KMK Law Cybersecurity & Privacy Blog

The U.S. Computer Emergency Readiness Team (US-CERT) is implementing new reporting requirements beginning April 1, 2017, and just released new guidelines to help federal departments and agencies; state, local, tribal, and territorial government entities; information sharing and analysis organizations; and foreign, commercial and private-sector organizations submit incident notifications to the federal government.

Two Courts of Appeals have issued decisions during the past week related to cybersecurity and data retention which anyone who maintains electronic data and personal information should read.

As we recently touched on at the KMK Cybersecurity Seminar, lower courts are beginning to apply Spokeo Inc. v. Robins as defendants renew challenges to class certification. 

This post is a follow-up to January’s cybersecurity post discussing the cybersecurity considerations in performing due diligence in M&A transactions. The previous discussion can be found here. This post addresses two contractual provisions, the closing conditions and indemnification, which, if properly utilized, can protect acquiring companies from taking on too much cybersecurity risk in M&A transactions.

The Cybersecurity Information Sharing Act (CISA), S. 754, was signed into law by President Obama on December 18, 2015 as part of the larger 2016 Omnibus Spending Bill, and arrived on the cybersecurity landscape with an equally strong set of supporters and opponents.  With strong views on both sides, CISA is the first step in building what all will likely agree is of critical importance – improving cybersecurity in the United States.  

In today’s M&A transactions, cybersecurity deficiencies in a target company pose potentially significant financial and regulatory risks to the acquiring company. For this reason, new measures must be implemented in M&A transactions to protect both companies from today’s emerging cybersecurity epidemic.