CYBERSECURITY AND PRIVACY

What is "cybersecurity" and why is it relevant to your business?

Broadly speaking, "cybersecurity" refers to public and private sector efforts to secure the nation's infrastructure against attacks designed to cripple government, defense, commerce, power grids, transportation and/or other basic services critical to the nation's infrastructure. At one extreme, cybersecurity refers to national cyber-defense strategy against concerted cyber-attacks by foreign powers or terrorists (a/k/a "cyber-warfare"). At the other extreme, the term refers to persistent, sophisticated cyber-hacking, cyber-espionage and cyber-terrorism events, large and small, targeting individual government agencies and private corporations for purposes of sabotage or for acquiring sensitive intelligence information, government secrets and/or commercial trade secrets. These incidents do not only target the Fortune 500 businesses; small to medium-sized businesses have been a major target of cybercrime in recent years.

The Cybersecurity Framework

The Obama Administration's recent executive order has launched an effort to promulgate a voluntary national framework under which government agencies and private sector businesses can establish and maintain minimum cybersecurity standards and practices. As proposed, adoption of the framework by private sector businesses would be accompanied with various incentives for investment in cybersecurity and sharing information with the government. For some months, a draft Cybersecurity Framework has been open for public comment by the National Institute for Standards and Technology. A final, revised version is scheduled for release in February 2014. Numerous bills pending in Congress, if enacted, would serve further to "federalize" the area of private sector cybersecurity standards, especially for industries designated as critical to the country's infrastructure (such as public utilities, communications networks and defense contractors). Regardless of the final form of any agreed upon cyber risk framework, government cybersecurity regulations and guidance are likely to issue.

Businesses in all sectors, not only in defense and utilities, have reason to prepare for the impending U.S. cybersecurity regime. As a senior government official recently put it, "There are two kinds of businesses today: those that know they have been hacked, and those that don't know it yet." Any business that relies on networks and on digital systems to conduct operations and store information assets is exposed to cyber-risk. The unfolding federal cybersecurity "framework" is likely to expand through federal and state regulatory structures and lead to multiple new compliance mandates and guidelines for all major economic sectors. Recently, the Department of Defense issued new regulatory guidance to address cybersecurity in defense procurement contracts, likely signaling a larger trend across all federal procurement requirements. The Department of Defense and the Government Services Agency also recently issued a recommendation for enhanced cybersecurity compliance by federal contractors. Evolving federal cybersecurity standards may also affect standards for civil liability associated with maintaining information systems and for the insurability of cyber-risks. Businesses will ignore these developments at their peril.

What services does Wiggin and Dana provide relating to cybersecurity?

Risk Assessments and Compliance: The foundation of cybersecurity preparedness is a comprehensive risk assessment, and risk assessments need to be informed by an organization's particular legal and regulatory compliance posture and liability exposures. Working with clients and, in some cases, technical consultants, firm lawyers help structure risk assessments and then prepare and help clients implement cybersecurity compliance programs. Areas of compliance may include not only primary cybersecurity rules and guidelines but also such matters as export compliance, privacy and data security, computer crime laws, SEC disclosure requirements, health care legal requirements, employment practices, fraud prevention and other agency and industry 'best practices'.

Internal Investigations: Cybersecurity incidents, threatened incidents, data breaches and even routine compliance efforts may reveal circumstances that call for sensitive internal investigations. Wiggin and Dana's litigation, White Collar and Regulatory Compliance practices have extensive experience in such investigations, and our team includes several partners with substantial prior government experience.

Government Investigations: Government regulators and state attorneys general are increasingly focused on security lapses in the private sector. The Federal Trade Commission, for example, has brought over a hundred enforcement actions in the last few years directed at private sector privacy and security practices. Government contracting practices are under increased scrutiny for their security implications. This compliance and enforcement environment translates into more investigations of data security incidents, data breaches and other corporate missteps involving security systems or government data. As with internal investigations, our litigation, white collar and compliance attorneys have extensive experience advising clients in their responses to such investigations.

