1 Contents Introduction 2 Powerful forces have led to recent developments and have made cyber security a top-tier issue for the long-term 4 A ten-point agenda for corporate counsel 8 Conclusion 14 NOVEMBER Cybersecurity: The Corporate Counsel s Agenda
2 2 Hogan Lovells Executive summary Introduction Recent attention on cyber attacks has raised the stakes for corporate cybersecurity efforts. This White Paper describes relevant technology and public policy developments and puts them into context for business lawyers. It then recommends a ten-part cybersecurity agenda for corporate counsel that addresses the issues and helps to manage risk. Imagine this scenario: The corporate IT director reports that malware has been discovered on your company s computer systems, and it is likely that sensitive personal information, as well as business plans and intellectual property of the company, have been exposed. U.S. state data security breach notification laws have been triggered and, once the required notices go out, media inquiries and letters from the Federal Trade Commission and State Attorneys General arrive, seeking information about the incident and the company s cybersecurity practices. A letter comes from a prominent legislator asking questions about the incident. Corporate partners inquire about contractual data security and privacy obligations, and the potential impact of the incident on their systems, data, and business. It is time for a regular SEC filing, which requires evaluating whether to report the incident as a material risk. Shareholder representatives and plaintiffs lawyers are organizing themselves to pursue actions related to the incident and its effect on the company, its operations and revenues, and individuals privacy. And the Board wants to know what steps the Office of General Counsel has taken to assess and mitigate the legal risks. This not-so-improbable scenario, and others like it, makes it imperative for corporate counsel to focus (or re-focus) on the issues surrounding cybersecurity. These materials are written as a general guide only. They should not be relied upon as a substitute for specific legal advice.
3 Cybersecurity: The Corporate Counsel s Agenda 3 Cybersecurity, simply put, is whether and how electronic data and systems are protected from attack, loss, or other compromise. 1 Signaling the degree to which cybersecurity-related concerns now occupy senior government officials, on September 19, 2012, Commerce Committee Chair Senator Rockefeller (D-WV) personally contacted the chief executives of America s 500 largest companies to ask about their company s cybersecurity practices and their views on the role of the federal government to help protect commercial critical infrastructure. 2 For business, Senator Rockefeller s letter was only the latest cybersecurity-related development in the legislative, judicial, and regulatory spheres. U.S. government efforts to address the inherent vulnerability of computerized systems began in the late 1990s, intensified in recent years, and will continue to progress in 2013 and beyond. 3 And while the United States seems to have taken the lead among governments to address these issues, particularly as it relates to the private sector s role, other nations also now are engaged. 4 1 A broader and more-nuanced definition can be found in the Obama Administration s Cyberspace Policy Review: Assuring a Trusted and Resilient Information and Communications Infrastructure (2009), available at Review_final.pdf. 2 Industry sectors typically considered critical infrastructure include transport, telecommunications, energy,and financial systems, but the scope of what ultimately is included varies and is frequently subject to considerable discussion. For more on Senator s Rockefeller s inquiry, see Harriet Pearson & Lance Bultena, Senate Commerce Committee s Probe of Fortune 500 Corporate Cybersecurity Is Unprecedented, Hogan Lovells Focus on Regulation (Sept. 26, 2012), 3 For example, prior to year s-end President Obama is widely expected to issue an Executive Order directing agency-industry work to develop recommended cybersecurity practices for key industries. See, e.g., Jennifer Martinez, White House to Meet Industry Groups on Cyber Order, Hillicon Valley (Oct. 17, 2012), available at hillicon-valley/technology/ white-house-to-meet-with-industrygroups-on-cyber-order. 4 Comprehensive national cybersecurity strategies that include a role or responsibility for the private sector have been or are under development in key markets such as the United Kingdom, Canada, and Australia. Countries such as India, China and Russia have taken significant and sometimes controversial steps to protect domestic critical infrastructures. And multi-jurisidictional entities such as the OECD and the European Union also are deliberating on measures that they can take in this area. See, e.g., Neelie Kroes, Vice-President of the European Commission, Securing Our Cyber-World, Address at the Top Level Conference on Cyber Security of Industrial Control Systems and Smart Grids/Amsterdam (Oct. 16, 2012), available at press-release_speech _en.htm. The frequency and severity of cybersecurity incidents involving business have increased in recent years, 5 triggering the governmental activity. Ongoing efforts by both the private and public sectors to prevent and address incidents raise two key questions: What constitutes a reasonable corporate defense and response? Which public or other authorities are in a position to guide and sanction corporate cybersecurity activities? So it comes as no surprise that these issues have taken on new importance for senior corporate leaders. For example, a recent survey 6 of 1,957 general counsel and 11,340 corporate directors indicated that cybersecurity and data protection for the first time rank as top-of-mind concerns, edging out perennial priorities like operational risk and FCPA compliance. But now that the issues are on boards radar screens, to what should limited corporate resources be directed so that key business assets are protected and legal and other risks are minimized? Unsurprisingly given the emerging nature of the challenge, the answer to how business should address cybersecurity-related risk is evolving. Against this backdrop, this paper speaks primarily to the business lawyer. Most analyses in this field even those with a legal bent discuss the military, national security, or technical aspects of cybersecurity, or they focus on a narrow legal issue such as antitrust or breach response. But general counsel and other senior lawyers are responsible to issue spot and counsel on the big picture of business and legal cybersecurity risk. This paper puts the cybersecurity legal issues into that broader context and recommends a comprehensive action plan for general counsel and other corporate counsel. 5 See expert analyses cited infra note Corporate Board Member & FTI Consulting, Inc., 2012 Law and the Boardroom Study: Legal Risks on the Radar (Aug. 2012), available at
