.
This document summarizes key points from a presentation on current cybersecurity legal risks and requirements in Canada. It discusses the evolving privacy litigation landscape and lessons learned from privacy breach cases. Recent amendments to PIPEDA introduced mandatory breach notification requirements, including notifying affected individuals and the Privacy Commissioner if a breach creates a real risk of significant harm. Organizations must also keep records of all breaches. Non-compliance can result in penalties such as fines. The presentation emphasizes having an incident response plan and being prepared to properly respond to and document any privacy breaches.
This document discusses cyber risks and cyber liability insurance. It summarizes that many major companies have experienced data breaches in recent years. It outlines common cyber risks like computer intrusions, loss of physical devices, and social media issues. It recommends basic loss control techniques and identifies what cyber liability insurance can cover, such as first and third party losses from network security breaches, privacy breaches, and internet media liability. Coverage limits start at $100,000 with premiums as low as $250.
This document provides an overview of the General Data Protection Regulation (GDPR). It discusses what personal data is, the rights to privacy and data protection under the GDPR and European law. It explains that the GDPR applies broadly to any company that processes personal data of EU residents, regardless of location. Companies have obligations around obtaining permission for data processing, providing transparency around data usage, implementing security measures, and designating a data protection officer if required. The GDPR aims to better protect privacy and give individuals more control over their personal data.
[Title Redacted for Privacy Purposes]: How Internal Audit Can Help Drive Priv... | Kenneth Riley
Following the adoption of GDPR in the European Union, the United States has seen its own privacy regulatory landscape evolve and develop. Beginning in California and expanding to Nevada, Maine, and beyond, ensuring organizational and technical compliance with these stringent regulations has become a priority for many organizations. These regulations have come with additional reputational and regulatory risk (e.g. fines), increased consumer rights, and an enhanced focus on how companies use data as a commodity. This webinar will unpack the key complexities surrounding those regulations, speak to how technology advancements can assist in compliance and overall privacy program maturity, and discuss how Internal Audit can prepare for and drive a proactive approach to privacy.
Personal Data Privacy and Information Security | Charles Mok
The document discusses personal data protection, privacy, and information security issues in Hong Kong. It provides an overview of Hong Kong's Personal Data Protection Ordinance, which regulates the handling of personal data and establishes six data protection principles. It notes incidents of data leakage in Hong Kong and emerging issues around topics like social media, online anonymity, and information security threats potentially posed by governments. Resources on privacy and information security in Hong Kong are also listed.
In the last several years, substantial data breaches or hacker attacks in the U.S. have shown no signs of abating. Neither have the class actions that typically follow in their wake. Bradley Arant discusses litigation trends in data breach class actions. The video will touch on evolving issues in these cases, including recent loosening of consumer standing requirements (in cases after the Supreme Court’s Clapper decision), class certification and other issues raised in the Target litigation. We will also provide an overview of recent settlements of data breach class actions and what they might mean for later cases. The webinar will address several issues pending before the Supreme Court this term that could have significant impact, including whether a statutory violation without other injury confers Article III standing, and the extent to which statistical evidence can be used to justify class certification.
This document summarizes key legal issues related to privacy, data security, and data breaches in cloud computing. It discusses US federal laws governing compelled government disclosure, data security requirements, and data breach notification. It also discusses state privacy and security breach laws. Finally, it provides recommendations for how companies can manage legal risks when using cloud computing through contracts specifying issues like data ownership, security standards, and breach responsibilities.
Bradley's panel reacts to and addresses a hypothetical cyber incident involving a widespread compromise of consumer healthcare and financial information. Amy Leopard (Healthcare), Mike Pennington (Litigation), John Goodman (Litigation), Elena Lovoy (Financial Services), and moderator Paige Boshell (Intellectual Property, Financial Services) will offer legal and practical strategies to proactively respond to and resolve a specified data breach. Highlights will include customer notice strategies, attorney-client privilege and litigation avoidance strategies, and coordination with third parties, including external PR and forensic investigators, vendors, regulators, and law enforcement.
Data Breaches: The Cost of Being Unprepared | haynormania
This document summarizes a panel discussion on data breaches. The panelists, who have experience in law, banking security, public relations, and identity theft protection, discuss challenges of responding to data breaches, the importance of advance preparation, and the need for a coordinated response, transparency, and assistance for affected individuals. They note that breaches are increasing in frequency and complexity, while regulations and consumer expectations are also rising.
Matt Blaine, Dennis Garcia, Ann Gorr, & Donald Knight - #InfoGov17 - Navigati... | ARMA International
Those who are already deeply entrenched in the Information Governance realm recognize the importance of IG in defining and supporting the continued success of our organizations. However, the Corporate Legal Department (CLD) / Office of the General Counsel (OGC) is often viewed as an island unto itself within the overarching Corporation/Enterprise. With its unique requirements, the CLD/OGC team routinely encounters roadblocks when attempting to acquire the IG tools it needs to support its internal legal operations, interact with the business units it advises, and collaborate with external parties, all while navigating the processes required to meet the IG goals set by the Enterprise IT team.
