House Passes Cyber Vulnerability Disclosure Reporting Act

On January 9, the House of Representatives passed the Cyber Vulnerability Disclosure Reporting Act by voice vote.  The Act directs the Secretary of the U.S. Department of Homeland Security (“DHS”) to prepare a report describing the policies and procedures that DHS developed to coordinate the cyber vulnerability disclosures.  Under the Homeland Security Act of 2002 and the Cybersecurity Information Sharing Act of 2015 (“CISA”), DHS is responsible for working with industry to develop DHS policies and procedures for coordinating the disclosure of cyber vulnerabilities.

Continue Reading

CBP Revises Rules for Border Searches of Electronic Devices

Last week, U.S. Customs and Border Protection (“CBP”) released a revised Directive governing searches of electronic devices at the border.  These are the first official revisions CBP has made to its guidelines and procedures for devices since its 2009 Directive.  The new Directive is intended to reflect the evolution of technology over the intervening decade, and CBP’s corresponding need to update its investigative techniques.

Notably (and as in previous CBP Directives), the new Directive does not require officials to obtain a warrant before conducting searches of travelers’ devices—even if the traveler being searched is an American—based on CBP’s position that searches and seizures at the border are exempt from the Fourth Amendment’s “probable cause” requirement.  CBP nevertheless acknowledges that its searches must still meet the Fourth Amendment’s “reasonableness” requirement, which the self-imposed restrictions contained in the Directive are meant to achieve.  Continue Reading

UK Government Consults on EU Cybersecurity Plans

As we summarized last fall, the EU Commission published a new Cybersecurity Communication in September that, among other things, sets out proposals for an EU cybersecurity certification framework as part of ‎an EU “Cybersecurity Act” (see our post here and a more detailed summary here).  Just before the holidays, on December 20, 2017, the UK Government published a consultation on these proposals, which the UK Government will use‎ to help develop its position.  Key elements of the proposals that the UK Government is consulting on include:

  • Harmonizing the existing cybersecurity certification landscape to reduce costs and administrative burdens for companies by establishing a common “European Cybersecurity Certification Framework for ICT products and services.”
  • Further specifying and publishing best practices relating to incident reporting and security obligations for some digital service providers under the NIS Directive (see our reports here and ‎here).
  • Changes to the tasks and functions of ENISA, including providing ENISA with a strengthened and permanent mandate.

The UK Government also welcomes views from stakeholders on the impact of the proposals with respect to the UK’s exit from the EU.  The consultation closes on February 13, 2018.  Before then, and by January 20, 2018, the UK Government has been asked by the UK Parliament to clarify issues relating to the proposals, including on issues relating to the “Cybersecurity Act” and cybersecurity certification.

DFARS Cyber Rule – What Questions Should Contractors Ask Themselves in the New Year?

[The referenced article was originally published in Law360.]

Since August 2015, defense contractors have been on notice that they were required to implement the security controls in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 no later than December 31, 2017 on covered contractor information systems. Although the focus has been on meeting this deadline, contractors should add to their New Year resolutions compliance with other areas of DFARS 252.204-7012 (“DFARS Cyber Rule” or “Rule”) and confirm that their existing processes and procedures anticipate how the Department of Defense (“DoD”) will measure compliance with the Rule in the year to come. In particular, contractors should assess whether they are providing “adequate security” beyond NIST SP 800-171, review their obligations with regard to their supply chain’s cyber risks, understand how the System Security Plans and Plans of Action and Milestones could be used by the government, and confirm that their incident response plan incorporates the requirements of the DFARS Cyber Rule.  The answers to these and other questions are included in the article that was originally published in Law360 and is linked here.

A Year-End Thanks to Our Readers

As 2017 ends, all of us at InsidePrivacy are grateful for the attention and engagement of our readers.  This has been an excellent year for our blog, and we’d like to share with you some information about InsidePrivacy and its readers.

First, there are more of you than ever — in fact, an 11% year-over-year increase in unique visitors.  We expected some uptick after the American Bar Association named us one of the top 100 law blogs about a year ago, but the good news is that this has been a sustainable increase in our audience rather than a spike.