Corporate Information Security Policies, Employee Awareness, Governance and Board Education Programs: The adoption of appropriate, written cybersecurity policies will be a cornerstone for corporate compliance efforts, including employee training programs and for overall enterprise governance of cybersecurity practices. Wiggin and Dana's privacy and data security lawyers have substantial experience in this kind of policy development work and in 'best practices' approaches to information security governance and training.

Security Incident and Breach Preparedness and Responses: Data security incidents are routine and pervasive, but, increasingly, businesses are also falling victim to sophisticated cyber-attacks (or "advanced persistent threats") designed not to steal customer data but to acquire company assets or to seize control of systems and disrupt business operations. Clients typically require outside legal advice in responding to these incidents, in managing the multiple consumer and regulatory notice obligations imposed by state and federal law and in mitigating litigation risk. Our litigators, privacy and health care lawyers have extensive experience in data breach preparedness and response programs. Often these services are coupled with assistance in developing relevant client security and incident response policies.

Litigation: Although it remains to be seen whether cybersecurity regulations will create a new field for civil litigation, there is already a thriving class action industry in data breach litigation under existing state and federal laws. Standards of liability for security lapses are likely to be affected as cybersecurity law and policy evolve. Businesses that are victims of cyber-attacks will likely find themselves sued in addition to their other compliance-related problems. Litigators at Wiggin and Dana have extensive litigation experience in defending consumer protection and privacy claims and in handling complex class action cases.

Cyber-risk in Procurement, Outsourcing Transactions and Supply Chains: As more companies outsource or send parts of their operations into 'the cloud', procurement increasingly becomes a cybersecurity risk vector. How companies go about buying technology and technology-related services can have a significant impact on their cyber-risk profile. Many existing regulations obligate businesses to engage in reasonable due diligence and obtain appropriate, written contractual terms from vendors that have access to company systems and data. With the recent issuance of Department of Defense cybersecurity guidelines for procurement, businesses that contract with the federal government can expect cybersecurity to be a prominent requirement for certain federal awards. Any comprehensive approach to managing cyber risk will involve appropriate procurement and supply chain management policies and practices. Lawyers in Wiggin and Dana's outsourcing and technology group regularly advise clients on these issues in connection with individual transactions and procurement policies.

Cyber-liability Insurance Products: Lawyers in the firm's Insurance and Litigation practices have extensive experience in advising on insurance coverage disputes. Our insurance lawyers have also helped insurers develop new cyber-liability insurance products.

What kinds of businesses should be addressing cybersecurity risks?

Businesses in economic sectors identified by the government as "critical infrastructure", including public utilities, defense contractors, health care, manufacturers, technology companies, banking and financial services companies and transportation businesses.

All other businesses that:

  • maintain substantial proprietary information and intellectual property on information systems, whether internal or outsourced;
  • contract with, or are otherwise in the supply chain for, "critical infrastructure" businesses or the government, and therefore need to keep pace with the evolving requirements for the critical infrastructure;
  • are already subject to state or federal regulatory requirements pertaining to information security (e.g., financial services, health care, education);
  • are critically dependent upon the security of their data and information systems to operate and maintain business continuity; or
  • for reputational, risk management and brand-protection reasons, seek to limit their exposure to public data breach and cyber-hacking incidents.

What about small and medium-sized businesses?

Smaller and mid-sized businesses may assume that they can avoid serious cyber-risk if they just sit quietly and keep their heads down. But the facts indicate otherwise; several major industry studies have emphasized that cyber-assailants are finding some of their richest targets in smaller, and less prepared, businesses. The answer for such businesses is not 'zero preparation' but appropriate preparation.