During this session, we will be exploring key strategies that can be adopted/embraced in your quest to bring about an Information Governance roadmap to the Office of the General Counsel / Corporate Legal Department that will place your organization on the road to IG excellence.
Join our seasoned legal technology panelists and subject matter experts including Matt Blaine, Esq. (Davison, Eastman, Muñoz, Lederman & Paone, P.A.), Dennis Garcia, Esq. (Microsoft Corporate, External & Legal Affairs (CELA)), Ann Gorr (Legal Technology Consultant @ Ann Gorr, LLC), and Don Knight (PNC Bank, Legal Department) as they discuss key areas of focus and IG approaches to assist those who design, deploy, and support technology projects within the CLD/OGC environment.
Collin County Bench Bar Conference: Cybersecurity Mitigation & Compliance Str... - Shawn Tuma
Presentation to the Collin County Bench Bar Foundation's 2015 Bench Bar Conference, focused on the latest cybersecurity trends and on strategies for mitigating cyber risk and maintaining compliance.
Cybersecurity & Data Protection: Thinking About Risk & Compliance - Shawn Tuma
Cybersecurity & Data Protection: Thinking About Risk & Compliance is a presentation that Frisco business lawyer Shawn Tuma delivered to the Corporate Counsel Section of the Collin County Bar Association. The presentation date was May 29, 2015.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and to address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union and the United States Federal government, and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. Data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are also discussed.
Part of the webinar series: CORPORATE & REGULATORY COMPLIANCE BOOTCAMP 2022 - PART I
See more at https://www.financialpoise.com/webinars/
Data Security And Privacy Risks In Cloud Computing William A Tanenbaum Sourc... - William Tanenbaum
This document discusses data security and privacy risks associated with cloud computing. It identifies 8 key risks: 1) regulatory requirements regarding data security and privacy, 2) practical data hazards like weak access protection, 3) meeting legal holds for litigation documents, 4) complying with European data privacy laws, 5) low-cost cloud providers having limited protections and liability, 6) tier 1 cloud providers still potentially falling short of legal obligations, 7) insufficient control over software changes, and 8) responsibility for the costs of database breaches. The document is presented by William Tanenbaum, chair of the technology and outsourcing group at Kaye Scholer LLP, to highlight legal and practical risks companies should consider regarding data security and privacy.
Whitepaper: The Enlightened Legal Hold 2014 - Zapproved
Three years after the Pension Committee opinion, Judge Shira Scheindlin's message is still loud and clear: The courts do not want to waste time and squander resources on motion practice, depositions and reams of submissions growing out of inexcusable failures to properly preserve relevant ESI.
Now is the time for enlightened legal holds, an age when counsel have the judgment to distinguish what must be preserved, the knowledge to negotiate and lucidly communicate the scope, and the skills and tools to select and instruct on reasonable and effective methods of preservation.
Download the white paper to discover:
How to avoid the 5 Deadly Sins of Legal Holds
Why a legal hold is an organic, bespoke process
How to know if you are 'over-preserving'
9 key elements of a sound legal hold
When to expect higher standards, raised stakes, and new vulnerabilities
The Enlightened Legal Hold serves as a guide for organizations of any size in tackling the task of preservation that at times can seem overwhelming. The 2014 version includes updated citations and other improvements to guide you on your path to Preservation Nirvana.
ISSA North Texas - SecureWorld Expo Dallas - Cybersecurity Legal Issues: What... - Shawn Tuma
This presentation was delivered by Shawn E. Tuma, Cybersecurity and Data Privacy Attorney, to ISSA North Texas on October 8, 2016.
This presentation was significantly updated from past presentations and included a discussion of the groundbreaking New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies.
The main points of this presentation are:
(1) Cybersecurity events create a crisis situation and should be treated as such;
(2) Cybersecurity incidents are as much legal events as they are IT or Business / Public Relations events;
(3) Companies must have a cybersecurity breach response plan in place and tested, in advance;
(4) While consumer class action data breach litigation is a significant threat to companies and their leadership, it is not as great of a threat as regulatory enforcement by agencies such as the FTC and SEC, or the shareholder derivative claims for officer and director liability; and
(5) The odds are that every company will be breached, but preparation and diligence can help keep such a breach from becoming a catastrophic event.
This presentation addresses the role of attorneys as first responders in leading their clients through cybersecurity and data loss crisis events. The discussion begins by looking at the risk businesses face of becoming the victim of a cybersecurity or data loss incident, and by examining the nature of such incidents and the crisis environment they create. It then addresses the need, created by that crisis environment, for leadership that keeps the parties calm and rational and making deliberate, calculated decisions.
