Archives: Data Security

Subscribe to Data Security RSS Feed

FERC Requests Comments on Grid Cybersecurity Initiatives

In a new post on the Covington Energy & Environment Blog, our colleagues discuss the Federal Energy Regulatory Commission’s Notice of Inquiry on updating reliability standards related to cybersecurity, especially given the threat of a coordinated cyberattack targeting geographically distributed generation resources.  The Commission also issued a staff paper that suggests a framework for providing … Continue Reading

FTC to Consider Changes to the Health Breach Notification Rule

On May 8, 2020, the Federal Trade Commission (“FTC”) issued a notice soliciting public comment regarding whether changes should be made to its Health Breach Notification Rule (the “Rule”).  The request for comment is part of a periodic review process “to ensure that [FTC rules] are keeping pace with changes in the economy, technology, and … Continue Reading

China Issued the Commercial Encryption Product Certification Catalogue and Certification

On May 11, 2020, the State Cryptography Administration (“SCA”) and the State Administration for Market Regulation jointly issued the Commercial Encryption Product Certification Catalogue (First Batch) (“Product Catalogue”) and the Commercial Encryption Product Certification Measures (“Certification Measures”) (the announcement is available here), taking effect immediately.   Prior to the adoption of the Encryption Law (see … Continue Reading

China Issues New Measures on Cybersecurity Review of Network Products and Services

On April 27, 2020, the Cyberspace Administration of China (“CAC”) and other eleven government agencies jointly released the final version of the Measures on Cybersecurity Review (“Measures”) (an official Chinese version of the Measures is available here).  These Measures will take effect on June 1, 2020. Under Article 35 of China’s Cybersecurity Law (“CSL”), operators … Continue Reading

UK ICO Issues Opinion on Apple-Google Initiative for a Contact Tracing Framework

On April 17, 2020, the UK’s Information Commissioner’s Office (“ICO”) issued an opinion on the recently announced Apple-Google initiative to develop a Bluetooth-based Contact Tracing Framework (“CTF”) to help prevent the spread of COVID-19.  The ICO opinion is generally supportive of the Apple-Google proposal and perceives it to be, at this early phase, aligned with … Continue Reading

IoT Update: FTC Settles with Smart Lock Manufacturer and Provides Guidance for IoT Companies

On April 6, 2020, Tapplock, Inc., a Canadian maker of internet-connected smart locks, entered into a settlement with the Federal Trade Commission (“FTC”) to resolve allegations that the company deceived consumers by falsely claiming that it had implemented reasonable steps to secure user data and that its locks were “unbreakable.”  The FTC alleged that these … Continue Reading

UK Supreme Court Rules That Supermarket Is Not Vicariously Liable For Data Breach Committed By Employee

On 1 April 2020, the UK Supreme Court handed down its ruling in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12.  The Court ruled that Morrisons was not vicariously liable for a data breach deliberately perpetrated by an employee.  The judgment is significant in that it overturned the decisions of the two lower … Continue Reading

COVID-19 Cybersecurity Advice: FTC and FBI Provide Guidance on Cybersecurity Scam Trends and Preventive Measures

In response to the COVID-19 outbreak, several U.S. government entities have released warnings about a rise in scams and fraudulent activity connected to the outbreak.  In a recent bulletin, the FBI warned of a rise in phishing emails, counterfeit treatments or equipment for COVID-19 preparedness, and fake emails from the Centers for Disease Control and … Continue Reading

Guidance released by EU Authorities on How to Ensure IT Security when Working Remotely

In order to combat the proliferation of COVID-1, several EU Member States have strongly recommended or required that employees engage in teleworking, rather than attend work as normal. In this context, the European Union Agency for Cybersecurity (“ENISA”), on March 15, 2020, issued its “top tips for cybersecurity when working remotely”. Some data protection Supervisory … Continue Reading

New York SHIELD Act’s Reasonable Safeguard Requirements Became Effective on March 21st —Is Your Company Ready?

