Editors’ NotE: WElcomE to Pratt’s Privacy & cybErsEcurity laW rEPort!
Steven A. Meyerowitz and Victoria Prussen Spears
day oNE: thE origiN story of comPutEr forENsics
David Kalat
thE sEc’s NEW guidaNcE oN
cybErsEcurity: codiNg bEst PracticEs
Gregg S. Buksbaum, Skye W. Smith, Matt P. Cohen, Sunitha Malepati, and Brooke P. LoCoco
dEPartmENt of JusticE issuEs guidaNcE oN bEst PracticEs for cybErsEcurity PrEParEdNEss
A.J. Kess, Yafit Cohn, and Linda M. Nyberg
fcc bEcomEs latEst agENcy to iNcrEasE coNsumEr Privacy aNd data sEcurity ENforcEmENt
Paul C. Besozzi, Monica S. Desai, and Koyulyn K. Miller
sEcoNd circuit rulEs Patriot act doEs Not authorizE govErNmENt’s bulk tElEPhoNE mEtadata collEctioN Program
Angelo A. Stio III and Eli Segal
arE PrivatE iNstitutioN sEcurity dEPartmENt rEcords subJEct to disclosurE uNdEr Public rEcords acts?
Michael J. Cooney, Christopher D. Thomas, Steven M. Richard, and Kacey Houston Walker
cook couNty “Piggybacks” oN statE of illiNois aNd city of chicago EmPloyEE crEdit Privacy laWs
Howard L. Mocerf
iN thE courts
Steven A. Meyerowitz
lEgislativE aNd rEgulatory dEvEloPmENts
Steven A. Meyerowitz
iNdustry NEWs
Victoria Prussen Spears
Privacy &
cybersecurity
Law
REPoRT
Pra tt’s Priv a c y & c ybersecurity La w r EPO r t a u G u s t/ s e P t e m b e r 20 15 v o L. 1 • n o . 1 auGust/sePtember 2015 vol. 1 • no. 1an a.s. Pratt PubLication
Pratt’s Privacy & Cybersecurity
Law Report
VOLUME 1 NUMBER 1 AUGUST/SEPTEMBER 2015
Editors’ Note—Welcome toPratt’s Privacy & Cybersecurity Law Report!
Steven A. Meyerowitz and Victoria Prussen Spears 1
Day One: The Origin Story of Computer Forensics
David Kalat 4
The SEC’s New Guidance on Cybersecurity: Coding Best Practices
Gregg S. Buksbaum, Skye W. Smith, Matt P. Cohen, Sunitha Malepati, and
Brooke P. LoCoco 11
Department of Justice Issues Guidance on Best Practices for Cybersecurity Preparedness
A.J. Kess, Yafit Cohn, and Linda M. Nyberg 15
FCC Becomes Latest Agency to Increase Consumer Privacy and Data Security Enforcement
Paul C. Besozzi, Monica S. Desai, and Koyulyn K. Miller 19
Second Circuit Rules Patriot Act Does Not Authorize Government’s Bulk Telephone Metadata Collection Program
Angelo A. Stio III and Eli Segal 22
Are Private Institution Security Department Records Subject to Disclosure under Public Records Acts?
Michael J. Cooney, Christopher D. Thomas, Steven M. Richard, and Kacey
Houston Walker 26
Cook County ‘‘Piggybacks’’ on State of Illinois and City of Chicago Employee Credit Privacy Laws
Howard L. Mocerf 30
In the Courts
Steven A. Meyerowitz 33
Legislative and Regulatory Developments
Steven A. Meyerowitz 37
Industry News
QUESTIONS ABOUT THIS PUBLICATION?