Advisories

08/18/2017 Uber-FTC Settlement Highlights the FTC's Focus on Aligning Security Promises with Security Practices
01/06/2017 Although Delayed, New York's Aggressive Cybersecurity Law Expected to Affect Financial Services and Insurance Firms
09/13/2016 OCR Continues to Strengthen HIPAA Enforcement Efforts
06/09/2016 Morgan Stanley Hit with $1 Million Fine in SEC Cybersecurity Enforcement Action
04/22/2016 The General Data Protection Regulation: Its Time Has Come
03/24/2016 Chinese National Pleads Guilty to Conspiracy to Commit Cyber Theft of Export-Controlled Technology
03/15/2016 United States to Renegotiate Controls on Intrusion Software
02/05/2016 The New E.U.-U.S. Privacy Shield: What You Need to Know
02/03/2016 The Cybersecurity Act of 2015
01/29/2016 Cybersecurity in Postmarket Medical Devices: New Guidance from the FDA
12/02/2015 Cyber-Insurance Does Not Ensure Protection From Data Breach
11/23/2015 FTC Administrative Law Judge to FTC: "Not So Fast on Data Security Enforcement!"
10/30/2015 U.S. Senate Moves Forward on Cybersecurity Information-Sharing Legislation
10/06/2015 European Union High Court Invalidates US/EU Safe Harbor for Data Transfers
08/31/2015 Third Circuit Affirms FTC's Ability to Bring Cybersecurity Enforcement Actions
06/04/2015 Doing Business in Connecticut? There's a New Data Security Law You Should Get to Know
04/08/2015 Implications of FCC's Record $25M Data Breach Settlement With AT&T
03/10/2015 Higher Ed Legal Update, March 2015
02/13/2015 OCIE's Cybersecurity Risk Alert Provides Insight for Investment Advisers into Peer Practices
02/09/2015 Cybersecurity Updates Newsletter, Winter 2015
02/06/2015 The Anthem Breach: What Affected Group Plans Should Be Thinking About
12/10/2014 The Connecticut Supreme Court Opens Door for Expanded Negligence Liability Based on HIPAA Violations
11/07/2014 California Reports 600% Increase in the Number of Individuals Affected by Data Breaches
10/28/2014 Cybersecurity by Design: FDA's Final Guidance for the Medical Device Industry
04/17/2014 SEC's OCIE Issues Cybersecurity Risk Alert and Sample Information Request
04/14/2014 HIPAA Enforcement Update
04/08/2014 Judge Green Lights FTC's Data Security Case Against Wyndham Worldwide
03/26/2014 'Kill Chain' Analysis of Target Data Breach is a Chilling Read for Corporate Cybersecurity and Privacy Professionals
02/21/2014 Cybersecurity Updates Newsletter, February 2014
02/11/2014 Cybersecurity Legislation: Is Congress Ready?
01/28/2014 Federal Contractors: Meet the New Cybersecurity Standards or Lose Your Government Book
12/09/2013 Cyber Attacks: A Clear and Present Danger
11/20/2013 Google Enters Into $17 Million Settlement With 37 States and the District of Columbia After Circumventing Privacy Settings in Apple Inc.'s Safari Browser
05/07/2013 A Data Privacy and Security Checklist for Management
03/13/2013 Connecticut Attorney General Announces $7 Million Settlement with Google for Data-Snatching Wi-Fi Drive-Bys
02/26/2013 The Federal Trade Commission's 'Device Squad' Gets Technical with HTC on Smartphone Security
02/20/2013 The Unusual Suspects: HIPAA's Applicability Broadly Expanded to Downstream Contractors
02/14/2013 White House Issues Cybersecurity Executive Order
02/04/2013 Federal Trade Commission Issues Comprehensive Mobile Privacy Recommendations and Proposes Mobile 'Do Not Track' Mechanism
01/31/2013 Lost Backup Tape Puts Blood Bank Under the FTC's Microscope
01/30/2013 Keeping Up with HIPAA: OCR's New Omnibus Rule
01/22/2013 Lessons from the Most Recent HHS HIPAA Settlement
01/16/2013 Summary of Wiggin and Dana's Fifth Annual Health Care Compliance and Enforcement Roundtable on HIPAA Enforcement
01/11/2013 The World Gone Mobile: California Attorney General Issues Roadmap to Privacy Protection in the 'Mobile Ecosystem'
12/08/2011 OCR Begins HIPAA Audits
04/13/2011 SEC, For the First Time, Imposes Fines on Executives for Privacy Violations
12/21/2010 Congress Curbs the Reach of the Red Flags Rule
08/19/2010 HHS Proposes HIPAA Regulatory Changes to Address HITECH
08/11/2010 ONC Establishes Temporary EHR Certification Program
09/01/2009 HIPAA Covered Entities and Business Associates Now Subject to New Breach Notification Requirements
08/14/2009 Compliance with Red Flags Rule
06/23/2009 Compliance with New Laws on Identity Theft and Protecting Personal Information
06/16/2009 The HITECH Act Makes Significant Changes to HIPAA Affecting Covered Entities, Business Associates and Personal Health Record Vendors
03/13/2009 Final Federal Patient Safety Regulations Provide Broad Protection to Patient Safety Data
09/29/2008 New Law Concerning the Protection of Personal Information Takes Effect on October 1, 2008
01/21/2005 New HIPAA Challenges: Implementing the HIPAA Security Rule
07/13/2004 HIPAA Security Rule Compliance Deadline Nine Months Away: Tips for Compliance
09/12/2000 The Department of Health and Human Services Issues Proposed Rule Containing Federal Privacy Standards