The discussion then explains why cybersecurity events are legal events and legal counsel is the natural leader that should fulfill this role and how they can do so. It will then discuss the process legal counsel will take, including assembling the key players in such an event, both internally and externally. It discusses the obligations for responding to such an event, the steps that must be taken, those that must be considered, and certain factors that go into the decision-making process. It briefly addresses the costs of such an incident and the liability issues that can arise from such an incident and failing to properly respond to the incident. This section includes a discussion of the cybersecurity lawsuit landscape, cybersecurity regulatory landscape, and the issue of cybersecurity-related officer and director liability stemming from shareholder derivative lawsuits based on cybersecurity incidents.
It concludes with a discussion of the steps that companies can take to prepare for and be in a better position to respond to and mitigate the negative repercussions of such an incident.
The 2021 Data Privacy Compliance webinar carries the same description as the Financial Poise webinar above. To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
This document provides information about the Legaltech Toronto 2015 conference, which focuses on legal technologies and how legal professionals can adapt to rapid changes in the legal landscape brought about by increasing digitization. The two-day conference will include sessions on topics like artificial intelligence, BYOD policies, eDiscovery, project management tools, data security, and using technology to increase law firm efficiency. It lists speakers, session times and topics, and provides information on exhibitor and sponsorship opportunities. The executive advisory committee and sponsors are also acknowledged.
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss - Shawn Tuma
Shawn Tuma is a cybersecurity lawyer with expertise in data privacy law. He is a partner at Scheef & Stone LLP, a commercial law firm in Texas. Tuma has extensive experience advising businesses on cybersecurity issues and data breaches. He serves on several boards and committees related to cybersecurity law and policy. The document provides an overview of Tuma's background and experience in cybersecurity law.
Joseph T. Ruble is an experienced executive vice president, general counsel, and chief administrative officer with over 25 years of experience advising publicly traded companies. He has a proven track record of leading strategic planning, corporate development, legal operations, and human resources at a $750 million revenue company with over 3,000 employees globally. Ruble has extensive experience in mergers and acquisitions, securities law, litigation, and building compliance programs internationally.
A Brave New World of Cyber Security and Data Breach - Jim Brashear
This document summarizes the key cybersecurity risks faced by organizations and provides recommendations for improving cybersecurity practices. It discusses how cyber attacks have become a major threat and concern for boards of directors. Common cyber attacks like data breaches, phishing, and hacking are described. The document recommends that organizations adopt frameworks like NIST and COSO to conduct risk assessments and oversee cybersecurity. It also stresses the importance of having an incident response plan and testing cybersecurity preparedness. Legal issues around data privacy laws, regulatory enforcement, and directors' liability for cyber incidents are covered as well. Overall, the document advocates for organizations to prioritize cybersecurity awareness, protections, and governance.
EVERFI/Jackson Lewis: How to Comply with GDPR Requirements: What every U.S. C... - Michele Collu
This document summarizes a webinar about how U.S. companies can comply with the General Data Protection Regulation (GDPR). The webinar was presented by several attorneys from Jackson Lewis P.C., including Preston Clark, Joseph Lazzarotti, Jason Gavejian, and Mary Costigan. They discussed key aspects of GDPR compliance, such as definitions of personal data, the territorial scope and jurisdiction of GDPR, requirements for data protection officers, individual rights and responsibilities, data security obligations, and potential enforcement actions for noncompliance. The goal was to help companies understand GDPR requirements and take initial steps to assess how it applies to their operations.
Protecting Accounting Firms and their Clients - Eric Vanderburg - JurInnov - Eric Vanderburg
This document discusses cybersecurity threats facing accounting firms and their clients. It provides examples of major data breaches in recent years that impacted millions of customer accounts. While many firms believe they are protected, the document cites statistics showing that most have no formal cybersecurity or internet use policies. It also discusses new regulations and standards, like the HIPAA Omnibus Rules and a recent Executive Order, that require firms to improve their cybersecurity practices to safeguard sensitive data. The role of a Virtual Chief Security Officer is introduced to help firms address these growing risks and compliance requirements.
DAMA Webinar: The Data Governance of Personal (PII) Data - DATAVERSITY
To do effective data governance, analysts should review the amount of data their organization is collecting and consider whether all of it is necessary to run the business or whether some is merely “nice to have.” Today companies are collecting a variety of personally identifiable information (PII), combining it with location information, and using it both to personalize their own services and to sell to advertisers for behavioral marketing. Data brokers are tracking cell phone applications, and insurance companies are installing devices to monitor driving habits. At the same time, however, attackers are embedding malicious software in company computers, opening a virtual door for criminals to rifle through an organization’s valuable personal and financial information.
This presentation explores:
• What company data should be tagged as “sensitive” data?
• Who within the company has access to personal data?
• Is the company breaking any privacy laws by storing PII data?
• Is the data secure from both internal and external attackers?
• What happens if there is an external data breach?
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cy... - Shawn Tuma
Leadership Through the Firestorm - Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss. This is a keynote speech delivered by Shawn Tuma to the Paralegal Division of the State Bar of Texas on June 17, 2016.
