Alston & Bird has updated its Cyber Risk Legal Package based on increased client demand relating to the following topics:
- What constitutes reasonable security or adequate security practices in the eyes of a regulator?
- What is the FTC’s position with respect to consumer-facing privacy disclosures to collect data?
- How can my company effectively test our incident response plan and/or conduct a cyber “tabletop” exercise?
- What are recommended practices for sharing cyber threat information with government agencies and third-party sharing platforms?
To assist with certainty around reasonable security practices and privacy disclosures (as such disclosures are impacted by big data, mobile apps, children’s privacy, data broker activities and deceptive practices), the Legal Package now includes use of a regularly updated dynamic tool that produces two detailed checklists, customizable to industry sectors, summarizing: (a) recommended security practices based on legal sources, including a list of inadequate security measures, and (b) the FTC’s complaints and enforcement actions as they relate to consumer disclosures in the areas of big data, children’s personal information and mobile apps.
In addition, as part of the Package we now offer: (a) strategies for conducting effective tests of incident response and data breach plans, including cyber tabletop exercises and simulations; and (b) information-sharing risk mitigation counseling to assist companies in developing an information-sharing strategy to take advantage of valuable, actionable threat intelligence and respond appropriately to government requests for cyber-related information.
Crafting your company’s privacy and cybersecurity program in a manner that is consistent with regulatory expectations, while always recommended, is all the more imperative in light of the recent public statements by the FTC that it will not promulgate specific regulations before commencing privacy and data security enforcement actions. The FTC continues to state publicly, reinforced by court decisions such as the FTC v. Wyndham matter and the recent LabMD litigation, that its data security expectations can be derived by companies using documents and resources that have been made publicly available by the Commission during the past decade, including speeches, business education, congressional testimony, articles, blog entries and settlements in enforcement actions. The FTC is not alone. Other regulators are promulgating guidance of varying forms related to cyber risk mitigation that can inform a company as it embarks on developing a cybersecurity program. This guidance, from legal sources, needs to be incorporated into the information security team’s understanding of measures and standards necessary to adequately protect the organization from cyber risk.
Furthermore, given the lack of guidance around behavioral tracking, big data, mobile apps and data broker activities, we think it is prudent for companies to consider past FTC orders and guidance as well as White House, legislative, and state Attorney General materials to glean best practices.
If you would like to learn more about the updated services incorporated in Alston & Bird’s Cyber Risk Legal Package, please contact: Kim Peretti.
For more information on the original package, please see our page discussing the Cyber Risk Legal Package in detail. The updates to the package will be available here soon.
Kimberly Kiefer Peretti | 202.239.3720 | firstname.lastname@example.org