Published Works

04/02/2017 Why the Supreme Court Shouldn't Allow WhatsApp to Share Data with Facebook, The Wire
03/06/2017 Regulatory Oversight of Third-Party Arrangements: Who's Writing the Contract?, New York Law Journal
03/24/2016 Cultural Property Prosecutions, United States Attorneys' Bulletin
03/07/2016 Hone a Plan to Meet Evolving Regulatory Expectations, New York Law Journal
01/20/2016 Cybersecurity in the U.S.: Living with Regulatory Uncertainty, TerraLex Connections
12/01/2015 Navigating Cyber-risk, Best's Insurance News and Analysis
05/11/2015 Mitigating the Risks of Medical Technology Security, Connecticut Law Tribune
03/16/2015 US State Supreme Court Expands Potential Negligence Liability for HIPAA Violations, TerraLex Connections
08/01/2014 HIPAA 101 for Cosmetic Orthodontic Dentists, Journal of the American Academy of Cosmetic Orthodontics, Summer 2014
04/02/2014 Practice Tips for Mitigating Data-Breach Risk and Liability, Criminal Litigation, American Bar Association Section of Litigation, Spring 2014, Vol. 14, No. 2
01/25/2013 Reining In Mobile App Privacy Practices, Law360
05/14/2012 Feds Step up HIPAA Compliance Audits, Connecticut Law Tribune, Vol. 38, No. 20
02/14/2011 Insurance Coverage for the Computer Age, Connecticut Law Tribune, Vol. 37, No. 7
05/17/2010 Practical Application of Consumer Privacy Laws to Franchised Businesses*
01/27/2009 Make Data Protection A High Priority
01/01/2005 HIPAA Handbook: Implementing the Federal Privacy Rule in a Long-Term Care Setting
11/29/2001 Wiggin & Dana Develops HIPAA Privacy Handbook for Long-Term Care Providers

