We’re honored to announce that InsidePrivacy has been included in the American Bar Association’s Annual Blawg 100, the ABA’s annual list of 100 best law blogs, for 2016. In including InsidePrivacy in its tenth anniversary list of top blogs, the ABA noted: “Covington & Burling bloggers address the struggles of courts and governments around the United States and the world to apply existing privacy laws to evolving technology—and the struggles of entities that face liability when their data security measures aren’t up to snuff. Posts also cover relevant congressional legislation, White House policy directives and industry best practices related to cybersecurity.” Our entire writing team is grateful to our readers and friends for their loyalty and the comments that we use to improve our work, and hope that you will continue to let us know how we can better serve you.
On December 1, 2016, the Commission on Enhancing National Cybersecurity released its Report on Securing and Growing the Digital Economy. In its Report, the Commission, established in February 2016 by President Obama, provided detailed short- and long-term recommendations to strengthen cybersecurity in the public and private sectors. The Commission took a multi-stakeholder approach, emphasizing the need for broad public-private cooperation, defined consumer rights and responsibilities, and international streamlining efforts. The Report focused on eight cybersecurity topics identified in the Commission’s charging Executive Order: federal governance, critical infrastructure, cybersecurity research and development, cybersecurity workforce, identity management and authentication, Internet of Things, public awareness and education, state and local government cybersecurity, and additionally insurance and international issues.
After studying these eight critical areas, the Commission articulated ten foundational principles that shaped its recommendations in the Report. These principles focused on the growth in size and density of Internet-connected systems, United States and federal government leadership in cybersecurity innovation, private-public collaboration, clear definitions of authority and accountability, consumer education, user-friendly cybersecurity products, privacy and trust development, the unique needs and constraints of small businesses, and designing incentives for innovation.
The Report then enumerated myriad imperatives, recommendations, and action items for the current and next Presidential administrations to develop robust cybersecurity in the nation. Continue Reading
Yesterday, the European Parliament voted to approve the EU-U.S. Umbrella Agreement, a framework for the exchange of personal data for law-enforcement (including anti-terrorism) purposes between the EU and U.S. As we previously explained, negotiations on this Agreement have been underway for quite some time, with the European Parliament first calling for it back in March 2009.
According to the European Commission’s fact sheet, the Agreement “puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation.” Specifically, the Umbrella Agreement includes the following protections:
- Data Use Limitations
- Onward Transfer Requirements
- Publicly Available Retention Periods
- Access and Rectification Rights
- Data Breach Notification
- Judicial Redress and Enforceability
On November 30, the FTC released a staff summary of its September 15, 2016 public workshop, Putting Disclosures to the Test. Numerous goods and services, from home appliances to financial services, make use of disclosures to inform users of their privacy practices. These disclosures—whether delivered offline or online, via text, video, or audio—are a key tool for consumers in learning the information they need to make informed decisions in the marketplace. The FTC has previously issued guidance about making effective digital disclosures and mobile privacy notices. The workshop went beyond these areas and discussed disclosures for a range of products through the lens of multiple disciplines.
The FTC workshop had nearly 1,000 attendants (including, of course, online participants). These participants explored the following topics: Continue Reading
The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.
Following NIST’s release of cybersecurity guidance for the Internet of Things last week, the Broadband Internet Technical Advisory Group (BITAG) released a report today titled Internet of Things (IoT) Security and Privacy Recommendations (the Report). BITAG is a non-profit organization that brings together engineers and technologists in a working group to develop consensus on technical issues that can affect users’ Internet experiences. The Report includes contributions from academics, advocacy organizations, and members of the telecommunications and consumer technology industries, with recommendations designed to “dramatically improve the security and privacy of IoT devices and minimize the costs associated with the collateral damage that would otherwise affect both end users and ISPs.”
As used in the Report, IoT refers to “consumer-oriented devices and their associated local and remote software systems.” The Report begins with background information about IoT, why IoT security and privacy is of particular interest, and the observation that many IoT devices do not abide by “rudimentary security and privacy best practices.” According to the Report, IoT devices therefore pose unique security and privacy challenges because they tend to implicate “non-technical or uninterested consumers” and can widely impact Internet access and other services when the devices are compromised by malware. Continue Reading
On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards. NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research and development and builds upon well-established international standards for systems and software engineering.
By Ezra Steinhardt and Gemma Nash
On November 11, 2016, a Russian court in Moscow upheld the decision of an earlier court to block online access to the website LinkedIn throughout Russia. This decision, which affirms a decision to penalize LinkedIn by the Russian data protection regulator, the Roskomnadzor, was based on the court’s view that LinkedIn had breached the new Russian data localization law (see below) by failing to maintain servers hosting site data in Russia. The block came into effect this week.
As previously reported on InsidePrivacy, Law 242-FZ (the “Data Localization Law”) came into effect in Russia last year. It introduced a requirement for certain businesses to physically store personal data relating to Russian citizens in Russian territory, subject to exceptions. The law also established a new power for the Roskomnadzor to block online access in Russia to websites of companies who are found to be in breach of these laws; this is the power now being exercised and upheld by the courts against LinkedIn. LinkedIn is one of the first foreign companies operating in Russia to have been faced with enforcement action in relation to the Data Localization Law.
LinkedIn has over 5 million registered users in Russia who will be affected.
In an order released last week, the Eleventh Circuit temporarily delayed enforcement of the Federal Trade Commission’s (FTC) order in the LabMD case. As we reported earlier, the FTC ruled in July that LabMD’s data security practices violated the FTC Act, clarifying and expanding upon the FTC’s authority to regulate corporate data security practices. After the FTC denied LabMD’s request for a stay, the company appealed to the Eleventh Circuit, which granted the stay in a unanimous decision. Continue Reading
The National Institute of Standards and Technology (NIST) released guidance today designed to help small businesses improve their cybersecurity preparedness. The document, Small Business Information Security: The Fundamentals, is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, a widely used cybersecurity framework (Cybersecurity Framework). For additional background on the Cybersecurity Framework, please see our prior post on the subject. Continue Reading