May 2017

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.

We have just received a revised draft of the Measures on Security Assessment of Cross-border Data Transfer of Personal Information and Important Data (Measures).  Here we outline the changes made to the draft Measures first issued on 11 April 2017 for public comment (see our previous briefing and blog post here). The revised draft is likely to be the final version of the Measures.  The Measures are to take effect on the same day as China’s Cyber Security Law (Cyber Security Law) on 1 June 2017.

In this post, we summarize key facts regarding the WannaCry ransomware attack, provide an abbreviated list of known affected companies, and offer an overview of the legal issues and the response to the attack. This post is an update to our prior coverage of WannaCry.

What could a hacking event mean for directors and officers?

Significant cybersecurity incidents are intensifying and evolving. What are director and officer (D&O) duties to prevent, prepare for and respond to data breaches?

Directors and officers are facing a sophisticated, organized, and motivated adversary in cyber attackers, who are untethered by law, ethics, or fear of capture, and who are supported by a “dark web” of economic infrastructure. Gone are the days when boards of directors only had to mind what the competition was doing to their operations. In the wake of these cyber incidents, the role of the C-suite and board of directors in managing cyber risks has come to the forefront.

Join us on May 23 in Houston, Texas, for an engaging discussion on the threats posed by cyber attackers; the responsibilities of the C-suite and board of directors in preventing, preparing for, and responding to cyber risks; and recent cases that have tried to hold directors liable when cyber events occur.

A large-scale ransomware attack began impacting companies and hospitals across the United States, Europe, and Asia early Friday morning.  According to reports, companies in more than 70 countries have reported incidents as of Friday afternoon.

The attacks are being

On May 11th, 2017, the White House released an executive order on strengthening the cybersecurity of federal networks and critical infrastructure (the “Order”).  The Order marks the administration’s first successful effort to address cybersecurity, after an earlier draft executive order on cybersecurity was postponed in January.

The Order is divided into three substantive sections covering the cybersecurity of federal networks, the cybersecurity of critical infrastructure, and cybersecurity for the nation.