10.27.2017 Wiggin and Dana Hosts Another Successful Cyber and Privacy Forum
09.22.2017 Six Wiggin and Dana Partners Recognized as New York Best Lawyers 2018
07.24.2017 Wiggin and Dana Partner Interviewed by CNBC's Public Television Nightly Business Report
07.13.2017 Wiggin and Dana Health Care Attorneys Appointed to Leadership Positions
03.29.2016 Cybersecurity Partner Quoted in Law360 Article
10.27.2015 Benchmark Litigation 2016 Highly Recommends Wiggin and Dana
06.30.2015 John Kennedy Featured in Digital Privacy Article
03.30.2015 Wiggin and Dana Partner John Kennedy Publishes Cybersecurity Portfolio in Bloomberg BNA
03.25.2015 Wiggin and Dana Counsel Michael Menapace Testifies to U.S. Senate on Cyber Insurance
02.25.2014 John Kennedy Elected to American Law Institute
08.12.2013 Wiggin and Dana Partner Appointed Advisor of American Law Institute Project
06.04.2012 Leading Information Technology Lawyer Joins Wiggin and Dana
01.05.2012 Wiggin and Dana Health Care Partner Appointed Chairperson of Advisory Committee on Patient Privacy and Security
09.29.2010 Wiggin and Dana Announces New Privacy and Information Security Practice
04.30.2010 Wiggin and Dana Partner Appointed to The Health Information Technology and Exchange Advisory Committee
12.21.2009 Michelle Wilcox DeBarge Interviewed by Part B Insider
10.05.2009 Doctors Win Fight to Keep Records Private
03.10.2005 Michelle DeBarge Quoted in Best Practices Magazine
08.23.2002 HIPAA Attorney Michelle Wilcox DeBarge Quoted in McKnight's Long Term Care News on HIPAA Compliance