Privacy and Technology in Your Practice: Why it Matters & Where is the Risk - duffeeandeitzen
This document summarizes a presentation on privacy and technology issues for law firms. It discusses why data breaches are a risk for law firms, as they hold valuable corporate and client data. Several types of attacks that could lead to breaches are described, such as insider threats, vendor threats, phishing, and ransomware. Compliance with breach notification laws, privacy laws, and professional responsibility rules is also discussed. The costs of breaches and implications for a law firm's practice are reviewed. Initial takeaways from a recent major data breach are provided. Questions from attendees are answered relating to privacy, cybersecurity, legal technology, cloud computing contracts, and maintaining competence regarding technology.
Preservation and Proportionality: Lowering the Burden of Preserving Data in C... - Zapproved
The spotlight has turned to the issue of proportionality as it may be applied to the preservation of potentially relevant information. The post-Pension Committee world has moved beyond asking “if” litigants need to preserve information to a focus on “how.”
One need look no further than the testimony before the Dallas mini-conference in September, followed shortly thereafter by the debate stirred by the Pippins v. KPMG opinion.
Litigants are struggling to balance the increasing demands of preservation being driven by the exponential increase in electronically stored information (ESI) and the perceived rise in sanctions for spoliation. In order to control the increasing cost and “monumental inefficiency” that can result from traditional approaches to data preservation, the stakeholders in the U.S. legal system are searching for a solution founded on the principles of both reasonableness and proportionality as embodied in the Federal Rules of Civil Procedure.
The goal of this paper is to explore options for providing more objective “guideposts” for litigants facing the uncertainty of future discovery demands.
Similar to Cybersecurity: Managing Risk Around New Data Threats (20)
This document summarizes a live webinar on compliance strategy and performance. The webinar featured speakers from Ethisphere and Convercent discussing key data and benchmarks, emerging best practices, and predictions for 2016. Topics included budget and visibility trends in compliance, the impact of mergers and acquisitions on misconduct, challenges in accessing and centralizing compliance data, and measuring return on investment and culture of compliance. State of the program reporting was also covered, noting variation in frequency, content, format and audiences.
This document summarizes a webinar on data protection updates regarding the Safe Harbor agreement and its practical impact for companies. The webinar discusses available data transfer solutions in the wake of the Safe Harbor agreement being invalidated, requirements for data protection notifications, a summary of the Schrems v Data Commissioner case, and the likelihood of a new Safe Harbor or EU-US Privacy Shield framework being established. Alternative mechanisms for international data transfers such as unambiguous consent, binding corporate rules, and model clauses are also covered.
Corruption In China: Recovery-Led Investigations - Ethisphere
This document summarizes a webinar discussing challenges with conducting internal investigations in China and the benefits of a "recovery-led" approach. The webinar featured speakers from Control Risks and TE Connectivity discussing case studies where terminating individuals for corruption backfired due to lack of planning. The "recovery-led" approach focuses on business continuity, local legal factors, and resolving issues in the long-term interests of the company rather than just fact-finding.
Key Steps to Creating a Strong Compliance Culture Through Effective Leadership - Ethisphere
This document summarizes a presentation on creating an effective compliance culture through leadership. It discusses how US and global guidelines emphasize the importance of strong leadership and culture. Recent enforcement actions have faulted companies for lack of oversight and failing to address misconduct. The presentation outlines best practices for compliance leaders, including engaging the board, collaborating with senior management, implementing incentives, and developing a strategic communications plan to push the compliance message throughout the organization.
Building on the Foundation of Ethics and Compliance to Achieve Sustainability - Ethisphere
This document summarizes a webinar discussing how leading companies build upon the foundations of ethics and compliance to achieve sustainability. Speakers from Microsoft, Petco, and Voya Financial discuss their company's ethics and compliance programs and how their ethics/compliance and sustainability teams collaborate. They address increasing transparency expectations and challenges in global supply chains. The webinar aims to demonstrate how sustainability teams can learn from ethics/compliance and identify shared systems and controls.
Special Challenges of Doing Business in Russia - Ethisphere
This document discusses the challenges of doing business in Russia. It summarizes recent US sanctions against Russia and their implications. It also discusses Russia's reaction to the sanctions and legal developments in Russia around anti-corruption laws. Recent Foreign Corrupt Practices Act cases involving bribery in Russia by HP and Diebold are also summarized. The document outlines special challenges like corruption, hidden ownership, and use of sham intermediaries when working in Russia.
Russian Sanctions: What the U.S. and OFAC Directives Mean for Global Companies - Ethisphere
The document provides an overview and summary of recent U.S. sanctions imposed in response to the Russian actions in Ukraine and the implications for global companies. It discusses the sanctions that have designated individuals and entities in Russia, examines entities that may be considered "owned or controlled" by designated persons, and outlines steps companies can take to mitigate risks from potential expansion of sanctions to other sectors of the Russian economy.