4 4 Hogan Lovells Powerful forces have led to recent developments and have made cyber security a top-tier issue for the long-term Almost all facets of modern business and society rely on the availability and proper functioning of what s loosely known as cyberspace: the globally interconnected digital information and communications infrastructure. Consider some telling statistics. Internet access has grown from 361 million users in 2000 to 2.4 billion users in The volume of digital data created in just the next two days will be more than that created from the dawn of history to the year Instrumentation of more and more things that communicate and connect to each other opens up opportunities to make whole systems such as transport or the energy grid more automated and responsive. Cloud computing enables data to be processed offpremises more easily and cheaply than ever before and has proven an attractive computing option for all types of organizations. The consumerization of technology means that many of your employees want to use their smartphones and other devices for work and may already be doing so, even if your company hasn t yet developed a bring-your-own-device program. And many Internet users are engaged in social networking of some type, leaving very visible digital tracks. The fact that these technologies have rapidly become embedded in key parts of the economy and are now viewed as indispensable by most is a key reason why cybersecurity is now a national and economic security issue, as noted by the White House: Cyberspace touches nearly every part of our daily lives. It s the broadband networks beneath us and the wireless signals around us, the local networks in our schools and hospitals and businesses, and the massive grids that power our nation. It s the classified military and intelligence networks that keep us safe, and the World Wide Web that has made us more interconnected than at 7 For Internet usage cites, see com/stats.htm. 8 Estimate according to Google is consistent with other similar such estimates. See Mg Siegler, Eric Schmidt: Every 2 Days We Create as Much Information as We Did up to 2003, TechCrunch (Aug. 4, 2010), techcrunch.com/2010/08/04/schmidt-data/. any time in human history. We must secure our cyberspace to ensure that we can continue to grow the nation s economy and protect our way of life. 9 The pervasiveness of these information and communications technologies means that the private sector which in the United States owns and operates 85 percent or more of the critical infrastructure 10 is now vulnerable to a wide range of cyber-related risks. Several factors contribute to this vulnerability: Many of the technologies now in use were not necessarily engineered for security when first released, yet they have been pressed into service for mission-critical operations. Many of these technologies, when first installed, operated in an environment in which the major sources of known risk were careless insiders, hobbyist hackers, or petty cybercriminals. And before 2005 or so, relatively few regulatory requirements imposed specific obligations to protect sensitive information or to report data security breaches. It is now widely understood, however, that sophisticated cybercriminals and geopolitically motivated actors are targeting multiple industries to steal data or, perhaps worse, to attempt to plant the seeds of disruptive future attacks See White House, Cybersecurity, cybersecurity (last visited Nov. 4, 2012). 10 Estimates of private-sector ownership of the so-called critical infrastructure vary, but in the United States the figure usually cited is 85 percent or more. See, e.g., Dep t of Homeland Security, Critical Infrastructure Sector Partnerships, (last visited Nov. 4, 2012). In countries in which the electricity grid, communication networks and broader energy sector are nationalized, the government may own and operate the majority of the most critical systems 11 Industry and university reports on the cyber-risk landscape abound. See, e.g., Symantec, Internet Security Threat Report: 2011 Trends, McAfee Labs, 2012 Threats Predictions, Georgia Tech, Emerging Cyber Threats Report 2013, IBM X-Force 2012 Mid-Year Trend and Risk Report, common/ssi/ecm/en/wgl03014usen/wgl03014usen.pdf; Verizon, 2012 Data Breach Investigations Report, resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf.
5 Cybersecurity: The Corporate Counsel s Agenda 5 Further complicating the landscape for business, data security and privacy laws in the United States already explicitly apply to companies, particularly those in key sectors such as financial services, health care, and energy. Perhaps the most significant such laws because they bring even harmless incidents to the attention of enforcement agencies, media, and potential plaintiffs are the now-pervasive state and federal laws requiring disclosure of the suspected breaches of sensitive personal information, such as social security numbers or health-related data. In addition to private plaintiffs attempting to claim damages from security breaches involving data about them, enforcement agencies such as the Federal Trade Commission increasingly pursue companies who have experienced a security breach, claiming that cybersecurity programs insufficient to prevent a cyber attack violate the FTC Act and other authorities Since 2005, the FTC has brought more than thirty-five data security cases charging companies or individuals with violations of the FTC Act, imposing remedies that frequently include long-term FTC oversight and corporate commitment to a revamped data security and privacy program. For a current listing of such cases, see ftc.gov/legal-resources/29/35. In the first judicial challenge to the FTC s A wide array of new cybersecurity, data security, and related privacy legislation also was pursued in the most recent Congress; while nothing passed both chambers, committed leaders (such as Senator Rockefeller) have already stated their intentions to continue efforts to drive further action by the private sector, given the severity of cyber threats to U.S. national security. The measures likely to be re-introduced and considered include those that would: facilitate greater industrygovernment information sharing (e.g., by offering liability protection); set national standards for data breach notification; and promote (or perhaps, if a crisis occurs, mandate) certain measures to be taken by the private sector to protect critical industry sectors such as transportation, communications, and financial services. authority to pursue such actions, Wyndham Hotels and its amici have argued that the Commission has exceeded its statutory authority under the unfairness prong of the FTC Act but even invalidation of that element of its authority would leave the FTC with considerable ability to pursue deceptive practices and potentially for it or Congress to reframe its unfairness authority. See Brief of U.S. Chamber of Commerce, Retail Litigation Center and American Hotel & Lodging Association as Amici Curae Supporting Defendants, FTC v. Wyndham Worldwide Corp., No. CV PHX PGR (D. Ariz. filed Oct. 5, 2012), available at chamberlitigation.com/federal-trade-commission-ftc-v-wyndhamworldwide-corp-et-al.
