Photo of Moriah Daugherty

Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

On September 30, 2018, China’s Ministry of Public Security (“MPS”) released the Regulation on the Internet Security Supervision and Inspection by Public Security Organs (the “Regulation”;《公安机关互联网安全监督检查规定》), which will take effect on November 1, 2018.
Continue Reading China Releases New Regulation on Cybersecurity Inspection

On December 20, 2017, the National Institute of Standards and Technology (“NIST”) held a live webcast to discuss the draft updates to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”) and the Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). Although the webcast is not currently available online, NIST plans to publish a recording of the live webcast in early January 2018.

During this webcast, NIST provided an overview of the updates to Version 1.1 of the Cybersecurity Framework (“Version 1.1”), which were analyzed in previous blog posts on Inside Privacy and Inside Government Contracts. The webcast included a discussion of the following topics:
Continue Reading NIST Holds Webcast to Discuss Updates to Cybersecurity Framework

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector efforts related to and supportive of [the] Framework.”
Continue Reading NIST Releases Updated Draft of Cybersecurity Framework

Ahead of the upcoming December 31, 2017 deadline for federal defense contractors to implement the security controls of National Institute of Standards and Technology (“NIST”) Special Publication 800-171 (“SP 800-171”), NIST has released a new draft publication designed to assist organizations in assessing compliance under SP 800-171, Draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information (“CUI”) (“SP 800-171A”).

Currently, there is no regulation or statute that imposes SP 800-171A on contractors. Rather, SP 800-171A is intended as guidance for organizations in developing assessment plans and conducting “efficient, effective, and cost-effective” assessments of the implementation of security controls required by SP 800-171. Similar to SP 800-171, SP 800-171A does not prescribe specific, required assessment procedures. Instead, SP 800-171A provides a series of “flexible and tailorable” procedures that organizations could use for conducting assessments with each security control in SP 800-171. SP 800-171A specifically recognizes three distinct methods for conducting assessments: examining and interviewing to facilitate understanding, achieve clarification, or obtain evidence and testing to compare actual results with expectations.
Continue Reading NIST Releases New Draft Publication Designed to Assist Contractors In Assessing Compliance with NIST SP 800-171

Today, one of the most critical risks a company can face is the cyber risks associated with its own employees or contractors.  Companies are confronting an increasingly complex series of cybersecurity challenges with employees in the workplace, including employees failing to comply with established cybersecurity policies, accidentally downloading an attachment containing malware or providing their credentials in response to a phishing scam, or intentionally stealing company information for the benefit of themselves or the company’s competitors by simply copying information to their email or a thumb drive and leaving the company.  Contractors or consultants with access to company systems can pose these same challenges. To guard against these risks, companies can implement various policies and procedures to address an employee’s tenure, from pre-hiring to post-employment, and can implement many of these same precautions with respect to contractors, consultants, or any other third parties with access to company systems.
Continue Reading Cyber Risks in the Workplace: Managing Insider Threats

A Minnesota state court on February 1, 2017, issued an unusually broad search warrant directed to Google in connection with a wire fraud case.  The warrant seeks a broad set of data about all users who searched on Google for a specific person between December 1, 2016 and January 7, 2017.  The warrant became public after a researcher published an article discussing the warrant application and judge’s order.
Continue Reading Broad Minnesota Warrant Seeks Data on All Users Who Googled Fraud Victim

The Trump Administration appears likely to release an Executive Order on Cybersecurity.  The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors.  However, it remains unclear if and when the current draft will be signed.

President Trump originally was scheduled to sign an Executive Order on Cybersecurity on February 1, 2017, but the signing was postponed.  The original draft Order, titled “Strengthening U.S. Cyber Security and Capabilities,” (the “first draft Order”) articulated a general policy focused on enhancing the nation’s cybersecurity defenses and capabilities, particularly with respect to specified federal systems and critical infrastructures.  Specifically, the first draft Order directed the Department of Defense (“DOD”) and Department of Homeland Security (“DHS”)—in coordination with representatives of the intelligence community—to accomplish three main goals.  First, to conduct a review of cybersecurity vulnerabilities in national security systems, federal networks, and critical civilian infrastructure systems.  Second, to identify the United States’ cyber adversaries.  Third, to conduct a review of the United States’ cybersecurity capabilities, including a review of “U.S. efforts to educate and train the workforce of the future.”

On Friday, February 10, 2017, a revised draft of the Executive Order was circulated.  The revised draft Order, now retitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” (the “Revised Order”) is significantly different from the first draft Order and more closely aligns with Executive Order 13636, “Improving Critical Infrastructure Security,” signed by President Obama on February 12, 2013.  Like Executive Order 13636, the Revised Order focuses on an agency-led, risk-based approach to cybersecurity and, in particular, requires federal agencies to adopt the NIST Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”) to manage cybersecurity risk.  The Revised Order also delegates primary responsibility for developing a comprehensive risk management plan to the Executive Branch, specifically the Office of Management and Budget (“OMB”) and DHS.
Continue Reading Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors

On October 24, 2016, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced the release of Cybersecurity Best Practices for Modern Vehicles, a non-binding, proposed guidance document designed to assist the automotive industry in improving motor vehicle cybersecurity and mitigating threats to safety.

The guidance is intended to apply broadly to “all individuals and organizations manufacturing and designing vehicle systems and software,” including entities that design, supply, manufacture, alter or modify motor vehicles or motor vehicle equipment.  The voluntary best practices described in the guidance are intended to “provide a solid foundation for developing a risk-based approach” to mitigating cybersecurity risks throughout the automotive industry.Continue Reading NHTSA Releases Proposed Cybersecurity Guidance for the Automotive Industry and Solicits Public Comment