Auto Industry Releases Cybersecurity Best Practices

The Automotive Information Sharing and Analysis Center (“Auto-ISAC”) has released a set of cybersecurity best practices for the automotive industry.  The best practices are primarily geared toward automakers, but note that suppliers of motor vehicle components might also benefit from implementing them.

The best practices include seven functions, each of which includes several recommendations: (1) governance; (2) risk assessment and management; (3) security by design;  (4) threat detection and protection; (5) incident response; (6) training and awareness; and (7) collaboration and engagement with appropriate third parties.  The recommendations incorporate established cybersecurity resources and standards from organizations such as the International Organization for Standardization and National Institute of Standards and Technology.

Given the variation among automakers, the best practices do not prescribe specific technical or organizational solutions, and are only “suggested measures.”  The Auto-ISAC also commits to updating the best practices over time to “reflect the constantly evolving cyber landscape.”

Bill Criminalizing “Revenge Porn” Introduced in Congress

Today, Rep. Jackie Speier (D-Calif.) introduced legislation that would criminalize the non-consensual distribution of sexually explicit images, commonly referred to as “revenge porn.”

The Internet Privacy Protection Act would make it a federal crime for individuals to knowingly distribute sexually explicit images or video of a person without that person’s consent, or with “reckless disregard” for whether they consented, and for websites to intentionally promote or solicit such content.  Borrowing the terms of Section 230 of the Communications Decency Act, the law would not apply to websites and other interactive computer service providers that merely show content provided by another information content provider.  (Twitter and Facebook have backed the bill, while Google is staying neutral, according to The Hill.)  The law also would not apply to voluntary exposure or visual depictions in public places or in the public interest.  The proposed penalties range from fines to up to five years in prison.

While Speier’s bill is the first federal legislative attempt, thirty-four states and the District of Columbia have enacted similar legislation.  However, some of these laws have been challenged on First Amendment grounds.  For example, the ACLU, National Press Photographers Association, American Association of Publishers, and other businesses challenged Arizona’s revenge porn law, which had no requirement that the individual distributing such images have an intent to harm—that is to say, take revenge against—the image’s subject.  Last year, an Arizona district court judge entered a decree stating that the state could not enforce the law as written.  The proposed federal law requires “knowing” intent, but there are higher intent standards in criminal law.

Speier has said that she will introduce the legislation next Congress if it fails to move in the current, election-dominated session.

EU and US Unveil the New Privacy Shield

At a joint press conference in Brussels this morning (July 12, 2016), EU Commissioner Jourová and the U.S. Secretary of Commerce, Penny Pritzker, presented the new EU-U.S. data transfer mechanism (see press release here, adequacy decision text here, annexes here and Q&A factsheet here).  The press conference followed the approval of the underlying adequacy decision by the College of EU Commissioners.  This was the last step in the adoption of the Privacy Shield in the EU.  Last night, Commissioner Jourová discussed the new framework with the European Parliament.

This announcement is the culmination of more than two years of negotiation between the EU and U.S. on the revision of the previous EU-U.S. Safe Harbor framework (invalidated by the Court of Justice of the EU in October 2015).  Once translated and published in the Official Journal of the EU, the adequacy decision will enter into force.  The U.S. Department of Commerce is now working on the implementation of the framework and will accept self-certifications from U.S.-based companies from August 1, 2016.  The Department of Commerce has released a Guide to Self-Certification, available here.  Before self-certifying, companies will need to update their privacy policies and verification mechanisms and identify an independent dispute resolution provider.

The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S.  It contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor.  The European Commission will produce a citizens’ guide to explain redress options for EU citizens.

For further background on the Privacy Shield, see past InsidePrivacy coverage here.

Third Circuit Takes Narrow View of PII Under the VPPA

Last week, the Third Circuit adopted a narrow definition of “personally identifiable information,” or “PII,” under the Video Privacy Protection Act (“VPPA”), joining the majority of district courts that have addressed similar issues.  The VPPA defines PII as information that “identifies a person as having [obtained a video]” from a video tape service provider (“VTSP”).

In an appeal from the multi-district litigation In re Nickelodeon Consumer Privacy Litigation, the Third Circuit ruled that digital identifiers such as MAC addresses and IP addresses are not PII because the statutory definition of that term “applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.”

Privacy Shield Deal Passes Major EU Hurdle

On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).

That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11).  Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.

However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.

Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield.  Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the U.S.

Ninth Circuit: CFAA’s Prohibition on Accessing Computer Without Authorization “Unambiguous”

In a decision released Tuesday, the Ninth Circuit held that the Computer Fraud and Abuse Act’s (“CFAA”) prohibition on accessing a computer “without authorization” is violated when a person whose access to a computer system has been “affirmatively revoked” nonetheless accesses that computer system by other means.

In United States v. Nosal, the Ninth Circuit focused on the CFAA’s prohibition on accessing a computer “without authorization.”  The court described that term as “unambiguous” and “non-technical,” meaning “accessing a protected computer without permission.”  Given this plain meaning, the court found that “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the [CFAA] by going through the back door and accessing the computer through a third party.”

FDA Releases Draft Guidance on Dissemination of Patient-Specific Information by Device Manufacturers

Last month, the FDA released a draft guidance document on the sharing of patient-specific data associated with medical devices, including information recorded, stored, processed, retrieved, and/or derived from the device.  A new post on Covington’s Inside Medical Devices blog discusses the draft guidance and its implications for sharing patient information.

Significant HIPAA Fine Follows Business Associate’s Stolen iPhone

A new post over on Covington’s eHealth blog discusses a recent enforcement action taken by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) against Catholic Health Care Services, a business associate under HIPAA, arising out of a stolen iPhone.  This recent enforcement action should put business associates on notice of the potential for significant liability for failure to implement required HIPAA policies and procedures.  Furthermore, business associates should take steps to ensure that all PHI on laptops and mobile devices is rendered unreadable and unusable to unauthorized users, such as through encryption.  Read the full post here.

China Issues New Rules for Mobile Apps

The Cyberspace Administration of China (“CAC”) has issued new rules regulating apps for smartphone/mobile devices, the Rules on the Management of Mobile App Information Services (“App Rules,” available here, preceded by a Q&A section, all in Chinese), that will come into effect on August 1, 2016. The App Rules are aimed primarily at regulating the rapidly growing app market and addressing corresponding data privacy issues. Among other things, they impose data privacy, cybersecurity, and content monitoring requirements on app and app store providers.

Federal Aviation Administration Finalizes Small Unmanned Aircraft Rule

By Jack Schenendorf, Brian Smith, and Hannah Lepow

Tuesday, the Federal Aviation Administration (“FAA”) finalized its long-awaited rule on the commercial use of small unmanned aircraft systems (“UAS” or “drones”).  The rule comes a month after the National Telecommunications and Information Administration multistakeholder group reached consensus on best practices for drone privacy.  The FAA’s action is significant—for the first time, there will be a comprehensive and generally applicable set of rules for anyone wishing to operate a small drone for commercial purposes.

Before the adoption of this rule, which will take effect in August 2016, anyone wishing to operate a drone for anything other than hobbyist recreation had to apply for an individualized authorization from the FAA.  Although the FAA had made an effort to process the authorizations quickly, the applications quickly developed a backlog.  We expect that the new rule, which applies to drones weighing less than 55 pounds, will spur widespread use of drones for a variety of commercial operations, including aerial video for newsgathering, pipeline and radio tower inspections, aerial surveying, aerial photography for real estate and construction site monitoring, disaster response, and other uses still to be developed.