6 6 Hogan Lovells Perhaps the most telling development, in terms of signaling the maturation of this issue as a board-level topic, was the Securities and Exchange Commission s issuance of disclosure guidance in October The SEC explained that public companies should disclose the risk of cyber incidents if such risks may materially affect a registrant s products, services, relationships with customers or suppliers, or competitive conditions, or they would render investment in the company speculative or risky. While the Guidance is not binding and interprets existing legal obligations, nonetheless at least twenty-one Dow 30 companies discussed cybersecurity or data breaches in their 2011 Form 10-K risk factor disclosures. With such legislative and regulatory focus, it is not surprising that 2012 marks the first time that general counsel and corporate board members, ranked cybersecurity and data security as their number one issue of concern Division of Corporation Finance, SEC, CF Disclosure Guidance: Topic Number 2: Cybersecurity (Oct. 13, 2011), available at gov/divisions/corpfin/guidance/cfguidance-topic2.htm. 14 See 2012 Law and the Boardroom Study, supra note 6, at 2.
7 Cybersecurity: The Corporate Counsel s Agenda 7 An excerpt from the 2012 Law and the Boardroom Study notes that: Today, there is arguably no more insidious threat to a public company than that of cyber risk; it s invisible, ever-changing, and pervasive making it very difficult for boards to manage.... [The] level of concern has nearly doubled in the last four years: In 2008, only 25% of directors and 23% of GCs noted data security as an area of high concern. 15 A strong consensus thus has emerged in the United States that neither the private sector nor government is doing enough. It is now a given that more must be done to protect key operations and data against cyber threats. 16 The concern is growing. And the U.S. concern has prompted other national governments to begin similar efforts and dialogues with industry efforts that have the potential to create inconsistent and even conflicting requirements for international companies Id. 16 The lack of information on the full range of corporate responses to cybersecurity risk is perhaps not surprising given the sensitivity of these issues. Thus reports based on even very limited survey samples are widely cited as proof that corporate boards and management are inattentive to cybersecurity risk. See, e.g., Jody Westby, Boards Are Still Clueless About Cybersecurity, Forbes (May 16, 2012), available at (citing Jody Westby, Carnegie Mellon University, Governance of Enterprise Security: CyLab 2012 Report (May 16, 2012), available at RPT-2012-FINAL.pdf). 17 A full treatment of this issue, and its potential to create trade barriers, is beyond the scope of this White Paper. For an example of how the issue can manifest in a significant manner, consider the Indian government s attempts to protect its communications infrastructure by imposing sourcing standards meant to increase supply chain security. See Joji Thomas Philip & Kalyan Parbat, India Impact Seen on Results of Global Telecomm Gear Firms, Economic Times (Aug. 20, 2010), available at news/ _1_telecom-gear-chinese-vendors-security-concerns.
8 8 Hogan Lovells A ten-point agenda for corporate counsel The complex and dynamic nature of cybersecurity challenges even the most security-conscious and seasoned organizations. Consider the recent wellpublicized cyber incidents involving security technology companies, government contractors, and the federal government. 18 No security or compliance program will prevent all incidents; residual risks always will remain. However, companies can and should take actions in advance of a cyber incident. The business rationale for doing so is clear; an effective program that adjusts to address new risks is a must to protect against IP theft and operational disruption. And the presence of an effective cybersecurity program is likely required or expected by regulators or other key constituents (such as investors) or shortly will be. No doubt, much of the needed work inside companies will be done by IT Security and related technical and business personnel. But particularly because the environment is dynamic and the standard of care not well understood the role of counsel is vital and strategic. This much is clear: As with other areas of legal risk, having and documenting a compliance program can reduce the potential liability from even a single incident. 19 Given that a body of cybersecurity baseline best practices and standards exists, counsel can play a key role to help the organization identify and implement such practices, and document those steps. The Ten-Point Agenda offered below can help in-house attorneys develop their own approach to cybersecurity. The Agenda draws on the practical experiences of multiple organizations and considers a wide array of legal, regulatory, and policy developments underway in the United States and beyond. While it will no doubt evolve, the Agenda offers a good starting yardstick against which 18 An illustrative list of breaches involving the federal government and various companies is available at resources/10-big-federal-security-breaches/doc.pdf. 19 The U.S. Sentencing Guidelines set out the key elements of corporate compliance programs, the existence of which can demonstrate institutional commitment to compliance and thus reduce the potential liability associated with a single incident. Lawyers and compliance officers frequently help design, guide and implement corporate compliance programs that are consistent with the recognized Guidelines. corporate counsel can assess their own cybersecurityrelated actions. 1. Fulfill Fiduciary Duty of Board and Management In the event of a cybersecurity-related incident, some commentators have observed that lawsuits might challenge whether corporate board and management have met their fiduciary and statutory duty to safeguard the company s stock price and assets. 20 A documented and generally effective cybersecurity program can, as discussed previously, assist in the defense of such claims. While a detailed description of what such a program looks like is beyond the scope of this White Paper, the key questions an organization s senior leadership should be able to ask itself, and answer satisfactorily, include: Does our organization fully understand its cybersecurity risk profile and related legal obligations? Is a sufficiently skilled cybersecurity leadership team in place to support our organization s risk profile and strategy? Is it a multi-disciplinary team involving the IT organization, physical security (since, for example, a cyber-attack or data breach can be facilitated by unauthorized physical access to key persons or assets), HR, enterprise risk, compliance, communications (for crisis response) and legal? Are our resources allocated such that our highestvalue assets are protected? Is the program documented sufficiently? Are cybersecurity measures and thinking embedded and integrated throughout the business (i.e., before key data or assets are moved, or new initiatives undertaken, are cybersecurity-related risks and obligations considered)? 20 See, e.g., Westby, supra note 16. Claims might arise under the general fiduciary duty to protect assets, under the Sarbanes-Oxley obligation to provide meaningful assurance about the security of information assets, and under numerous specific data security laws.
