Government Regulations & FISMA

After a year of development, NIST has released the long-awaited Cybersecurity Framework, which promises to have significant implications for the public and private sectors alike. The final version retains much of the Framework Core set forth in the draft version and provides a blueprint to align cybersecurity efforts (along with the accompanying Roadmap document

In a January 15, 2014 update, the National Institute of Standards and Technology (“NIST”) announced that it would eliminate contentious privacy provisions in Appendix B of the Preliminary Cybersecurity Framework. The appendix was originally intended “to protect individual privacy and civil liberties” as part of the February 2013 Executive Order 13636 requiring NIST

A DFARS final rule (Nov. 18, 2013) on the safeguarding of unclassified, controlled technical information requires contractors, among other things, to report within 72 hours of discovery any “cyber incident” (an action that results in an actual or potentially adverse effect on an information system and/or the information residing therein), preserve relevant data for at

With the HIPAA Final Rule now in place, business associates as well as subcontractors must comply with the entire Security Rule (among other aspects of HIPAA) and face direct liability for the failure to do so. Some entities may be surprised to learn they are subject to HIPAA given the recently expanded definition of “business

2013 has been a historic year for cybersecurity, privacy and data breach issues. From the President’s Executive Order, to the revised NIST security & privacy controls, and to the groundbreaking Mandiant report on cyber espionage, the pressure is on for companies to secure their handling of sensitive data.

In order to mitigate the risk of

With no comprehensive cybersecurity legislation nearing the finish line, Congress and federal agencies have attempted to fill the void with a series of piecemeal laws, regulations, and policies, leaving both the public and private sectors with fragmented, even inconsistent, guidance on how to defend cyberspace. As we discuss in our recent article, “

Following its key cyber role in President Obama’s Executive Order No. 13636 issued this February, the National Institute of Standards and Technology (NIST) again seized the reins on federal cybersecurity standards on April 30, issuing the 457-page tome, Security and Privacy Controls for Federal Information Systems and Organizations, that not only provides the “most

The Health Insurance Portability and Accountability Act (HIPAA) final rule published on January 25, 2013 contains important changes that affect data management organizations, such as cloud providers. In many cases, entities that have access to health information will be considered “Business Associates.” Such entities would therefore be required to comply with HIPAA’s extensive security provisions within the next six months and could face significant liability for the failure to do so. This may be particularly troublesome for cloud providers and e-discovery vendors because such requirements and potential liability may apply even where vendors do not actively solicit health information.

On January 14, 2013, a federal court sanctioned the government for failing to preserve a website advertising a $32 million Department of Veterans Affairs procurement, finding that the Federal Acquisition Regulations requiring the government to preserve documents related to procurements triggered its duty to preserve the website. Noting that the government’s conduct amounted to negligence

On September 27, 2012, the Federal Trade Commission published final revisions to the Commission’s Rules of Practice governing its investigatory process (16 CFR Part 2) and attorney discipline (16 CFR Part 4). Spurred in large part by the challenges posed by discovery of electronically stored information, the Commission explained that the final rules will “update and improve the Commission’s Part 2 investigation process by accounting for and incorporating modern discovery methods, facilitating the enforcement of Commission compulsory process, and generally increasing efficiency and cooperation.” After the Commission published its proposed revisions on January 23, 2012, a number of individuals and organizations, including Crowell & Moring, submitted public comments regarding the FTC’s proposed amendments. While the Commission adopted the bulk of the proposed rule changes without modification, it agreed that “some of the proposed rules can be modified to better reduce the burdens of the Part 2 process without sacrificing the quality of the investigation.” Accordingly, the Commission’s modifications to the proposed rules include (1) a revision of the privilege log specifications to decrease the burden on respondents, while still accounting for staff’s need to effectively evaluate privilege claims; (2) extending the deadline for the first meet and confer to decrease the burden on recipients of process and their counsel; and (3) implementing a “safety valve” provision allowing parties showing good cause to file a petition to limit or quash before any meet and confer has taken place.

Revisions to Proposed Rules Based on Public Comments

The original proposed amendments required additional detailed and specific information for withheld privileged material to be provided on a privilege log, which must be attested by the lead or supervising attorney responsible for asserting the privilege claims [Rule 2.11(a)]. This amendment was largely adopted as proposed, but the staff responded to certain concerns raised by commenters in the final rule by permitting respondents to (1) append a legend to the log enabling them to more conveniently identify the titles, addresses, and affiliations of authors, recipients, and persons copied on privileged material; (2) more conveniently identify authors or recipients acting in their capacity as attorneys by marking them with an asterisk on the privilege log; and (3) forgo providing the number of pages or bytes of a withheld document, and instead provide document control numbers.