White House’s Cybersecurity National Action Plan (CNAP) Includes Cybersecurity Awareness Campaign, Creation of Federal Privacy Council

Following the announcement of the President’s Cybersecurity National Action Plan (CNAP), an initiative designed to “enhance cybersecurity capabilities within the Federal Government and across the country,” the White House has released a fact sheet outlining the different components of the CNAP.  The announcement of the CNAP follows the President’s request for $19 billion in funding for cybersecurity initiatives in fiscal year 2017, an increase of 35% over the previous year’s request.  The CNAP includes a mixture of near-term measures and long-term objectives, with the ultimate goal of enhancing the federal government’s cybersecurity posture while encouraging private citizens and businesses to do the same.  Some of the most significant aspects of the CNAP, discussed further below, include:

  • The launch of a cybersecurity awareness campaign to promote the use of multi-factor authentication;
  • A “systematic” review by the White House to identify areas where the federal government can reduce the use of Social Security Numbers as individual identifiers;
  • Plans for the development of a Cybersecurity Assurance Program to test and certify connected devices against certain security standards;
  • The creation of a Chief Information Security Officer (CISO) position within the federal government, coupled with a $3.1 billion initiative to modernize federal agencies’ IT systems and applications;
  • The establishment of a commission of private sector cybersecurity experts to offer recommendations on cybersecurity initiatives; and
  • The establishment of a Federal Privacy Council, composed of representatives from various key federal agencies, to coordinate guidelines for the federal government’s collection and storage of data.


After Two-Day Workshop, CDRH Releases Postmarket Cybersecurity Draft Guidance

By Christopher Hanson

On January 22, 2016, CDRH announced in the Federal Register the publication of the draft guidance, “Postmarket Management of Cybersecurity in Medical Devices.”  The release of the draft guidance coincided with the conclusion of a two-day public workshop hosted by FDA entitled, “Moving Forward: Collaborative Approaches to Medical Device Cybersecurity.”  We previously discussed the Agency’s announcement of the workshop in a separate post.

This is the second significant cybersecurity guidance document CDRH has released, having finalized its “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices” guidance in October 2014.  Having now issued both premarket and postmarket guidance documents, the Agency recognizes that an “effective cybersecurity risk management program should incorporate both premarket and postmarket lifecycle phases and address cybersecurity from medical device conception to obsolescence.”

Commerce Releases Fact Sheet on the EU-U.S. Privacy Shield

As we reported yesterday, the United States and the European Commission have reached a political agreement on a new framework for transatlantic data flows, referred to as the EU-U.S. Privacy Shield.  The U.S. Department of Commerce (“Commerce”) released a fact sheet yesterday to coincide with the announcement of the agreement.

The fact sheet includes a series of bullet points listing ways in which the Privacy Shield (1) “significantly improves commercial oversight and enhances privacy protections,” and (2) “demonstrates the U.S. Commitments to limitations and safeguards on national security.”  On the first point, Commerce states that “EU individuals will have access to multiple avenues to resolve concerns,” including alternative dispute resolution at no cost to individuals.  In addition, Commerce “will step in directly and use best efforts to resolve referred complaints” using a “special team with significant new resources.”  On the second point, the fact sheet references President Obama’s executive actions to enhance privacy protections and oversight relating to U.S. government surveillance activities.  Finally, Commerce states that “the United States is making the commitment to respond to appropriate requests” regarding U.S. intelligence activity, in a manner that is consistent with national security obligations.

Article 29 Working Party Reacts to the U.S.-EU Privacy Shield Agreement

On February 3rd, the Article 29 Working Party, representing Europe’s data protection authorities, published its reaction to the announcement of a new “Privacy Shield” political agreement between the European Commission and the U.S. Government.  The Privacy Shield agreement, announced on February 2nd (and further described in our blog post here), is intended to replace the now-defunct Safe Harbor Framework, and may form a future legal basis for transatlantic data flows between Europe and the United States.

Agreement Reached on New EU-U.S. Safe Harbor: the EU-U.S. Privacy Shield

By Dan Cooper, Phil Bradley-Schmieg and Joseph Jones

Today (February 2nd, 2016), the European Commission and U.S. Government reached political agreement on the new framework for transatlantic data flows.  The new framework – the EU-U.S. Privacy Shield – succeeds the EU-U.S. Safe Harbor framework (for more on the Court of Justice of the European Union decision in the Schrems case declaring the Safe Harbor invalid, see our earlier post here).  The EU’s College of Commissioners has also mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement.

Report Questions Use of “Going Dark” to Describe Encryption Trends

A report released yesterday by the Berkman Center for Internet & Society at Harvard University addresses the recent debate over the use of encryption in communications technologies and its impact on government access to communication data.  The report focuses on the U.S. government’s use of the “going dark” metaphor to describe recent decisions by several major providers of communications services and products to enable end-to-end encryption on their applications, operating systems, and mobile devices.

According to the report, the government’s use of the “going dark” metaphor to describe this phenomenon dates back to at least 2010, when the FBI’s then-General Counsel Valerie Caproni used the term in testimony before the Senate Judiciary Committee.  The report acknowledges that views on encryption differ within the government, and that the Obama administration announced in October 2015 that it would not pursue legislative action to force companies to decrypt data in response to government requests.  It notes, however, that several recent statements by FBI Director James Comey and others in the law enforcement and intelligence communities have expressed concern that encryption technologies inhibit access to communications even when the government has the legal authority to access them.  This, in turn, could limit the government’s ability to prevent terrorist attacks or investigate and prosecute criminal activity.

