Helping it all click into place Our global Cybersecurity and Data Privacy practices

Post on 20-Aug-2020


Contents

Integrated approach to cybersecurity and privacy

Cybersecurity

Supporting your privacy

Privacy

GDPR

Contacts

One global, integrated approach to cybersecurity and privacy to handle all your needs now and in the future.

International reach and local knowledge – we have deep knowledge of US, UK and EU privacy and cybersecurity laws and regulations, as well as in most jurisdictions around the world including China, Singapore and the Middle East.

Deep sector knowledge – there are no one-size-fits-all solutions, and companies, as well as industry sectors, require specifically tailored advice.

Unique experience – our team has vast experience planning for and responding to all manner of threats, from natural to man-made to cyber. Our team includes individuals who have been CTOs, GCs, regulators and senior decision-makers in charge of highly sensitive information. Our members have written policy, including the US Cybersecurity Act of 2015 and New York State’s Department of Financial Regulations, among others.

Business enabling – we deliver clear legal solutions to enable the widest range of options for decision-makers.

Business focused – from increasing pressures on GCs and CISOs to heightened threats, regulatory uncertainty and “cyber fatigue,” we bring greater clarity, simplicity and even opportunity.

Battle tested – if a breach occurs, we have a deep bench of experienced professionals to calmly handle every aspect. This includes notifications and regulatory actions as well as the most complex, bet-the-company litigation and even congressional or parliamentary investigations/inquiries.

60+

Eversheds Sutherland’s BreachLawWATCH provides easy, consistent and accurate access to the data breach statutes across a growing number of US and global jurisdictions.

BreachLawWATCH


3,000+ attorneys across Eversheds Sutherland

100+ team members

Award-winning Cybersecurity and Privacy Law practices

offices across Africa, Asia, Europe, the Middle East and the US

12th in Law360’s 2018 Global 20 rankings

30+ countries in which Eversheds Sutherland has offices


Our practice spans the full range of data law topics

Whether you call it privacy or data protection, cyber or information security law, transparency or information access laws, we can assist you.

Foresight – we advise on existing threats, regulations, and litigation risks, as well as on what to expect in the future, so you can be prepared and can take advantage of existing and future market opportunities.

Charting a course – as potential security and privacy-enhancing solutions (like encryption), or new business models (like using Big Data or incorporating IoT technology), can run up against regulations, particularly in large markets like China and the EU, we advise on the best way to navigate through the regulatory global tangle to maximize business opportunities and minimize risk.

Always on call – if problems arise, we are prepared, and we’ve got you covered. We are vastly experienced in global notification requirements, as well as in quickly containing a breach and responding to it, from regulatory action, litigation and public relations to congressional or parliamentary inquiries, all to minimize the fallout and to allow you to get back to business.

Crisis hotline – Every organization faces a crisis from time to time. The form it takes will vary depending on the particular risks your business is exposed to, but the outcome is usually the same - interruption to your business and a threat to your future. The actions you take immediately after a crisis breaks are the most important. Call our 24-hour crisis hotline and we will ensure that you are on the road to recovery immediately. Call the Eversheds Sutherland crisis hotline numbers: +44 20 7919 0828 (UK) or +1 404 853 8252 (US).

“Named in Law Firms Best at Cybersecurity report.” (BTI Consulting Group)

Cybersecurity

How we can help

Risk assessment

Implementation of controls

Breach/cyber attack

Incident response plan

of action to minimize risk

Recovery and improvement

– proactively brief boards and senior executives

– draft cybersecurity and privacy plans and procedures

– identify and mitigate risk

– review existing cyber insurance

– embrace tech opportunities

– make holistic assessments

– perform table-top exercises

– create cyber resilience

– manage crisis response

– notifications

– regulatory actions

– internal investigations

– multi-jurisdictional litigation

– defense in court and before regulators

– congressional/parliamentary investigations

– manage claims process with insurers

– injunctive relief/redress

– proactive compliance with multiple jurisdictions (e.g., SEC, NY DFS, GDPR, Chinese law)