9 Cybersecurity: The Corporate Counsel s Agenda 9 2. Address Disclosure Obligations and Appropriate Communications In the United States, the Securities & Exchange Commission s recent Guidance on cybersecurity-related disclosure has helped focus public attention on whether and how public companies are communicating cybersecurity-related issues to investors and other interested constituents. 21 Recommended Actions for Corporate Counsel: Assess cybersecurity legal, policy, regulatory, and reputational risk landscape. Ensure consultations involve experts with direct visibility to cyber-attack patterns and sources, as the methods and targets of these evolve quickly. Confirm that organization s Enterprise Risk Management program has considered all relevant cybersecurity risks including legal and policy risks identified. Confirm that enterprise security program meets standard of care expected of the organization given its industry and maturity: Are the most important assets protected? Are the fundamentals in place? Ensure periodic update of cybersecurity risk assessment, given dynamic environment. Particularly but not exclusively because of this consideration, cybersecurity-related internal and external communications by employees and other individuals associated with a public company should be done with discipline, for example with the benefit of training on how to communicate factually and without speculation. The ease with which inappropriate communication can spread in today s social media-rich environment, as well as the temptation created for potential whistleblowers by the Dodd-Frank Act, suggests that early attention to and guidance on appropriate communications will serve the company well. In light of SEC Guidance on this topic, review 10-K and other relevant public filings of the organization and its peer companies (in terms of industry, size and sophistication). Evolve the organization s public filings and other communications as necessary. Train Investor Relations, Communications, IT Security team (especially first responders and incident teams), and other personnel likely to have cybersecurityrelated information to communicate only factually and to seek help when needed. 21 Recent business press speculated about data compromises at prominent companies such as Coca-Cola that were not reported to shareholders. See Ben Elgin et al., Coca-Cola Gets Hacked and Doesn t Tell Anyone, Bloomberg News (Nov. 4, 2012), available at bloomberg.com/news/ /coke-hacked-and-doesn-t-tell.html.
10 10 Hogan Lovells 3. Guide Participation in Public-Private Partnerships and Law Enforcement Interactions Participation in appropriate industry and governmentindustry fora is recognized as a useful part of an organization s cybersecurity program. Such initiatives allow for the sharing of threat information and response strategies, as well as best practices. Frequently law enforcement will be involved in such initiatives, or will get involved in a bilateral discussion with a company during the course of an investigation. Company personnel who are likely to participate in such initiatives should be trained, per Agenda Item 2 above, on how to protect company confidential information and interests while engaging in these fora. Furthermore, the organization should have a strategy for its participation in such fora that optimizes its investment and avoids conflicts with, for example, governmental clients or authorities in its global markets. Review and confirm whether the company s industry and government information-sharing partnership strategy is sound, and managed to benefit the organization (and will not put it at undue risk). Questions to ask include: Who is engaged? With whom? What information is being shared? What is done with incoming information? 4. Achieve Regulatory Compliance Depending on an organization s industry and geographic presence, a number of data security and privacy laws and regulations may apply to it, such as HIPAA/ HITECH, Gramm-Leach-Bliley Act, and state-level data security and data breach notification laws. While an effective regulatory compliance program is helpful to avoid broader types of liability, at the same time organizations should avoid over-investing in check-thebox compliance efforts to the detriment of moreeffective cybersecurity measures. Assess security-related regulatory compliance obligations. Assess sufficiency and efficiency of existing regulatory compliance efforts; streamline as needed. For compliance with breach notification laws, ensure training and preparation of incident response team and confirm that process followed is fully coordinated with (if not part of) cyber incident responses. Update information-sharing protocols to include legal oversight and training of relevant personnel. Appoint or identify legal counsel to assist with issues arising out of industry or law enforcement interactions. Ensure appropriate personnel have law enforcement contacts and relationships before an urgent situation requires them.
11 Cybersecurity: The Corporate Counsel s Agenda Provide Counsel to Cybersecurity Program As organizations evolve their cybersecurity programs, they frequently implement additional measures that may, in some or many jurisdictions, require legal analysis or prudential measures that would benefit from counsel s involvement. For example, a desire to conduct more-robust network and systems monitoring may raise employee privacy and industrial relations issues. Another example: Security-related policies and practices contemplated for bring-your-own-device programs should be reviewed by counsel for various legal issues including but not limited to privacy. Appoint or identify legal counsel to become familiar with the security program and legal issues potentially raised by its implementation. Be prepared to bring novel issues of policy and legal risk to senior management team and/or board. 6. Prepare to Handle Incidents and Crisis No security program is perfect; incidents will take place. The key to handling them well is preparation that can prevent an incident from becoming a crisis. Counsel is an essential part of a security response team and should participate and help guide periodic tabletop sessions that help prepare the organization. Legalspecific issues that bear advance planning include considering when and how the attorney-client privilege will be asserted in the event of an incident and how incident documentation will occur and be retained. Appoint or identify legal counsel to participate in and counsel the incident response team and process. They should be or become familiar with cybersecurity concepts, fact patterns, and terms. Identify and qualify further key internal and external resources (e.g., forensics, outside counsel, communications). Ensure the team and process are exercised regularly to prepare for incidents. Consider involving senior management in a tabletop exercise. Consider in advance key legal issues particularly implicated during an incident, such as when to use attorney-client privilege; when and how to escalate communications to senior management; and what criteria should be used to disclose an incident.
