European Parliament Approves EU Cybersecurity Act

Following a political agreement at the end of 2018, earlier this week the European Parliament approved a new cybersecurity regulation known as the EU “Cybersecurity Act.” This forms part of the EU’s Cyber Package, first announced in September 2017 (which we blogged about here).

In addition to reinforcing the mandate of ENISA — now to be known as the EU Agency for Cybersecurity — the new regulation establishes an EU cybersecurity certification framework. This framework is intended to increase the transparency of the cybersecurity assurance of ICT products, services and processes, and thereby improve trust and help end users make informed choices.  Another key reason for the framework is to avoid the multiplication of conflicting or overlapping national certifications and thus reduce costs.

Under the regulation, the Commission is empowered to adopt European cybersecurity certification schemes, prepared by ENISA, concerning specific groups of ICT products, services and processes.  The schemes could cover, for example, ICT products, services and processes that are used in cars, airplanes, power plants, medical devices, as well as Internet-connected consumer devices.

Among many other details, each certification scheme will set out the subject matter and scope of the scheme, including the type or categories of ICT products, services and processes covered; a clear description of the purpose of the scheme; references to the international, European or national standards applied in the evaluation or other technical specifications; information on assurance levels (explained in more detail below); and an indication of whether conformity self-assessment is permitted under the scheme (also explained in more detail below).

Senate Reintroduces IoT Cybersecurity Improvement Act

On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.

To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.

  • NIST is directed to complete, by September 30, 2019, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities for IoT devices. Under the bill, those NIST efforts are to address at least: (i) secure development, (ii) identity management, (iii) patching, and (iv) configuration management for IoT devices.
  • NIST is directed to develop, by March 31, 2020, recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the Federal Government.” These recommendations are expected to include “minimum information security requirements” that address the cybersecurity risks of IoT devices owned or controlled by the federal government. Once these recommendations are issued, OMB will have 180 days to issue guidance to each agency, consistent with NIST’s recommendations.

Additionally, the bill would require NIST to do the following within 180 days of its enactment:

  • Publish a draft report addressing considerations for managing cybersecurity risks associated with the “increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks, and systems and Operational Technology devices, networks and systems.”
  • Consult with cybersecurity researchers and private-industry experts to publish guidance relating to the reporting and resolution of security vulnerabilities discovered in federal government IoT devices.

– OMB will then have 180 days to issue guidelines for each government agency, based on NIST’s recommendations. Those recommendations are required to be consistent with the information security requirements that are imposed on federal information systems in Title 44. OMB’s guidelines are also required to prohibit acquisition or use of IoT devices from a contractor or vendor that fails to comply with NIST’s security vulnerability guidance.

– Once OMB issues its guidance to agencies, these requirements will need to be included in a revision to the Federal Acquisition Regulation (FAR), which governs all federal procurement of goods and services using appropriated funds. No specific date by which these regulations should be promulgated is included in the current draft of the bill.

Notably, the Act also recognizes the debate about what constitutes an “IoT device.” It would apply to a “covered device,” which is defined as a “physical object” that: (1) is capable of connecting to and is in regular connection with the internet, (2) has computer processing capabilities that can collect, send, or receive data; and (3) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems. At the same time, it directs OMB to establish a process for interested parties to petition for a decision that a device is not covered by this definition, potentially providing clarity for makers of devices about whether they are covered by the measure.

This bill follows two failed bills from the last congressional term: the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018. The 2017 and 2018 Acts both focused on “provid[ing] minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.” The prior bills contained only limited guidance to NIST and instead focused on OMB. For example, the 2017 bill required OMB to provide guidelines on specific, enumerated contractual terms in vendor contracts for IoT devices. The 2018 bill directed OMB to consider “voluntary consensus standards” in its promulgation of guidelines on contractual terms.

The current bill also follows increasing efforts by NIST to focus on IoT cybersecurity. Its efforts include development of a “baseline” set of cybersecurity capabilities for IoT devices. NIST announced earlier this month that it is seeking feedback on its proposal, especially insights into identifying those cybersecurity capabilities that could be achieved across the widest set of IoT devices.

Dutch Supervisory Authority Prohibits “Cookie Walls” under GDPR

On March 7, 2019, the Dutch Supervisory Authority for data protection issued guidance prohibiting the use of “cookie walls” on websites.  Cookie walls require website users to consent to the placing of tracking cookies or similar technologies before allowing them access to the website.  According to the regulator, it received many complaints about this practice.

The regulator explains that this practice is not compliant with the GDPR.  The (required) consent obtained in this way is not freely given, because withholding consent has negative consequences for the user (i.e., the user is barred from accessing the website).  Instead, websites should offer users a real choice to accept or reject cookies.  Users who decide not to consent to the placing of tracking cookies should still be granted access to the website, for example, against payment.

The Supervisory Authority addressed a letter to the companies about whom it received the most complaints.  The authority also announced that it will carry out further verifications to ensure that the GDPR is correctly applied in this area.

The guidance of the Dutch authority is in line with an earlier decision of the Austrian Supervisory Authority discussed here.

Florida Legislature Proposes State Biometric Information Privacy Act

The regular session of the Florida Legislature began on March 5, 2019. Over the course of the 60-day session, the Legislature will consider a number of bills on a variety of topics. Among the measures that will be considered are two bills that address biometric information privacy: one from House Representative Bobby DuBose (D) (HB 1153) and one from Senator Gary Farmer, Jr. (D) (SB 1270).

