On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ … Continue Reading
Last week, the U.S. Department of Justice (“DOJ”) released a voluntary framework for organizations to use in the development of a formal program to receive reports of network, software, and system vulnerabilities, and to disclose vulnerabilities identified in other organizations’ environments. This framework provides private entities a series of steps to establish a formal program … Continue Reading
As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and … Continue Reading
The increasing connectivity of vehicles has raised questions about how to maintain the security of connected vehicles. In response, the Cloud Security Alliance released on May 25, 2017 a 35-page research and guidance report on Observations and Recommendations on Connected Vehicle Security. The Cloud Security Alliance is a not-for-profit organization dedicated to promoting a secure … Continue Reading
On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”). The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February. Since then, revised drafts of the order were circulated, including a version from February … Continue Reading
Among the many issues that can give rise to the initial uncertainty of responding to a significant cybersecurity incident is a failure by incident response team members to understand the perspectives and priorities of other stakeholders. But this complicating factor can readily be mitigated through cross-functional education and relationship building before an incident occurs. In … Continue Reading
Today, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Security Review of Network Products and Services (Trial) (“the Measures”), with an effective date of June 1, 2017 (official Chinese version available here). The issuance of the Measures marks a critical first step toward implementing China’s Cybersecurity Law (“the … Continue Reading
Last week, New Mexico and Tennessee both passed legislation updating each state’s requirements for notifying residents following a data breach. New Mexico’s new law, H.B. 15, makes it the 48th U.S. state to enact a state data breach notification law, leaving Alabama and South Dakota as the only states that have not enacted similar laws. … Continue Reading
New York Attorney General Eric T. Schneiderman announced this week that there were a record number of data breach notices in New York in 2016, with nearly 1,300 reported data breaches exposing the personal records of 1.6 million New Yorkers. These numbers represented a 60 percent year-over-year increase in the number of data breaches reported, … Continue Reading
Senators Ed Markey (D-MA) and Richard Blumenthal (D-CT) reintroduced a pair of bills today relating to the cybersecurity of cars and aircraft, which would impose affirmative security, disclosure, and consent requirements on manufacturers and air carriers. The Security and Privacy in Your Car (“SPY Car”) Act and Cybersecurity Standards for Aircraft to Improve Resilience (“Cyber … Continue Reading
On March 2nd, Democratic members of the House Energy and Commerce Committee introduced three pieces of legislation that would expand the Federal Communications Commission’s (FCC) authority over the cybersecurity practices of communications network providers. The first bill, the “Securing IoT Act of 2017” (introduced by Rep. Jerry McNerney (D-CA)), would expand the FCC’s certification authority … Continue Reading
The Trump Administration appears likely to release an Executive Order on Cybersecurity. The most recent draft suggests this Executive Order may have notable impact in the Communications, Energy, and Defense Industrial Base sectors. However, it remains unclear if and when the current draft will be signed. President Trump originally was scheduled to sign an Executive … Continue Reading
By Christopher Hanson On December 28, 2016, CDRH announced the publication of the final guidance “Postmarket Management of Cybersecurity in Medical Devices.” In a separate post, we reported on the January 22, 2016 draft version of this guidance document. The final guidance provides FDA’s recommendations on a risk-based framework for medical device manufacturers to assess and … Continue Reading
Last week, the Office of Management and Budget issued an updated breach response policy for federal agencies, replacing a policy last updated in 2007. The policy, set forth in memorandum M-17-12, provides minimum standards for federal agencies in preparing for and responding to breaches of personally identifiable information (PII). In addition to setting forth requirements … Continue Reading
In our previous post, we discussed seven draft cybersecurity and data protection national standards released by China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), on December 21, 2016. “Information Security Technology – Personal Information Security Specification” … Continue Reading
Based on reports citing New York Department of Financial Services (“DFS”) sources (see here and here), DFS may propose a revised version of its first-in-the-nation cybersecurity regulations on December 28, 2016. That revision would be followed by a new 30-day comment period, with the revised regulations scheduled to take effect on March 1, 2017. This … Continue Reading
On December 19, 2016, the New York State Assembly Standing Committee on Banks heard testimony about a proposed regulation introduced by the New York State Department of Financial Services that would require financial services companies to develop and implement cybersecurity programs to defend against cyber-attacks. As we covered when Governor Andrew Cuomo announced this first-in-the-nation … Continue Reading
By Tim Stratford and Yan Luo China’s National Information Security Standardization Technical Committee (“NISSTC”), a standard-setting committee jointly supervised by the Standardization Administration of China (“SAC”) and the Cyberspace Administration of China (“CAC”), released seven draft national standards related to cybersecurity and data privacy for public comment on December 21, 2016. The public comment period … Continue Reading
The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even … Continue Reading
Following NIST’s release of cybersecurity guidance for the Internet of Things last week, the Broadband Internet Technical Advisory Group (BITAG) released a report today titled Internet of Things (IoT) Security and Privacy Recommendations (the Report). BITAG is a non-profit organization that brings together engineers and technologists in a working group to develop consensus on technical … Continue Reading
On November 15, 2016, the National Institute of Standards and Technology (NIST) released its final guidance providing engineering-based solutions to protect cyber-physical systems and systems-of-systems, including the Internet of Things (IoT), against a wide range of disruptions, threats, and other hazards. NIST Special Publication 800-160 (the “Guidance”) is the result of four years of research … Continue Reading
The National Institute of Standards and Technology (NIST) released guidance today designed to help small businesses improve their cybersecurity preparedness. The document, Small Business Information Security: The Fundamentals, is based on NIST’s 2014 Framework for Improving Critical Infrastructure Cybersecurity, a widely used cybersecurity framework (Cybersecurity Framework). For additional background on the Cybersecurity Framework, please see … Continue Reading
On October 24, 2016, the U.S. Department of Transportation’s National Highway Traffic Safety Administration (“NHTSA”) announced the release of Cybersecurity Best Practices for Modern Vehicles, a non-binding, proposed guidance document designed to assist the automotive industry in improving motor vehicle cybersecurity and mitigating threats to safety. The guidance is intended to apply broadly to “all … Continue Reading
On Tuesday, the FTC issued new guidance for businesses on responding to data breaches, along with an accompanying blog post and video. The data breach response guidance follows the issuance of the FTC’s “Start with Security” data security guidance last year and builds upon recent FTC education and outreach initiatives on data security and cybersecurity … Continue Reading