Judge Denies Neiman’s Motion to Dismiss Data Breach Class Action

A federal judge in the Northern District of Illinois has denied Neiman Marcus Group LLC’s (“Neiman”) motion to dismiss a consumer class action lawsuit arising from a December 2013 data breach at the retailer that exposed about 350,000 credit cards.  As we previously reported, the plaintiffs sued Neiman alleging various claims arising from fraudulent charges following the data breach.

The district court previously dismissed the suit on the ground that the plaintiffs lacked standing to sue, but that argument was rejected by the Seventh Circuit, and Neiman’s request for rehearing en banc was denied.  Back in the district court, Neiman argued that the court should still dismiss the suit because plaintiffs’ alleged injuries were insufficient to state claims for, among other things, negligence, breach of implied contract, and violations of state data breach notification requirements.

In a brief docket entry, the district court denied the motion to dismiss, stating only that “[d]ismissal is not appropriate at this time.”  The case will therefore proceed on the merits, with a status hearing currently scheduled for February 25th.

Senate Committee Passes Judicial Redress Act, May Assist Safe Harbor Negotiations

The Senate Judiciary Committee today successfully reported H.R. 1428, the Judicial Redress Act of 2015.  However, the bill included an amendment to the House-passed version that has the potential to influence current negotiations between the United States and the European Union to reach a new Safe Harbor agreement.

As we previously reported, the Judicial Redress Act of 2015 would allow EU citizens and citizens of other nations limited rights to file suit in U.S. courts under the federal Privacy Act of 1974 over allegations that the U.S. government misused their personal data.  Passage of the Judicial Redress Act is seen by many as key to the success of the ongoing negotiations between EU and U.S. representatives to reach a new Safe Harbor agreement before the January 31 deadline.

Today, the Senate Judiciary Committee advanced the bill to the full Senate, but, at the eleventh hour, added an amendment that would require the foreign countries covered by the Act to permit the transfer of personal data for commercial purposes between that country and the United States, as well as require the U.S. Attorney General to certify that the transfer of personal data does not materially impede U.S. national security interests.  This new language could complicate current safe harbor negotiations, as the amendment would add further requirements to the extension of privacy rights to foreign citizens, as well as give U.S. regulators considerable flexibility to assert that certain commercial data transfers do not accord with U.S. national security interests.

The key sponsors of the Act urged that the full Senate schedule a vote on its passage at its earliest opportunity.  The House of Representatives passed a parallel measure in late 2015.

Senators Introduce Bill Requiring Cybersecurity Expertise Reports to SEC

On December 17, 2015, Senators Reed (D-RI) and Collins (R-ME) introduced the Cybersecurity Disclosure Act of 2015 (S. 2410), which has been referred to the Committee on Banking, Housing, and Urban Affairs.  According to the press release accompanying the bill, it “seeks to strengthen and prioritize cybersecurity at publicly traded companies by encouraging the disclosure of cybersecurity expertise, or lack thereof, on corporate boards at these companies.”

The bill applies to “reporting companies,” defined as companies that issue registered securities under 15 U.S.C. § 78l or companies that are required to file reports with the Securities and Exchange Commission (“SEC”) under 15 U.S.C. § 78o(d).  It requires the SEC to issue rules within one year of enactment that require reporting companies to include disclosures relating to the cybersecurity expertise of their corporate boards in their annual reports.

European Parliament Committee Approves EU Cybersecurity Rules and Publishes Agreed Text

By Mark Young and Vera Coughlan

Formal adoption of the EU Network and Information Security (NIS) Directive is a step closer following a vote on January 14 by the European Parliament’s internal market and consumer protection (IMCO) committee.

As we reported in December, the European institutions reached an informal political agreement on the NIS Directive — dubbed the Cybersecurity Directive — on December 7, 2015 (see the press release from the Council).  The informal consolidated text, dated December 18, is available here.  Member States, acting through the Committee of Permanent Representatives (COREPER), endorsed this agreement on December 18.

On January 14, the European Parliament’s IMCO committee voted in favour of the NIS Directive (34-2).  The committee confirmed that the minimum harmonisation requirements under the Directive do not apply to digital service providers.  This means that Member States would not be able to impose any further security or notification requirements on digital service providers when transposing the Directive into national law.

The IMCO committee also published a table, dated January 13, 2016, which provides an interesting overview of the different institutions’ positions during the negotiations.  This table sets out an article-by-article comparison of the differences between the Commission proposal, the European Parliament’s position, and the Council position, and shows the suggested compromises as well as the compromise amendments.

The NIS Directive will now be put forward for a full plenary vote in the European Parliament.  Once it is published in the Official Journal of the European Union and enters into force later this year, Member States will have 21 months to transpose it into national law.  Member States will then have a further 6 months to apply criteria laid down in the Directive to identify specific operators of essential services covered by national rules.  These processes are likely to be complicated, and companies that may fall within scope should participate in consultations and monitor developments across the EU over the coming months.