For questions about theEditorial Contentappearing in these volumes or reprint permission, please contact: Deneil C. Targowski at ... 908-673-3380 Email: ... [email protected] For assistance with replacement pages, shipments, billing or other customer service matters, please call: Customer Services Department at ... (800) 833-9844 Outside the United States and Canada, please call ... (518) 487-3000 Fax Number ... . . .. (518) 487-3584 Customer Service Web site ... http://www.lexisnexis.com/custserv/ For information on other Matthew Bender publications, please call
Your account manager or ... (800) 223-1940 Outside the United States and Canada, please call ... (518) 487-3000
ISBN: 978-1-6328-3362-4 (print) ISBN: 978-1-6328-3363-1 (eBook) ISSN: 2380-4785 (Print) ISSN: 2380-4823 (Online)
Cite this publication as:
[author name], [article title], [vol. no.] PRATT’S PRIVACY& CYBERSECURITYLAWREPORT[page number]
(LexisNexis A.S. Pratt);
David Kalat,Day One: The Origin Story of Computer Forensics, [ 1] PRATT’SPRIVACY& CYBERSECURITYLAW
REPORT[4] (LexisNexis A.S. Pratt)
This publication is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought.
LexisNexis and the Knowledge Burst logo are registered trademarks of Reed Elsevier Properties Inc., used under license. A.S. Pratt is a trademark of Reed Elsevier Properties SA, used under license.
Copyright#2015 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. All Rights
Reserved.
No copyright is claimed by LexisNexis, Matthew Bender & Company, Inc., or Reed Elsevier Properties SA, in the text of statutes, regulations, and excerpts from court opinions quoted within this work. Permission to copy material may be licensed for a fee from the Copyright Clearance Center, 222 Rosewood Drive, Danvers, Mass. 01923, telephone (978) 750-8400.
An A.S. PrattäPublication
Editorial
Editorial Offices
630 Central Ave., New Providence, NJ 07974 (908) 464-6800 201 Mission St., San Francisco, CA 94105-1831 (415) 908-3200 www.lexisnexis.com
Editor-in-Chief, Editor & Board of Editors
EDITOR-IN-CHIEFSTEVENA. MEYEROWITZ
President, Meyerowitz Communications Inc. EDITOR
VICTORIAPRUSSENSPEARS
Senior Vice President, Meyerowitz Communications Inc. BOARD OF EDITORS
EMILIOW. CIVIDANES
Partner, Venable LLP RICHARDCOHEN
Special Counsel, Kelley Drye & Warren LLP CHRISTOPHERG. CWALINA
Partner, Holland & Knight LLP RICHARDD. HARRIS
Partner, Day Pitney LLP DAVIDC. LASHWAY
Partner, Baker & McKenzie LLP CRAIGA. NEWMAN
Partner, Patterson Belknap Webb & Tyler LLP ALANCHARLESRAUL
Partner, Sidley Austin LLP AARONP. SIMPSON
Partner, Hunton & Williams LLP RANDISINGER
Partner, Weil, Gotshal & Manges LLP JOHNP. TOMASZEWSKI
Senior Counsel, Seyfarth Shaw LLP TODDG. VARE
Partner, Barnes & Thornburg LLP THOMASF. ZYCH
Partner, Thompson Hine
Editor-in-Chief, Editor & Board of Editors
Pratt’s Privacy & Cybersecurity Law Reportis published nine times a year by Matthew Bender & Company, Inc. Periodicals Postage Paid at Washington, D.C., and at additional mailing offices. Copyright 2015 Reed Elsevier Properties SA, used under license by Matthew Bender & Company, Inc. No part of this journal may be reproduced in any form—by microfilm, xerography, or otherwise—or incorporated into any information retrieval system without the written permission of the copyright owner. For customer support, please contact LexisNexis Matthew Bender, 1275 Broadway, Albany, NY 12204 or e-mail [email protected]. Direct any editorial inquires and send any material for publication to Steven A. Meyerowitz, Editor-in-Chief, Meyerowitz Communications Inc., 26910 Grand Central Parkway Suite 18R, Floral Park, New York 11005, [email protected], 718.224.2258. Material for publication is welcomed—articles, decisions, or other items of interest to lawyers and law firms, in-house counsel, government lawyers, senior business executives, and anyone interested in privacy and cybersecurity related issues and legal developments. This publication is designed to be accurate and authoritative, but neither the publisher nor the authors are rendering legal, accounting, or other professional services in this publication. If legal or other expert advice is desired, retain the services of an appropriate professional. The articles and columns reflect only the present considerations and views of the authors and do not necessarily reflect those of the firms or organizations with which they are affiliated, any of the former or present clients of the authors or their firms or organizations, or the editors or publisher.
POSTMASTER: Send address changes toPratt’s Privacy & Cybersecurity Law Report,LexisNexis Matthew Bender, 630 Central Ave., New Providence, NJ 07974.
The SEC’s New Guidance on
Cybersecurity: Coding Best Practices
By Gregg S. Buksbaum, Skye W. Smith, Matt P. Cohen, Sunitha Malepati, and Brooke P. LoCoco*
This article explains recent U.S. Securities and Exchange Commission cybersecurity guidance for funds and advisers. The guidance emphasizes the importance of miti-gating cybersecurity risks and suggests a number of preventative measures that funds and advisers should consider implementing.
As registered investment companies (‘‘funds’’) and registered investment advisers increasingly rely on information technology, the U.S. Securities and Exchange Commission (‘‘SEC’’) continues to focus its attention on cybersecurity issues. Following the SEC’s Office of Compliance Inspections and Examinations (‘‘OCIE’’) summary of cybersecurity ‘‘sweep’’ exams issued in February,1the SEC’s Division of Investment Management (‘‘Division’’) recently issued a cybersecurity guidance update (‘‘Guidance’’) for funds and advisers.2 The Guidance emphasizes the importance of mitigating cybersecurity risks and suggests a number of preventative measures that funds and advisers should consider implementing.
The Guidance provides a broad three-step approach for funds and advisers to consider when analyzing cybersecurity risks and potential preventative measures to adopt.
STEP ONE: CONDUCT A PERIODIC ASSESSMENT OF CYBERSECURITY RISKS
This assessment is intended to assist in prioritizing and mitigating risks by identi-fying the potential cybersecurity threats and vulnerabilities of a fund or an adviser.
* Gregg S. Buksbaum is a partner and Skye W. Smith, Matt P. Cohen, Sunitha Malepati, and Brooke P. LoCoco are associates at Squire Patton Boggs. The authors may be contacted at gregg.buksbaum@ squirepb.com, [email protected], [email protected], sunitha.malepati@ squirepb.com, and [email protected], respectively.
1 See Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary, National Exam Program Risk Alert, Feb. 3, 2015,available athttps://www.sec.gov/about/of fices/ ocie/cybersecurity-examination-sweep-summary.pdf (providing summary observations from the examinations of 57 registered broker-dealers and 49 advisers conducted under OCIE’s Cybersecurity Examination Initiative).See alsoOffice of Compliance Inspections and Examinations, OCIE Cyberse-curity Initiative, National Exam Program Risk Alert, Apr. 15, 2014, available at https://www. sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf (describing OCIE’s initiative to assess cybersecurity preparedness in the securities industry).
2SeeU.S. Securities and Exchange Commission Division of Investment Management, Cybersecurity Guidance, IM Guidance Update, Apr. 2015,available at http://www.sec.gov/investment/im-guidance-2015-02.pdf.
Funds and advisers should consider the sensitivity and nature of the information they collect and process and where such information is stored. They need to identify both internal and external cybersecurity threats and vulnerabilities to the information, as well as to any technology systems currently in use. Funds and advisers should also assess their current security controls and processes and the effectiveness of their govern-ance structure that manages cybersecurity risks. Lastly, they need to evaluate the impact of a compromise on any information or technology system.
STEP TWO: CREATE A STRATEGY TO PREVENT, DETECT, AND RESPOND TO CYBERSECURITY THREATS
The strategy should include various procedures to control access to systems and data, such as:
managing user credentials;
authentication and authorization methods; firewalls;
perimeter defenses;
tiered access to sensitive information and network resources; network segregation; and
system hardening.
