Our Cybersecurity practice has unsurpassed experience addressing the most significant cybersecurity matters confronted by commercial enterprises. We have assisted clients in responding to scores of cybersecurity incidents, ranging from security breaches perpetrated by inside actors, to sophisticated external attacks involving millions of customer and employee records, to several of the largest cyber-related financial crimes on record. These incidents have spanned a broad range of industries, including financial services, pharmaceuticals, media and Internet content companies, retail, technology, communications, defense, energy, software, travel-related services, and data-based services companies. Many of these incidents have been global in nature.
Our cybersecurity lawyers and advisors are based on both coasts of the United States, and in Europe and Asia. We regularly work with multinational companies on the full lifecycle of cybersecurity events, including development of internal compliance policies and incident response planning; incident response, investigation, and remediation; and defense of claims and pursuit of recoveries. We have unparalleled depth across a range of practice areas that intersect with cyber-related risks, including insurance, litigation, corporate governance, and regulatory compliance, to name a few.
Enterprises face threats from multiple vectors, including, among others, state-sponsored actors, criminal organizations, hacktivists, competitors, and insiders—with potential for incidents that may include denial-of-service attacks, theft of funds or IP, breaches of payment card data and other sensitive customer information, and other significant compromises. Unlike many other firms, Covington does not approach cybersecurity as simply a subset of our broader privacy practice. Rather, we take a truly multi-dimensional, cross-disciplinary approach, taking into account not only privacy law, but also the potential impact of any particular threat vector on U.S. national security and the integrity of critical enterprises internationally.
Our team includes former senior officials from the Department of Homeland Security and Department of Justice, and we regularly engage with those agencies, as well as the Federal Trade Commission, Federal Bureau of Investigation, Department of Defense, and other federal and international agencies as well as State Attorneys General and EU, Asian, and Latin American data protection authorities, on defending against and responding to cyber threats.
Our areas of focus include:
We have directed the investigations and response into APT attacks from state-sponsored actors and sophisticated criminal groups targeting intellectual property and other proprietary information. These attacks, and the responses, have spanned multiple industries and global companies, with investigations covering four continents.
We have handled multiple large cyber-based financial crimes, including, among others, assisting in the response to one of the largest criminal organization ATM cash drawdowns in U.S. history.
We have addressed regulatory investigations and enforcement actions from regulators in the United States, Europe, and Asia following data breaches. These have included investigations or formal enforcement proceedings brought by the Federal Trade Commission, State Attorneys General, and the Securities and Exchange Commission in the United States, and by data protection authorities and sector-specific regulators across Europe and Asia.
We have a leading practice advising Internet companies and cloud service providers on responding to legal demands seeking access to customer data or network surveillance, served by governments around the world.
We have directed investigations into cyber-based insider thefts of highly sensitive proprietary information and consumer information.
We have advised employer health plans on HIPAA breach notification requirements relating to breaches of protected health information held by the plans.
We regularly advise clients on compliance with information security requirements and best practices, including, among others, governance best practices, vendor contract terms and due diligence, the implementation of information security controls to satisfy regulatory requirements, and the conduct of vulnerability assessments.
We have counseled clients on all aspects of data breach response globally, including incidents involving more than 100,000 impacted employees, payment card incidents involving millions of consumers, and breaches of other personal information impacting more than 50 million consumers.
We have successfully handled the recovery under insurance coverage policies for several of the largest documented data security breaches.
October 20, 2016, Covington Alert
On October 19, 2016, the Board of Governors of the Federal Reserve System (Federal Reserve), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) (collectively the “Agencies”) released a joint Advance Notice of Proposed Rulemaking (ANPR) requesting public comment on enhanced cybersecurity standards that would apply to ...
October 10, 2016, Inside Privacy
Today, our colleagues Susan Cassidy, Ashden Fein, and John Sorrenti posted an article on Inside Government Contracts about the Department of Defense (DoD) issuing a Final Rule implementing mandatory cyber incident reporting requirements for DoD contractors and subcontractors. The article can be read here.
September 15, 2016, Inside Privacy
On September 13, 2016, New York Governor Andrew Cuomo announced a proposed regulation that would require financial service institutions to develop and implement cybersecurity programs to prevent and mitigate cyber-attacks. The proposed regulation will be subject to a 45-day comment period once it is published in the New York State Register. The regulation will ...
