Mark Mermelstein, a trial lawyer with more than 20 first-chair trials, specializes in white collar criminal defense and complex litigation. He is also Global Co-chair of the firm’s Cyber, Privacy & Data Innovation practice.
Mark Mermelstein, a trial lawyer with more than 20 first-chair trials, specializes in white collar criminal defense and complex litigation, particularly in technology-related matters. He also handles Cybersecurity, Privacy, Litigation and Enforcement matters.
Mark focuses his work representing corporations and individuals facing allegations of securities fraud, healthcare fraud, environmental crimes, violations of the Foreign Corrupt Practices Act (FCPA) and the False Claims Act, mail/wire fraud, and embezzlement.
Mark also focuses on asset recovery for corporate crime victims such as those victimized by cybercrime, including theft of trade secrets, hacking, counterfeiting and other business crimes. In this regard, Mark routinely leads data breach and cybersecurity incident response efforts, as well as proactively advises on data breach mitigation strategies.
Mark has written many articles and has spoken extensively on many aspects of his practice. A frequent commentator on matters related to white collar crime, he has been recommended by Legal 500 in both White Collar Criminal Defense and Cybersecurity.
Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award-winning blog Trust Anchor.
Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But we don’t just report on these events; we highlight key takeaways and what these developments mean for you.
On May 10, 2016, the United States Department of Treasury (Treasury) became the latest federal agency to highlight the importance of cybersecurity in the financial services industry. In its white paper, which follows last year’s request for information to the online marketplace lending industry, Treasury addressed the opportunities and challenges of technological advancements and data availability that have driven change to the way in which consumers and businesses secure financing.
In June 2015, Canada made significant amendments to its data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). These amendments to PIPEDA will require businesses to inform the Canadian Privacy Commissioner of certain data breaches, provide notice to affected individuals and maintain a log of any breaches of their cybersecurity safeguards. Regulations implementing the amendments are being developed and we expect, with a new government in place, to see something soon.
With the most significant of cyberattacks resulting in millions of dollars in costs, irreparable damage to a company’s brand, and key executives getting fired, organizations must begin to prepare for what most experts think is the inevitable breach. And yet, when it comes to cybersecurity, many still think of it like physical security: a matter for professionals to handle by fencing in a campus perimeter, putting the most important entry points under lock and key, and assigning someone to monitor the video surveillance.
But cybersecurity does not work like physical security. In “The Cybersecurity Playbook: Building Effective Attack and Breach Preparedness,” a chapter of “Understanding Developments in Cyberspace Law: Leading Lawyers on Analyzing Recent Trends, Case Laws, and Legal Strategies Affecting the Internet Landscape,” we explore strategies to reduce the likelihood of a breach and, more importantly, to mitigate the harm, whether reputational, legal, or the key job losses that all too often arrive in the wake of a data breach.
For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signals the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company, R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”), to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.
First rule of thumb in trade secrets litigation? A trade secret must be kept secret. It is painfully obvious, but modern practitioners must not grow complacent due to the convenience of electronic filing. Although trade secrets law does not command absolute secrecy, a recent e-filing snafu in HMS Holdings Corp. v. Arendt offers a cautionary tale from New York on how one botched upload could jeopardize a client’s most prized possession.
As many companies are considering purchasing cyber insurance, they often wonder: “Will my insurer be there when I have a data breach?” Cyber insurers have generally been good in paying claims. But the recent lawsuit featured in this Orrick Client Alert demonstrates that as the landscape evolves, insurers may refuse to cover breach costs by arguing that insureds failed to meet “minimum requirements” for cybersecurity. Tending to cybersecurity policies and procedures before breaches occur is more important than ever. For more insight on how to avoid facing the loss of cyber insurance coverage just when you need it most, keep reading.
The fact that data breaches are becoming a routine occurrence in the life of a business is no surprise considering the drastic increase over recent years in the volume of data that companies maintain. While routine, breaches are nonetheless an extremely costly part of doing business. According to a 2014 research report by the Ponemon Institute, the average cost of post-breach activities is $1.6 million, with the average cost of lost business an astounding $3.2 million. Since some form of a data breach incident is highly likely, one solid defense is to create a written information security program (WISP). However, a WISP must be more than mere words on paper. In order to create an effective program, a company must comply with its WISP, in conjunction with other measures. And the company’s compliance efforts should be led by top executives in order to underscore the importance of the security issues involved.
On Feb. 3, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released reports regarding cybersecurity issues for brokerage and advisory firms, both of which should be considered required reading for chief information security officers, chief information officers, legal teams and anyone else responsible for managing cybersecurity risk. These reports highlight best practices for managing cybersecurity risk and areas for potential improvement, and should encourage firms to consider further investments in cybersecurity because, as FINRA specifically points out, it “expects firms to consider the principles and effective practices presented in the report as they develop or enhance their cybersecurity programs.” As a result, firms should anticipate that elements covered in the reports will be benchmarks for measuring the effectiveness of a firm’s cybersecurity program in any enforcement action brought by either the SEC or FINRA.
* Reprinted with permission from Bloomberg BNA Privacy & Security Law Report, April 6, 2015