Risk Containment: Tailoring Contract Provisions with Third Parties to Minimiz... - Ethisphere
This document discusses risk containment strategies for tailoring contract provisions with third parties to minimize risks under the Foreign Corrupt Practices Act (FCPA) and maximize compliance safeguards. It recommends including core provisions like anti-corruption representations and warranties, audit rights, and termination rights. Government expectations for diligence, oversight and preventative measures with third parties are high given most FCPA cases involve third parties and companies are liable for their actions.
Reputation Risk: Why Companies Need to Care - Ethisphere
Thank you for the insightful presentation. Managing reputation risk is clearly crucial in today's environment of heightened transparency and stakeholder expectations.
Doing Business in Mexico: Compliance Implications of the Pact for Mexico - Ethisphere
This document summarizes a webcast on business compliance implications of reforms in Mexico. It discusses reforms in anticorruption, energy, and telecommunications. For anticorruption, it notes stalled legislation and risks of low enforcement. For energy, it outlines the opening of the oil sector to foreign firms and compliance provisions in contracts. For telecommunications, it discusses allowing foreign investment and risks of mergers and acquisitions. Throughout, it provides strategies for companies to mitigate compliance risks like training and cultural considerations for acquired firms. Speakers from AT&T, Halliburton and Baker & McKenzie address these topics.
Optimizing Compliance Programs in Organizations: A Top Down Approach - Ethisphere
This document provides a summary of a presentation on optimizing compliance programs in organizations using a top-down approach. The presentation discusses challenges with siloed compliance programs and the benefits of an integrated, enterprise-wide approach. It emphasizes taking a risk-based approach with board oversight and continuous monitoring. The presentation also compares external, internal, and regulatory audits and argues for differentiating their roles while increasing integration among compliance functions.
Hotline Confidential: Is Your Company Using Best Practices for Whistleblower ... - Ethisphere
This document summarizes a webinar on best practices for whistleblower compliance programs. It discusses examining whistleblower statutes to ensure compliance, reviewing best practices for establishing a hotline, and discussing employee training on hotlines and anti-retaliation policies. The webinar examines laws like Sarbanes-Oxley, Dodd-Frank, and the False Claims Act and recommends developing an accessible internal reporting process, promptly addressing complaints, maintaining confidentiality, and documenting all reports and investigations.
Whistleblower Best Practices: What Do Compliance and Business Leaders Need to... - Ethisphere
Greg Radinsky, Cynthia Jackson, and Joan Meyer spoke at a webcast on May 15, 2015 about whistleblower best practices. They discussed key themes such as the goal of promptly uncovering misconduct through whistleblower programs. U.S. expectations include encouraging internal reporting and protecting whistleblowers. An effective program provides reporting channels, screens reports by priority, trains employees, conducts awareness campaigns, and monitors performance. However, some countries have laws conflicting with U.S. standards regarding anonymity, data privacy, and labor issues that must be addressed for global rollouts.
Essential Elements of Global Compliance Programs - Ethisphere
This document summarizes a webcast on essential elements of global compliance programs presented by Baker & McKenzie on June 4, 2015. It discusses increasing global enforcement trends, including growing cooperation between authorities. Effective compliance programs are being rewarded with reduced penalties. The presentation outlines key elements of compliance programs, including risk assessment, standards and controls, training, oversight, monitoring, and periodic re-assessment. It also provides an example of compliance requirements under Spanish law.
Anti-Corruption and Third Parties: Mitigating the Risks - Ethisphere
This document summarizes a webcast on mitigating corruption risks from third parties. It discusses how corruption from third parties can harm businesses through extortion, disrupted operations, and reputational and legal risks. It outlines anti-bribery laws in countries like the US, UK, and Brazil that prohibit bribery through third parties. It provides tips for assessing third party risks, such as checking backgrounds, behaviors, due diligence, and contracts. Resources on anti-corruption guidelines and compliance programs are also listed.
Corporate Cyber Attacks: Managing Risk to Avoid Reputation Harm - Ethisphere
This document summarizes a presentation on cybersecurity preparedness and response. It discusses establishing an investigation-ready environment through centralized logging, application whitelisting, data mapping and internet access point identification. It also recommends having a rapid response team and incident response plan in place. During an incident, it advises responding quickly to investigative requests and working with investigators on remediation. Post-incident, it recommends determining notification requirements, developing a public message and conducting lessons learned.
Conflict Minerals: The First Year and What's to Come - Ethisphere
The document summarizes a webinar presented by Baker & McKenzie on the topic of conflict minerals. It discusses filings in the first year of SEC conflict minerals rules, trends observed, informal SEC comments, ongoing litigation challenging the rules, and expectations for years 2 and 3. It also outlines what companies can expect in terms of conflict minerals report format, listing smelters and suppliers, determining conflict-free status, and implementing audits.
Conflict Minerals Update: Making Sense of the Appellate Court Decision and SE... - Ethisphere
The document summarizes a webcast discussing a recent appellate court decision and SEC statement regarding conflict minerals reporting requirements.
