Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

EDRM’s TAR Guidelines: Validity Measures and Considerations for Practitioners

Posted in Information Management, Litigation, Product Liability & Torts, Proportionality, Technology Assisted Review, Uncategorized
Genevieve Moreland; Kate Watkins

EDRM and the Bolch Judicial Institute at Duke Law recently released Technology Assisted Review (TAR) Guidelines (Guidelines) with the aim “to objectively define and explain technology-assisted review for members of the judiciary and the legal profession.” Among the topics covered are the validation and reliability measures practitioners can use to defend their TAR processes. This post summarizes this validation and reliability guidance, which has the potential to be a widely-referenced authority on this topic going forward.

According to EDRM, there are no “bright-line rules” governing what constitutes a reasonable review or one standard measurement to validate the results of TAR. Instead, principles of reasonableness and proportionality as set forth in FRCP Rule 26 generally guide the inquiry.

DoD Increases DCMA Cybersecurity Responsibilities

Posted in Cybersecurity / Data Security
Evan D. Wolff; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G

The Department of Defense recently released a memorandum directing the Defense Contract Management Agency (DCMA) to implement and assess company-wide cyber compliance with the DFARS Safeguarding Clause and related security standard, NIST SP 800-171.  For further analysis, visit our Government Contracts Legal Forum blog post.

For GCs, Tech Can Separate Courtroom Winners And Losers

Posted in Litigation, Technology Assisted Review
Crowell & Moring

“In-house attorneys should aggressively deploy the technology that’s all but taken for granted in legal operations to map out litigation strategies, and failing to do so increasingly means losing out to savvier adversaries, according to a report released Wednesday by Crowell & Moring LLP.”

To read the full Law360 article, please click here.

E-Discovery – AI: E-Discovery Gets Smarter

Posted in Cybersecurity / Data Security, Uncategorized
Crowell & Moring

E-discovery does not sit still. To provide high-level service, practitioners necessarily deal with legal technology at the bleeding edge of development. This involves the embrace of nascent artificial intelligence (AI) in combination with other analytic tools and techniques to tackle increasingly challenging discovery projects. As ever-expanding volumes and sources of information strain the capacity of counsel to manage discovery, AI is coming just in time.

To read the full article on Crowell’s website, please click here.

Welcome To Your New War Room. Take A Look At Our Litigation Forecast Cover Story To See How Companies Are Using Technology To Advance Litigation Case Strategy

Posted in Uncategorized
Crowell & Moring


Crowell & Moring has issued its seventh-annual “Litigation Forecast 2019: What Corporate Counsel Need to Know for the Coming Year.” 

The Forecast cover story, “Welcome to Your New War Room: How Technology Is Finding Its Way into Litigation Case Strategy,” explores how companies and law firms are leveraging technology to improve their legal operations and litigation strategy.

The section on Privacy & Cybersecurity, “Targeted Data Privacy Laws Increase Risk,” examines how data privacy has been a growing source of class action litigation for some time and how recently enacted state laws are now opening the door to new areas of risk.

The Forecast focuses on how technology is impacting the practice of law and litigation case strategy in particular, and provides forward-looking perspectives on technological developments that can help corporate counsel identify the many opportunities and challenges ahead as they harness its power.

Be sure to follow the conversation on Twitter with #LitigationForecast.

NIST Surveys and Assesses Broad Landscape of IoT Cybersecurity Standards in Interagency Report

Posted in Cybersecurity / Data Security, Information Management, Internet of Things, Privacy
Cheryl A. Falvey; Gabriel Ramsey; Kate M. Growley, CIPP/G, CIPP/US; Paul Mathis

Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:

SEC Encourages Internal Accounting Controls to Guard Against Cyber Fraud

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies
Paul Rosen; Daniel Zelenko; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G; Paul Mathis

Concluding its investigation into the internal accounting controls of nine public issuers who were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”), Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.”

NIST Offers Insight Into Updated Risk Management Framework

Posted in Cybersecurity / Data Security
Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPT; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G

The National Institute of Standards and Technology (NIST) has recently provided a glimpse into its revised Risk Management Framework (RMF). NIST issued a Final Draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy. The focus of the revised Framework, which is open for comment through October 31, 2018, is to integrate privacy and data security. The RMF features several updates aimed at supply chain risk, the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, which is focused on information security for federal information systems but now with an added emphasis on privacy-by-design. One of the key changes to the Framework is the introduction of a new step in the RMF process – “Prepare.” The purpose of this step is to achieve more cost-effective and efficient security and privacy risk management processes. The revision also seeks comment about a new task to improve the quality of privacy and security risk assessments, “identify[ing] and understanding all stages of the information life cycle.” In addition, the updated Risk Management Framework includes, among others, the following objectives, which strike some familiar notes:

    • Integrating security-related, supply chain risk management concepts into the RMF to address untrustworthy suppliers (e.g., poor manufacturing, counterfeits, tampering, malicious code, etc.);
    • Demonstrating how the NIST Cybersecurity Framework can be combined with the RMF to establish NIST risk management processes;
    • Allowing an organization-generated control selection approach to support the use of the consolidated control catalog in the pending NIST SP 800-53, Revision 5.

The revised RMF reflects the increasing trend, at NIST and more broadly in both the public and private sectors, toward approaching risk assessment and risk management as a comprehensive, enterprise-wide responsibility rather than as a series of discrete activities divided into subject matter silos.

Navy Boils The Ocean on Cyber

Posted in Cybersecurity / Data Security, Privacy
Evan D. Wolff; Kate M. Growley, CIPP/G, CIPP/US; Michael G. Gruden, CIPP/G

The Navy has recently issued a policy memorandum entitled “Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks” that calls for heightened cybersecurity requirements and oversight for “critical” government contractors handling their sensitive government data, broadly referred to as controlled unclassified information (“CUI”) or “covered defense information” (“CDI”) within the defense sector. The memo reflects a continued focus within the Department of Defense on evaluating contractors’ compliance with the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012 Safeguarding Clause, which defines the baseline protections that all defense contractors need to implement to protect CDI. Under the Clause, contractors must demonstrate their IT security compliance with 110 security controls found within the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 through documentation in a System Security Plan (“SSP”), even if that documentation discusses how certain controls are not yet implemented. The Navy memo takes those requirements several steps further. For example, the Navy will require select contractors to submit fully implemented SSPs for evaluation – something the DoD has generally discussed but not yet done on this programmatic scale. The Navy’s evaluation will also ensure that historically challenging NIST requirements such as multifactor authentication and data encryption are satisfactorily met. Additionally, the Navy will impose wholly new requirements not found in the Clause. Among them is the requirement to allow the Naval Criminal Investigative Services (“NCIS”) to install “network sensors” on contractors’ information systems when NCIS intelligence detects a potential vulnerability.

These Naval additions highlight the potentially divergent approaches that different arms of the DoD are beginning to take in response to their unique risk calculations.  The memo serves as a reminder that the extensive cybersecurity requirements of the DFARS are only the floor and remain subject to each government customer identifying its own ceiling.

Outcome of Privacy Shield Review Uncertain, Despite U.S. Steps Toward Compliance

Posted in GDPR, Privacy
Maarten Stassen; Lee Matheson CIPP/US, CIPP/E, CIPP/A, CIPM

When the European Commission re-approved the Privacy Shield agreement during its first annual review in the fall of 2017, permitting the transatlantic transfer of personal information to compliant U.S. companies to continue, it did so with a number of reservations. As the Privacy Shield agreement fast approaches its second annual review at the end of this week, it remains to be seen if the steps taken by the U.S. government at the close of the summer will be enough to satisfy skeptical European lawmakers.