Second, we now have a good sense of the issues that interest you.  Not surprisingly, our most popular posts in this year leading up to the effective date of the European Union’s General Data Protection Regulation (GDPR) have been our posts on preparation for the GDPR.  In particular, our post on the Article 29 Working Party’s opinions on the meaning of the GDPR’s terms, like this one, have been our most popular, both in direct traffic and search queries.  In addition, you are very interested in China — and, in particular, the regulations that are now being crafted under China’s new cybersecurity law.  Big fines have been interesting to you as well, with our blog on Italy’s record fine drawing a large audience.  Stateside, new legislative efforts by the states, such as Washington’s new biometric identification law, have been particularly popular.  Our more analytical articles, such as Lindsey Tonsager’s excellent post on whether the FTC should consider IP addresses to constitute “personal information,” continue to be popular — Lindsey’s post is still one of our most searched blog posts, even more than a year after its publication. Continue Reading

NIST Holds Webcast to Discuss Updates to Cybersecurity Framework

On December 20, 2017, the National Institute of Standards and Technology (“NIST”) held a live webcast to discuss the draft updates to the Framework for Improving Critical Infrastructure Cybersecurity (“the Cybersecurity Framework”) and the Roadmap for Improving Critical Infrastructure Cybersecurity (“the Roadmap”). Although the webcast is not currently available online, NIST plans to publish a recording of the live webcast in early January 2018.

During this webcast, NIST provided an overview of the updates to Version 1.1 of the Cybersecurity Framework (“Version 1.1”), which were analyzed in previous blog posts on Inside Privacy and Inside Government Contracts. The webcast included a discussion of the following topics: Continue Reading

FTC Hosts Workshop Highlighting Consumer, Industry, and Law Enforcement Perspectives on Informational Injury

On December 12, 2017, the Federal Trade Commission (“FTC”) hosted a workshop examining “informational injury,” defined by Acting Chairman Maureen Ohlhausen in her opening remarks as the harm consumers suffer due to privacy and data security breaches.

Chairman Ohlhausen emphasized three main purposes for the workshop:  First, to better identify qualitatively different injuries; second, to explore different frameworks for quantifying informational injury and estimating the overall impact of informational injury; and third, to better understand how businesses and consumers weigh the risks around informational injury.  Noting the FTC’s role in enforcing consumer protections, Chairman Ohlhausen envisioned the workshop as part of an ongoing conversation on consumer injury.

The workshop highlighted the tension between the benefits consumers receive when they engage with products that collect their personal information  and the potential risks to consumers that data breaches and disclosures of personal information pose.  While panelists disagreed on how to define injury and how much risk of injury is acceptable, there was a clear consensus that better definitions for injury and risk are needed to guide consumers, industry, and law enforcement moving forward.

Continue Reading

EU Regulators Provide Guidance on Notice and Consent under GDPR

By Mark Young, Joseph Jones and Ruth Scoles Mitchell

The Article 29 Working Party (WP29) has published long-awaited draft guidance on transparency and consent.  We are continuing to analyze the lengthy guidance documents, but wanted to highlight some immediate reactions and aspects of the guidance that we think will be of interest to clients and other readers of InsidePrivacy.  The draft guidance is open for consultation until 23 January 2018.

Continue Reading

Digital Health Checkup: Key Questions to Consider in the Digital Health Sector

Covington’s global cross-practice Digital Health team has posted an illuminating three-part series on the Covington Digital Health blog that covers key questions entities should be asking as they seek to fit together the regulatory and commercial pieces of the complex digital health puzzle.

  • In the first part of the series, the Digital Health team answers key regulatory questions about digital health solutions.
  • In the second part of the series, the Digital Health team considers key commercial questions when contracting for digital health solutions.
  • In the third part of the series, the Digital Health team answers key regulatory and commercial questions about the Artificial Intelligence (AI), data privacy, and cybersecurity aspects of digital health solutions.

NIST Releases Updated Draft of Cybersecurity Framework

On December 5, 2017, the National Institute of Standards and Technology (“NIST”) announced the publication of a second draft of a proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”), Version 1.1, Draft 2. NIST has also published an updated draft Roadmap to the Cybersecurity Framework, which “details public and private sector efforts related to and supportive of [the] Framework.”

Continue Reading