– maintenance of relationships

– policy advice

– senior officer certification

Regulatory

Planning and corporate governance

Business operations and transactional

Investigations, litigation and regulatory enforcement

– due diligence/M&A

– valuation of cybersecurity

– IPOs

– investment decisions

– manage risk with third parties

– cross-border data transfer agreements

– maximize competitiveness


Cybersecurity experience

representing a large health care insurer on a breach response and notification (including state and HIPAA notifications), and class-action defense (three jurisdictions and appeal to DC Circuit); additionally, we engaged with the FBI and the US National Cyber Investigative Joint Task Force in relation to the incident

assisting a credit card processing company with a breach and notifications to individuals under state privacy laws, and engaging a credit monitoring company; the breach affects individuals in approximately 30 jurisdictions

advising an electric distribution utility on cybersecurity and information privacy issues arising in contract negotiations with IT outsourcing providers

advising an independent generator and a generation and transmission cooperative on NERC cybersecurity requirements

advising a major mutual insurance company in developing a new cyber insurance product for the energy industry

advising a major insurance company and affiliated broker-dealer/investment adviser on a data breach, including retention and work with a consulting firm to determine the cause of the breach and its scope; we self-reported the breach and our findings to the SEC and FINRA, and the matter was closed without action

conducting a privileged cybersecurity assessment for a major retirement benefits and life insurance company with a national cybersecurity consulting firm and advising the client on preparation for regulatory examinations, incident response and potential litigation

assisting a major mutual insurance company with drafting a cyber insurance policy for the energy industry and guiding underwriters on current cybersecurity underwriting risks

advising a major mutual fund and its investment adviser on the development and implementation of cybersecurity policies and procedures designed to meet SEC requirements, including a focus on vendors, sub-advisers and incident response planning

conducting cyber risk assessments and developing remediation strategies for a large insurance administrator

advising various global technology companies, broker-dealers and insurance companies on amendments to their vendor agreements and confidentiality agreements to address cybersecurity and privacy risks

advising a broker-dealer/investment adviser on assessing a cybersecurity breach, and self-reporting the matter to the SEC and FINRA, neither of which pursued an investigation

defending in trial a broker-dealer against SEC allegations that the firm violated Regulation S-P through its recruiting practices, and convincing the administrative law judge to order a reduced penalty

successfully defending a putative class action in California state court involving allegations of a data breach following the theft of computer hardware containing medical and other personally identifying information (PII) from a third-party vendor’s offices; obtaining a highly favorable settlement resulting in the dismissal of all claims with prejudice

advising an Internet commerce company following discovery of a cybersecurity breach by a criminal hacking group and negotiations with the US Department of Justice and the Naval Criminal Investigative Service to get additional information about the hackers and the data that was stolen

advising a leading mutual insurance company through the development of a new cybersecurity coverage and services offering

counseling a privately held insurance and financial services holding company on state notification requirements and engaging credit monitoring for affected and potentially affected customers of a data breach

advising a leading retirement plan services company on the privacy notice requirements for qualified plans under the Gramm-Leach-Bliley Act and state privacy regulations

advising a leading online retailer on state privacy law requirements and exemptions for sharing non-public personal information with state government agencies

advising a regional bank on its response to the cybersecurity breach of a commercial customer’s wire transfer system that resulted in millions of dollars being transferred out of the country

successfully defending an insurer’s subsidiary in a putative class action involving an alleged data breach by a subsidiary’s vendor

counseling a leading national life insurance company on changes to its consumer privacy and security practice notices under US federal and state privacy laws and regulations, and advising the company on responses to minor data breaches

advising a large insurer on HIPAA obligations in a claim privacy breach

Meeting your needs

“[Eversheds Sutherland] is thorough, responsive and is very helpful in estimating the cost of our various projects.” (Chambers & Partners 2017)

Supporting your privacy

And how we will deliver...

Relevant key issues and red flags identified quickly to help decision making

Easy to understand and implement reports and documentation to aid compliance

Audit trail for accountability of data use, related risks and mitigation

Support for creation of compliance strategy. What, how, when and how much?

Effective project management of legal advice delivery locally and internationally for group and individual companies

An enabling approach helping you to help the business to achieve its business goals in an appropriate privacy compliant way

Practical solutions to deliver a quick, efficient and risk appropriate solution for the business to take forward


– expert counsel to add experience

– value and clarity

– a realistic solution for your group and the individual businesses within it

– support for the big picture

– framework with focus on priority

– with central top to bottom approach

– embed data privacy compliance in corporate DNA


Privacy

How we can help

Top to bottom structures: advising international clients on their privacy programs including prioritization of work streams, as well as delivery of specific components.

Global data transfer solutions for personal data, including Binding Corporate Rules, Privacy Shield and approved form contracts.

Helping you with your product and service offering development through its life cycle, to align with privacy requirements on privacy by design and default.

Addressing privacy issues for customers and suppliers contracting for cloud-based solutions.

Advising on data analytics and transfers among strategic business partners and data aggregators.

Handling staff data on a multi-jurisdictional basis and addressing the industrial relations issues which can arise as new data policies, contracts and procedures are introduced.

