
David Z. Bodenheimer is a Government Contracts Group partner and litigator in Crowell & Moring's Washington, D.C. office. Mr. Bodenheimer brings 33 years of hands-on experience in doing business with the federal government. Nationally ranked by Chambers USA in Government Contracts and described as "an impressive government contracts practitioner" and "a fabulous writer," he has found solutions for clients for everything from bet-the-company cases to the day-to-day complexities of government contracting.

The FDA recently passed down a set of guidelines governing the cybersecurity of medical devices. The guidelines, which are the first of their kind, were issued in response to the FDA’s recognition of the particular security concerns involved in the handling of sensitive medical information. The recommendations vary based on the specific vulnerabilities of each

Hackers, terrorists, and cyber criminals have ignited escalating threats to cybersecurity, homeland defense, and privacy largely unanticipated by the legal profession a generation ago. Today, lawyers must grapple with the intersection of technology, information governance, and law, navigating unprecedented legal challenges and crafting practical solutions on the emerging cyber, homeland, and privacy frontiers.

On behalf

Cybersecurity’s escalating threats, intensifying oversight, and expanding publicity in recent years exploded in 2013. It was a year bookended by President Obama’s cybersecurity warnings in his State of the Union message and the mega-breaches at Target and Neiman-Marcus. And it gave us a cyber panorama – the Cybersecurity Executive Order; industry security reports of massive

With cyber heists plundering $1 trillion in global intellectual property (per President Obama) and driving “the greatest transfer of wealth in human history” (per NSA Director Alexander), corporations face bet-the-company threats when cyber attacks and data breaches empty their intellectual property vaults, torpedo their mergers and business deals, and crush their stock prices. In our

After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in the draft version and provides a blueprint to align cybersecurity efforts (along with the accompanying Roadmap document

On January 9, the Securities & Exchange Commission (“SEC”) released its National Examination Priorities (“NEP”) for 2014 and once again identified cybersecurity as a heightened risk that the agency intends to scrutinize as part of its mission to protect investors.  The NEP identifies technology — specifically, companies’ governance and supervision of IT systems, information security, and response readiness — as one of its most significant initiatives for 2014.  The NEP’s Broker-Dealer Exam Program also identifies market access controls related to “information leakage and cyber security” as a core risk on which the agency will focus in the coming year.

We wrote in a previous post about the SEC’s intensifying focus on corporations’ cybersecurity efforts – and on their cybersecurity weaknesses and risks.  Cybersecurity has continued to be a focal point for the SEC, especially in the face of mounting Congressional pressure on the agency to demand more transparency from companies about their cybersecurity risks and steps taken to address those risks, and recent reports of cyberattacks against U.S. companies and the massive costs to those companies that result.  SEC Chair Mary Jo White noted in a speech to the National Association of Corporate Directors in October that cybersecurity was a “hot topic from many perspectives.”  This year’s NEP is the latest sign that corporate cyber risks and incidents will remain in the agency spotlight in 2014.

A DFARS final rule (Nov. 18, 2013) on the safeguarding of unclassified, controlled technical information requires contractors, among other things, to report within 72 hours of discovery any “cyber incident” (an action that results in an actual or potentially adverse effect on an information system and/or the information residing therein), preserve relevant data for at

Adding another building block to implementation of the President’s cybersecurity executive order issued in February 2013, the Department of Commerce’s National Institute of Standards and Technology (NIST) released its Preliminary Cybersecurity Framework on October 22, 2013. As discussed in greater detail in the attached Bullet Analysis by David Bodenheimer, Evan Wolff, and Eliot Golding, this

As the cyber threats continue to escalate sharply, Congress confronts a host of daunting tasks for bolstering cybersecurity, such as: balancing security while maintaining privacy; enhancing public-private partnerships while keeping information safe; and assuring accountability while maintaining flexible and agile security standards. At noon on November 7, Staff members from four Senate and House committees

With no comprehensive cybersecurity legislation nearing the finish line, Congress and federal agencies have attempted to fill the void with a series of piecemeal laws, regulations, and policies leaving both the public and private sector with fragmented — even inconsistent — guidance on how to defend cyberspace.  As we discuss in our recent article, “