New York Event: Shark Tank – Cybersecurity in the Boardroom

How to pitch, explain, defend and collaborate on cybersecurity

The board demands answers on cybersecurity. We discuss how executives can effectively respond to and collaborate with the board.

Boards have now recognized that their companies, and board members themselves, face operational, financial, legal, and reputational consequences if they fail to address cybersecurity risk. Now, boards are asking company executives to explain the company’s current state of readiness and a plan of action – presenting both a challenge and an opportunity.

Join us on July 11 in New York for an engaging discussion on how to meet the challenge of explaining cybersecurity to boards and leverage the conversation to empower company executives with focus and resources to address cybersecurity risks.

Challenging questions. Practical, insightful answers.


Colorado Division of Securities Adopts Final Cybersecurity Rule

Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain.  On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act.  In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices.  The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.


Target Resolves State Attorney Generals’ Investigation

Data Protection Report - Norton Rose Fulbright

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.

China Amends Draft Regulation on Cross-Border Data Transfer


We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures).  Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is likely to be the final version of the Measures.  The Measures are to take effect on the same day as China’s Cyber Security Law (Cyber Security Law) on 1 June 2017.


WannaCry Ransomware Attack Summary


In this post, we summarize key facts regarding the WannaCry ransomware attack, provide an abbreviated list of known affected companies, and offer an overview of the legal issues and the response to the attack. This post is an update to our prior coverage of WannaCry.


Houston Event: Cybersecurity, Enterprise Risk and the Boardroom


What could a hacking event mean for directors and officers?

Significant cybersecurity incidents are intensifying and evolving. What are director and officer (D&O) duties to prevent, prepare for and respond to data breaches?

Directors and officers are facing a sophisticated, organized, and motivated adversary in cyber attackers, who are untethered by law, ethics, or fear of capture, and who are supported by a “dark web” of economic infrastructure. Gone are the days when boards of directors only had to mind what the competition was doing to their operations. In the wake of these cyber incidents, the role of the C-suite and board of directors in managing cyber risks has come to the forefront.

Join us on May 23 in Houston, Texas, for an engaging discussion on the threats posed by cyber attackers; the responsibilities of the C-suite and board of directors in preventing, preparing for, and responding to, cyber risks; and recent cases that have tried to hold directors liable when cyber events occur.


Large Ransomware Attack Affects Companies in Over 70 Countries

A large-scale ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning.  According to reports, companies in more than 70 countries have reported incidents as of Friday afternoon.

The attacks are being caused by ransomware called “WannaCry,” which quickly moves across systems to encrypt large amounts of computer data.  Ransom demands seen during the current attack have requested Bitcoin amounts that equal between $300 and $600 in return for the decryption key.  According to security researchers, the ransomware exploits a vulnerability in Microsoft’s Windows operating system that was disclosed in an April leak of NSA spying tools. Confirmed targets of the attack include Telefonica, Spain’s largest telecommunications provider, and the National Health System (NHS) in the United Kingdom.

Ransomware attacks are often discovered after computer systems begin malfunctioning or when files suddenly become inaccessible.  Computer forensics experts may be needed to investigate and provide assistance with addressing ransom demands.

Norton Rose Fulbright’s global data protection team is available to assist companies that believe they may be subject to a ransomware attack and to help companies prepare to guard against ransomware attacks. For more information, please visit our website.


Hong Kong: SFC consults on proposed measures to improve cyber security for internet trading of securities in Hong Kong

A two-month consultation on proposed measures to reduce and mitigate cyber security risks associated with internet trading of securities in Hong Kong (the Consultation) was launched on 8 May 2017 by the Securities and Futures Commission (the SFC).

The Consultation follows a recent review by the SFC of the resilience of brokers in Hong Kong to cyber-attacks (such as the hacking of trading accounts, installation of ransomware and denial of service attacks) and is set against a backdrop of the increasing number of cyber security incidents affecting the financial services sector.

For further information please see this post on our Financial services: Regulation tomorrow blog.

White House Issues Cybersecurity Order


On May 11th, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”).  The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January.

The Order is divided into three substantive sections covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure, and cybersecurity for the nation.


Do Promises To Use “Best Efforts” To Protect Data Really Require Unreasonable Action?

In technology vendor contracts, the vendor’s obligations to protect the customer’s data are often hotly negotiated.  The vendor may want to spell out only the data security measures it currently employs, or—at most—agree to implement “reasonable” data security measures.  Given the stakes if sensitive data is breached, though, the customer may insist that the vendor use its “best efforts” to protect its data.  But one rarely sees a “best efforts” clause in a technology contract, especially with respect to data protection.