12 12 Hogan Lovells 7. Manage Cybersecurity-Related Transactional Risk At least three major types of transactions implicate cybersecurity-related risk: Mergers & acquisitions in which assets to be acquired or disposed may have cybersecurity-related risks that should be understood and addressed (e.g., a cybersecurity program in need of updating; the existence of prior incidents that probably compromised key intellectual property or other assets; or pending litigation or other actions associated with a cybersecurity incident). Vendor/supplier contracts should include provisions that establish the responsibility of parties for safeguarding the relevant systems and data. If warranted, supply chain security provisions may be explored, if product integrity is a significant issue in the industry. Customer/client contracts can anticipate likely issues and attempt to allocate responsibility for incidents (in business-to-business context) or to establish a preferred venue for claims disputes (e.g., arbitration instead of class actions). Create or update due diligence checklist and approach for cybersecurity issues. Review key contractual provisions used in vendor/ supplier, and customer/client transactions. Initiate and support review of vendor oversight program, to embed new cybersecurity risk considerations into approach. 8. Effectively Use Insurance Many more and better cyber-risk insurance products are available today compared to when the first such products appeared on the market a little over a decade ago. While these products should be purchased carefully, given exclusions and conditions imposed, they can be valuable ways to protect an organization. Commission review of availability and efficacy of cyber-risk insurance for organization s purposes. Include advance legal review of insurance contract especially exclusions.
13 Cybersecurity: The Corporate Counsel s Agenda Monitor and Strategically Engage in Public Policy Cybersecurity legislative and regulatory efforts are certain to continue in the United States and elsewhere. Key issues include: whether and how to set cybersecurity standards for commercial critical infrastructure (CCI); which industries are considered to constitute CCI; and how to incent more robust information-sharing (e.g., create liability protections and strengthen protection of information shared with government). A reasonable corporate response to this landscape can include: simple monitoring (to ensure advance awareness of emerging standards); advocacy via associations (to promote industry-wide considerations); and more active advocacy via smaller coalitions (to ensure that positions on key issues are socialized with key policymakers and industry leaders). Commission work to inform and develop the company s cybersecurity policy position and priorities, if not already articulated. Ask the following: Is the organization sufficiently aware of regulatory, standards, and legislative initiatives globally, to anticipate impacts on the business? 10. Discharge Professional Duty of Care By virtue of their work, corporate counsel are entrusted with particularly sensitive information, and are expected to protect it. Earlier this year, the American Bar Association amended section 1.6 of the Model Rules of Professional Conduct to add a new section on lawyers obligation to maintain reasonable security of client information. 22 The new language supplements the existing duty of confidentiality, and reflects the ABA s recognition of the increased risk of inadvertent or targeted compromise of systems and data held by lawyers. Even if the Model Rules had not been amended, however, it stands to reason that corporate as well as outside counsel should take precautions to protect client and related information, particularly when using or relying upon , social media, cloud, and other digital capabilities. Organize a Continuing Legal Education session for the in-house legal team on the topic of cybersecurity and in particular the role and responsibilities of lawyers and other key individuals to practice safe computing. Review the organization s social media policy with in-house legal team, and discuss if applicable particular considerations for lawyers. Confirm outside counsel s sensitivity to these matters. What mix of monitoring, association work, and more active advocacy should the organization employ to protect its interests? What are the most damaging and most helpful steps Congress or relevant regulators might take, and how likely is the organization s current strategy to prevent or obtain the desired result on these more important issues? 22 The amended rule is available at org/2012/06/2012am105a/.
14 14 Hogan Lovells Conclusion The cybersecurity challenge is complex and dynamic, especially because there is a powerful upside to the continued embrace of digitization and connectivity. Intensifying cyber threats and an active legislative, regulatory, and standards-setting environment mean that the organizational, IT, and data security measures that were reasonable and prudent in the recent past are unlikely to suffice today and certainly will not meet expectations in the future. Alongside other efforts by senior leaders in government and industry, corporate counsel should satisfy themselves that their company s enterprise risk management strategy is informed by a 360-degree view of the risk that includes the legal and policy landscape. They should review and help refine corporate and legal action plans so that such plans emphasize governance, prevention, and preparedness, and are multi-disciplinary and sustainable. They should be a model of contemporary security-conscious behavior. Finally, to understand and potentially influence evolving standards care in this area, they should monitor and consider strategic involvement in the policy and standards arena.
