Navigating personal liability: post data-breach recommendations for CISOs

CSO Online

April 29, 2024

By Daniel B. Garrie, Esq. and Richard A Kramer

CISOs can avoid being liable for data breaches by following legal advice, communicating effectively with internal and external stakeholders, and demonstrating commitment to avoid future incidents.

The key to minimizing personal liability for CSOs and CISOs after a data breach is to act responsibly and reasonably. The current state of the law is that those involved in an organization that is threatened or affected by a data breach are expected to react reasonably under the circumstances. To meet this standard, one should engage and follow legal advice, communicate effectively, and demonstrate a commitment to addressing the breach and preventing future incidents. By following these recommendations, CSOs and CISOs can navigate the challenging terrain of a data breach while minimizing their own risk of personal liability.

A data breach can have significant financial, reputational, legal, and emotional implications for an organization, its personnel, clients, and a wide range of others. When a data breach occurs, affected persons become concerned with what may have happened and how it could negatively impact them. Not only is there a real threat to their financial well-being, but there is also a perceived disquieting attack on personal privacy. And beyond those reactions, government regulators as well as politicians often spring into action for a wide range of purposes.

For chief security officers (CSOs) and chief information security officers (CISOs), a breach presents unique challenges, including potential personal liability. While it is rare, personal liability for CSOs and CISOs is not entirely out of the question. In cases where it can be demonstrated that the CSO or CISO acted negligently or failed in their duties, they could potentially be held personally liable. This could result in financial penalties, disqualification from holding director or officer positions, and, in extreme cases, criminal charges.

To read the full article, go to CSO Online

Independent Cybersecurity Audits Are Powerful Tools for Boards

Bloomberg Law

March 11, 2024

By Daniel B. Garrie, Esq.

Board members today increasingly face personal liability for their organization’s cyber posture. This has raised the stakes of attestations and created a need to gain insight into cyber programs.

One of the most effective ways to do so is through independent cybersecurity audits. This essential component of responsible organizational governance can demonstrate proactive leadership and reveal possible blind spots. Cybersecurity audits are also necessary for compliance with regulations that hold the board and C-suite accountable for verifying the efficacy of their company’s cybersecurity program.

Recent Regulations

Growing cyber regulatory oversight is demanding dynamic evidence of compliance. The Securities and Exchange Commission’s 2023 rules on cybersecurity risk governance and public company incident disclosure require boards of directors to oversee corporate cybersecurity management and demonstrate active oversight, while facing personal liability for failures. Public reporting companies must also:

  • Disclose all material cybersecurity incidents within four business days
  • Describe process(es) used to identify, assess, and manage material risks from cybersecurity threats, and their effect on business strategy, results of operations, or financial condition
  • Describe the board’s oversight of cybersecurity risks and leadership’s role in assessing and managing material risks from cybersecurity threats

Another recent example is the New York State Department of Financial Services’ amended cybersecurity regulation, which requires covered entities to conduct independent audits of their cybersecurity programs and integrates cybersecurity into business strategy. Changes include:

  • Additional controls and requirements for more regular risk and vulnerability assessments, along with more robust incident response, business continuity, and disaster recovery planning
  • Updated notification requirements, which include reporting ransomware payments
  • Updated direction for companies to invest in at least annual training and cybersecurity awareness

To read the full article, go to Bloomberg Law

Small Law Firms Must Take Action and Address Cybersecurity and Privacy Regulations

ALM

February 15, 2024

By Daniel Garrie, Esq., Peter A. Halprin, Esq., and Elsa Ramo, Esq.

Cybersecurity and privacy regulations have become increasingly important in recent years due to the exponential growth of technology and the internet. The legal industry, including small law firms, is not immune to these challenges. In fact, small law firms must prioritize cybersecurity and privacy regulations to protect their clients’ sensitive information and maintain their professional reputations. This article explores the reasons why small law firms need to care about cybersecurity and privacy regulations and provides recommended first steps.

Six Reasons Why Small Law Firms Should Be Concerned About Cybersecurity and Privacy Regulations

    1. Ethical Obligations

As legal professionals, lawyers have an ethical obligation to protect their clients’ confidential information. Rules of professional conduct across various jurisdictions emphasize the importance of maintaining client confidentiality and safeguarding client data. Failing to uphold these ethical obligations can lead to disciplinary action.

From social media posts to a third-party vendor who is managing the website to a company processing a credit card payment on behalf of the firm, the lawyer has an ethical responsibility to ensure that all parties that interface with the law firm are operating under strict confidentiality and complying with measures that prevent the disclosure of confidential information.

    2. Legal Obligations

Small law firms may also be subject to privacy regulations, such as the California Consumer Privacy Act (CCPA). Non-compliance with these regulations can result in financially devastating consequences for small law firms.

As noted above, it is not simply a limited duty for the attorney to maintain confidentiality, but rather the attorney and law firm have a legal obligation to ensure that client information is stored in a way that protects privacy. More often than not, small law firms are paperless and store virtually all of their data electronically, so the law firm must ensure that how, where, and who is storing that data is in compliance with applicable law.

To read the full article, go to ALM

SEC’s New Cybersecurity Rules and Protection of Trade Secrets

Law360

Between Disclosure and Discretion: The SEC’s New Cybersecurity Rules and The Protection of Trade Secrets

August 25, 2023

By Daniel Garrie and Bradford Newman

The prevailing wisdom among chief information security officers and cybersecurity professionals has long been that effective cyber preparedness requires shielding threat actors’ visibility into the technical defenses and strategies employed to protect corporate computer systems from unauthorized third-party attacks.

In July, the U.S. Securities and Exchange Commission adopted cybersecurity risk management rules that flip this proverbial script, threatening substantial fines, shareholder lawsuits and the full spectrum of other penalties for regulated companies that do not comply with the newly required broad public disclosures.

In fact, a stated intent of the SEC in promulgating the new rules is transparency that promotes a culture of accountability and vigilance.

The regulatory hope is that this proactive approach will not only lead to better visibility in the public markets but require companies to be more diligent in their cyber preparedness.

Mandates that include disclosure of material cybersecurity incidents — and public descriptions of the processes for assessing, identifying and managing risks from cybersecurity threats — now force companies to show the world, including the threat actors, the specific know-how, processes and methodologies that historically have been most effective in protecting companies from cyber intruders only when kept secret.

This is a paradigmatic shift in the world of cybersecurity.

While the SEC cybersecurity rules have garnered substantial media coverage, little to no attention has been given to how compliance necessarily affects the protection of trade secrets.

This article seeks to start the conversation by highlighting some of the key considerations concerning the intersection of SEC reporting compliance and trade secret protections.

The end goal is to assist the industry with processes that strengthen, rather than compromise, corporations’ abilities to safeguard valuable confidential information.

To read the full article, go to LAW360

Navigating Vendor Cybersecurity Risks

In the face of a progressively interconnected digital landscape, successfully managing the cybersecurity risks posed by vendors is an escalating concern for all businesses.

Cybersecurity Tabletop Exercise for a Multinational Insurance Brokerage Company

L&F has recently hosted a successful cybersecurity tabletop exercise for a multinational insurance brokerage company.

New York DFS Proposed Cybersecurity Regulations

NYDFS issues Proposed Amendments to 2017 Cybersecurity Regulation 23 NYCRR 500, with a 60-day public comment period until Jan 9, 2023.