On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

On July 5, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) and the National Institute of Standards and Technology (“NIST”) strongly recommended that organizations begin preparing to transition to a post-quantum cryptographic standard.  “The term ‘post-quantum cryptography’ is often referred to as ‘quantum-resistant cryptography’ and includes, ‘cryptographic algorithms or methods that are assessed not to be specifically vulnerable to attack by” a CRQC (cryptanalytically relevant quantum computer) or a classical computer.  NIST “has announced that a new post-quantum cryptographic standard will replace current public-key cryptography, which is vulnerable to quantum-based attacks.”  NIST does not intend to publish the new post-quantum cryptographic standard for commercial products until 2024 but urges companies to begin preparing now by following the Post-Quantum Cryptography Roadmap

Continue Reading CISA and NIST Urge Companies to Prepare to Transition to a Post-Quantum Cryptographic Standard

Today, the Federal Trade Commission (FTC) announced that it anticipates proposing a privacy rulemaking this month, with comments closing in August.  This announcement follows the agency’s statement in December that it planned to begin a rulemaking to “curb lax security practices, limit privacy abuses, and ensure that algorithmic decision-making does not result in unlawful discrimination.” 

In the early hours of Friday, 13 May, the European Parliament and the Council of the EU reached provisional political agreement on a new framework EU cybersecurity law, known as “NIS2”. This new law, which will replace the existing NIS Directive (which was agreed around the same time as GDPR, see here) aims to strengthen EU-wide cybersecurity protection across a broader range of sectors, including the pharmaceutical sector, medical device manufacturing, and the food sector.

Continue Reading Political Agreement Reached on New EU Horizontal Cybersecurity Directive

On April 20, 2022, the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom—the so-called “Five Eye” governments—announced the publication of Alert AA22-110A, a Joint Cybersecurity Advisory (the “Advisory”) warning critical infrastructure organizations throughout the world that the Russian invasion of Ukraine could expose them “to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.”  The Advisory is intended to update a January 2022 Joint Cybersecurity Advisory, which provided an overview of Russian state-sponsored cyber operations and tactics, techniques, and procedures (“TTPs”).

In its announcement, the authorities urged critical infrastructure network defenders in particular “to prepare for and mitigate potential cyber threats by hardening their cyber defenses” as recommended in the Advisory.
Continue Reading International Cybersecurity Authorities Issue Joint Advisory on Russian Cyber Threats to Critical Infrastructure

On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.”  In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”

CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks.  The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves.
Continue Reading CISA Issues Voluntary Information Sharing Guidance for Critical Infrastructure Owners and Operators and Provides Resources for All

On March 15, 2022, President Biden signed the Consolidated Appropriations Act 2022, a $1.5 trillion omnibus spending package to fund the government through September 2022.  The omnibus spending package includes the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”), which establishes two cyber incident reporting requirements for covered critical infrastructure entities:  a 24-hour requirement to report any ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) and a 72-hour requirement to report all covered cyber incidents to CISA.  These requirements will take effect upon the issuance of implementing regulations from the Director of CISA.
Continue Reading President Biden Signs Critical Infrastructure Ransomware Payment and Cyber Incident Reporting into Law

On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”).  The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.

The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.”  The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.”  The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.

The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products.  We should expect that the framework established by NIST in this publication will serve as a model for these requirements.
Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products

On December 10th, the Federal Trade Commission (FTC) published a Statement of Regulatory Priorities that announced the agency’s intent to initiate rulemakings on issues such as privacy, security, algorithmic decision-making, and unfair methods of competition.
Continue Reading FTC Announces Regulatory Priorities for Both Privacy and Competition

On December 15, 2021, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a warning for “critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks” before the upcoming holiday season.  CISA’s warning emphasizes that “[s]ophisticated threat actors . . . have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms” and have “demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.”

CISA’s warning includes recommended actions for executives and senior leaders, additional recommended actions for organizations with operational technology (“OT”) and industrial control systems (“ICS”), recommendations for organizations that have experienced a cybersecurity incident, and a list of resources that organizations confronting cyber threats and evaluating cybersecurity best practices may find helpful.

Continue Reading CISA Warns Critical Infrastructure Owners and Operators to Prepare for and Take Steps to Mitigate Holiday Cyber Threats