Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just like getting in shape or starting that diet, NOW is the time to get started on finally enacting a plan to not only address risks and compliance requirements, but identify opportunities that lie within your company’s data.

In this quick-moving and engaging session, “10 Privacy and Security Resolutions in the New Year,” Taft’s Privacy and Data Security attorneys Scot Ganow, Zenus Franklin, and Jordan Jennings will review the legal and security landscape and provide you with a plan to get started on finally managing those obligations.

Topics include:

  • An update on the current privacy and regulatory risk landscape.
  • Universal best practices for sound data governance.
  • A practical set of tools to complement your current practices.

Just. Get. Started. Register today!

With the recent shift to a remote or hybrid workplace and advancements in technology, there are increased privacy concerns for employee information as well as employer liability for data breaches. There are important legal concerns for employers to understand about employee privacy issues. In addition, companies must have a plan to safeguard company and employee data and minimize the risk of a data breach.

Join Taft Law on July 28 at 12:00 pm ET for a discussion of the practical and legal implications of employee privacy and data security, including:

  • Establishing clear guidelines, expectations, and training for your employees regarding data security and privacy.
  • Policies and best practices for remote work.
  • Employee rights over their personal data.
  • BIPA compliance: policies, practices, disclosures, and releases.
  • Incident response plans and how to better manage the risk of data breaches.

Presented by Taft lawyers: Carolyn Davis, Scot Ganow, and Daniel Saeedi.

One hour of SHRM professional development credit and CLE credit for Illinois, Indiana, Kentucky, Minnesota, and Ohio pending.

Register here.

The U.S. Department of Defense published its Network Penetration Reporting and Cloud Computing Services regulations as an interim rule in August 2015 and updated them in December 2015. Watch this new webinar replay at your convenience to learn about the regulations, how they may impact your business, and the concerns of industry groups. Click HERE to watch the webinar in its entirety.

 

An incident response plan can lead to a better roadmap for securing cost-effective cyber liability insurance and, consequently, lower costs associated with a data breach.

The adoption of an incident response plan is a major indicator to underwriters that an organization is sophisticated and understands that incidents do occur regularly within firewall perimeters and that the organization has an early detection, containment and eradication plan in place to manage incidents, thus protecting data more effectively.

Early detection minimizes the time that an intruder can spend inside the system and limits the access to critical data, which, in turn, minimizes the resulting fraud and identity theft loss. In addition, implementation of an incident response plan is indicative of senior stakeholder endorsement of a culture of security within the organization, which is a key focus of underwriters’ current examinations.

Learn:

  • How to Create an Incident Response Plan.
  • How an Incident Response Plan Can Reduce Your Cyber Insurance Costs.
  • How Having an Incident Response Plan Can Assist with Risk Shifting Strategy in Obtaining Effective Cyber Liability Coverage.

Register by clicking here. Instructions on how to access the webinar will be emailed to registered attendees prior to the date. For more information, contact Kathy Major, Director of Marketing, at (216) 706-3958 or kmajor@taftlaw.com

On Oct. 29, 2014, the United States Food and Drug Administration (FDA) held a webinar on its Final Guidance “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” According to the FDA, the webinar seeks to explain the guidance and provide a forum for stakeholders to ask questions.

Issued on Oct. 2, 2014, the FDA’s cybersecurity guidance sets out a number of voluntary, non-binding recommendations designed to help medical device manufacturers identify relevant cybersecurity issues that should be considered in the design and development of their medical devices. The FDA’s guidance gives further direction to manufacturers in the form of recommendations to document potential cybersecurity risks in premarket submissions, along with the measures and controls implemented by a manufacturer to mitigate those risks.

The guidelines are applicable to a wide range of premarket submissions and include medical devices that contain software, or are themselves software. Among others, the FDA specifies that 510(k)s, de novo submissions and Premarket Approval Applications (PMAs) are covered by the guidance. Importantly, this framework covers mobile medical applications that are subject to FDA clearance (via a 510(k), for example). In light of new smartphone and wearable-based technologies and the projected growth in the number of mobile medical applications, developers of those apps should be mindful of the new guidance and its recommendations.

The FDA’s guidance has two principal themes. First, as part of a manufacturer’s design and development process, the FDA encourages manufacturers to create a set of cybersecurity controls designed to maintain device functionality and safety, based upon the intended use of the device. Consistent with the Quality System Regulation (QSR), the FDA instructs that an appropriate plan to identify and manage potential cybersecurity risks includes the following elements:

  • Identification of assets, threats and vulnerabilities.
  • Assessment of the impact of threats and vulnerabilities on device functionality and end users/patients.
  • Assessment of the likelihood of a threat and of a vulnerability being exploited.
  • Determination of risk levels and suitable mitigation strategies.
  • Assessment of residual risk and risk acceptance criteria.

Second, the FDA’s guidance sets forth recommendations for manufacturers to document their respective consideration of cybersecurity risks, as well as their implementation of controls designed to safeguard the integrity of the device software. In particular, the FDA encourages manufacturers to include the following information in a premarket submission for an applicable medical device:

  • Hazard analysis of cybersecurity risks.
  • Traceability matrix linking cybersecurity controls to identified cybersecurity risks.
  • Summary of the manufacturer’s plans for providing software updates and patches.
  • Summary of the controls implemented by the manufacturer to assure the integrity of the medical device software until it leaves the manufacturer’s control.
  • Relevant instructions for use related to the device’s cybersecurity controls.

Biometrics continue to be a hot issue and one primed for litigation and related liabilities. We in the Privacy and Data Security Practice are happy to share this upcoming Taft webinar, which will include a discussion on BIPA class action risks. Join our colleagues from Taft’s Litigation Practice on April 15th.

Time: 12 p.m. – 1:15 p.m. EST
Register HERE.

Continue Reading Taft Takeaways: Class Action Insights and Updates

On Nov. 4, 2021, the U.S. Department of Defense (DoD) announced that it is suspending the current iteration of the Cybersecurity Maturity Model Certification program (CMMC) in order to streamline the size and scope of required administrative, technical, and physical controls for businesses contracting with DoD. Originally, CMMC was designed to take full effect in 2025 by requiring every defense contractor responsible for processing controlled unclassified information (CUI) to obtain certification from an approved third-party auditor indicating satisfaction of one of five levels of certification. Implementation of CMMC is now halted until DoD has completed a revision to the program intended to strategically meet the needs and capabilities of industries conducting business with the government. As the Office of the Under Secretary of Defense described it, the goal is to make cybersecurity requirements “streamlined, flexible, and secure.”

In its place, DoD intends to promote CMMC 2.0, which will reduce the certification model from five levels to three. CMMC 2.0 will remove the additional maturity processes and practices added under the initial program and rely primarily on the requirements set forth in NIST SP 800-171. Contractors required to meet Level 1 (foundational, with 17 required cybersecurity practices drawn from FAR 52.204-21) will be able to self-attest satisfaction of the associated requirements through an annual self-assessment. Level 2 (advanced, with 110 required practices aligned with NIST SP 800-171) will take a bifurcated approach to certification: priority contracts will require a third-party assessment, while a subset of non-priority contracts will allow annual self-attestation. In the coming weeks, DoD will announce the approach for Level 3 (expert, with more than 110 required practices, adding a subset of NIST SP 800-172 requirements on top of the Level 2 set), which will likely be subject to government-led assessment as well as heightened requirements.

Continue Reading See ya, CMMC. Hello, CMMC 2.0: DOD Announces Suspension of Current Information Security Certification Program

There are several helpful resources for contractors looking to comply with the National Institute of Standards and Technology (NIST) Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” To help contractors meet the requirements, NIST recently issued NIST Handbook 162, entitled “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.” The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171, Revision 1.

Each assessment procedure consists of an assessment objective and a set of potential assessment methods and assessment objects that can be used to perform the assessment. Each assessment objective includes one or more determination statements related to the CUI security requirement that is the subject of the assessment, traced back to SP 800-171. Applying an assessment procedure to a security requirement produces assessment findings, which are used to determine whether the security requirement has been satisfied.

“Assessment objects identify the specific items being assessed and can include specifications, mechanisms, activities, and individuals. Specifications are the document-based artifacts (e.g., policies, procedures, security plans, security requirements, functional specifications, architectural designs) associated with a system. Mechanisms are the specific hardware, software, or firmware safeguards employed within a system. Activities are the protection-related actions supporting a system that involve people (e.g., conducting system backup operations, exercising a contingency plan, and monitoring network traffic). Individuals or groups of individuals are people who apply the specifications, mechanisms, or activities described above.”

The assessment methods define the nature of the assessor’s actions and include examine, interview, and test. The assessor examines specifications, interviews individuals, or tests mechanisms and activities, applying one or more of these methods to the relevant assessment objects. Any security requirements that are deemed non-applicable are noted in the system security plan. Each CUI security requirement is then deemed either satisfied or other than satisfied based on the findings and evidence produced during the assessment. Contractors will be able to claim compliance with the security requirements specified in SP 800-171 using the procedures in SP 800-171A.

So how does it work? Each security requirement is assessed by some combination of examine, interview, and test. For example, security requirement 3.1.4 involves separation of duties, and its determination statement 3.1.4[a] asks whether the duties of individuals requiring separation have been defined. Potential assessment methods and objects include examining policies and procedures, interviewing personnel, and testing the mechanisms (for example, role and privilege assignments) that implement the separation of duties to confirm they exist and actually keep conflicting duties apart. For assessment findings other than satisfied, contractors may choose to define subcategories of findings to indicate the severity or criticality of the weaknesses or deficiencies discovered and the potential adverse effects on the contractor. “Defining such subcategories can help to establish priorities for needed risk mitigation actions. Organizations may also choose to employ a more granular approach to findings by introducing a partially satisfied category for assessment.”
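The “test” method for 3.1.4 is worth making concrete, because an examine-only assessment (reading the separation-of-duties policy) misses the common failure: a person who holds two conflicting duties through a group membership nobody looked at. The script below is an added example written for this post, not material from NIST SP 800-171A or Handbook 162; the duty names, role-to-duty mapping, group memberships, users and conflict pairs are all constructed for illustration. It resolves each user’s effective duties through direct roles and group-inherited roles, flags any user holding a conflicting pair, and maps the result onto an SP 800-171A style finding of “satisfied” or “other than satisfied.”

```python
"""Separation-of-duties test (NIST SP 800-171 requirement 3.1.4) over
role assignments.  Added example: users, roles, groups, duties and the
conflict pairs are constructed for illustration and are not taken from
NIST SP 800-171A or NIST Handbook 162."""


# Constructed: pairs of duties that one individual must never hold together.
# frozenset so that (a, b) and (b, a) describe the same conflict.
CONFLICTING_DUTIES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"request_access", "grant_access"}),
    frozenset({"develop_code", "deploy_production"}),
    frozenset({"manage_audit_log", "administer_system"}),
}

# Constructed: what each role lets its holder do, as an IdM export might show.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor"},
    "ap_manager": {"approve_payment"},
    "helpdesk": {"request_access"},
    "iam_admin": {"grant_access"},
    "developer": {"develop_code"},
    "release_eng": {"deploy_production"},
    "sysadmin": {"administer_system"},
    "auditor": {"manage_audit_log"},
}

# Constructed: groups that bundle roles.  Group-inherited roles are the
# usual way a conflict slips past a policy-only review.
GROUP_ROLES = {
    "finance_all": {"ap_clerk"},
    "platform": {"developer", "release_eng"},
}


def effective_duties(user, user_roles, user_groups):
    """Union of duties from the user's direct roles and group-inherited roles."""
    roles = set(user_roles.get(user, set()))
    for group in user_groups.get(user, set()):
        roles |= GROUP_ROLES.get(group, set())
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def find_sod_violations(user_roles, user_groups):
    """Return {user: [sorted conflicting duty pairs]} for every user whose
    effective duties contain at least one conflicting pair."""
    violations = {}
    for user in sorted(set(user_roles) | set(user_groups)):
        duties = effective_duties(user, user_roles, user_groups)
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_DUTIES if pair <= duties]
        if hits:
            violations[user] = sorted(hits)
    return violations


def assess_3_1_4(user_roles, user_groups):
    """Express the test result as an SP 800-171A style finding: the
    requirement is 'satisfied' only when no individual holds a conflicting pair."""
    violations = find_sod_violations(user_roles, user_groups)
    finding = "satisfied" if not violations else "other than satisfied"
    return {"requirement": "3.1.4", "finding": finding, "violations": violations}


# Constructed sample: alice is ap_manager directly and inherits ap_clerk via
# finance_all; carol has no direct roles but 'platform' bundles develop and
# deploy.  bob and dave are clean.
SAMPLE_USER_ROLES = {
    "alice": {"ap_manager"},
    "bob": {"helpdesk"},
    "carol": set(),
    "dave": {"sysadmin"},
}
SAMPLE_USER_GROUPS = {
    "alice": {"finance_all"},
    "carol": {"platform"},
}

if __name__ == "__main__":
    result = assess_3_1_4(SAMPLE_USER_ROLES, SAMPLE_USER_GROUPS)
    print(f"3.1.4: {result['finding']}")
    for user, pairs in result["violations"].items():
        print(f"  {user}: {pairs}")
```

Run against the constructed sample, the finding is “other than satisfied” because alice can both create a vendor and approve a payment, and carol can both write code and deploy it to production; neither conflict is visible from the direct role assignments alone. In a real assessment the two dictionaries would be populated from the directory or IdM export, and the conflict set from the contractor’s own separation-of-duties policy (the artifact the “examine” method reviews), which is what ties the test finding back to determination statements 3.1.4[b] and [c].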

Here are some additional links:

  • DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting, available here;
  • NIST SP 800-171, Revision 1 – Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, available here;
  • Draft NIST SP 800-171A – Assessing Security Requirements for Controlled Unclassified Information, available here;
  • NIST’s Manufacturing Extension Partnership’s Handbook 162, NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements, available here;
  • DoD’s Frequently Asked Questions (FAQs) dated Jan. 27, 2017 – Implementation of DFARS Case 2013-D018, Network Penetration Reporting and Contracting for Cloud Services, available here;
  • DoD’s Procurement Toolbox Cybersecurity Resources, available here;
  • The National Archives Controlled Unclassified Information Registry – Categories and Subcategories, available here;
  • Taft’s Checklists and Other Blog Posts on the DFARS Safeguarding Regulations, available here;
  • Taft’s webinar on the Defense Department Cybersecurity Rules, available here.

If you have a particular question about the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting regulation or NIST SP 800-171, let us know and we might use your question for an upcoming blog post.

This is part two of a multi-part look into the European Union’s General Data Protection Regulation (GDPR) and why U.S. companies need to be aware of the law and how it may impact their business. We will conclude the series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series. In this second part of our series, we think it is important to provide some insight into the differing approaches to privacy between the U.S. and EU.

The U.S. and EU have a fundamentally different approach to privacy law. Generally, the 28 EU member states view privacy as a fundamental human right and legislate access to their citizens’ data with that philosophy. The EU model, even prior to the GDPR, employs a comprehensive approach to privacy law. This generally means that they have one law that covers the collection of all information and data about EU citizens. In essence, the cornerstone of EU privacy law is that when it comes to the collection, use and sharing of personal information, nothing can happen without notice to the individual and a lawful basis for the processing, of which the individual’s consent is the most prominent.

By contrast, the U.S. does not legislate with the understanding that privacy is a fundamental human right. The word “privacy” doesn’t even appear in its Constitution. Generally, it has been argued that the U.S. does not view privacy rights in the same context as the EU, due in part to its history and commitment to First Amendment protection. Rather than create fundamental overarching privacy regulations, the U.S. tends to create privacy laws when a need for them arises. When it comes to regulating and protecting individual privacy in business, the U.S. uses a sectoral approach. Under this approach, regulations concerning information about U.S. citizens are often based on the category into which the information falls. For example, health information is regulated under HIPAA, financial information is regulated under GLBA and FCRA, and marketing can be regulated under the TCPA, TSR, and CAN-SPAM regulations.

In practice, having two different philosophies and regulatory models can be difficult to navigate for a U.S. company. The differing approaches can create new and challenging problems that must be solved. Under the U.S. sectoral approach, companies can generally be certain of which regulations they must comply with. Since the EU model covers all categories of data, companies that may not be used to operating under strict regulations will now have to adopt and develop new policies, procedures and compliance mechanisms. “GDPR brings its own challenges to U.S. companies, especially those that do not operate in regulated areas,” says Scot Ganow, Senior Counsel at Taft. “While companies do need to understand the specific requirements of a law, including the GDPR, we often encourage our clients to think more holistically about privacy and seek to protect personal information, period, regardless of how it is regulated. Adopting such a broad approach and implementing best practices across the board will better serve companies to adjust as the law continues to change in the face of continued threats to privacy and security.”

Another key difference is transferring data across borders. The GDPR regulates how and whether data about EU citizens can be transferred outside their member states’ borders. Essentially, in order to transfer data to a country that is not subject to the GDPR, the sending entity must ensure that the receiving country has been found by the European Commission to provide an adequate level of data protection (an “adequacy decision”). Only a handful of non-EU countries currently meet that standard. You may (or may not) be surprised to learn that the U.S. is not one of them. Absent an adequacy finding, the transfer must rest on another mechanism the GDPR recognizes, such as standard contractual clauses or binding corporate rules, which we will cover in a later post. This can be a complicating factor for many companies in today’s digital environment. Transporting information across borders is now as easy as clicking a mouse, but the consequences of transferring that data without complying with the law can be devastating. As we mentioned in our previous post, the fines for a violation can be as much as 4% of worldwide annual revenue.

U.S. companies have to understand what personal information they collect and use from E.U. citizens, whether they are employees or customers. Furthermore, companies have to ensure they have a compliance program to satisfy the requirement to properly and safely transfer such personal information to the U.S. In future posts, we will discuss the GDPR’s requirements, enforcement mechanisms and how companies can develop those compliance programs.

Brian Eaton is a member of the Taft Privacy and Data Security practice area and is a Certified Information Privacy Professional in EU privacy law.

This is part one of a multi-part look into the EU’s General Data Protection Regulation (GDPR) and why U.S. companies need to concern themselves with an EU law, the difference from U.S. regulations and the different mechanisms available to comply. We will conclude this series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series.

The GDPR is a new privacy regulation that will go into effect in the EU on May 25, 2018. The impetus behind the legislation is to strengthen privacy protections for EU citizens as well as unify the laws across the EU member states. The EU has been operating under a privacy directive, which was established in 1995. This directive set a baseline for privacy regulations throughout the EU but left it up to each individual member state to enact its own privacy laws. The GDPR is an EU regulation rather than a directive, so it applies directly and uniformly in every member state without separate national implementing legislation.

The impact that it could have on U.S. companies will depend on whether or not your company processes the personal data of individuals in the EU (the regulation turns on where the data subject is, not on citizenship). The definition of what constitutes personal data under the GDPR is quite broad. It is defined as any information that relates to an identified or identifiable individual, such as names, email addresses and other personally identifying information. This definition also extends to technical information, such as an IP address or device identifier. Further, your company does not have to have a physical presence in the EU in order to be subject to this regulation: offering goods or services to people in the EU, or monitoring their behavior, is enough. With the expansive reach of the internet, it is now easier than ever to collect personal data from EU residents while operating solely in the U.S.

The most significant and severe change that should have U.S. companies paying attention is the new penalties associated with the regulation. Violations of the GDPR can fall into two levels of severity. The lower level carries a maximum penalty of up to €10 million or 2% of worldwide annual turnover for the prior financial year, whichever amount is higher. An upper-tier violation can be up to €20 million or 4% of worldwide annual turnover for the prior financial year, again whichever is higher. These new penalties are a strong incentive for companies to comply with the GDPR, and compliance for U.S. companies can be a radical shift if they are only familiar with operating under U.S. privacy laws. “For years the U.S. has been viewed as the ‘Wild West’ when it comes to the handling of the personally identifiable information of EU residents,” says Scot Ganow, Senior Counsel in Taft’s Privacy and Data Security practice area. “I think many U.S. companies have operated in the EU under the existing Data Directive without even being aware that it applied to them. The GDPR represents a wake-up call to all companies operating in the global marketplace. Now, more than ever, such companies need to have a solid handle on what personally identifiable information they collect, from where they collect it and how to safeguard it. The clock is ticking.”

In our next post we will look at the differences in the way U.S. privacy law and EU privacy law operate with respect to private sector companies.

Brian Eaton is a member of the Taft Privacy and Data Security practice area and is a Certified Information Privacy Professional in EU privacy law.