The appellate court upheld most of the SEC's conflict minerals rules but found that requirements to describe products as "not DRC conflict free" violated the First Amendment. In response, the SEC limited its stay of the rules and a CF director statement said companies still must file reports by June 2 but need not use the constitutionally problematic descriptions. The statement provides guidance on complying with the upheld portions of the rules. There remains uncertainty around further appeals and rulemaking but companies should plan to file by the June 2 deadline.
4. SPEAKING TODAY
Edward R. McNicholas
Co-Chair, Privacy, Data Security, and Information Law practice, Sidley Austin LLP
Leslie Thornton
Vice President & General Counsel, WGL Holdings, Inc. & Washington Gas Light Company
Jeffrey C. Sharer
Partner, Sidley Austin LLP
5. Speaker: Edward R. McNicholas
EDWARD R. MCNICHOLAS is a global coordinator of Sidley’s Privacy, Data Security, and Information Law practice. His practice focuses on clients facing complex information technology, constitutional and privacy issues in civil and white-collar criminal matters. Ed has significant experience with a wide range of complex Internet and information law matters involving privacy and data protection, electronic surveillance, cybersecurity, cloud computing, trade secrets, online advertising, “big data” and national security. Examples of his matters include:
– a constitutional challenge to portions of the HIPAA final rules (Adheris v. Sebelius, (D.D.C.
2013)),
– a consumer class action challenging Internet advertising cookie techniques (In re: Google Inc.
Cookie Placement Consumer Privacy Litigation, MDL No. 2358 (D. Del. 2012-13)),
– defense of a telecommunications carrier against alleged participation in NSA surveillance (In
re National Security Agency Telecommunications Records Litigation, MDL 1791 (N.D.Cal. and
9th Cir. 2006-12)), and
– briefing in more than a dozen cases before the U.S. Supreme Court.
His practice has been recognized by numerous rankings including Chambers USA (since 2008),
Chambers Global (since 2011), and the US Legal 500.
Prior to joining Sidley, Mr. McNicholas served as an Associate Counsel to President Clinton. In that
capacity, he advised senior White House staff regarding various Independent Counsel, congressional
and grand jury investigations. Mr. McNicholas received his J.D. (cum laude) from Harvard Law School,
where he was an editor of the Harvard Law Review. He received his A.B. (summa cum laude) from
Princeton University, and served as a clerk for the Honorable Paul Niemeyer on the U.S. Court of
Appeals for the Fourth Circuit.
6. Speaker: Leslie Thornton
Leslie Thornton has been Vice President and General Counsel of WGL Holdings, Inc. and
Washington Gas Light Company since January 1, 2012, having joined the company as
Counsel to the Chairman in November 2011. Prior to joining the company, Ms. Thornton
served as a partner with prominent Washington D.C. law firms.
Ms. Thornton also served as Chief of Staff to U.S. Secretary of Education Richard W.
Riley, after starting her service in 1992 as Deputy Chief of Staff and Counselor. During
her nearly eight years with the Clinton Administration, Ms. Thornton advised the
Secretary on all administration and agency matters serving as the liaison between the
Secretary and the White House on policy, political, ethics, personnel and other issues.
Holding a top secret clearance, Ms. Thornton served as her agency's representative in the Continuity of Operations of Government program. In 1995, Ms. Thornton was selected by the White House to serve on the President's White House Budget Working Group, and in 1996 was selected to serve in a senior role on President Clinton's Presidential Debate Team.
Ms. Thornton is a member of numerous associations and boards in the Washington, D.C. community, and has been widely published in legal and other newspapers including the Legal Times, The Wall Street Journal, and the Boston Globe. She holds a Bachelor of Arts from the University of Pennsylvania and a law degree from Georgetown University.
7. Speaker: Jeffrey C. Sharer
JEFFREY SHARER is a partner in Sidley’s currently very cold Chicago office. He
concentrates his practice in litigation and regulatory enforcement matters as
well as in matters related to electronic discovery, computer forensics, and
information governance. Jeffrey frequently advises and advocates on behalf
of clients in matters related to the governance, preservation, and discovery
of electronically stored information. In litigation, Jeffrey has handled matters
at all stages of the Electronic Discovery Reference Model, with particular
emphasis on the development and implementation of best practices and on
the use of artificial intelligence, statistical sampling, and related tools and
techniques to reduce costs and burdens and increase quality of results and
defensibility of process throughout the discovery lifecycle. Jeffrey also
advises in the areas of records retention, data privacy, and information
governance, including defensible deletion of data stores.
Jeffrey is a member of Sidley’s Electronic Discovery Task Force and a longtime member of The Sedona Conference, the nation’s leading nonpartisan law and policy think tank in the area of electronic discovery. He holds degrees from the University of Chicago Law School and the University of Michigan.