10/19/2017 Cyber Breach - When the Worst Happens: Tactical and Legal Responses
09/14/2017 2017 Cyber and Privacy Forum
04/24/2017 Metadata Risks: Scrubbing, Mining, Redacting, Tracking Locations & Protecting Client Information
03/13/2017 The Next Frontier in Security - Working with Business Partners and Vendors
11/16/2016 Bracing for a Breach
06/28/2016 Crack99: The Takedown of a $100 Million Chinese Software Pirate
06/03/2016 Healthcare Risk Management: Cybersecurity
06/02/2016 CRACK99: The Takedown of a $100 Million Chinese Software Pirate
05/30/2016 Cybersecurity M&A - Navigating US & Israeli Regulations
04/08/2016 Hacked: Implications for Privacy and Bioethics in an Era of Big Data
03/11/2016 Protecting Privacy in Behavioral Health Practice
03/07/2016 So, You Want to Fly a Drone?
12/21/2015 Charging Decisions in Cybercrime Cases
12/03/2015 Lessons Learned from Recent Privacy and Security Cases and Settlements
11/17/2015 CRACK99: The Takedown of a $100 Million Chinese Software Pirate
10/02/2015 Cybersecurity Panel
07/22/2015 Technology in Healthcare - How Personalized Health Data Will Save Medicine
05/12/2015 Cybersecurity Panel
04/23/2015 2015 Connecticut Cyber and Privacy Forum
03/25/2015 Privacy and Security of Personal and Healthcare Information in the Workplace (Stamford)
03/18/2015 Privacy and Security of Personal and Healthcare Information in the Workplace (New Haven)
03/04/2015 Cybersecurity: Why You Should Be Up At Night
02/26/2015 Cyber Risks and Considerations for the Marine Insurance Industry
06/17/2014 Fifteenth Annual Institute on Privacy and Data Security Law
05/08/2014 Export Controls in the Cyber Age
04/25/2014 Fifth Annual Connecticut Privacy Forum
04/04/2014 The Connecticut Medicaid Audit: A Survival Guide for Dental Practices
03/12/2014 The Connecticut Medicaid Audit: A Survival Guide for Dental Practices
09/19/2013 Keeping Up with HIPAA: What Will the New Omnibus Rule Mean for Dentists
06/20/2013 HITECH & Cyber Risk
06/18/2013 Negotiating Privacy and Security Contract Terms
06/17/2013 Fourteenth Annual Institute on Privacy and Data Security Law
06/13/2013 HIPAA Omnibus Rule Update and Implementation Collaborative
05/23/2013 HIPAA Omnibus Rule Update and Implementation Collaborative
04/18/2013 Privacy Developments, Requirements and Practical Applications for Corporate Legal Counsel
03/06/2013 HIPAA Updates - New Rule Protects Patient Privacy, Secures Health Information
03/01/2013 Don't Miss the Omnibus!: How to Comply With the New HIPAA Provisions (Hartford)
02/27/2013 Don't Miss the Omnibus!: How to Comply With the New HIPAA Provisions (New Haven)
11/08/2012 Fifth Annual Health Care Compliance and Enforcement Roundtable
06/19/2012 Clouds Without Borders - How to Ensure Privacy and Security in the Cloud
11/15/2011 Healthcare IT: Its Challenges and Opportunities
09/15/2011 Third Annual Connecticut Privacy Forum
07/27/2011 FERPA and Student Privacy Issues
05/21/2011 Building and Sustaining Strong Coalitions - Panel Discussion
07/01/2010 Privacy & Information Security Update
06/08/2010 Highlights of the HITECH Act
04/29/2010 The New HIPAA Rules & Regulations
01/14/2010 Legal and Practical Implications of a Data Breach Incident
11/17/2009 New Federal HITECH Regulation Briefing
11/17/2009 HITECH Overview
11/05/2009 Health Information Technology for Economic and Clinical Health Act (HITECH) Seminar
10/02/2009 Student Privacy Issues, FERPA and Beyond
08/27/2009 National Government Services Medical Review and Red Flags Implementation
01/27/2009 Access to Public Records in the Probate Court - HIPAA, Freedom of Information Act and Beyond
12/16/2008 Protecting Patient Information: Implementing Public Act 08-167 and Preparing for Federal 'Red Flag'
11/07/2007 Law and Electrons: Computers, Copyright, Telecommunications, Privacy and Security on Campus
04/19/2007 Electronic Records and IT Issues: Update on Stark, Anti-kickback and E-discovery Issues
02/24/2005 HIPAA Security Compliance
04/20/2004 HIPAA: Overview and Impact
03/22/2004 2004 Annual Freedom of Information Conference
02/19/2003 HIPAA Overview and Impact, Access of Law Enforcement Officials to Protected Health Information
02/11/2003 HIPAA Implementation For Long-Term Care Providers: The Time Is Now
02/06/2003 HIPAA Audio Conferences
10/29/2002 HIPAA Implementation: Challenges and Solutions
02/26/2002 Getting A Handle on HIPAA: Focus on Long Term Care

Our cybersecurity and privacy services include:

  • Advising clients on compliance with federal privacy and security statutes and regulations, including the FTC Red Flags Rule, Gramm-Leach-Bliley, and the HIPAA Privacy and Security Rules, and with state statutes and regulations on privacy and data protection;
  • Helping clients structure outsourcing transactions, including transactions involving cross-border data transfers;
  • Drafting, reviewing and negotiating agreements with contractors that address privacy and data security issues;
  • Assisting clients in preventing and responding to data mismanagement or data breaches, including implementing breach notification, mitigation, and corrective action strategies;
  • Handling state Attorney General and Federal Trade Commission investigations of alleged data breaches;
  • Handling litigation resulting from alleged data breaches, including class actions;
  • Assisting clients with litigation discovery issues that raise data privacy concerns;
  • Advising institutions of higher education on student privacy issues under FERPA and state law;
  • Conducting or assisting clients with data security risk assessments, audits, and training;
  • Developing or revising privacy and data security policies and procedures, and assisting clients with implementation; and
  • Advising clients on HIPAA compliance and other health care information privacy requirements.

CONNECTICUT   |   NEW YORK   |   PHILADELPHIA   |   WASHINGTON, DC   |   PALM BEACH
© 1998-2017 Wiggin and Dana LLP
wiggin.com