
Evan D. Wolff is a partner in Crowell & Moring's Washington, D.C. office, where he is co-chair of the firm's Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches, working closely with forensic investigators.

NIST has finalized its Internet of Things (IoT) risk management guidance, which was derived from a draft publication. The guidance informs government agencies on how to understand and manage IoT risks throughout device lifecycles. Industry can anticipate government focus on three high-level goals:

  1. Device security;
  2. Data security; and
  3. Individual privacy.

The publication highlights three differences between

On September 30, 2014, California Governor Jerry Brown signed into law Assembly Bill 1710, which contains a new set of personal information protections that affect all businesses that “own, license, or maintain personal information about Californians.” In what may become a precedent for other jurisdictions, the law includes the nation’s first mandatory state requirement for breached entities to offer breach mitigation services – including credit monitoring – to all affected individuals. Further, the law includes new restrictions on the sale of social security numbers (SSNs). These amendments to the existing California Civil Code Sections 1798.81.5, 1798.82, and 1798.85 will take effect on January 1, 2015.

While offering some sort of breach mitigation services has become common practice for breached entities, California will now require any notifying entity that is the source of a breach to “offer to provide appropriate identity theft prevention and mitigation services … at no cost to the affected person for not less than 12 months.” This obligation will apply only to breaches involving Californians’ names combined with an SSN, driver’s license number, or California ID number.