September 13, 2016, Inside Privacy
The FTC has become the most recent regulator to take a closer look at ransomware and its impact on consumers. During the FTC’s September 7, 2016, Fall Technology Series on Ransomware, Chairwoman Edith Ramirez announced that the FTC will soon release guidance to businesses on how to protect against ransomware. Ransomware is a malicious software …
September 8, 2016, Inside Privacy
By Catlin Meade and Jenny Martin. On August 31, 2016, the FTC posted a blog addressing whether compliance with the NIST Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”) necessarily constitutes compliance with FTC cybersecurity practices. The FTC answers this question with a resounding “No” and specifically states: “there’s really no ...
August 5, 2016, ABA Journal
Jennifer Martin participated in the American Bar Association’s Annual Meeting and is quoted in an ABA Journal article regarding effective cybersecurity in today’s current threat environment. Martin discussed the importance of concentrating on developing an incident response program. “More and more companies have plans, but the devil is really in the details. She ...
July 27, 2016, Inside Privacy
The White House has released a Presidential Policy Directive on United States Cyber Incident Coordination (PPD-41). PPD-41 is part of President Obama’s broader Cybersecurity National Action Plan, which was unveiled this past February. PPD-41 is primarily geared toward “significant cyber incidents,” which are “likely to result in demonstrable harm to the ...
July 27, 2016, Global Investigations Review
Stephen Surdu and James Garland are quoted in a GIR article regarding Surdu’s arrival to Covington as a Senior Cybersecurity Advisor. “In the fog of war, companies do not think clearly,” Surdu says. “They want to do the right thing, but they do not quite know what that is. As someone who has handled many cybersecurity investigations, I can help calm the ship.” ...
July 25, 2016, Inside Privacy
The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) has released a set of cybersecurity best practices for the automotive industry. The best practices are primarily geared toward automakers, but note that suppliers of motor vehicle components might also benefit from implementing them. The best practices include seven functions, each of which ...
July 25, 2016, Covington Alert
Search warrants served on U.S. Internet companies and cloud service providers cannot obtain customer data stored overseas, the U.S. Court of Appeals for the Second Circuit ruled on July 14. The federal appellate decision focuses on warrants issued under the federal Electronic Communications Privacy Act (“ECPA”) and formally applies only in the Second Circuit, ...
July 21, 2016, Law360
David Fagan and Stephen Surdu are quoted in a Law360 article regarding the launch of Covington’s new Cybersecurity Incident Response Team in conjunction with the arrival of Surdu and Jenny Martin. According to Fagan, “We’re a big firm with clients that span the globe. They can’t control when they have incidents, and you can get calls on a Friday afternoon from ...
July 18, 2016
WASHINGTON—Covington has formed an enhanced team of lawyers and advisors to provide cybersecurity incident response services to clients, highlighted by Stephen Surdu, who formerly led the professional services group of Mandiant, joining the team as a Senior Cybersecurity Advisor.
Through the formation of the Cybersecurity Incident Response Team with members on ...
July 18, 2016, The American Lawyer
James Garland and Steve Surdu are quoted in an American Lawyer article regarding the launch of Covington’s Cybersecurity Incident Response Team, highlighted by Surdu’s recent arrival as a Senior Cybersecurity Advisor. According to Garland, "The lawyers that do the interviews and oversee the forensic investigation, we're experienced but we're not engineers." He ...
July 7, 2016, Covington Alert
The Brazilian financial industry has long been a target of cyber criminals, and with the continued growth of sophisticated online banking services in Brazil, such systems are a prime target for organized crime. In addition, among the emerging BRICS countries (Brazil, Russia, India, China, and South Africa), Brazil is on a par with China and Russia in terms of ...
June 21, 2016, Webinar
June 16, 2016, Inside Privacy
Yesterday, the Department of Homeland Security (“DHS”) and Department of Justice released final guidance as required by Title I of the Cybersecurity Act of 2015 (“CISA”), which was enacted into law this past December. The guidance was prepared in consultation with several additional federal agencies, and includes four separate documents. We summarize each of ...
Cyber insurers commonly require insureds to complete detailed applications, often including extensive technical disclosure and risk self-assessments. The complaint recently filed by the insurer in Columbia Casualty Co. v. Cottage Health System illustrates the pitfalls in these requirements. Cottage Health, an operator of a hospital network, suffered a data ...
