By Susan Cassidy, Alex Sarria, Patrick Stanton, and Catlin Meade
On August 26, 2015, the Department of Defense (DoD) issued an interim rule that significantly expands the obligations imposed on defense contractors and subcontractors to safeguard “covered defense information” and to report cyber incidents on unclassified information systems that contain such information. The interim rule revises the Defense Federal Acquisition Regulation Supplement (DFARS) to implement section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 and section 1632 of the NDAA for FY 2015. In addition, the interim rule implements DoD policies and procedures for safeguarding data and reporting cyber incidents when contracting for cloud computing services.
This Covington Alert outlines the expanded cyber incident reporting and safeguarding requirements imposed on DoD contractors and subcontractors, as well as new policies applicable to cloud service providers.
As part of its broader effort to develop a “Do Not Track” (DNT) web browser privacy standard, the World Wide Web Consortium (“W3C”), an international organization that develops Internet standards, recently released a draft of one technical component of the standard to gather implementation experience from the developer community.
The Third Circuit released its decision in FTC v. Wyndham Worldwide Corp. earlier today, affirming the district court’s decision that the FTC has the authority to regulate companies’ data security practices under the “unfair practices” prong of Section 5 of the FTC Act. The highly anticipated precedential opinion dismissed Wyndham’s arguments that the FTC lacks the authority to regulate cybersecurity practices, finding instead that neither Congressional legislation nor the FTC’s prior statements contradicted the FTC’s attempts to assert its cybersecurity powers. The court also held that Wyndham received fair notice of the potential application of the unfairness standard under Section 5 to data security practices, rejecting Wyndham’s argument that it should receive notice of which specific cybersecurity practices are required to satisfy the Section 5 standard. Finally, the court held that the FTC sufficiently alleged a “substantial injury” to consumers, as required under Section 5’s unfairness prong.
By Megan L. Rodgers
The FTC has announced its agenda and panelists for its conference on data security, which will be held on September 9, 2015 at University of California Hastings College of the Law, in San Francisco.
This is the first in a series of conferences aimed at helping small- to medium-sized businesses protect consumers’ information. It comes on the heels of the FTC’s recent publication, Start with Security: A Guide for Business, which included a list of “best practices” related to data security.
The conference will focus on the challenges faced by start-ups and developers in creating secure applications. Panels will feature experts from Dropbox, Pinterest, Twitter, Mozilla, and other technology companies, and will provide information about (1) security by design, (2) common security vulnerabilities, (3) strategies for secure development, and (4) vulnerability response. Chairwoman Edith Ramirez will deliver remarks at the event.
The all-day conference will begin at 10:00 am Pacific.
The second Start with Security event will be on November 5, 2015, in Austin, Texas.
By Bianca Nunes
Cybersecurity vulnerability is becoming an increasing concern as medical devices are becoming more connected to the Internet, hospital networks, and other medical devices. As we previously reported, FDA has increasingly focused on promoting cybersecurity, recognizing that compromised medical devices can pose a risk to patient health and safety and to the confidentiality of personal medical information. In addition, the National Institute of Standards and Technology (NIST) has recently provided a draft practice guide for securing health records maintained on mobile devices.
By Susan Cassidy, Alex Sarria
On August 11, 2015, the Office of Management and Budget (OMB) issued a draft guidance memorandum intended to improve cybersecurity protections in federal acquisitions. Specifically, the proposed memorandum provides direction to federal agencies on “implementing strengthened cybersecurity protections in Federal acquisitions for products or services that generate, collect, maintain, disseminate, store, or provides access to Controlled Unclassified Information (CUI) on behalf of the Federal government.” CUI is defined in a recently issued proposed FAR rule as “information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information.”
Although the OMB memorandum is a laudable attempt to create uniformity across the federal government, the Guidance leaves many questions unanswered, and the details of its implementation by federal agencies remain to be seen. As described below, even with this Guidance, contractors will continue to encounter inconsistent requirements for what constitutes a “cyber incident,” how quickly a cyber incident must be reported to the government, and what security controls are considered “adequate” for safeguarding CUI.
This Covington Alert outlines the guidance provided by OMB, and notes important questions left unanswered by the proposed memorandum.
Earlier this week, the Online Trust Alliance released a draft framework of best practices for manufacturers and developers of Internet of Things devices, such as connected home devices and wearable fitness and health technologies. The OTA is seeking comments on its draft framework by September 14.
The framework acknowledges that not all requirements may be applicable to every product due to technical limitations and firmware issues. However, it generally proposes a number of specific security requirements, including encryption of personally identifiable data at rest and in transit, password protection protocols, and penetration testing. In addition, it proposes the following requirements:
- Conspicuous disclosure of all personally identifiable data collected.
- Limiting data sharing to service providers that agree to restrict their use of the data to specified purposes and to maintain it as confidential, or to other third parties as clearly disclosed to users.
