Government contractors are subject to cybersecurity requirements, found in the Federal Acquisition Regulation (FAR) and each agency’s supplement to the FAR, and some important deadlines are fast approaching. Set forth below is a high-level overview of cybersecurity requirements found in the FAR and the Department of Defense (DoD) FAR Supplement (DFARS).
This week we highlight Bloomberg BNA’s analysis “Corporate Cyber Risk Disclosures Jump Dramatically in 2017,” which examines SEC annual and quarterly filings from 2010 to June 30, 2017. The findings show that more public companies are citing cybersecurity as a risk in their financial disclosures in the first half of 2017 than in all of 2016, suggesting that board and C-suite fears over data breaches may be escalating.
This week we highlight an analysis by Ernst & Young on the trends in US capital markets. The capital markets landscape has changed considerably over the past two decades, including the expansion of private capital markets and related regulatory changes. The report discusses the public market and private market trends impacting the number of US-listed companies today.
Yesterday, a coalition of 44 service and retail industry trade associations sent a letter to congressional leadership, urging the House and Senate to adopt a single data breach notification standard at the federal level. The letter, addressed to the Majority and Minority Leaders of each chamber, states that “a single, federal law applying to all breached entities would ensure clear, concise and consistent notices to all affected consumers regardless of where they live or where the breach occurs.”
The coalition letter states that any legislation to address data security and data breaches should cover all types of entities that handle sensitive data, and should not provide exemptions for certain business sectors. The letter cites several recent examples of breaches across different sectors, including the JP Morgan and Apple iCloud breaches, as well as one involving a Department of Homeland Security contractor.
On Tuesday, California Governor Jerry Brown signed into law a new data protection bill, which comes amid revelations of additional high-profile data breaches at Supervalu and Albertson’s grocery stores.
Assembly Bill 1710 now requires businesses in California to provide one year of credit monitoring and identity theft protection services free of charge to customers who are affected by a data breach in which their Social Security numbers, driver's license numbers or California identification card numbers are breached. The bill also extends current data security obligations for businesses to companies that own or license customer information, according to the bill’s co-author, Assemblyman Roger Dickinson.
On August 5, The New York Times reported that Russian hackers have obtained what could be the largest collection of confidential data in history. The security firm that discovered the breach continues to alert affected companies to possible exposure. Although the hackers remain anonymous, affected companies have unconventional legal tools at their disposal to limit the damage.
Electronic commerce, or eCommerce, is rapidly expanding in the member states of the Gulf Cooperation Council (GCC), spurred by the region’s near-universal online access, disposable income and technologically forward-thinking decision-making bodies. The term eCommerce refers to transactions completed over computer networks as opposed to within brick-and-mortar storefronts, and includes ancillary activities like Internet marketing and data collection and analysis.
The potential for online spending in the GCC is among the highest in the world. Nearly 90% of residents have access to the Internet. Compare that figure with 35% access worldwide and 81% in the USA. Additionally, GCC cities Abu Dhabi, Dubai and Riyadh occupy the top three spots on the list of highest per capita disposable incomes in the Middle East, according to a recent survey by the Economist Intelligence Unit.
Terms like “web security” and “data breach” are now familiar to most Americans in light of recent, significant issues with the websites and databases of some large U.S. companies. But web security encompasses more than just protection of consumer data on corporate systems; it is also critical in preventing the widespread introduction of malware directly onto user computers and networks. Most people know they should not open emails from unknown senders or click on strange links, but they may not know that simply visiting a mainstream website could infect a computer or network with malware without a single click. This “malvertising,” which has already become a problem for many popular sites, can deliver viruses with the ability to steal personal information, usernames and passwords. Worse, it can carry viruses that give criminals the ability to take over an infected computer altogether.
Malvertising is so insidious and effective because it can appear on a website and infect a computer system without any warning, and without any action on the victim’s part. The problem is compounded by the difficulty website owners encounter in policing potential malware. Many popular websites use advertising services managed by other companies. This arrangement means website owners often do not have a direct relationship with their advertisers, and may not even know which ads are appearing on their sites. Hidden malware could impact many users before the website owner ever becomes aware of it.