A DFARS final rule (Nov. 18, 2013) on the safeguarding of unclassified, controlled technical information requires contractors, among other things, to report within 72 hours of discovery any “cyber incident” (an action that results in an actual or potentially adverse effect on an information system and/or the information residing therein), preserve relevant data for at least 90 days, conduct an internal review of its network for evidence and extent of any compromise of data, cooperate with DoD “damage assessments,” and flow the clause down to subcontractors (even for commercial items) — all at the contractor’s own cost. Given the rampant intellectual property and technology losses due to cyber espionage and other thefts documented in Congressional hearings, intelligence assessments, and industry reports this year, these DFARS requirements will apply additional pressure upon contractors to amend their existing compliance policies and procedures to address how to respond to a cyber incident and comply with these regulations.
In the Fall issue of the American Bar Association’s Criminal Justice Magazine, I write about the recent developments in the regulation of virtual currencies. The Federal Government recently indicted several administrators of Liberty Reserve, a virtual currency, for money laundering. This appears to be only the beginning of heightened scrutiny for virtual currencies like Liberty Reserve and Bitcoin. The Department of the Treasury’s Financial Crimes Enforcement Network, or “FinCEN,” has recently issued guidance for the operators and users of virtual currency, which I analyze and explain. Virtual currencies are in the news every day, and understanding the mechanics of how they work and how they’re regulated is an important first step in assessing whether they fit your company’s needs.
With initial approval in the European Parliament civil liberties committee (the so-called LIBE Committee), the EU is moving ahead with overhauling its existing 15-year-old Data Protection Directive, replacing it with the General Data Protection Regulation (GDPR). The European Commission introduced the draft GDPR in January 2012 and seeks to harmonize regulations across the 28 member-states, replacing varying national laws with a single, consistent regulation on data handling and individual rights.
This new regime could fundamentally change the privacy and data transfer practices of every large company operating in Europe or offering goods or services to data subjects in Europe, the flows of data within financial services and other firms, and the business practices underlying internet products, cloud computing, or social networks offered to European consumers.
With the HIPAA Final Rule now in place, business associates as well as subcontractors must comply with the entire Security Rule (among other aspects of HIPAA) and face direct liability for the failure to do so. Some entities may be surprised to learn they are subject to HIPAA given the recently expanded definition of “business associate.” Even for entities that are aware of HIPAA generally, there are complex legal and practical issues to consider when designing and implementing a HIPAA-compliant privacy and security program. Please join Jeff Poston, Robin Campbell, and Elliot Golding for a complimentary webinar addressing these and other issues related to the Omnibus HIPAA Final Rule, including:
• HIPAA applicability to Business Associates under the final rule
• Regulatory reasons for compliance
• Business benefits of compliance
• Implications for breach response
• Importance of training
• And more, including your questions
The 90-minute webinar will take place on Tuesday, November 12, 2013 at 1 pm Eastern. Registration is available here.
Adding another building block to implementation of the President’s cybersecurity executive order issued in February 2013, the Department of Commerce’s National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework on October 22, 2013. As discussed in greater detail in the attached Bullet Analysis by David Bodenheimer, Evan Wolff, and Eliot Golding, this framework has major implications not only for companies operating in the various critical infrastructure sectors (e.g., defense industrial base, information technology, banking, energy, chemical, and critical manufacturing), but also for government contractors that may see the framework’s impact upon future revisions to the FAR’s cybersecurity requirements.
A California appellate court recently dismissed a putative class action alleging that UCLA violated the California Confidentiality of Medical Information Act (CMIA) when an employee lost an encrypted hard drive containing 16,000 patient records. The court concluded that the plaintiff’s claim—which sought a whopping $16 million based on $1,000 in nominal damages for each record—failed to allege that any “release” to a third party actually occurred. Although the decision ostensibly applies only to the CMIA, it has potential broader implications for entities defending class actions seeking damages for data breaches. To read the full blog post, please click here.
On October 1st, I attended an all-day series of presentations hosted by Huron Legal Institute and Sandpiper Legal LLP in New York, which included several leading federal jurists and well-regarded practitioners offering their insights.
The event featured five hypothetical cases covering a range of topics, with attorneys appearing before one or more of the judges to conduct a mock discovery conference or to argue motions. This structure proved to be an engaging means of discussing the issues, and the more astute members of the audience recognized that a couple of the scenarios were drawn from recent cases, including the Biomet case that I discussed a few months ago and Pippins v. KPMG, which we posted about last year. The format also played to the judges’ strengths, allowing them to tease out issues and express their opinions. While the discussion was “off the record”, I will discuss the overall themes and provide some highlights (without attribution) of the discussions of predictive coding and proposed amendments to the Federal Rules on proportionality and preservation.
As cyber threats continue to escalate sharply, Congress confronts a host of daunting tasks for bolstering cybersecurity, such as: balancing security while maintaining privacy; enhancing public-private partnerships while keeping information safe; and assuring accountability while maintaining flexible and agile security standards. At noon on November 7, staff members from four Senate and House committees will discuss Congressional initiatives, oversight, and challenges relating to cybersecurity.
Please join us and register here: http://www.americanbar.org/content/dam/aba/administrative/science_technology/cyberonthehill.authcheckdam.pdf
In January 2012, the European Commission published its proposal for a general Regulation on data protection, which would apply directly in all EU Member States (see our newsletters from February 28, 2012, July 12, 2012, and January 22, 2013). The new Regulation should replace the current Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the various national laws implementing this Directive.
The Commission’s proposal meanwhile has been extensively discussed within the European Parliament and the Council, thousands of suggested amendments to the original text have been made, and lobbyists and interest groups are working overtime.
Document review often is the most expensive component of discovery in large, complex cases. Wouldn’t it be great if you could shift that cost to the party that requested the documents, along with the burden of performing the tedious, time-consuming review? Well, maybe you can. A federal magistrate judge in the Northern District of Florida recently did exactly that.
In FDIC v. Brudnicki, No. 5:12-cv-00398, 2013 WL 2948098 (June 14, 2013), the FDIC, as receiver for a bank, sued eight of the bank’s former directors, including one officer. The defendants moved to compel documents from the FDIC and sought sanctions against the FDIC “for delaying discovery.” Id. at *3. The FDIC had “agreed to produce responsive documents under a proposed protocol.” Id. at *4. The court observed, however: “The parties sharply disagree on the method of production and the ESI protocol.” Id.