Eversheds Sutherland Cybersecurity and Privacy Insights Blog

FERC Clarifies FAST Act Regulations and Proposes Rules on Geomagnetic Disturbance Events

FERC has clarified its regulations implementing the Fixing America’s Surface Transportation Act (FAST Act) related to Critical Energy/Electric Infrastructure Information (CEII). In Order No. 833-A, issued May 17, 2018, FERC clarified that it would consider “public safety benefits” in evaluating a request for CEII, and that its CEII Coordinator may solicit input from affected parties in evaluating a request. FERC also clarified that its CEII Coordinator may consider on a case-by-case basis requests for additional terms for non-disclosure agreements (NDAs) that must be signed before a...

Protecting your assets Block and tackle—unclaimed property and cryptocurrency

As promoters of cryptocurrencies and digital-asset exchanges face intense scrutiny from tax, securities and other financial services regulators, they will soon have to contend with unclaimed property (or escheat) laws in the United States. This article explores how these laws could apply to cryptocurrency exchanges, hosted wallets, and other market participants, such as banks, broker-dealers and vendors, who are eager to gain a strategic foothold in this burgeoning market. Since 2017, four states have enacted new escheat laws that specifically address cryptocurrency, and several other states...

It’s a material world—why the SEC’s Yahoo! penalty really matters

Determining whether to notify when struck by a cyberattack can be a complex undertaking, but the SEC’s recent $35 million penalty levied on Yahoo! Inc. for untimely disclosure of its breach raises the stakes for corporations. The need for a proactive, well-thought-out regulatory notification strategy, and an awareness of the dangers of default non-disclosure positions, has never been greater. SEC guidance requires that organizations “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.” There is no bright-line rule...

A paradise for data privacy advocates—Bermuda’s privacy law now in full effect

With enactment of the Personal Information Protection Act (PIPA), Bermuda can now count itself among the ever-expanding list of jurisdictions with enhanced privacy protections. PIPA, which was passed on July 27, 2016, and entered into force in December 2017, shares many of the more stringent requirements and protections with Europe’s impending General Data Protection Regulation (GDPR), which indicates a growing, global trend towards stepped-up privacy regimes. That said, as much as there are similarities between the regulations, there are important differences, especially for those companies which...

Hospitals’ Response to Data Breaches May Be Impacting Patient Health

A study presented last week at the 4A Security and Compliance Conference in Philadelphia found an increase in a common measure of mortality rates at hospitals following data breaches. However, there did not appear to be any correlation between the type of breach or the number of records affected by the breach, leading the researchers to conclude that it was the response to the breach, and not the breach itself, that led to the higher mortality rates. This may be an indication that clamp-downs on security made it more difficult for hospital staff to provide the same level of care as they had...

Indictment in Massive Iranian Cyberbreach Shows Companies Still Vulnerable

If general counsel fear their companies are vulnerable to cyberattacks from far afield, they have good reason. An indictment unsealed Friday details how hackers hired by the Iranian government broke into computer systems of at least 36 U.S. companies, including technology firms, banks, media companies and a law firm. Learn...

Eversheds Sutherland launches BreachLawWATCH mobile app

We are pleased to announce the release of BreachLawWATCH, a unique mobile app that provides easy, consistent access to data breach statutes across the United States and a growing number of jurisdictions, including Europe and Asia. Easy-to-use functionality enables users to find specific and relevant state and global breach notification regulations at their fingertips. Learn more.

NERC and power company reach settlement on violations of cybersecurity standards

A power company has reached an agreement with the North American Electric Reliability Corporation (NERC) to pay $2.7 million for violations of a cybersecurity reliability standard. This violation resulted from the online exposure of the company’s data due to a vendor’s mishandling of the data, allowing unrestricted third-party access to 30,000 asset records. The violation posed a “serious” risk to the reliability of the bulk power system because it allowed physical and remote access to the power company’s network. This case highlights the need for supply chain management and sufficient...

Today’s cybersecurity strategies are “not sufficiently robust or scalable,” Nuclear Threat Initiative says

“The cyber threat to nuclear facilities is serious, but the challenge going forward is evident,” Dr. Page Stoutland, NTI vice president of scientific and technical affairs, said in the post. “Threats and vulnerabilities will continue to mount. Today’s strategy is not sufficiently robust or scalable, and a high level of cybersecurity may never be compatible with current nuclear plant business models. Governments, regulators, facility operators, vendors, and experts need to accelerate our efforts to develop new approaches that can scale to the threats of the future. Learn...

About face: court finds biometric information creates unique privacy rights

A recent decision from a California federal court increases the risks to companies that use biometric information and reinforces the need to strictly comply with the requirements of biometric protection statutes. Key Takeaways: The suit arises from the Illinois Biometric Information Privacy Act (BIPA), which governs the collection, storage, and use of biometric information, including fingerprints, retina or facial recognition scans, or photographic likenesses, that can be used to identify an individual. BIPA provides for a private right of action, statutory damages, and attorneys’ fees, and...

The SEC wants companies to talk about cybersecurity

On February 21, 2018, the Securities and Exchange Commission issued an interpretive release providing important guidance to certain registrants on cybersecurity disclosure. The guidance makes clear its view that material risks or incidents related to cybersecurity fall within a company’s ongoing obligation to disclose material information in current and periodic reports. The guidance also expands on disclosure controls and procedures, insider trading and selective disclosures. The decision to release this guidance underscores a heightened focus on cybersecurity and serves as a reminder to...

Helping it click into place – Our monthly Asia cybersecurity update

During 2017, cyberattacks continued to evolve and grow in sophistication, exploiting both previously unidentified vulnerabilities and known vulnerabilities in new ways. Ransomware attacks such as Petya and WannaCry put critical functions across the world and across industries on hold, while the Mirai botnet attack, unleashed in late 2016, highlighted the increasing vulnerabilities of networked Internet of Things (or IoT) devices. Learn...

Insurers May Not be Able to Avoid Blockchain, Virtual Currencies ‘Sweeping Through Industry’

Virtual currency, such as bitcoin, is an unregulated digital form of currency that can be used as a substitute for legally recognized currency and eliminates the so-called “middle-man,” which includes banks and clearing houses. Learn more.

DOE Creates Cybersecurity Office

The Department of Energy (DOE) has created a new office for energy security and cybersecurity. The Office of Cybersecurity, Energy Security, and Emergency Response (CESER) will work on energy infrastructure protection and DOE’s role in national security. As Secretary of Energy Rick Perry noted in his statement regarding the creation of the office, “DOE plays a vital role in protecting our nation’s energy infrastructure from cyber threats, physical attack, and natural disaster, and as secretary, I have no higher priority…This new office best positions the department to address the...