Data breaches suffered by retailers and other businesses that handle payment cards can result in substantial assessments by card brands such as MasterCard and Visa. Retailers typically do not process payment card transactions directly with the banks that issue their customers’ cards. Instead, they contract with an intermediary—called an acquiring or servicing ...
June 15, 2016, Inside Privacy
By Ciarra Chavarria and Keir Gumbs. On June 8, 2016, the Securities and Exchange Commission announced that Morgan Stanley Smith Barney LLC (“Morgan Stanley”) had agreed to pay $1 million as a penalty for charges relating to its “failures to protect customer information.” Morgan Stanley’s settlement with the SEC came several months after a federal …
May 3, 2016
NEW YORK — Jennifer Martin has joined Covington’s Data Privacy and Cybersecurity practice. She most recently served as the Director of Cyber Incident Response & Investigations at Symantec.
“Jennifer has worked at the intersection of law and cybersecurity from almost every vantage point over the past 15 years,” said David Fagan, who leads Covington’s cyber and ...
May 2, 2016, Law360
May 2016, National Defense Magazine
April 8, 2016, Covington Alert
On April 6, the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce, issued a Request for Comment (RFC) seeking public feedback on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT).
NTIA issued the RFC as part of the Commerce ...
March 2016, Cyber Security Law & Practice
February 19, 2016, Law360
Mark Young and Libbie Canter are quoted in this Law360 article offering tips on how deal makers can mitigate cybersecurity risks.
According to Young, any discovered incidents can give buyers pause on how — and if — they want to move forward. “We’ve dealt with at least a couple examples where deals were at least delayed if not reconsidered because of ...
January 12, 2016, Covington Alert
December 2015, Privacy & Data Protection
October 13, 2015
WASHINGTON, DC, October 13, 2015 - Covington addresses the critical issue of how to manage risks associated with third-party outsourcing in Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. Published in collaboration with Palo Alto Networks and the New York Stock Exchange, the book provides boards, executives and ...
October 6, 2015, Covington Alert
October 2015, Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
September 2015, Bloomberg BNA World Data Protection Report
August 27, 2015, Inside Cybersecurity
Susan Cassidy was quoted in this article.
August 13, 2015, Inside Cybersecurity
Susan Cassidy was quoted in this article.
August 12, 2015, The Cybersecurity Law Report
August 11, 2015
WASHINGTON, DC, August 11, 2015 — The Los Angeles Business Journal has named Covington partner and former federal prosecutor Daniel Shallman to its list of the city’s “Most Influential Lawyers” in the white collar and cyber practice areas.
In selecting Mr. Shallman, the publication noted that he has handled “a string of impressive matters” since joining the firm ...
August 2015, Bloomberg BNA World Data Protection Report
July 17, 2015, Webinar
July 13, 2015, China Law & Practice
July 10, 2015, Covington Alert
July 2, 2015, Covington Alert
June 12, 2015, InsidePrivacyBlog
June 9, 2015, InsideCounsel
May 12, 2015, Inside Counsel
May 2015, Privacy Laws & Business UK Report
March 13, 2015, CDR News
March 12, 2015, InsideCounsel
March 9, 2015, The National Law Journal
February 28, 2015, InsidePrivacy Blog
February 19, 2015, Inside Counsel
February 2015, Bloomberg BNA World Data Protection Report
January 2015, Regulatory Rapporteur
November/December 2014, E-Commerce Law Reports
October 10, 2014, InsideMedicalDevices Blog
2014, Data Protection and Privacy Law (2nd Edition, Thomson Reuters)
September 2014, World Data Protection Report
August 29, 2014, InsidePrivacy Blog
June 2014, E-Commerce Law & Policy
May 14, 2014, InsidePrivacy Blog
April 8, 2014, InsidePrivacy Blog
April 2014, West Briefing Papers
November 27, 2013, Covington E-Alert
October 24, 2013, Covington E-Alert
October 8, 2013, Law360
April 25, 2013, Law360
April 2013, World Data Protection Report
May 21, 2012, Corporate Counsel
May 2010, Privacy Law & Business
October 2009, The Privacy Advisor
November 24, 2008, Covington E-Alert