15 Cybersecurity: The Corporate Counsel s Agenda 15 Further information If you would like further information on any aspect of these materials please contact the person mentioned below or the Hogan Lovells lawyer with whom you usually deal. Privacy and Information Management Harriet Pearson Partner, Washington, D.C. T Christopher Wolf Partner, Washington, D.C. T Barbara Bennett Partner, Washington, D.C. T Melissa Bianchi Partner, Washington, D.C. T Marcy Wilder Partner, Washington, D.C. T Timothy Tobin Partner, Washington, D.C. T Nadine Peters Partner, Washington, D.C. T
16 Hogan Lovells has offices in: Alicante Amsterdam Baltimore Beijing Berlin Brussels Budapest* Caracas Colorado Springs Denver Dubai Dusseldorf Frankfurt Hamburg Hanoi Ho Chi Minh City Hong Kong Houston Jakarta* Jeddah* London Los Angeles Madrid Miami Milan Moscow Munich New York Northern Virginia Paris Philadelphia Prague Riyadh* Rome San Francisco Shanghai Silicon Valley Singapore Tokyo Ulaanbaatar Warsaw Washington, DC Zagreb* Hogan Lovells or the firm is an international legal practice that includes Hogan Lovells US LLP and Hogan Lovells International LLP. The word partner is used to refer to a member of Hogan Lovells International LLP or a partner of Hogan Lovells US LLP, or an employee, or consultant with equivalent standing and qualifications, and to a partner, member, employee or consultant in any of their affiliated businesses who has equivalent standing. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney advertising. For more information, see Hogan Lovells All rights reserved * Associated offices
Cloud Computing: A Primer on Legal Issues, Including Privacy and Data Security Concerns Privacy and Information Management Practice / Washington, DC Disclaimer THIS PRESENTATION IS TO ASSIST IN A GENERAL
Cyber Security: A major issue for Australian business: February 2016 1 Cyber security: A major issue for Australian business Contents Introduction and background Is your industry particularly vulnerable
China's new national security law creates more insecurity for foreign businesses Contents Overview 1 JULY Broad definition of national security 1 Expanded national security review regime 1 NSR in relation
E-commerce liberalization in China: State Council and MIIT push forward Contents State Council orders government agencies to take liberalization steps 1 JUNE [ MIIT removes foreign ownership restrictions
Cuba Sanctions Update: Removal of Cuba from Terrorism List Will Result in Modest Easing of Trade Sanctions A legal analysis prepared at the request of the Cuba Study Group 9 April 2015 By Stephen F. Propst,
Loan Trading under LMA Documentation A Guide for Traders and In-house Counsel 2 Further information If you would like further information on any aspect of this note, please contact a person mentioned below
Selection and Use of Patient-Reported Outcome Measures The Role of Outside Consultants Janice Hogan, Partner, Hogan Lovells LLP Tuesday, November 27, 2012 Key Topics for Consultants Selection of Instruments
Luxembourg Doing deals in the Grand Duchy, an English lawyer's perspective Tom Whelan (Partner, Hogan Lovells International LLP) Erin Anderson (Senior Associate, Hogan Lovells International LLP), Camille
China Publishes Draft Rules on Protection of Information Network Dissemination Rights 1 China Publishes Draft Rules on Protection of Information Network Dissemination Rights On 22 April, 2012, the Supreme
JUDGMENT ON THE SPANISH TAX LEASE SYSTEM CASE T-719/13 PYMAR / COMMISSION Contents 1. Background 2. Judgment of the GCEU of 17 December 2015 in Case T- 719/13, PYMAR / Commission 3. Effects of the Judgment
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
The Telephone Consumer Protection Act: Compliance Developments and What to Expect in 2015 November 2014 Mark W. Brennan, Partner Overview Overview of the TCPA Recent Developments Issues to Watch What You
Liberating the Power of Service The right of establishment The case of lawyers Second Bruges European Business Conference College of Europe Jacques Derenne, Partner, Hogan Lovells, Brussels Associate Professor,
Liberating the Power of Service The right of establishment The case of lawyers Second Bruges European Business Conference College of Europe Jacques Derenne, Partner, Hogan Lovells, Brussels Associate Professor,
Cyber security: A growing threat to the energy sector An Australian perspective Contents What is a "cyber attack"? 2 The growing threat to the energy sector 2 The effects of a cyber attack in the energy
Tax Guide 2014/15 South Africa Individuals and Trusts Tax Rates 1 March 2014 to 28 February 2015 Individual Taxpayers and Special Trusts Taxable Income R0 174 550 Rate of Tax 18% of taxable income R174
Number 1462 February 5, 2013 Client Alert Latham & Watkins Litigation Department Accountants and Auditors as SEC Whistleblowers Nearly every public company and financial industry firm subject to the enforcement
Full Foreign Ownership of E-commerce Businesses Permitted in the Shanghai FTZ: But is It a Breakthrough? Contents Backgroud E-commerce Business Shanghai FTZ's Continuing Liberalisation in Telecommunications
CYBER SECURITY Cyber Security for Canadian Directors in the Wake of Ashley Madison Gary Solway* Bennett Jones LLP The August release of the purported names and other details of over 35 million customers
1 of 7 5/8/2014 7:34 PM Posted by David A. Katz, Wachtell, Lipton, Rosen & Katz, on Sunday December 16, 2012 at 10:20 am Editor s Note: David A. Katz is a partner at Wachtell, Lipton, Rosen & Katz specializing
SEC ENFORCEMENT The SEC s Two Primary Theories in Cybersecurity Enforcement Actions By Daniel F. Schubert, Jonathan G. Cedarbaum and Leah Schloss WilmerHale Cyber attacks are increasingly common and affect