9. Where are we on cybersecurity?
• Congressional action remains pending
• Focus on implementation of President Obama’s
Executive Order 13636 (February 2013)
– Development of NIST “Cybersecurity Framework” and
programs to encourage voluntary adoption of the
framework
– DHS designation of CI companies (with right of
reconsideration)
– Establishment of regulatory standards by agencies with
statutory authority
– Increased threat information sharing to CI operators
10. NIST Framework
• Implements Feb. 2, 2013 Executive Order
• Final framework due in February 2014
• Discussion Framework:
– Provide common language for expressing,
understanding, and managing cybersecurity risk
internally and externally
– Develop consistent approach: Identify, Protect, Detect,
Respond, Recover
– Prioritize actions for reducing cybersecurity risk
– Create tools to align policy, business, and technological
approaches to managing risk
11. Incentives Recommended to President
• Cybersecurity Insurance — build underwriting
practices that promote the adoption of cyber risk-
reducing measures and risk-based pricing and foster
a competitive cyber insurance market.
• Grants — leverage federal grant programs.
• Process Preference — consider expediting and
prioritizing existing government service delivery;
technical assistance to critical infrastructure; incident
response situations.
• Liability Limitation — reduced tort liability, limited
indemnity, higher burdens of proof, or the creation of
a federal legal privilege that preempts State
disclosure requirements.
12. Incentives – cont’d
• Streamline Regulations — make compliance easier;
eliminate overlaps among existing laws and
regulation; enable equivalent adoption across
regulatory structures; reduce audit burdens.
• Public Recognition — optional public recognition.
• Rate Recovery for Price Regulated Industries —
dialogue with federal, state, and local regulators and
sector specific agencies on whether the regulatory
agencies that set utility rates should consider allowing
utilities recovery for cybersecurity investments.
• Cybersecurity Research — emphasize research and
development to meet the most pressing cybersecurity
challenges where commercial solutions are not
currently available.
15. Cybersecurity and Information Governance
• Increasing threats of data breach and other cyberincidents,
along with other risks and costs associated with electronic
information systems (such as electronic discovery in legal
and regulatory proceedings), are driving greater focus on
governance of data across the organization
• Cyberthreats, in particular, increase both the risk and the severity
of potential loss associated with over-retention of customer
PII and other sensitive information
• Loss of protected or sensitive information in a data breach
can result in notification obligations, regulatory or civil
exposure, damage to reputation, and other harm to the
company
• Risks are only growing with passage of time, especially as
concepts such as purpose limitations and the so-called
“right to be forgotten” gain legislative traction
16. Information Governance At 30,000 Feet
• For most organizations, mitigation of cyberrisk
through effective information governance requires
cross-functional approach
• Stakeholders at most organizations include (at least)
legal and compliance; IT; RIM; privacy; security; and
business
• People, process, and technology
• Surging emphasis on remediation – often referred to
as “defensible disposition” – of data that does not
have ongoing business value and is not subject to
legal or regulatory retention requirements (including
litigation holds)
17. Mitigating Risk Through Defensible Disposition
• As a general rule, if data has no business value and is
not subject to legal or regulatory retention
requirements, it can (and usually should) be deleted
in the normal course of business
• Organizations have wide latitude: Legal standards
are reasonableness, proportionality, and good faith
• Recent benchmarking of Global 1000 companies
estimated that for corporate information at any given
time, 1% is on legal hold, 5% is subject to regulatory
retention requirements, and 25% has current
business value—this means that approximately 70%
of data that organizations are managing and storing,
and that is at risk of loss through data breach or
other security incident, is unnecessary
19. Questions about Simulation Lessons
• On November 13-14, 2013, the so-called GridEx II exercise tested
governmental and industry crisis response plans, and included both
cybersecurity and physical security components.
– Are these sorts of exercises helpful? If so, what did you take away from it?
– How do you manage both the low probability / enormous risks of
cybersecurity issues, and the more mundane but significant risks of
activist or less-sophisticated hackers?
• The report on the first GridEx exercise noted that “Significant horizontal
communication occurs across industry, but vertical information sharing to
NERC and government agencies is limited due to concerns about
compliance implications.” That nicely sums up one of the key information
sharing issues that inhibit cybersecurity preparation.
– Has the information sharing gotten more or less risky for companies?
– Have the Snowden revelations altered the wisdom of sharing cybersecurity
information with the government?
20. Managing Risk Questions
• Does cybersecurity governance need to fit into an overall
information governance strategy? How are they integrated?
• Businesses must adapt to a rapidly evolving technology
environment, but the legal restrictions are developing
slowly. How do you manage this tension?
• How significant a role does insurance play in your management of
the cybersecurity threat?
• The SAFETY Act (www.SafetyAct.Gov) was designed to support
development and deployment of effective anti-terrorism
technologies by designating and certifying Qualified Anti-Terrorism
Technologies (“QATTs”) that receive important legal
liability protections against claims arising out of an act of
terrorism. Is that an effective piece of a cybersecurity risk
management strategy?
