On February 12th, the National Institute of Standards and Technology (NIST) released its long-anticipated Framework for Improving Critical Infrastructure Cybersecurity together with a companion Roadmap for Improving Critical Infrastructure Cybersecurity. The Framework is issued in accordance with President Obama’s February 19 Executive Order 13636, Improving Critical Infrastructure Cybersecurity Version 1.0, which tasked NIST with developing a cost-effective Framework “to reduce cyber risks to critical infrastructure.” The companion Roadmap discusses NIST’s next steps with the Framework and identifies key areas of development, alignment of cybersecurity standards and practices within the U.S. and globally, and collaboration with private and public sector organizations and standards-developing organizations. K&L Gates attorney Roberta D. Anderson has drafted a white paper describing the Framework and Roadmap, and some of the anticipated impacts on the technology industry. You can read the white paper here.
K&L Gates lawyers Roberta Anderson and Nickolas Milonas recently developed a list of five key issues to consider when selecting a cyber insurance policy, including identifying an organization’s risk profile, checking against an organization’s existing policies, purchasing cyber insurance as-needed, covering third-party cloud providers, and recognizing the physical aspect of cyber security.
The Information Technology & Innovation Foundation (ITIF) recently published a white paper addressing the question, "how much will PRISM cost the U.S. cloud computing industry?" The answer according to ITIF: a lot. ITIF projects that, over the next three years, the U.S. cloud industry will lose at least $22 to $35 billion as foreign customers find alternatives outside the U.S.
The U.S. cloud industry will likely lose revenue as more companies consider other options as a result of the PRISM revelations, but non-U.S. companies will not be the primary driver behind those losses. Instead, the losses will stem from U.S. companies pursuing alternatives such as internal data centers and private, on-premises clouds.
Every company is at cyber risk. Reports of high-profile cyber attacks make headlines almost every day and confirm the reality: cyber attacks are on the rise with unprecedented frequency, sophistication and scale. And it is abundantly clear that network security alone cannot entirely address the issue; no firewall is unbreachable, no security system impenetrable.
The problem is exacerbated by the trend in outsourcing of data handling, processing and/or storage to third-party vendors, including “cloud” providers. A 2012 Ponemon benchmark study found that over 41% of U.S. data breaches are caused by third parties’ errors, including “when protected data is in the hands of outsourcers, cloud providers and business partners.” Third party errors also increase the average cost of a breach “by as much as $43 per record” according to the new 2013 study — significant considering the average cost is $188 per record.
By Marty Stern
The recent rise in frequency and sophistication of cyber attacks underscores the reality that nearly every company faces some sort of risk. Data security breaches and distributed denial-of-service (DDoS) attacks, among others, can target every industry from financial markets to social media. News headlines have highlighted attacks and breaches involving Sony, Citi, the New York Times, and LivingSocial, among others. These attacks create increasing prevention, regulatory, insurance, and recovery costs, suggesting that companies need to be aware of these risks and implement policies and procedures to protect their infrastructure, data, intellectual property, and other assets in efforts to mitigate and avoid exposure.
A K&L Gates presentation entitled “What Your Company Needs to Know about Cybersecurity,” recently focused on these issues and a series of cybersecurity best practices, featuring K&L Gates partners Roberta Anderson, David Bateman, and Bruce Heiman. The program provided an introduction to managing Advanced Persistent Threats on data and infrastructure, understanding the legal and regulatory developments surrounding cybersecurity, dealing with agency and class-action litigation risks, as well as mitigating loss through insurance coverage relating to cyber risks. Noting that no single approach provides a silver bullet, the panel discussed a comprehensive strategy, focusing on prevention and deterrence, pursuit of perpetrators, response to attacks, avoidance of legal/regulatory liability, and loss mitigation.
An audio archive of the webcast is available here (free registration required; password “klgates”). To download the presentation slides, click here. For the additional presentation materials, click here.
Cloud contracts present a variety of issues, including several business issues that companies should address in the early stages of any cloud strategy. Below are a few best practices that companies should consider when pursuing cloud contracts.