Cybersecurity: What In-House Counsel Needs to Know November 19, 2013 Vivian A. Maese firstname.lastname@example.org 2013 Dechert LLP So what does all of the legal activity in cybersecurity mean to you? The top
Increased Regulatory Focus on Cybersecurity Underscores Need for Public Companies to Review Cybersecurity-Related Disclosures March 11, 2014 I. RECENT FOCUS ON CYBERSECURITY As a result of recent highly-publicized
Changing Legal Landscape in Cybersecurity: Implications for Business Delaware Cyber Security Workshop September 29, 2015 William R. Denny, Esquire Potter Anderson & Corroon LLP Agenda Growing Cyber Threats
Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials 1 Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials New Operating Models
Automotive Meeting your global industry legal needs With lawyers in more than 40 offices around the world, the depth and breadth of Hogan Lovells experience in the automotive sector is unmatched. We advise
A new milestone in the Spanish insurance sector: the reform of the Scale SEPTEMBER A NEW MILESTONE IN THE SPANISH INSURANCE SECTOR: THE REFORM OF THE SCALE 1 The Law 35/2015, 22 September, over the reform
CRITICAL THINKING AT THE CRITICAL TIME CONSTRUCTION SOLUTIONS Table of Contents 1 ABOUT FTI CONSULTING 2 CHALLENGES OVERCOME 3 OUR EXPERTISE 4 PROJECT TYPES 5 OUR TEAM ii FTI Consulting, Inc. CONSTRUCTION
Insurance claims and losses in Spain. Procedural aspects of the Spanish legal system Further information If you would like further information, please contact a person mentioned below or the person with
Preventing And Dealing With Cyber Attacks And Data Breaches Arnold & Porter LLP Lockheed Martin WMACCA February 12, 2014 Charles A. Blanchard Arnold & Porter LLP Formerly General Counsel, U.S. Air Force
Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP email@example.com
Self-reporting is getting complicated: Balancing FINRA's rule 4530 and the SEC's whistleblowing requirements Jun 30 2011 K. Susan Grafton recommended FINRA rule 4530 will take effect on July 1, 2011. The
Data Privacy Regulation Comes of Age in Asia 1 Data Privacy Regulation Comes of Age in Asia Data Privacy Regulation Comes of Age in Asia A Sea Change There has been an explosion of new data privacy regulation
Cybersecurity for Nonprofits: How to Protect Your Organization's Data While Still Fulfilling Your Mission June 25, 2015 1 Your Panelists Kenneth L. Chernof Partner, Litigation, Arnold & Porter LLP Nicholas
Sharing Cybersecurity Threat Info With the Government -- Should You Be Afraid To Do So? Bruce Heiman K&L Gates September 10, 2015 Bruce.Heiman@klgates.com (202) 661-3935 Why share information? Prevention
NORTHERN VIRGINIA Hogan & Hartson LLP PRACTICE AREAS: Antitrust Business, Finance, and Tax Capital Markets Corporate and Securities Corporate Governance Estate Planning and Administration Government Contracts
Merger Control Issues and Private Equity Transactions Further information If you would like further information on any aspect of Merger Control and Private Equity Transactions please contact a person mentioned
Employee monitoring in France January 2010 Contents Legal Framework 1 Principal situations where an individual's privacy is restricted in the workplace 1 Potential disciplinary sanctions applied to employees
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
SEC Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two) By Amy Terry Sheehan The SEC has made clear that material cybersecurity risks and incidents should be
WILLIS SPECIAL REPORT: 10K DISCLOSURES HOW RETAIL COMPANIES DESCRIBE THEIR CYBER LIABILITY EXPOSURES This special report examines the cyber risk disclosures made by the retail sector of the Fortune 1000.
Client Note: RICS Code of Practice, Second Edition 2 THE NEW CODE On 4 May the RICS launched the second edition of its Service Charges in Commercial Property Code of Practice. The revised Code will come
Third Party Payment Licences in China - Are They within The Grasp of Foreign Investors? Contents Payment Licenses 1 Telecoms Licences 2 JUNE International Remittances 3 Comments 4 Third Party Payment Licences
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
SESSION ID: CSV-R03 The Legal Pitfalls of Failing to Develop Secure Cloud Services Cristin Goodwin Senior Attorney, Trustworthy Computing & Regulatory Affairs Microsoft Corporation Edward McNicholas Global
July 2015 Many companies know they have to follow privacy and data security rules. Companies in the health care industry know about Health Insurance Portability and Accountability Act (HIPAA). Financial
How Cybersecurity Initiatives May Impact Operators Ross A. Buntrock, Partner firstname.lastname@example.org 202.669.0495 Agenda! Rise in Data Breaches! Effects of Increase in Cybersecurity Threats! Cybersecurity
Who s next after TalkTalk? Frequently Asked Questions on Cyber Risk Fraud threat to millions of TalkTalk customers TalkTalk cyber-attack: website hit by significant breach These are just two of the many
Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials 1 Outsourcing, Technology Procurement and Cloud in Asia: the Legal and Regulatory Essentials New Operating Models
2015 www.bdo.com For more information on BDO USA s service offerings to this industry vertical, please contact one of the regional service leaders below: TIM CLACKETT Los Angeles 310-557-8201 / email@example.com
Number 928 September 9, 2009 Client Alert Latham & Watkins Health Care Practice Violation of this rule will be treated by the FTC as an unfair or deceptive act in violation of the Federal Trade Commission
JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015 The following consists of the joint explanatory statement to accompany the Cybersecurity Act of 2015. This joint explanatory statement
Alvarez & Marsal Global Forensic and Dispute Services 2015 Asia Pacific Regional Meeting (APRM) Tokyo, Japan 23-25 April 2015 A&M OVERVIEW GLOBAL REACH NEW YORK (GLOBAL HQ) LONDON (EUROPE HQ) HONG KONG