FTC Proposes to Add Detailed Cybersecurity Requirements to the GLBA Safeguards Rule

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”).  Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.”  Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Proposed Revisions to the Safeguards Rule’s Information Security Program Requirements

The Safeguards Rule establishes requirements for the information security programs of all financial institutions subject to FTC jurisdiction.  The Rule, which first went into effect in 2003, requires financial institutions to develop, implement, and maintain a comprehensive information security program.  As currently drafted, the Safeguards Rule has few prescriptive requirements, but instead generally directs financial institutions to take reasonable steps to protect customer information.

The FTC’s proposed revisions would add substantially more detail to these requirements.  Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, explained that the purpose of the proposed changes is “to better protect consumers and provide more certainty for business.”  The new requirements are primarily based on the cybersecurity regulations issued by the New York Department of Financial Services (“NYSDFS”), and the insurance data security model law issued by the National Association of Insurance Commissioners.

Covington Hosts First Webinar on Connected and Automated Vehicles

On February 27, 2019, Covington hosted its first webinar in a series on connected and automated vehicles (“CAVs”).  During the webinar, which is available here, Covington’s regulatory and public policy experts covered the current state of play in U.S. law and regulations relating to CAVs.  In particular, Covington’s experts focused on relevant developments in: (1) federal public policy; (2) federal regulatory agencies; (3) state public policy; (4) autonomous aviation; and (5) national security.

Highlights from each of these areas are presented below.

Republicans, Democrats Offer Different Views on Preemption During Senate Privacy Hearing

At a February 27, 2019 hearing on “Privacy Principles for a Federal Data Privacy Framework in the United States,” Republican and Democratic members of the Senate Commerce, Science, & Transportation Committee offered different perspectives on whether new federal privacy legislation should preempt state privacy laws.

House Subcommittee Holds Initial Hearing On Potential New Privacy Bill

On February 26, 2019, a key House subcommittee held a hearing to explore the possible contours of new federal privacy legislation.  At the hearing, Rep. Jan Schakowsky (D-IL)—who chairs the Energy & Commerce Committee’s Subcommittee on Consumer Protection and Commerce—said the hearing on “Protecting Consumer Privacy in the Era of Big Data” was only the first of “several hearings” that she would organize on consumer privacy.

GAO Report Calls for Federal Privacy Law

This month, the Government Accountability Office (“GAO”) released a report recommending that Congress consider enacting a federal internet privacy law in the United States.  The 56-page independent report was requested by the House Energy and Commerce Committee, which has scheduled a hearing on data privacy on February 26, during which it plans to discuss the GAO’s findings.  The Senate Commerce Committee is scheduled to hold a similar hearing on February 27th.

According to the GAO, “Congress should consider developing comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment.”  The GAO stressed the importance of striking an appropriate balance between the benefits of data collection and addressing consumer concerns.

All-Time Record Year for HIPAA Enforcement

The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) announced that 2018 was an all-time record year for Health Insurance Portability and Accountability Act (“HIPAA”) enforcement activity.  Enforcement actions in 2018 resulted in the assessment of $28.7 million in civil money penalties.  Enforcement activity focused primarily on breaches of electronic protected health information (ePHI).

Under 45 C.F.R. 164.308, a covered entity must conduct “accurate and thorough assessment[s] of the potential risks and vulnerabilities . . . of [ePHI].”  The final settlement of the year occurred in December 2018. In that settlement, Cottage Health agreed to pay $3 million to OCR and agreed to adopt a corrective action plan to remedy violations of the HIPAA Rules. The alleged violations pertained to December 2013 and December 2015 compromises of unsecured ePHI that implicated data of over 62,500 individuals. The ePHI breached included patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, lab results, and other treatment information.  OCR concluded that Cottage Health failed to conduct risk assessments and failed to implement security measures to reduce vulnerabilities.  In September 2018, OCR settled with Advanced Care Hospitals (ACH), a contractor physician group, for $500,000 after ACH reported that ACH patient information was viewable on a medical billing service’s website.  The OCR investigation revealed that ACH lacked the required business associate agreement with the billing service provider, that it had not conducted a risk assessment, and that it had not implemented security measures or HIPAA policies or procedures before 2014.  And, in October 2018, Anthem, Inc. paid $16 million (the largest HIPAA penalty ever assessed by OCR) after the largest health data breach in history.  Anthem discovered that malicious actors had accessed its network through undetected, continuous and targeted attacks to extract data, and had infiltrated the system through spear phishing emails.

Another enforcement theme in 2018 focused on physical theft of PHI or devices containing ePHI.  In January 2018, OCR settled with a medical records maintenance, storage, and delivery services provider, Filefax, Inc., after finding that Filefax left PHI in an unlocked truck in the Filefax parking lot and granted permission to unauthorized individuals to remove PHI.   Additionally, in June 2018, an Administrative Law Judge ruled in favor of OCR and required the University of Texas MD Anderson Cancer Center to pay $4.3 million in civil penalties for HIPAA violations after a theft of an unencrypted laptop from the residence of an employee and the loss of two USB thumb drives.

OCR’s record-breaking enforcement activities in 2018 serve as a reminder to covered entities and business associates to conduct frequent and meaningful assessment of the security of any PHI they hold, to swiftly remediate any vulnerabilities discovered, and to carefully document the assessment, remediation, and general HIPAA policies and procedures.

This blog post is part of our ongoing coverage of HIPAA issues, which includes, among others: