Our Cybersecurity practice has unsurpassed experience addressing the most significant cybersecurity matters confronted by commercial enterprises. We have assisted clients in responding to scores of cybersecurity incidents, ranging from security breaches perpetrated by inside actors, to sophisticated external attacks involving millions of customer and employee records, to several of the largest cyber-related financial crimes on record. These incidents have spanned a broad range of industries, including financial services, pharmaceuticals, media and Internet content companies, retail, technology, communications, defense, energy, software, travel-related services, and data-based services companies. Many of these incidents have been global in nature.
Our cybersecurity lawyers and advisors are based on both coasts of the United States, and in Europe and Asia. We regularly work with multinational companies on the full lifecycle of cybersecurity events, including development of internal compliance policies and incident response planning; incident response, investigation, and remediation; and defense of claims and pursuit of recoveries. We have unparalleled depth across a range of practice areas that intersect with cyber-related risks, including insurance, litigation, corporate governance, and regulatory compliance, to name a few.
Enterprises face threats from multiple vectors, including, among others, state-sponsored actors, criminal organizations, hacktivists, competitors, and insiders—with potential for incidents that may include denial-of-service attacks, theft of funds or IP, breaches of payment card data and other sensitive customer information, and other significant compromises. Unlike many other firms, Covington does not approach cybersecurity as simply a subset of our broader privacy practice. Rather, we take a truly multi-dimensional, cross-disciplinary approach, taking into account not only privacy law, but also the potential impact of any particular threat vector on U.S. national security and the integrity of critical enterprises internationally.
Our team includes former senior officials from the Department of Homeland Security and Department of Justice, and we regularly engage with those agencies, as well as the Federal Trade Commission, Federal Bureau of Investigation, Department of Defense, and other federal and international agencies as well as State Attorneys General and EU, Asian, and Latin American data protection authorities, on defending against and responding to cyber threats.
Our areas of focus include:
We have directed the investigations and response into APT attacks from state-sponsored actors and sophisticated criminal groups targeting intellectual property and other proprietary information. These attacks, and the responses, have spanned multiple industries and global companies, with investigations covering four continents.
We have handled multiple large cyber-based financial crimes, including, among others, assisting in the response to one of the largest criminal organization ATM cash drawdowns in U.S. history.
We have addressed regulatory investigations and enforcement actions from regulators in the United States, Europe, and Asia following data breaches. These have included investigations or formal enforcement proceedings brought by the Federal Trade Commission, State Attorneys General, and the Securities and Exchange Commission in the United States, and by data protection authorities and sector-specific regulators across Europe and Asia.
We have a leading practice advising Internet companies and cloud service providers on responding to legal demands seeking access to customer data or network surveillance, served by governments around the world.
We have directed investigations into cyber-based insider thefts of highly sensitive proprietary information and consumer information.
We regularly advise clients on compliance with information security requirements and best practices, including, among others, governance best practices, vendor contract terms and due diligence, the implementation of information security controls to satisfy regulatory requirements, and the conduct of vulnerability assessments.
We have counseled clients on all aspects of data breach response globally, including incidents involving more than 100,000 impacted employees, payment card incidents involving millions of consumers, and breaches of other personal information impacting more than 50 million consumers.
We have successfully handled the recovery under insurance coverage policies for several of the largest documented data security breaches.
We have advised employer health plans on HIPAA breach notification requirements relating to breaches of protected health information held by the plans.
March 22, 2017, Inside Privacy
Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers. The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve ...
March 6, 2017, Inside Privacy
On March 2nd, Democratic members of the House Energy and Commerce Committee introduced three pieces of legislation that would expand the Federal Communications Commission’s (FCC) authority over the cybersecurity practices of communications network providers. The first bill, the “Securing IoT Act of 2017” (introduced by Rep. Jerry McNerney (D-CA)), would expand ...
February 22, 2017, The Cybersecurity Law Report
Steve Surdu was interviewed by The Cybersecurity Law Report for a three-part series on the role of forensic firms during a cyber breach. Part one discusses how to understand and leverage the expertise of forensic firms from the start. According to Surdu, forensic consultants have specialized skills and knowledge “that are very difficult for most organizations to ...
February 17, 2017, Inside Privacy
The Trump Administration appears likely to release an Executive Order on Cybersecurity. The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors. However, it remains unclear if and when the current draft will be signed. President Trump originally was scheduled to sign an ...
February 7, 2017, Covington Alert
On February 4, 2017, the Cyberspace Administration of China (“CAC”) released the draft Measures on the Security Review of Network Products and Services (“the draft Measures”) for public comment (official Chinese version available here; Covington’s translation of the draft Measures is here). The comment period ends on March 4, 2017.
January 24, 2017, Law360
Mark Young, Jennifer Martin, and Ian Hargreaves are quoted in a Law360 article regarding the high level of cyberattacks on the financial services industry and the resulting regulatory pressures. According to Young, “The GDPR [General Data Protection Regulation] is a massive text with groundbreaking change in the data privacy area, in terms of compliance ...
January 19, 2017, Inside Privacy
The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by OCIE), recently released their 2017 examination priorities. It is no surprise to find cybersecurity listed as an examination priority again ...
January 17, 2017, Inside Privacy
For those considering submitting comments on the federal advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management standards, you’ve been granted an extension. The agencies involved—the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—announced ...
January 17, 2017, Federal Contracts Report
Susan Cassidy is quoted in a Federal Contracts Report article regarding the fate of cybersecurity improvements made by the DoD under President Trump. According to Cassidy, “I would expect those to continue forward because I don't see a political will to say, ‘No you shouldn't protect this.’”
The nomination of former Sen. Dan Coats (R-Ind.) to serve as director ...
January 14, 2017, Inside Privacy
By Christopher Hanson
On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.” In a separate post, we reported on the January 22, 2016 draft version of this guidance document. The final guidance provides FDA’s recommendations on a risk-based framework for medical device ...
January 6, 2017, Inside Privacy
In our previous post, we discussed seven draft cybersecurity and data protection national standards released by China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), on December ...
January 6, 2017, PaymentsCompliance
Jennifer Martin is quoted in a PaymentsCompliance article regarding revisions to “first-in-nation” cybersecurity rules made by New York financial regulators following industry backlash. According to Martin, third-party service due diligence requirements had been clarified to “narrow and more clearly describe the regulation’s applicability to vendors.”
January 4, 2017, Covington Alert
President Obama announced several actions on December 29 to respond to Russian cyber operations that the U.S. intelligence community previously had concluded were intended to influence the U.S. presidential election. Specifically, the President revised and expanded an earlier executive order that blocks the property and interests in property of persons that ...
December 23, 2016, Inside Privacy
Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016. That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take effect on March 1, 2017. This …
On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks. As we covered when Governor Andrew Cuomo ...
December 21, 2016, Inside Privacy
By Tim Stratford and Yan Luo
China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released seven draft national standards related to cybersecurity and data privacy for public ...
November 2, 2016
NEW YORK—The National Law Journal has named Covington’s Jennifer Martin as one of its “Cybersecurity & Data Privacy Trailblazers.” The list profiles 50 lawyers “who have helped make a difference in the fight against criminal cyberactivity and towards adding much needed layers of data security in an increasingly digital world of commerce.”
Ms. Martin has worked ...
October 20, 2016, Covington Alert
On October 19, 2016, the Board of Governors of the Federal Reserve System (Federal Reserve), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC) (collectively the “Agencies”) released a joint Advance Notice of Proposed Rulemaking (ANPR) requesting public comment on enhanced cybersecurity standards that would apply to ...
August 5, 2016, ABA Journal
Jennifer Martin participated in the American Bar Association’s Annual Meeting and is quoted in an ABA Journal article regarding effective cybersecurity in today’s current threat environment. Martin discussed the importance of concentrating on developing an incident response program. “More and more companies have plans, but the devil is really in the details. She ...
July 27, 2016, Global Investigations Review
Stephen Surdu and James Garland are quoted in a GIR article regarding Surdu’s arrival to Covington as a Senior Cybersecurity Advisor. “In the fog of war, companies do not think clearly,” Surdu says. “They want to do the right thing, but they do not quite know what that is. As someone who has handled many cybersecurity investigations, I can help calm the ship.” ...
July 25, 2016, Covington Alert
Search warrants served on U.S. Internet companies and cloud service providers cannot obtain customer data stored overseas, the U.S. Court of Appeals for the Second Circuit ruled on July 14. The federal appellate decision focuses on warrants issued under the federal Electronic Communications Privacy Act (“ECPA”) and formally applies only in the Second Circuit, ...
July 21, 2016, Law360
David Fagan and Stephen Surdu are quoted in a Law360 article regarding the launch of Covington’s new Cybersecurity Incident Response Team in conjunction with the arrival of Surdu and Jenny Martin. According to Fagan, “We’re a big firm with clients that span the globe. They can’t control when they have incidents, and you can get calls on a Friday afternoon from ...
July 18, 2016
WASHINGTON—Covington has formed an enhanced team of lawyers and advisors to provide cybersecurity incident response services to clients, highlighted by Stephen Surdu, who formerly led the professional services group of Mandiant, joining the team as a Senior Cybersecurity Advisor.
Through the formation of the Cybersecurity Incident Response Team with members on ...
July 18, 2016, The American Lawyer
James Garland and Steve Surdu are quoted in an American Lawyer article regarding the launch of Covington’s Cybersecurity Incident Response Team, highlighted by Surdu’s recent arrival as a Senior Cybersecurity Advisor. According to Garland, "The lawyers that do the interviews and oversee the forensic investigation, we're experienced but we're not engineers." He ...
July 7, 2016, Covington Alert
The Brazilian financial industry has long been a target of cyber criminals, and with the continued growth of sophisticated online banking services in Brazil, such systems are a prime target for organized crime. In addition, among the emerging BRICS countries (Brazil, Russia, India, China, and South Africa), Brazil is on a par with China and Russia in terms of ...
June 21, 2016, Webinar
May 3, 2016
NEW YORK — Jennifer Martin has joined Covington’s Data Privacy and Cybersecurity practice. She most recently served as the Director of Cyber Incident Response & Investigations at Symantec.
“Jennifer has worked at the intersection of law and cybersecurity from almost every vantage point over the past 15 years,” said David Fagan, who leads Covington’s cyber and ...
May 2, 2016, Law360
May 2016, National Defense Magazine
April 8, 2016, Covington Alert
On April 6, the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce, issued a Request for Comment (RFC) seeking public feedback on the benefits, challenges, and potential roles for the government in fostering the advancement of the Internet of Things (IoT).
NTIA issued the RFC as part of the Commerce ...
March 2016, Cyber Security Law & Practice
February 19, 2016, Law360
Mark Young and Libbie Canter are quoted in this Law360 article offering tips on how deal makers can mitigate cybersecurity risks.
According to Young, any discovered incidents can give buyers pause on how — and if — they want to move forward. “We’ve dealt with at least a couple examples where deals were at least delayed if not reconsidered because of ...
January 12, 2016, Covington Alert
December 2015, Privacy & Data Protection
October 13, 2015
WASHINGTON, DC, October 13, 2015 - Covington addresses the critical issue of how to manage risks associated with third-party outsourcing in Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers. Published in collaboration with Palo Alto Networks and the New York Stock Exchange, the book provides boards, executives and ...
October 6, 2015, Covington Alert
October 2015, Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers
September 2015, Bloomberg BNA World Data Protection Report
August 27, 2015, Inside Cybersecurity
Susan Cassidy was quoted in this article.
August 13, 2015, Inside Cybersecurity
Susan Cassidy was quoted in this article.
August 12, 2015, The Cybersecurity Law Report
August 11, 2015
WASHINGTON, DC, August 11, 2015 — The Los Angeles Business Journal has named Covington partner and former federal prosecutor Daniel Shallman to its list of the city’s “Most Influential Lawyers” in the white collar and cyber practice areas.
In selecting Mr. Shallman, the publication noted that he has handled “a string of impressive matters” since joining the firm ...
August 2015, Bloomberg BNA World Data Protection Report
July 17, 2015, Webinar
July 13, 2015, China Law & Practice
July 10, 2015, Covington Alert
July 2, 2015, Covington Alert
June 12, 2015, InsidePrivacyBlog
June 9, 2015, InsideCounsel
May 12, 2015, Inside Counsel
May 2015, Privacy Laws & Business UK Report
March 13, 2015, CDR News
March 12, 2015, InsideCounsel
March 9, 2015, The National Law Journal
February 28, 2015, InsidePrivacy Blog
February 19, 2015, Inside Counsel
February 2015, Bloomberg BNA World Data Protection Report
January 2015, Regulatory Rapporteur
November/December 2014, E-Commerce Law Reports
October 10, 2014, InsideMedicalDevices Blog
2014, Data Protection and Privacy Law (2nd Edition, Thomson Reuters)
June 2014, E-Commerce Law & Policy
May 14, 2014, InsidePrivacy Blog
April 8, 2014, InsidePrivacy Blog
April 2014, West Briefing Papers
November 27, 2013, Covington E-Alert
October 24, 2013, Covington E-Alert
October 8, 2013, Law360
April 25, 2013, Law360
April 2013, World Data Protection Report
May 21, 2012, Corporate Counsel
May 2010, Privacy Law & Business
October 2009, The Privacy Advisor
November 24, 2008, Covington E-Alert