Data protection aspects of acquisitions and divestitures, joint ventures and other major transactions.

Record retention and document management policy development.

Handling complaints and requests from individuals and regulatory bodies and providing guidance in the face of investigations, prosecution and claims.

Defending privacy claims and addressing privacy issues in other litigation and disclosure processes.

Providing training on data protection.

Appeals against supervisory authority decisions through court or tribunal decisions.

Strategies for dealing with emerging localization/data location requirements including Russia and China.

Responding to government and other agency access and retention requests.

Supporting public authorities and affected private sector clients to respond to information access requests and protect valuable confidential information against unexpected disclosure.

Responding to data security incidents and counselling on reporting requirements.

Privacy experience

advising multiple international clients on GDPR programs, including prioritization of work streams, as well as delivery of specific components

advising a client on third-party contract strategy for adoption of GDPR terms

advising a client on marketing consents in light of forthcoming changes in direct marketing and GDPR rules

analyzing the RM strategy on GDPR, including parent company liability and governance structure, for an international telecoms and cloud services provider, and developing a liability model

conducting audits for clients in several sectors to enable them to understand processing and to act as a foundation for the production of other compliance documentation

providing workshops on particular topics to support clients’ operational working groups

drafting GDPR data processor clauses to be adopted in clients’ standard terms

assisting a client in creating a privacy impact assessment template in anticipation of GDPR and conducting an impact assessment on new product development

reviewing strategies for responding to practical difficulties with legacy systems and creating or refreshing international policies

creating a GDPR Manual for a branch of an Asian Bank that includes several policies and procedures to align with GDPR

drafting GDPR privacy notices for staff and customers

providing training on GDPR for multiple clients

advising a public limited company on adoption of a cloud-based HR system including notices to staff, filings, contracts with vendors, interaction with German, Dutch and French work councils, and staff training across EMEA, Asia and South America

advising several aerospace and other sector clients on the interplay of export control and data protection rules in order to achieve compliance in both spheres

advising a global technology business on background checking staff and candidates across 80+ countries around the globe

advising a vehicle manufacturer on a new connected car platform across 30+ countries

undertaking a multinational privacy governance review in conjunction with our consulting practice for an international vehicle manufacturer

assisting with labor law disputes with trade unions and work councils where privacy law has been deployed as a tactical “weapon”


GDPR requires a new approach to privacy and the protection of personal details and their use. Organizations must plan for privacy and integrate the principle of data minimization into their business processes.

Businesses must continue to invest time to ensure they are compliant with the detailed application of the GDPR. Eversheds Sutherland can help you navigate this extensive piece of legislation that came into force on May 25 2018, helping you stay on course and maintain GDPR compliance for the future.

How we can help

Eversheds Sutherland have already been entrusted by clients across a spectrum of regulated and non-regulated sectors to work with them on their GDPR programmes, helping them to plan, budget and start their compliance reviews, as well as assessing their strategy and response to the change in risk profile.

Our integrated team can provide analysis and practical solutions as the formal adoption occurs and assist your business in gearing up as the deadline to GDPR takes effect. We will help you understand the impact it will have on your business and how to prepare in a pragmatic and phased way.

We have tried and tested practical advice on:

– territorial scope and application

– data processor obligations

– data security and breach reporting

– international data transfers

– governance (privacy impact assessments, data protection officers and more)

– non-compliance: enforcement and sanctions

– profiling

– data subjects’ rights

GDPR experience

www.eversheds-sutherland.com/gdpr

Advising – Top to Bottom: advising international clients on GDPR programme, including prioritisation of work streams as well as delivery of specific components

Advising – contract strategy: advising client on third party contract strategy for adoption of GDPR terms

Advising – marketing consents: advising client on marketing consents in light of forthcoming changes in direct marketing and GDPR rules

Analysis – risk management: analysis of RM strategy on GDPR, including parent company liability and governance structure for an international telecoms and cloud services provider, and developing liability model

Data Audits – conducting audits for clients in several sectors to enable them to understand processing and to act as a foundation for production of other compliance documentation.

Expertise workshops – providing workshops on particular topics to support clients’ operational working groups in defining the requirements and sense-checking the solutions proposed.

Create – GDPR Policies and Procedures Manual: creating GDPR Manual for branch of Asian Bank, comprising several policies and procedures to align with GDPR

Drafting – privacy notices: drafting GDPR privacy notices for staff and customers.

Drafting – data processor clauses: drafting GDPR data processor clauses to be adopted in client’s standard terms.