A fund or adviser could also implement data encryption, as well as data backup and retrieval measures. The strategy should address minimizing the use of removable storage media and utilizing software that monitors for any unauthorized intrusions, loss or exfiltration of sensitive data and any other unusual event. Funds and advisers should also develop an incident response plan and routinely test the effectiveness of their strategy.
STEP THREE: IMPLEMENT THE STRATEGY
Funds and advisers need to implement their strategies through written policies and procedures and by monitoring compliance with them. They should also provide training and guidance to their officers and employees on how to identify, prevent and respond to any threats. Funds and advisers can also inform their investors and clients of how to minimize the risk of their accounts being exposed to cybersecurity threats.
CONSIDER CUSTOM MEASURES
These suggested measures are not intended to be comprehensive. Rather, funds and advisers need to assess their particular operations and customize an approach that best fits their needs. For example, funds and advisers that share common networks with
12
their affiliated entities should consider whether it is appropriate to conduct an assess-ment of the entire corporate network. The Guidance also encourages funds and advisers to monitor ongoing and new cyber threats by gathering information from outside resources, such as vendors, third-party contractors specializing in cybersecurity and technical standards, publications and conferences, as well as participating in the Financial Services—Information Sharing and Analysis Center (‘‘FS-ISAC’’).3 Each fund or adviser should determine whether these or other measures need to be consid-ered when tailoring their compliance programs based on the nature and scope of their particular business.
COMPLY WITH FEDERAL SECURITIES LAWS
The Guidance also notes that, in the Division’s view, funds and advisers should also take their obligations to comply with federal securities laws into account when addres-sing cybersecurity risks and establish policies and procedures reasonably designed to prevent violations of federal securities laws in the event of a cyber-attack. The Guidance specifically suggests supplementing existing compliance programs to assess and mitigate cybersecurity risk as it relates to identity theft, data protection, fraud and business continuity, in addition to other disruptions in service that could affect, for example, an adviser’s ability to process capital calls or distributions for its private funds under management. The Guidance highlights how fraudulent activity can result from internal breaches, by fund or advisory personnel, and funds and advisers should therefore consider taking appropriate internal precautions concerning information security as well. The Guidance also notes that funds and advisers are especially vulnerable to cyber-attacks due to their reliance on third-party vendors to conduct their daily operations. Accordingly, funds and advisers should review their own opera-tions and compliance programs, as well as those of their service providers, to assess whether they have appropriate measures in place designed to mitigate exposure to cybersecurity risk.
3The FS-ISAC gathers threat, vulnerability, and risk information about cyber and physical security risks faced by the global financial services sector from various sources, including commercial companies, government agencies, CERTs, and academic sources. Alerts are delivered to its participants after the information is analyzed by industry experts. The U.S. Treasury, U.S. Department of Homeland Security and other government agencies and entities also use the FS-ISAC to disseminate critical information to the financial services sector in times of crisis. See Fin. Servs. Info. Sharing & Analysis Ctr., FAQs, https://www.fsisac.com/faqs (last visited May 14, 2015). Funds and advisers participating in the FS-ISAC have access to information regarding current cybersecurity threats and risks that people are facing around the world and the various mechanisms being utilized to prevent such risks. Therefore, this program reduces the need for funds and advisers to rely on regulations and published guidance regarding cybersecurity. In addition, the more funds and advisers that participate in providing information, the greater the database of information and research available to participants.
13
A PRACTICAL APPROACH
A cybersecurity policy, however, should not dominate a fund’s or adviser’s resources. Rather, funds and advisers should take a practical approach to determining the scale of their cybersecurity programs. For example, funds and advisers could consider utilizing a third-party service provider to perform some or all of their security operations or supplementing their physical and technical cybersecurity measures by obtaining an insurance policy that mitigates costs associated with cybersecurity breaches. If a fund or an adviser maintains its cybersecurity program internally, then experience has shown that its success will depend on the cooperation, team effort and proper training of management, investment personnel and information technology personnel. The Divi-sion recognizes that not every cyber-attack can be anticipated or prevented, but funds and advisers can take reasonable steps to mitigate the impact of such attacks on firms and clients while complying with federal securities laws.
14