Risk Evaluation and Management

December 12, 2016

Cybersecurity Law in 2017 – Predictions and Prognostications

December is the month for predictions. During this month, commentators of all sorts and in all areas predict the trends and actions that will impact us during the coming year. While speculating the future is a questionable pursuit, we at the Cybersecurity Lawyer Forum would hate to be left out of the fun. With that in mind, a few thoughts on what we might expect in the year to come.

National Cybersecurity Legislation

Legislation in the United States is less an exercise in establishing comprehensive systems than in reacting to events; much legislation tends to be anecdotal and designed to fit the day’s headlines. Moreover, legislation is a curious process, and even with the Congress and White House held by the same party, legislation is hard to pass.

Cybersecurity legislation faces additional hurdles. It is not always the highest priority for lawmakers, especially during a year when an entirely new administration must be established, and when the campaign promises of the last year did not include cybersecurity as a priority. Continue reading

September 2, 2016

Ignoring Cybersecurity – It’s Not an Option

by Robert E. Braun

3679571-business-people Paralysis is one of the biggest obstacles to achieving a cybersecure environment. Companies are often unable to take the steps necessary to bring security to an enterprise. It’s not only common; it’s entirely understandable.

Achieving cybersecurity appears to be an overwhelming task. Every day brings another headline announcing a data breach, or reports on the enormous cost of data breaches – one has to wonder if implementing a cybersecurity regime would even achieve its goal. Companies are challenged by the complexity of their systems and the seemingly impenetrable jargon used to describe them. Funding a cybersecurity program is a challenge – as one CEO put it, “I gave my team an unlimited budget, and they exceeded it.” Spending valuable time and scarce resources on security takes away from operations that ground an enterprise. Companies fear that focusing on cybersecurity can only come at the expense of their core operations.

August 5, 2016

Cybersecurity Surveys – Key Takeaways

by Robert E. Braun

Digital Padlock on Circuit Background - Web Security Concept

Spring is the season for many things, including the publication of cybersecurity surveys. In the past few months, Verizon has published its Data Breach Investigations Reports, Ponemon Institute Published its 2016 Study on How Organizations Manage Data Breach Exposures, the California Attorney General published its annual California Data Breach Report, and a variety of others have published reports describing the state of cybersecurity and privacy, and the threats individuals and businesses face in online security. While the reports each contain important facts and focus on different aspects of cybersecurity, they also have some key lessons for enterprises that focus on risk reduction:

February 8, 2016

Cybersecurity Alert: Business Management Firms and Family Offices

by Michael A. Gold

The Big Data deluge - A businessman tries to crunch the numbers at his desk.png

We are flooded with news reports of major data breaches and malware attacks. The reports focus on attacks against businesses with significant volumes of sensitive personal and financial information, like financial institutions, hospitals, retailers – and most recently, law firms. There is no question that the press pays the most attention to a data breach when large volumes of valuable information have been stolen or encrypted for ransom.

Some firms, like business managers and family offices, have not received much media scrutiny. But lack of media coverage is not a reason for comfort. These organizations are ripe targets for intruders, precisely because of the people they represent and the information they possess. Business managers and family offices hold the most confidential information of their clients – financial records, bank and securities account information, health records, estate planning and trust documents, physical locations of valuable assets and the like. Intruders do not gravitate only to the largest companies or those with the highest public profiles. Rather, intruders are attracted to targets with valuable information, regardless of who they are.

October 3, 2013

California Proposition Would Expand Duties and Liabilities for Collecting Personal Information

by Robert E. Braun and Michael A. Gold

On September 26, 2013, the California Secretary of State allowed proponents of a new ballot proposition to collect signatures for the “Personal Privacy Protection Act.” The Act, if approved, would radically change the privacy landscape in California by adding new provisions to the California Constitution. Most importantly, the Act (1) requires all “legal persons” that collect personal information to use “all reasonably available means to protect it from unauthorized disclosure” and (2) creates a presumption that a person is harmed whenever his or her personal information is disclosed without authorization.
Continue reading

March 18, 2013

The Seven Deadly Sins of Data Security

by Robert E. Braun and Michael A. Gold

There is no shortage of advice on how to secure electronic information. Companies can look to pronouncements by state and federal agencies (for example, the recent statements by the California Attorney General and the Federal Trade Commission on mobile application security), private industry (like the Payment Card Industry’s Data Security Standards) and foreign standards (like the European Union Data Protection Directive). There is guidance regarding technical standards, corporate protocols, contracting requirements and others.
Continue reading