- Disclosure of the term and duration of the data retention policy. In addition, the framework goes on to state that data generally should be retained only for as long as the user is using the device or to meet legal requirements.
- Disclosure of whether the user has the ability to remove or anonymize personal and sensitive data other than purchase history by discontinuing device use.
- Disclosure of what functions will work if “smart” functions are disabled or stopped.
- For products and services designed to be used by multiple family members, the ability to create individual profiles and/or have parental or administrative controls and passwords.
- Mechanisms for users to contact the company regarding various issues, to transfer ownership, and to manage privacy and security preferences.
In addition, the draft framework makes various other recommendations that go above and beyond the proposed baseline requirements, although acknowledging that the recommendations may not be applicable to every device or service.
By Ashwin Kaja* and Yan Luo
Close on the heels of a sweeping new National Security Law, the Standing Committee of the National People’s Congress released last month for public comment a very significant draft Network Security Law (“Draft Law”), also referred to as the draft Cybersecurity Law.
Since it came into power in 2012, China’s current leadership has attached an unprecedented level of attention to network security, which it sees as a core aspect of national security. Marking the establishment of a new Central Leading Group for Cyberspace Affairs in 2014 that he himself would lead, President Xi Jinping declared that “network security and informatization are key strategic issues related to national security and development,” and that “national security no longer exists without network security.” President Xi went on, in those remarks, to call for the development of a legal infrastructure for the administration of cyberspace, with particular emphasis on the protection of “critical information infrastructure” (see further discussion below). The resolution of the Fourth Plenum of the Central Committee of the Chinese Communist Party in October 2014 echoed this theme.
The focus on network security appears to stem from the explosive development and extensive usage of network and information technologies, made more pressing by Edward Snowden’s disclosures in 2013 regarding activities of the US National Security Agency (NSA). Since the Snowden leaks, it has been repeatedly reported that the Chinese government is working actively to wean government networks and financial systems off of IT products and services from foreign companies. The Draft Law is the government’s latest effort to consolidate existing security-related requirements and grant government agencies more security-related powers. On its face, the Draft Law does not discriminate against foreign products and services. However, designed to “safeguard cyberspace sovereignty and national security,” it could be implemented to become an additional hurdle for foreign companies seeking to access China’s vast market if and when it comes into effect.
By Ani Gevorkian
The FTC has issued a request for public comment regarding Riyo’s application to recognize a new proposed verifiable parental consent method under the FTC’s Children’s Online Privacy Protection Act Rule. The Rule, which implements the Children’s Online Privacy Protection Act (COPPA), requires certain website operators, mobile applications, and other online services to provide parents notice, and to obtain verifiable parental consent, before collecting, using, or disclosing personal information from children under the age of 13 online. The COPPA Rule includes a non-exhaustive list of approved methods for obtaining parental consent but also allows an interested party to voluntarily propose a new verifiable parental consent method for FTC consideration.
Jest8 Ltd., trading as Riyo, submitted such a proposal for a consent method that involves “validating a parent’s face against an online presentation of verified photo identification.” Riyo said the method is based on a fraud prevention tool currently in use in sensitive and regulated markets globally, and that the method differs from those enumerated in the COPPA Rule because it “uses computer vision technology, algorithms, image forensics, and multi-factor authentication to validate a parent’s identity . . . .” The parent begins by using a mobile phone or computer to take a picture of the parent’s photo identification (such as a driver’s license). The parent then uses the same device to take a picture of him- or herself. The two images are compared to validate that the person providing consent is the same person in the photo identification. (The application suggests all information in the photo identification is cropped out, except for the photo image.) Riyo states that the verification process can be completed within minutes, providing a real-time parental consent process for websites and mobile applications.
The Commission states that it is particularly interested in receiving comments that address whether: the proposed method is already covered by existing methods under the COPPA Rule; the method is reasonably calculated, in light of available technology, to ensure that the person providing the consent is actually the child’s parent; and the benefits of the program outweigh any risks to consumers’ personal information. Comments are due on or before September 3, 2015.
A Seventh Circuit panel that allowed a data breach suit against Neiman Marcus to proceed misapplied the Supreme Court’s precedents on standing and, “if allowed to stand, will impose wasteful litigation burdens on retailers and the federal courts,” the retailer argues in a petition filed yesterday asking the full Seventh Circuit to rehear the case.
Last month, a Seventh Circuit panel ruled that Neiman Marcus customers whose credit card information potentially was exposed in a 2013 breach of the retailer’s computer systems could proceed with their proposed class action lawsuit against the retailer. The panel found that the plaintiffs alleged sufficient “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” to establish their standing to sue in federal court, and that affected customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.” The panel also found it “telling” that the retailer offered affected customers a year of free credit monitoring and identity-theft protection, and appeared to interpret this as a tacit acknowledgment that the risk to customers was more than “ephemeral.”