Much has been written about the SEC’s interpretive guidance on cybersecurity disclosures, issued in late February, including Commissioner Stein’s statement that it under-delivers for investors, public companies, and the capital markets. As many observers have noted, the Commission largely repackaged the Division of Corporation Finance’s prior October 2011 guidance. Further, because the SEC issued interpretive guidance rather than engaging in formal rulemaking, its pronouncement does not have the force and effect of law and is not accorded such weight in the adjudicatory process.
Posts by: Editorial Board
Today the EU-U.S. Privacy Shield was approved by the EU Member States, which sets the stage for the European Commission to grant final approval to the Privacy Shield as a basis for EU-U.S. transfers of personal data.
This development follows criticisms of the Privacy Shield this past April from the Article 29 Working Party, an advisory group composed of the EU privacy regulators. We summarized the primary criticisms in a prior blog post. The Working Party was responding to the draft adequacy decision that was released by the European Commission on February 29, 2016, which we summarized here. The revisions to the Privacy Shield are intended to address the Working Party’s criticisms, but it is not yet clear whether those criticisms have been fully addressed.
October ordinarily brings the return of crisp air, fall foliage, and Halloween. This year, for the first time, it also brings National Cyber Security Awareness Month. Yet designating a month to increase cybersecurity awareness seems redundant. We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace. Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide. These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).
The American health care industry is under attack by sophisticated hackers seeking access to electronic medical records. Since January, three health insurers have announced major data breaches involving millions of records, with the largest one at Anthem Inc., involving nearly 80 million records. There have been dozens of smaller breaches as well. According to statistics kept by the U.S. Department of Health and Human Services, in 2009 the health care sector experienced 18 data breaches involving 500 or more individuals. In the first three months of 2015, more than 50 such breaches were reported.
In a stunning victory for the former Goldman Sachs programmer, New York State Justice Daniel Conviser threw out Sergey Aleynikov’s jury conviction on state law charges that he stole intellectual property from Goldman. Trade Secrets Watch has extensively covered this story, most recently reporting the start of Aleynikov’s new trial, but missing out on a (later-dismissed) juror’s tale of an errant avocado.
There has been no recent shortage of high-profile cyberattacks and data breaches leaving businesses with millions of dollars in losses. Verizon’s 2015 Data Breach Investigations Report counted 79,790 security incidents (including 2,122 confirmed data breaches) in the last year alone. If you’re a business that stores information electronically—that is, if you’re any business at all—you’re probably sufficiently worried about cyber threats just by reading the news. But if you haven’t fully appreciated the seriousness of the problem yet, the insurance industry is happy to help. As one insurer warns in its marketing materials, “many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when.” Sufficiently terrified of cyber threats? Don’t worry—these same insurers will let you know they offer coverage that will help mitigate your risk. As one insurer puts it, “when a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.”
When you, as a policyholder, give an insurance company notice of a claim, the insurance company often will send a “reservation of rights” letter—especially where there are complex liability claims—preserving its right to give you a coverage decision after it investigates the claim (that is, if it doesn’t accept or deny the claim outright). These letters usually include lengthy lists of coverage defenses the insurance company reserves the right to assert and questions that it wants you to answer. Many policyholders are naturally overwhelmed by the questions and have no idea how to respond. But respond you must. And how you respond has the potential to make or break your claim. Luckily, common sense and some simple rules are usually enough to make sure your claim survives this early hurdle.
The insurance company’s questions often pose three problems. First, they may seek information solely to enable the insurance company to deny coverage, often on grounds that the notice was late. Questions such as “When did you know that there was a problem?” seek to gain information to enable the insurance company to deny coverage on the basis that you failed to notify them timely of the problem. But you must remember that you are under no obligation to give the insurance company information that it can use to defeat coverage. You should provide information adequate to describe the nature of the claim, but it is the insurance company’s obligation to figure out how to defeat coverage.
Declaring cybercrime a “national emergency,” President Obama today empowered Treasury to freeze assets that are the fruits of cybercrime, according to an Executive Order issued this afternoon. The agency can block money or property in the United States or in the control of any United States person determined to have engaged in “cyber-enabled activities” originating or directed from outside the United States. Targeted activities include harming computer networks in critical infrastructure sectors; significantly disrupting a computer network; or causing significant misappropriation of trade secrets and other protected information. The EO also enables seizure of money or property of any persons involved in misappropriating trade secrets by “cyber-enabled means” that impact the national security, foreign policy, or economic health or financial stability of the United States.
TSW is tracking the EO and will report further developments.
This marks the inaugural “Five Minutes With” feature that Trade Secrets Watch will run occasionally. These will be question-and-answers with notable figures in the trade secrets world.
TSW got a chance to sit down with UC Hastings College of the Law professor and Liberty, Security & Technology Clinic founder Ahmed Ghappour. He had a lot to say about trade secrets, cybersecurity, and encrypting “all the things.”
TSW: Ahmed, TSW is dying to know what you’ve been up to lately in the world of economic espionage. What’s the inside scoop?
One of the biggest challenges the cyber-security field faces today—aside from outright hacking—is the fact that employees’ data is increasingly portable. Data portability can be a major boon for employers. For instance, it may allow an employer to offer its employees the ability to work remotely (something that can improve employees’ work/life balance, or could be a reasonable accommodation for an employee’s disability). However, data portability can also present major risks for an employer, particularly if an employee stands to profit from misuse of that information.