TOP TRENDING THE MAGAZINE. Cybersecurity Emerging Trends and Regulatory Guidance - ACCDocket.com. Wisdom of the Crowd The First General Counsel

Transcription

1 ETHICS & COMPLIANCE LAW DEPT. MANAGEMENT LITIGATION TECHNOLOGY EMPLOYMENT & HUMAN RESOURCES CAREER NEWS INTERVIEWS & PROFILES CROSS BORDERS TOP TRENDING Cybersecurity Emerging Trends and Regulatory Guidance Wisdom of the Crowd The First General Counsel Sign Here: Electronic Signatures and the In-house Counsel When Employment Ends: Updates on Entitlements and Claims in Asian Jurisdictions Seven Ways for New In-house Counsel to Start Off on the Right Foot THE MAGAZINE Our Current Issue Digital Docket Article Archive 1 of 6 6/18/15 11:20 AM

2 Cybersecurity Emerging Trends and Regulatory Guidance By ACC 2015-Apr-28 Back Issues Authoring Guidelines Editorial Calendar Subscribe 2014 was a tumultuous year in data security, as cyberthreats rose to unprecedented levels. High profile data breaches at JPMorgan Chase & Co, Home Depot, Target Corp., Sony Pictures and Entertainment, among others, made data security in the private sector a legislative priority in the United States. The House has answered with the Protecting Cyber Networks Act bill, which allows companies under threat to share data with the government in order to better protect themselves and others from cyber attacks. President Barack Obama has voiced his support for the bill, which is expected to pass the Senate. Chief Legal Officers are rightfully concerned with data breaches, both reactively and by keeping up with the changing regulatory environment. According to the 2015 ACC CLO Survey, 27 percent of CLOs COMMUNITY Lessons Learned from the Recent Antitrust Investigations in 2 of 6 6/18/15 11:20 AM

3 reported data breaches at their organizations in the past two years, with big organizations at greater risk. The cover story in the May edition of the Docket, mindful of the need for targeted advice on data security for CLOs, provides guidance on compliance and preparing for data breaches. Below, excerpts from "Cybersecurity Emerging Trends and Regulatory Guidance": China Engaging Your Network: Michelle Gustavson Step one: assess your company's exposure to a cybersecurity threat by figuring out what your company needs to protect. Step two: identify where the vulnerabilities exist. This is complex and multilayered issue. Step three: prepare and coordinate among the key stakeholders in your company. The legal department should be able to identify legal requirements and ways to limit liability. Step four: develop a plan. Your plan should include among many other things guidance on a potential media response by your company. One conceptual framework worth considering as a standard of care for company readiness against cyberattacks was developed by the National Institute of Standards and Technology (NIST). The NIST framework core includes five functions that are performed concurrently and continually to create a culture that addresses the dynamic nature of cybersecurity risks: ACC Chicago Hosts Best Practices of General Counsel Program The Chicago Chapter-Sponsored MBA-style Program Explores Corporate Strategy IN-HOUSE ACCESS Disposing of Protected Health Information Under HIPAA and Notification Requirements Resulting From a Breach Please Read ASAP: The Four-Letter Phrase Lives on In-house In-house Job Things to Think About More > Identify: understand the business context, resources that support critical functions and the related cybersecurity risks to focus and prioritize efforts. Protect: develop and implement safeguards to limit or contain the impact of a potential cyberincident. 3 of 6 6/18/15 11:20 AM

4 Detect: develop and implement activities to detect a cyberincident in a timely manner. Respond: develop and implement activities to contain the impact of a potential cyberincident. Recover: develop and implement activities that support timely recovery to normal operations to reduce the impact of the cyberincident. Corporate cybersecurity is not limited to the United States. From the article: With the growing number of data-security breaches around the world, security remains a great concern. Seventeen countries have enacted mandatory breach-notification laws that require organizations to notify individuals and/or government regulators in the event of a data breach. Ten other countries have issued voluntary data-breach-notification guidelines. With respect to data safeguards, there is a broad range of data security obligations. Some countries such as those in the United Kingdom, simply require that companies use reasonable organization and technical measure to protect personal information. Other countries have detailed security obligations such as South Korea (which requires encryption of certain types of data at rest) and Argentina (which requires encryption of sensitive data over the Internet). With respect to privacy, more than 90 countries now have comprehensive privacy statutes. Most privacy laws outside the United States are broader than US law, covering any personally identifiable information, not only 4 of 6 6/18/15 11:20 AM

5 customer or consumer information. Generally, these laws require that the existence of databases be publicly disclosed and that the databases be registered with the government or with an independent data-protection authority. They also require that individuals whose personal information is maintained in these databases be given notice of, and in certain circumstances consent to, the collection, use and transfer of their personal information as well as the right to access and correct the information held about them. For now, all in-house counsel should carefully monitor the legislative developments and continue to stay vigilant about cyberthreats. Compliance & Ethics Information Security Related Items Top Ten Tips for Companies Buying Cyber Security Insurance Coverage A Roadmap: How In-House Counsel Can Prepare For and Mitigate the Risk of a Cyber Attack President Obama s Executive Order on Cybersecurity and its Special Relevance to the Payments Industry The information in any resource collected in this virtual library should not be construed as legal advice or legal opinion on specific facts and should not be considered representative of the views of its authors, its sponsors, and/or ACC. These resources are not intended as a definitive statement on the subject addressed. Rather, they are intended to serve as a tool providing 5 of 6 6/18/15 11:20 AM

6 practical advice and references for the busy in-house practitioner and other readers ACC Docket.com Privacy Policy Terms of Use Media Kit 30-Somethings A Publication of the Association of Corprate Counsel 6 of 6 6/18/15 11:20 AM