On September 15, the Federal Trade Commission (“FTC”) and U.S. Department of Health and Human Services (“HHS”) announced an updated joint publication describing the privacy and security laws and rules that impact consumer health data.  Specifically, the “Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule” guidance provides an overview of the Health Insurance Portability and Accountability Act, as amended, and the implementing regulations issued by HHS (collectively “HIPAA”); the FTC Act; and the FTC’s Health Breach Notification Rule (“HBNR”) and how they may apply to businesses.  This joint guidance follows a recent surge of FTC enforcement in the health privacy space.  We offer below a high-level summary of the requirements flagged by the guidance.

Continue Reading FTC and HHS Announce Updated Health Privacy Publication

As many readers will be aware, the EU’s new cybersecurity directive, NIS2, imposes security, incident notification, and governance obligations on entities in a range of critical sectors, including energy, transport, finance, health, and digital infrastructure (for an overview of NIS2, see our previous post here). One of the main reasons the Commission proposed these new rules was the inconsistent manner in which Member States had implemented requirements under the prior directive, NIS. To help improve harmonization further, the Commission has now issued two guidance documents to help assess when NIS2 or sector-specific requirements apply, and to ensure that registration requirements are consistent across the Union.

Continue Reading European Commission Publishes Guidance on NIS2: Interplay with Sector-Specific Laws

On 12 September 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (“NCSC”), Lindy Cameron, signed a joint memorandum of understanding (“MoU”) detailing how the Information Commissioner’s Office (“ICO”) and NCSC will work together moving forward.

The MoU does not create legally binding obligations between the ICO and NCSC, but provides a strong signal of intent for areas of cooperation.  The statements about information sharing and engaging with NCSC leading to potentially reduced fines under the UK GDPR are likely to be of particular interest to commercial organizations.

Continue Reading ICO Encourages Organizations To Cooperate with NCSC and Flags Potential Reduction in Fines

On September 8, 2023, Senators Richard Blumenthal (D-CT) and Josh Hawley (R-MO), Chair and Ranking Member of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law, announced a new bipartisan framework for artificial intelligence (“AI”) legislation.  Senator Blumenthal said, “This bipartisan framework is a milestone – the first tough, comprehensive legislative blueprint for real, enforceable AI protections. It should put us on a path to addressing the promise and peril AI portends.” He also told CTInsider that he hopes to have a “detailed legislative proposal” ready for Congress by the end of this year.

Continue Reading Senators Release Bipartisan Framework for AI Legislation

Ahead of its September 8 board meeting, the California Privacy Protection Agency (CPPA) has issued draft regulations on cybersecurity audits and risk assessments.  Public comments will be requested once the formal rulemaking process is kicked off.  Accordingly, the draft regulations are subject to change.  Below are the key takeaways:

Cybersecurity Audits

  • New cybersecurity audit requirement.  Certain categories of businesses would be required to perform cybersecurity audits.  The Board will consider several options for thresholds that a business must meet in order to be subject to the requirement, such as the number of customers for whom the business has processed personal information in the past year and whether the business reached a certain annual gross revenue.
  • Timing.  A business subject to the audit requirement would have 24 months from when the rules go into effect to complete its first audit and would be required to complete an audit annually thereafter.
  • Scope.  The CPPA will consider scoping the audit requirement based on a number of factors, such as:
    • economic, physical, and psychological harms associated with unauthorized activity around personal information;
    • any risks from cybersecurity threats or incidents that have or could materially affect consumers.
  • Reporting.  A business subject to the audit requirement would be required to submit an annual notice of compliance to the CPPA, including written certifications that the business either did or did not comply with its requirements.

Risk Assessments

  • New definitions.  “Artificial intelligence” and “Automated Decisionmaking Technology” are defined broadly.
  • New risk assessment requirement.  A business whose processing activities would present significant risk to consumers would be required to conduct a risk assessment before processing.
  • Timing.  Risk assessments may be required annually, every two years, or every three years.  In addition, a business would need to update its risk assessment after a material change in processing activity, such as changes to the processing purpose, the degree of human involvement, or the logic of the ADMT.
  • Additional requirements for businesses using ADMT.  A business that uses ADMT would need to explain why ADMT was used to achieve a particular purpose and how the business plans to use the outputs obtained from the ADMT.
  • Additional requirements for businesses using personal information to train AI and ADMT.  A business that processes personal information to train AI and ADMT to be available to other persons or businesses would be required to explain the purposes for which the AI or ADMT may be used and any safeguards the business has put in place.
  • Reporting.  Businesses would need to certify their risk assessments with the CPPA annually.

On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin planning for future migration to post-quantum cryptographic (“PQC”) standards.  CISA, NSA and NIST are part of a government-wide effort to prepare for the development of computers that can break existing encryption algorithms in a short period of time—which the Factsheet refers to as “cryptanalytically-relevant quantum computers” or “CRQCs”.  The Factsheet provides several recommendations for organizations, including that they should establish a “quantum-readiness roadmap” to prepare for the migration to PQC standards; create a “cryptographic inventory” of the cryptography within the products, applications, and services used by the organization; and engage with their technology vendors about the vendors’ plans for quantum-readiness.

Quantum-Readiness Roadmap

The Factsheet urges organizations to establish a “quantum readiness roadmap” that will prepare the organizations for the migration to PQC standards, which the Factsheet notes are currently under development by NIST and slated for release in 2024.  The Factsheet suggests that entities can begin by establishing a project management team to plan and scope the organization’s migration to PQC and begin identifying the organization’s reliance on quantum-vulnerable cryptography, such as systems and assets that depend on existing digital signature standards.  The Factsheet notes that this “cryptographic inventory,” which is discussed further below, will enable the organization to identify and prioritize the systems that will need to migrate to PQC in the future and to assess potential risks to the organization that may be presented by CRQCs. 

Cryptographic Inventory

The Factsheet explains that, when prepared, an organization’s cryptographic inventory serves multiple purposes.  For example, according to the Factsheet, organizations are often unaware of the breadth of, and their functional dependency on, quantum-vulnerable “public-key cryptography” within the products, applications, and services that they use.  A cryptographic inventory provides visibility, supports risk assessment efforts, and facilitates engaging vendors to address potential supply chain risks.  The Factsheet also notes that a cryptographic inventory will help an organization transition to a zero trust architecture, identify data that is accessible from outside its operational environment, and inform what data protected by existing cryptography could be targeted and decrypted when CRQCs become viable.

The Factsheet provides several recommendations for how to develop the cryptographic inventory.  For example, the Factsheet suggests that organizations can use discovery tools to look for vulnerable algorithms in their Information Technology (“IT”) and Operational Technology (“OT”) environments, including algorithms used in network protocols, assets on end user systems and servers, and in the organization’s continuous integration/continuous delivery (“CI/CD”) development pipeline.  The Factsheet recommends that the cryptographic inventory should also identify when and where quantum-vulnerable cryptography is used to protect the organization’s most sensitive and critical data, as well as identify estimates for how long those data need to be protected.
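The discovery step described above, as an added example that is not part of the Factsheet or of this post: a small Python script that inventories the public-key algorithms found in OpenSSH authorized_keys-style files (one common place quantum-vulnerable keys sit on servers and end-user systems) and flags each key as quantum-vulnerable and, separately, as already weak today.  It parses only the public OpenSSH key wire format; the key lines at the bottom are constructed fixtures with arbitrary moduli, not real keys, and the file name, comments and thresholds are assumptions for illustration.

```python
"""Added example (not the Factsheet's tooling): inventory the public-key
algorithms in OpenSSH authorized_keys-style files and flag the ones a CRQC
would break.  Parses only the public OpenSSH wire format (RFC 4253 s.6.6);
the sample keys at the bottom are constructed fixtures, not real keys."""
import base64
import struct
from dataclasses import dataclass

# Every OpenSSH key type in use today rests on factoring or discrete logs,
# which Shor's algorithm on a CRQC breaks.  A future PQC key type would not
# match this tuple and would be reported as not quantum-vulnerable.
QUANTUM_VULNERABLE_PREFIXES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-", "ssh-ed25519", "sk-")

@dataclass
class KeyRecord:
    key_type: str
    bits: int               # RSA modulus bits, ECDSA curve size, 256 for Ed25519
    comment: str
    quantum_vulnerable: bool
    classically_weak: bool  # inadequate today, regardless of when a CRQC arrives

def _ssh_strings(blob):
    """Split an SSH key blob into its uint32-length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated SSH key blob")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated SSH key blob")
        fields.append(blob[off:off + length])
        off += length
    return fields

def parse_authorized_key(line):
    """Parse one 'type base64 [comment]' line; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed key line: {line!r}")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    fields = _ssh_strings(base64.b64decode(b64))
    if fields[0] != key_type.encode():
        raise ValueError(f"type mismatch: {key_type} vs blob {fields[0]!r}")
    if key_type == "ssh-rsa":                       # fields: name, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):  # fields: name, curve, Q
        bits = int(fields[1].decode()[len("nistp"):])
    elif key_type == "ssh-ed25519":                 # fields: name, 32-byte point
        bits = 8 * len(fields[1])
    else:
        bits = 0                                    # unknown type: record it, size unknown
    return KeyRecord(
        key_type=key_type,
        bits=bits,
        comment=comment,
        quantum_vulnerable=key_type.startswith(QUANTUM_VULNERABLE_PREFIXES),
        classically_weak=key_type == "ssh-rsa" and bits < 2048,
    )

def inventory(lines):
    """One KeyRecord per key line, skipping blanks and comments."""
    return [r for r in (parse_authorized_key(l) for l in lines) if r is not None]

# --- constructed fixtures, encoded in the same wire format the parser reads ---
def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:               # mpint is signed: keep positive values positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def _string(s):
    return struct.pack(">I", len(s)) + s

def _key_line(key_type, *fields, comment=""):
    blob = _string(key_type.encode()) + b"".join(fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()

# Moduli and points are arbitrary values of the right size, not real key material.
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample authorized_keys",
    _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1), comment="ci-runner@build"),
    _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1), comment="legacy-backup@nas"),
    _key_line("ecdsa-sha2-nistp256", _string(b"nistp256"), _string(b"\x04" + b"\x01" * 64), comment="ops@jump"),
    _key_line("ssh-ed25519", _string(b"\x02" * 32), comment="alice@laptop"),
]

if __name__ == "__main__":
    for r in inventory(SAMPLE_AUTHORIZED_KEYS):
        print(f"{r.key_type:<20} {r.bits:>5} bits  pq-vulnerable={r.quantum_vulnerable}  weak-now={r.classically_weak}  {r.comment}")
```

The two flags are deliberately separate: every key in the sample is quantum-vulnerable and belongs in the migration inventory, but only the 1024-bit RSA key needs replacing now.  A real inventory would run the same kind of parser over TLS certificates, code-signing and CI/CD pipeline keys, and protocol configurations, and would attach to each record the system it protects and how long that data must stay confidential, which is what lets the roadmap prioritize.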

Vendor Engagement

The Factsheet also provides steps that organizations and their vendors should take to address PQC adoption.  Specifically, the Factsheet encourages organizations to engage with their vendors about the vendors’ quantum-readiness roadmaps.  The Factsheet also notes that organizations should start considering updates to their contracts with vendors to ensure that older products used by the organization will be upgraded with PQC and that new products will have PQC built in.  The Factsheet also encourages vendors to review the NIST-published draft PQC standards to begin planning and testing for integration and to be prepared to support PQC as soon as possible after the NIST standards become final.

Supply Chain

Finally, the Factsheet outlines a number of considerations related to supply chain risks that the use of quantum-vulnerable cryptography by vendors may present to organizations.  The Factsheet recommends that organizations:  (1) prioritize high-impact systems, industrial control systems (“ICS”), and systems with long-term confidentiality needs; (2) identify and develop plans to address quantum-vulnerable cryptography in custom-built technologies, which the Factsheet asserts will likely require the most effort to make quantum-resistant; and (3) engage with vendors to ensure both commercial-off-the-shelf (“COTS”) and cloud-based products supplied by vendors are accounted for in the organizations’ quantum-readiness roadmaps.

Looking Forward

The Factsheet builds on the Quantum Computing Cybersecurity Preparedness Act, enacted in December 2022, which requires the Office of Management and Budget (“OMB”) to issue guidance for U.S. executive branch agencies “on the migration of information technology to post-quantum cryptography,” including a requirement that each agency develop an inventory of quantum-vulnerable cryptography, similar to one of the recommended actions in the Factsheet.  A similar effort to migrate national security systems (including those used by the Department of Defense and Intelligence Community) to PQC is also underway.  The Factsheet signals the U.S. Government’s continued interest in PQC and the development of strategies to address CRQCs, and suggests that the U.S. Government believes the private sector—particularly owners and operators of critical infrastructure—needs to begin similar preparations.  Additionally, since the March 2022 passage of the Cyber Incident Reporting for Critical Infrastructure Act, the door to regulation of critical infrastructure appears open.  Accordingly, entities within or supporting the critical infrastructure sectors may wish to continue monitoring for further developments in this space, including the forthcoming release of the NIST PQC standards in 2024, and may also wish to begin preparations for PQC now in anticipation of possible future requirements or legislation.

On August 25, 2023, China’s National Information Security Standardization Technical Committee (“TC260”) released the final version of the Practical Guidelines for Cybersecurity Standards – Method for Tagging Content in Generative Artificial Intelligence Services (《网络安全标准实践指南——生成式人工智能服务内容标识方法》) (“Tagging Standard”) (Chinese version available here), following a draft version circulated earlier this month.

Continue Reading Labeling of AI Generated Content: New Guidelines Released in China

On June 27, 2023, the European Parliament and the Council of the EU reached a political agreement on the Data Act (see our previous blog post here), after 18 months of negotiations since the tabling of the Commission’s proposal in February 2022 (see our previous blog post here).  EU lawmakers bridged their differences on a number of topics, including governance matters, territorial scope, protection of trade secrets, and certain defined terms, among others.

The Data Act is a key component of the European strategy for data. Its objective is to remove barriers to the use and re-use of non-personal data, particularly as it relates to data generated by connected products and related services, including virtual assistants. It also seeks to facilitate the ability of customers to switch between providers of data processing services.

We’ve outlined below some key aspects of the new legislation.

Continue Reading European Parliament and Council Release Agreed Text on Data Act

On August 4, 2023, the Securities and Exchange Commission’s (“SEC”) final rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure was published in the Federal Register, confirming the dates on which these new requirements will enter into force.  Covington has previously published a detailed summary of this rule, which imposes significant new disclosure requirements for publicly traded companies and, in certain instances, foreign private issuers.  As discussed in greater detail in that alert, the new rule requires U.S. public companies to report material cybersecurity incidents on Form 8-K within four business days of their determination that a material cybersecurity incident has occurred.  Foreign private issuers will be required to furnish information on Form 6-K about material cybersecurity incidents that they disclose or otherwise publicize to any stock exchange or to security holders in a foreign jurisdiction. 

Continue Reading Compliance Dates for SEC’s New Cyber Disclosure Rules Confirmed

Following up on the recent release by the New York Department of Financial Services (“NYDFS”) of an updated Proposed Second Amendment to its “first-in-the-nation” Cybersecurity Regulation, 23 NYCRR Part 500 (Proposed Second Amendment released June 28, 2023), it is not too late for companies to submit comments on the most recent version of the proposed changes from NYDFS.  Comments are due by 5:00 p.m. ET on August 14.

As background, the NYDFS Cybersecurity Regulation took effect in March 2017, including a robust set of cybersecurity requirements as well as a 72-hour incident notification requirement for NYDFS licensees.  After releasing an initial draft of a proposed amendment on July 29, 2022, NYDFS released the first version of a Proposed Second Amendment to the regulation in November 2022 with a public comment period that closed on January 9, 2023.  The changes proposed in November 2022 included several significant updates to the regulation with respect to:

  • Increased cybersecurity governance and board oversight requirements;
  • The creation of “classes” of companies subject to different requirements;
  • The introduction of new reporting requirements for privileged account compromise, ransomware deployment, and “extortion” payments; and
  • The enumeration of factors to be considered in enforcement decisions, among others. 

After reviewing the comments received on these proposed changes, NYDFS released an updated version of the Proposed Second Amendment on June 28, 2023 with adjustments made in response to these comments.  The revisions reflect adjustments rather than substantial changes to the prior version, and include among other things: 

  • Clarifying that a CISO must be a “qualified individual” responsible for an entity’s cybersecurity program and policy (Section 500.1(c));
  • Narrowing the definition of “privileged accounts” that will be subject to some of the new programmatic and reporting requirements (Section 500.1(m));
  • Specifying that newly required annual independent audits of cybersecurity programs for “Class A” companies can be conducted by internal or external auditors that meet certain requirements (Section 500.1(g));
  • Clarifying that the board must exercise effective oversight over an entity’s cybersecurity risk management but eliminating the requirement that the board have “sufficient expertise and knowledge” (Section 500.4); and
  • Requiring companies to conduct a “root cause analysis” as part of incident response (Section 500.16).

As noted above, the updated version is subject to an additional comment period, and stakeholders may submit comments before 5:00 p.m. ET on August 14, 2023.  Comments should be sent by email to cyberamendment@dfs.ny.gov or by mail to the New York State Department of Financial Services c/o Cybersecurity Division, Attn: Joanne Berman, 1 State Street Plaza, Floor 19, New York, NY, 10004.