Privacy Impact Assessment: assisting a client to create a privacy impact assessment template in anticipation of GDPR and conducting an impact assessment on new product development

Records Retention and Destruction: reviewing strategies for responding to practical difficulties with legacy systems and creating or refreshing international policies

Training: providing training on GDPR for multiple clients

GDPR

The General Data Protection Regulation (GDPR) will significantly impact how organizations collect and process personal information.

GDPR is new, EU-wide data protection legislation to replace the current 20-year-old EU data protection laws. It aims to “future-proof” laws against technological developments, and it hopes to harmonize data privacy laws across the EU. It requires greater transparency and accountability from companies, and imposes greater privacy protections for individuals. Regulators have a range of significant sanctions to enforce compliance.

View our GDPR hub to find out more information: www.eversheds-sutherland.com/gdpr


Contacts

US

Michael Bahar, Co-Lead of Global Cybersecurity and Data Privacy T: +1 202 383 0882

Mark D. Herlach, Partner T: +1 202 383 0172

Bob Owen, Partner T: +1 212 389 5090

Mary Jane Wilson-Bilik, Partner T: +1 202 383 0660

Brittany M. Cambre, Associate T: +1 404 853 8063

Alexander Sand, Associate T: +1 212 287 7019

Mark Thibodeaux, Associate T: +1 713 470

UK

Paula Barrett, Co-Lead of Global Cybersecurity and Data Privacy T: +44 20 7919 4634

Liz Fitzsimons, Partner T: +44 122 344 3808

James Hyde, Partner T: +44 113 200 4066

Richard Little, Partner T: +44 207 919 0602

Jake Mcquitty, Partner T: +44 20 7919 0600

Simon Morrissey, Partner T: +44 20 7919 4818

Craig Rogers, Partner T: +44 20 7919 0707

Christopher Ives, Principal Associate T: +44 734 150 6209

David Cook, Senior Associate T: +44 161 831 8144

Belgium

Koen Devos, Partner T: +322 737 9360

China

Cedric Lam, Partner T: +852 2186 3202

Jennifer Van Dale, Partner T: +852 2186 4945

Estonia

Tambet Toomela, Partner T: +372 622 9990

Netherlands

Benjamin van Kessel, Partner T: +31 20 5600 600

Olaf Van haperen, Partner T: +31 61 7456 299

Poland

Dr Aleksandra Kunkiel-Kryńska, Partner T: +48 22 50 50 77 5

Marta Gadomska-Golab, Partner T: +48 22 50 50 73 2

Romania

Mihai Guia, Partner T: +40 21 31 12 56 1

Singapore

Brian Law, Counsel T: +65 63 61 98 33

South Africa

Tanya Waksman, Partner T: +27 10 003 1422

Grant Williams, Partner T: +27 10 003 1375

Spain

Francisco J. (Kiko) Carrión García de Parada, Partner T: +34 91 429 43 33

José Mariano Cruz, Partner T: +34 67 971 62 79

Vicente Arias Máiz, Partner T: +34 69 909 65 25

Switzerland

Monika McQuillen, Partner T: +41 44 204 90 90

Bruno Schoch, Partner T: +41 31 328 75 75

UAE

Geraldine Ahern, Partner T: +971 4 494 2521

Finland

Tiina Ashorn, Partner T: +358 10 684 1617

Markku Varhela, Partner T: +358 10 684 1457

France

Gaetan Cordier, Partner T: +33 1 55 73 40 73

Germany

Alexander Niethammer, Partner T: +49 89 54 56 52 45

Lutz Schreiber, Partner T: +49 40 80 80 94 444

Nils Mueller, Principal Associate T: +49 89 54 56 51 94

Constantin Herfurth, Associate T: +49 89 54 56 52 95

Hungary

Agnes Szent-Ivany, Partner T: +36 13 94 31 21

Ireland

Marie McGinley, Partner T: +353 1 6441 457

Italy

Beatrice Bigonzi, Partner T: +39 02 892 871

Andrea Zincone, Partner T: +39 06 893 2701

Latvia

Agris Bitáns, Partner T: +371 6 728 0102

Lithuania

Rimtis Puišys, Partner T: +370 5 239 2391

Mauritius

Nitish Hurnaum, Partner T: +230 211 0550


eversheds-sutherland.com

© Eversheds Sutherland Ltd. 2020. All rights reserved. Eversheds Sutherland (International) LLP is part of a global legal practice, operating through various separate and distinct legal entities, under Eversheds Sutherland. For a full description of the structure and a list of offices, please visit eversheds-sutherland.com. DTUK003013_01/20