K&L Gates lawyers Nickolas Milonas, Marc Martin, and Paul Stimers have posted an article at TMT Law Watch covering the recent Cyberspace Executive Order signed by President Obama. "Cybersecurity Executive Order Aims to Increase Information Sharing and Strengthen Defenses" addresses the contents of the order as well as the reception by industry groups, privacy groups and legislators. A key part of the Executive Order is the requirement that NIST develop cybersecurity best practices within the next eight months:
The order also directs the Commerce Department’s National Institute of Standards and Technology (NIST) to work with companies that operate critical infrastructure components in developing a set of cybersecurity best practices within 240 days of the order. The order requires that NIST’s framework be “technology neutral” and focused on “cross-sector security standards and guidelines applicable to critical infrastructure.” As part of this process, federal agencies will need to review their existing cybersecurity regulations, in consultation with the industries they regulate, to determine if existing measures are consistent with NIST’s new standards.
These best practices will certainly filter down to cloud providers and could eventually be viewed as the minimum industry standard security practices for the cloud industry. For this reason, cloud providers and cloud customers should pay special attention as they develop.
You can read the full article here.
By Chad King and Nickolas Milonas
The United States and Japan recently concluded a Director General-level meeting of the US-Japan Policy Cooperation Dialogue on the Internet Economy, addressing cloud computing and other Internet-related issues. The Cooperation Dialogue is focused on developing bilateral Internet policy initiatives and includes senior-level US and Japanese government officials and industry representatives. As part of a working group on cloud computing issues, representatives from US and Japanese industries submitted a joint report to the US and Japanese governments, which highlighted the benefits of robust and widely-adopted cloud computing services but cautioned against the potential adverse impacts of increased EU privacy regulations on the deployment and adoption of cloud services.
The upcoming national election not only determines who will sit in the Oval Office and on Capitol Hill. It will also impact every emerging technology company, their investors and American innovation for years to come.
You are invited to a Webinar on November 7th -- the day after the election -- to hear how the election's results will impact a wide range of emerging technologies, including cleantech/renewable energy, healthcare/biosciences, and emerging IT/cloud computing.
By Katie Taylor
SaaS, PaaS and data hosting providers stress the significant efficiencies to be gained from cloud computing when marketing their services. Depending on the cloud computing system you are considering, however, a number of features may have a significant impact on your company’s ability to comply with electronic discovery obligations should it be sued or subpoenaed.
By Susan Altman
As we reported last year, state bar associations are weighing in on the ethical duties of a lawyer performing legal services in the cloud.
First Circuit's Patco Decision Clarifies Liability Rules for Providers of Online Banking Services; Federal Regulators Provide New Guidance on Cloud Computing
Banking services increasingly are being provided via the cloud. The ability of banking customers to access accounts and transfer funds from any computer, via cloud-based online banking, also has increased the opportunities for fraudulent transfers. Who bears the liability when thieves gain unauthorized online access to a business account -- the business customer, or the bank? In a post on our Consumer Financial Services Watch blog, my colleague Holly Towle looks at a recently issued appellate decision (Patco Construction Co. v. People's United Bank (1st Cir. July 3, 2012)) addressing liability for several hundred thousand dollars of fraudulent withdrawals from a construction company's bank account. The decision applied the principles of Article 4A of the Uniform Commercial Code to determine that the bank's security procedures were not reasonable, and remanded the case for consideration of other issues.
In an earlier post, Starting Out is the Hardest Part, Todd Fisher discusses the importance of the implementation phase to the success of a SaaS launch. Vendors who have implemented their solutions many times over should be able to provide detailed estimates of the implementation plan once they have performed sufficient due diligence on the customer. This due diligence certainly should be performed prior to contract execution for any important function or application moving to a SaaS solution. However, not all SaaS solutions are mission-critical and not all implementation planning is done before execution of the SaaS contract. In these cases, the parties should consider alternative risk-reduction approaches.
In an effort to ease concerns regarding security of personal information, some European companies and cloud providers are pushing for a “German Cloud” where customers’ data is held in data centers located only in Germany. This would not only help companies comply with Germany’s strict data protection requirements, but would also keep cloud data out of the reach of other governments, including requests by the US government under the US Patriot Act.