Cybersecurity: Legal implications and risk management

Cybersecurity crisis management

The internet knows no borders, neither do we. Our global team of cybersecurity response experts work across borders, combining data protection, privacy, regulatory, white collar and litigation expertise in order to deliver seamless crisis management and legal advice, whenever and wherever needed.

The digitalization and free flow of information has transformed global business. However, with increased opportunities have come new and increased risks, together with complex legislative regimes that can vary significantly by jurisdiction, and are constantly evolving. Even the most conscientious company can become the victim of a cybersecurity incident, such as the stealing of client or company information, or a ransomware attack. We work with a wide range of multinational companies to manage their cybersecurity risks, developing rapid response plans, providing time-critical crisis management advice, and working with clients to manage any resulting legal issues that may arise.

Key issues

Why?
Reputation Fines Breach of contract M&A due diligence Insurance	Proprietary information Litigation Criminal offences Negligence

Be prepared

Risk Assessment

Key Information
Assets
Key Systems
Threat Analysis
Security Measures

Toolkit

Scripts
Internal and
External
Communications
Employee contacts
Response Plan
Live Training
Business Continuity Plan

Key considerations

Customer/individual rights

Requests for data
Data Protection Authority Complaints
Group litigation orders
Resolution mechanisms

B2B relationships

Contractual obligations
Contractual liability
Tort

Reputation management

Media strategy
Customer interaction
Employee engagement

Commercial

Proprietary
Information/Trade Secrets
System Disruption

Regulatory issues

Data Protection Authority
Financial Regulators
Market authorities
Other regulators

Privacy & data protection

Jurisdictions involved
Reporting obligations
- individuals
- authorities

Evidence

Law Enforcement Involvement
Legal Privilege
Preservation of Evidence

Response

Crisis Team

Legal (internal and external)
IT/IT Forensics
PR
Regulatory
DPO
Executive committee
HR
Vendor manager

Key Actions

Work with forensic investigators to:
- Identify and contain breach
- Gather/preserve evidence
- Maximise legal privilege coverage
Contact crisis team
Bring in external partners
Identify key risks and priorities based on nature of breach
Assess notification requirements
Communications
Regulatory notifications

US Cybersecurity Standards to Get Tougher and More Specific

by F. Paul Pittman, Steven R. Chabinsky, and Mark Williams

In the past few years, cybersecurity has taken on increasing importance in the eyes of lawmakers and regulators.

Data Sharing Without Borders

by Jonathan Pickworth, Anneka Randhawa, and Rebecca Copcutt

UK law enforcement can now obtain an order against a person in or operating in the US for the production of or access to electronic data under a new ‘landmark’ US-UK data sharing agreement.

Responding to a cyber-incident

by Tim Hickman and John Timmons

The COVID-19 crisis has exposed many companies to more cyber threats. Tim Hickman and John Timmons discuss what businesses need to do should a major incident occur.

Trending: Legal protection for cryptoasset stakeholders

Recent decisions in Singapore and New Zealand confirm that the courts are prepared to act to provide greater certainty and support to stakeholders in cryptoassets.

Recovering the ransom: High Court confirms Bitcoin status as property

by Steven Baker, Jenna Rennie, Gwen Wackwitz

The High Court has determined that Bitcoin (and other similar cryptocurrencies) can be considered property under English law, and could be the subject of a proprietary injunction. The Court granted the injunction to assist an insurance company to recover Bitcoin that it had transferred in order to satisfy a malware ransom demand.

Navigating Privacy and Cyber Incident Notification and Disclosure Requirements

by F. Paul Pittman and Steven R. Chabinsky

Organisations are facing increasing uncertainty in assessing global notification and disclosure obligations and making a determination of whether to notify or disclose a privacy violation or security incident in today's complex regulatory environment. This article offers six steps companies should consider when navigating this complex process.

Proposal on the Application of the NIS Regulations post-Brexit

by John Timmons and Dr. Detlev Gabel

This article examines the impact of the UK Network and Information Systems Regulations 2018 (SI 2018/506) (NIS Regulations) on organisations post Brexit and their obligations under applicable cybersecurity law.