21. Legal Standards Questions
• We continue to have a regime of multiple state data breach laws
with slightly different tests. Are these statutes helpful? Would a
preemptive federal test be better?
• Is it better to have multiple, voluntary cybersecurity standards
and widespread variation or would standardization be better?
• The Massachusetts information security regulations take the
unique tack of specifying ISO-based minimum measures. Is this
helpful because it is definite, or is it an overly simplistic check-box
approach? Which should companies follow?
• Payment card security is almost entirely self-regulatory via the
PCI-DSS. Would this approach work for cybersecurity?
• Has the SEC guidance requiring disclosure of material incidents
helped to increase the level of cybersecurity?
22. Future Developments Questions
• Have you altered your approach to privacy / security
in light of the coming Internet of Things, such as
smart electrical meters? How?
• How should companies factor in these complex
cybersecurity issues in moving to the cloud? What do
you think are the biggest concerns with cloud
computing? Has it made you less likely to move to
the cloud?
• What is the top item on your cybersecurity agenda for
2014?
24. Cybersecurity Questions GCs Should Ask
• Are we “critical infrastructure” operators?
• Do we have IP assets, trade secrets, account records,
consumer data that could be subject to cyber-attack?
Could our facilities be misused as part of an attack?
• What past incidents have we experienced? Are our
incident response procedures effective and well
understood throughout the organization?
• Do we have an up-to-date cybersecurity risk
assessment in hand?
• Who is responsible and accountable for cybersecurity,
and does he/she have sufficient resources?
• Is the Board of Directors adequately focused on
cybersecurity; has it established satisfactory internal
controls and governance structures?
25. More Cybersecurity Questions
• Do we know what existing and prospective laws apply
to cybersecurity?
• Are we subject to specific cybersecurity regulation?
• Do we know what our contracts say about
cybersecurity; do our existing customer / vendor
contracts protect us on cybersecurity? Obligate us?
• Do we have relevant government contracts?
• Do we know the necessary government points of
contact? Do we have appropriately cleared persons?
• Who is monitoring NIST developments and best
industry practices?
• What do we need to include in our SEC filings on
cybersecurity?
26. More Cybersecurity Questions
• Do we have special international exposure and/or
obligations?
• Are we going to participate in the voluntary White
House and NIST cybersecurity framework?
• Could the White House cybersecurity “incentives”
benefit us? Hurt us?
• Do we have good cybersecurity awareness and
personal responsibility throughout our company?
• Do we understand what our legal exposure and
potential liability is?
• Have we considered cyber-insurance?
• Are we at risk for FTC “failure to secure”
enforcement?
27. More Cybersecurity Questions
• Do we have an effective information governance
function and are the right stakeholders involved?
• Do our information governance systems effectively
mitigate risk of loss from data breach or other
incident?
• Have we considered and addressed defensible
disposition of legacy data stores and other sources
that have outlived business value and legal and
regulatory requirements?
28. Lawyer To-Do List For Cybersecurity
• Ensuring legal risks are considered in cybersecurity risk
assessments
• Oversight and readiness for incident response
– Have you vetted and tested your response ability?
– Are you mitigating risk in the ordinary course through effective
information governance?
• Analyzing and explaining the complex legal environment
• Coordination of relationships with government
• Development of standards and internal policies
• Managing protections and obligations in contracts,
customer and vendor relationships
• Addressing “Hack Back” options
• Managing legal/reputational issues
– Required disclosures and reporting
– Risks and rewards of cooperation with government
– Privilege and selective waivers
– Securities issues
29. Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, New York, Los Angeles, San Francisco, Palo Alto, Dallas,
London, Hong Kong, Houston, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley
Austin (NY) LLP, a Delaware limited liability partnership (New York); Sidley Austin (CA) LLP, a Delaware limited liability partnership (Los Angeles, San Francisco, Palo Alto);
Sidley Austin (TX) LLP, a Delaware limited liability partnership (Dallas, Houston); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin
LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership
of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are
referred to herein collectively as Sidley Austin, Sidley, or the firm.
For purposes of compliance with New York State Bar rules, Sidley Austin LLP’s headquarters are 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South
Dearborn, Chicago, IL 60603, 312.853.7000.
Questions?
Edward McNicholas: 202.736.8010 eMcNicholas@sidley.com
Jeffrey C. Sharer: 312.853.7028 jcSharer@sidley.com
www.Sidley.com/InfoLaw
This presentation has been prepared by Sidley Austin LLP as of January 2014 for educational and informational
purposes only. It does not constitute legal advice. This information is not intended to create, and receipt of it does
not constitute, a lawyer-client relationship. Readers should not act upon this without seeking personalized advice
from professional advisers.
BEIJING BOSTON BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG HOUSTON LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.
30. PLEASE JOIN US FOR
January 17, 2014
Information Lifecycle Governance –
Minimize Risks & Improve Readiness
All upcoming Ethisphere events can be found at:
http://ethisphere.com/events/