On March 21, 2020, the data security requirements of the New York SHIELD Act became effective.  The Act, which amends New York’s General Business Law, represents an expansion of New York’s existing cybersecurity and data breach notification laws.  Its two main impacts on businesses are: expanding data breach notification requirements under New York law; and … Continue Reading

COVID-19 Cybersecurity Advice: FTC, NIST, and CISA Release Guidance on Secure Teleworking and Critical Infrastructure Jobs

In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely.  In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying … Continue Reading

Vermont Enacts Data Breach Notification and Student Privacy Legislation

Earlier this month, the Governor of Vermont signed into law S.B. 110, which will amend the state’s data breach notification law and create a new student privacy law focused on operators of educational technology services.  Notably, the amendments to the state’s data breach notification law will expand the categories of personally identifiable information (“PII”) that … Continue Reading

Key COVID-19 Issues for Privacy and Cybersecurity Professionals

Covington experts on issues as varied as supply chain and other commercial contracts, employment, and insurance are supporting companies on the commercial implications of Coronavirus COVID-19.  But this blog post provides a brief overview of some of the key issues that privacy and cybersecurity professionals should have top of mind in dealing with response efforts.  … Continue Reading

European Commission Presents Strategies for Data and AI (Part 1 of 4)

On 19 February 2020, the European Commission presented its long-awaited strategies for data and AI.  These follow Commission President Ursula von der Leyen’s commitment upon taking office to put forward legislative proposals for a “coordinated European approach to the human and ethical implications of AI” within the new Commission’s first 100 days.  Although the papers … Continue Reading

French Supervisory Authority Publishes Guidance for Website and App Developers

On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps. The … Continue Reading

Cyberspace Administration of China Releases Notice on the Protection of Personal Information in the Fight Against Coronavirus

In response to the recent coronavirus outbreak (“2019-nCoV”), a wide range of Chinese regulators, including many levels of local governments (down to the neighborhood committee level) and local public security bureaus (“PSBs”), have been actively collecting personal information to monitor and potentially mitigate the spread of the outbreak.  For example, Shenzhen PSB has issued a … Continue Reading

DoD Announces the Release of CMMC Version 1.0

Last Friday, the Department of Defense announced the release of Version 1.0 of its Cybersecurity Maturity Model Certification (“CMMC”), which sets forth the cybersecurity requirements that contractors and suppliers must meet to participate in the Department’s supply chain.  A new post on Covington’s Inside Government Contracts blog discusses the release of Version 1.0 of the … Continue Reading

Germany Publishes Draft Regulation on the Reimbursement of Digital Health Applications

Germany recently enacted a law that enables state health insurance schemes to reimburse costs related to the use of digital health applications (“health apps”), but the law requires the Federal Ministry of Health to first develop the reimbursement process for such apps.  Accordingly, on January 15, 2020, the German government published a draft regulation setting … Continue Reading

FTC Summarizes 2019 Changes to Data Security Orders

In a recent blog post, the Federal Trade Commission highlighted three key changes it made in 2019 in its approach to issuing orders in data security enforcement matters.  As stated by Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, in the blog post, the agency intends for these changes to strengthen consumer … Continue Reading

State Legislatures Are Off to the Privacy Races, With New Hampshire in the Lead

While some state legislators are still putting away their holiday decorations, New Hampshire legislators introduced new data privacy legislation, New Hampshire House Bill 1680.  The legislation is similar to the California Consumer Privacy Act (which we’ve written extensively about before, including here and here).  It grants consumers access, portability, transparency, non-discrimination, deletion, and opt-out-of-sale rights … Continue Reading

House Energy and Commerce Committee Circulates Draft Privacy Bill Expanding FTC Authority

On December 18, 2019, staffers on the House Energy and Commerce Committee circulated a draft of a bipartisan privacy bill.  The draft is currently unnamed and unfinished, but it lays out a comprehensive framework that expands both individuals’ rights to their data and the FTC’s enforcement role over digital privacy.  Rep. Cathy McMorris-Rodgers (R-Wash.) and … Continue Reading

CISA Releases Cyber Readiness Recommendations for Small Business

Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) released a set of cyber readiness recommendations for small businesses.  The recommendations, which CISA developed in collaboration with small businesses and state and local governments, are intended to assist smaller organizations in implementing organizational cybersecurity practices.  While not binding requirements, the … Continue Reading

Spanish Supervisory Authority and EDPS Release Guidance on Hashing for Data Pseudonymization and Anonymization Purposes

On November 4, 2019, the Spanish Supervisory Authority (“AEPD”), in collaboration with the European Data Protection Supervisor, published guidance on the use of hashing techniques for pseudonymization and anonymization purposes. In particular, the guidance analyses what factors increase the probability of re-identifying hashed messages. The AEPD explains that the probability of re-identification increases if more … Continue Reading

China Enacts Encryption Law

On October 26, 2019, China enacted a landmark Encryption Law, which will take effect on January 1, 2020.  The Encryption Law significantly reshapes the regulatory landscape for commercial encryption, including foreign-made commercial encryption products, but leaves many questions to be answered in future implementing regulations.  In this blog post, we provide a few highlights of … Continue Reading
LexBlog