FOR INTERNAL USE ONLY Lawyer Development Framework U.S. Associates 2014-2015 Purpose of the Lawyer Development Framework The U.S. Lawyer Development Framework includes 11 skills that are important throughout
Page 1 of 6 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 firstname.lastname@example.org How GCs And Boards Can Brace For The Cybersecurity
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
CLIENT UPDATE CRITICAL INFRASTRUCTURE CYBERSECURITY: U.S. GOVERNMENT RESPONSE AND IMPLICATIONS NEW YORK Jeremy Feigelson email@example.com WASHINGTON, D.C. Satish M. Kini firstname.lastname@example.org Renee
www.pwc.com/cybersecurity Answering your cybersecurity questions The need for continued action January 2014 Boards and executives keeping a sustained focus on cybersecurity do more than protect the business:
THE DIGITAL AGE THE DEFINITIVE CYBERSECURITY GUIDE FOR DIRECTORS AND OFFICERS Download the entire guide and follow the conversation at SecurityRoundtable.org Investment in cyber insurance Lockton Companies
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues Todd Bertoson Daniel Gibb Erin Sheppard Principal Senior Managing Associate Counsel email@example.com
March 30, 2015 DATA BREACH RESPONSE READINESS Is Your Organization Prepared? Peter Sloan Pete Enko Jeff Jensen Deborah Juhnke The data security imperatives of Prevention, Detection, and Response do not
CIP Supply Chain Risk Management (RM15 14 000) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016 My name is Jacob Olcott and I am pleased to share some observations on
Welcome Clarity on Online Sales in China For Foreign Investors From An Unexpected Source But Uncertainty Remains For The VIE Structure December 2012 Further information If you would like further information
CDT ISSUE BRIEF ON FEDERAL DATA BREACH NOTIFICATION LEGISLATION January 27, 2015 A September 2014 Ponemon study found that 60% of U.S. companies have experienced more than one data breach in the past two
Executive Order: In the President s State of the Union Address on February 12, 2013, he announced an Executive Order Improving Critical Infrastructure Cybersecurity (EO) to strengthen US cyber defenses
HEALTH CARE AND CYBER SECURITY: Increasing Threats Require Increased Capabilities kpmg.com 1 HEALTH CARE AND CYBER SECURITY EXECUTIVE SUMMARY Four-fifths of executives at healthcare providers and payers
9 September 2015 Practice Groups: Investment Management, Hedge Funds and Alternative Investments Broker-Dealer Finance Cybersecurity Update: National Futures Association Proposes Cybersecurity Guidance
Into the cybersecurity breach Tim Sanouvong State Sector Cyber Risk Services Deloitte & Touche LLP April 3, 2015 Agenda Setting the stage Cyber risks in state governments Cyber attack vectors Preparing
An Executive Brief from Cisco Cybersecurity: A View from the Boardroom In the modern economy, every company runs on IT. That makes security the business of every person in the organization, from the chief
Equity Capital Markets Team Germany 2 Equity Capital Markets Team Germany Our strength is our experience with complex assignments Capital markets are difficult to predict and present serious challenges
NASCIO 2014 State IT Recognition Awards Project: California Cybersecurity Task Force Category: Cybersecurity Initiatives Project Initiation Date: September, 2012 Project Completion Date: May 2013 Carlos
IAPP Global Privacy Summit 2014 The SEC and Cybersecurity: What Every Publicly Traded Company Must Know Moderator: Elaine Wolff, Partner Corporate Finance and Securities Practice, Jenner & Block Mary Ellen
White House Report May Have Long-Term Effect on Consumer Privacy and How Companies Do Business April 10, 2012 Boston Brussels Chicago Düsseldorf Houston London Los Angeles Miami Milan Munich New York Orange
Cyber Security for the Private Sector: What Companies and Their Lawyers Need to Know Gus Coldebella, Goodwin Procter LLP John Geschke, VP and General Counsel, Zendesk, Inc. Jim Jaeger, VP, Cybersecurity
ediscovery: Trends & Challenges Joseph P. Grasser Carrie E. Jantsch January 28, 2014 Overview Trends & Challenges Mobile Device Electronic Discovery and BYOD Policies How BYOD Policies Complicate E-Discovery
ROCKEFELLER SNOWE CYBERSECURITY ACT SUBSTITUTE AMENDMENT FOR S.773 March 17, 2010 BACKGROUND & WHY THIS LEGISLATION IS IMPORTANT: Our nation is at risk. The networks that American families and businesses
Brief The BakerHostetler Data Security Incident Response Report 2015 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the
www.pwc.com Cybersecurity and Privacy Hot Topics 2015 Table of Contents Cybersecurity and Privacy Incidents are on the rise Executives and Boards are focused on Emerging Risks Banking & Capital Markets
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking
Intelligize // 02 As is tradition, at the beginning of the year, the U.S. Securities and Exchange Commission outlined both its current state of affairs and annual goals for maintaining proper compliance
Cybersecurity and Insurance Companies ACLI Forum 500 CEO Leadership Retreat Timothy J. Nagle Vice President & Chief Privacy Counsel Prudential Financial 1 May 13, 2015 What is cybersecurity? Protecting
Cyber-insurance: Understanding Your Risks Cyber-insurance represents a complete paradigm shift. The assessment of real risks becomes a critical part of the analysis. This article will seek to provide some
Legislative Language SECTION 1. DEPARTMENT OF HOMELAND SECURITY CYBERSECURITY AUTHORITY. Title II of the Homeland Security Act of 2002 (6 U.S.C. 121 et seq.) is amended (a) in section 201(c) by striking
www.pwc.co.uk Cyber security Building confidence in your digital future November 2013 Contents 1 Confidence in your digital future 2 Our point of view 3 Building confidence 4 Our services Confidence in