Data Security

On July 13, 2023 the White House issued the National Cybersecurity Strategy Implementation Plan (“NCSIP”).  The NCSIP identifies 65 initiatives – to be led by 18 different departments and agencies – that are designed as a roadmap for implementing the U.S. National Cybersecurity Strategy released earlier this year.  This is the first iteration of the plan, which is intended to be an evolving document that the Administration plans to update annually.  Consistent with the Strategy, the NCSIP contemplates five broad lines of effort (“pillars”):

  • Defending critical infrastructure;
  • Disrupting and dismantling threat actors;
  • Shaping market forces to drive security and resilience;
  • Investing in a resilient future; and
  • Forging international partnerships to pursue shared goals.

Among the many initiatives, the Administration has outlined several specific efforts over the next three years that will be of interest to technology companies, federal contractors, and critical infrastructure owners and operators.

Continue Reading White House Releases Implementation Plan for the National Cybersecurity Strategy

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) released guidance on Security-by-Design and Security-by-Default principles for technology manufacturers that was jointly developed by the Federal Bureau of Investigation and the National Security Agency, as well as cybersecurity authorities in Australia, Canada, United Kingdom, Germany, Netherlands, and New Zealand.  While similar principles have been published in the past, such as those released by the U.S. Federal Trade Commission, this guidance builds on the White House’s recent roll-out of the U.S. National Cybersecurity Strategy and is in line with efforts to encourage a consistent, international approach to software security that emphasizes the responsibilities of software manufacturers across various jurisdictions.  While the guidance primarily focuses on recommendations for technology manufacturers, it also includes recommendations for enterprise customers to “hold their supplying technology manufacturers accountable for the security outcomes of their products.”  CISA and the authoring agencies are seeking feedback on the guidance, and indicated plans to hold future listening sessions to collect feedback. 

Continue Reading CISA Publishes International Guidance on Implementing Security-by-Design and Security-by-Default Principles for Software Manufacturers and Customers

On March 8, 2023, the United States Department of Health and Human Services (“HHS”), through the Administration for Strategic Preparedness and Response and the Health Sector Coordinating Counsel Joint Cybersecurity Working Group, released an updated version of its Cybersecurity Framework Implementation Guide (the “Guide”) “to help the public and private health care sectors prevent cybersecurity incidents.”  Specifically, the Guide aims to help healthcare organizations leverage the NIST Cybersecurity Framework to “determine their cybersecurity goals, assess their current cybersecurity practices, or lack thereof, and help identify gaps for remediation.”  

Continue Reading HHS Releases Guidance to Help Healthcare Organizations Align with the NIST Cybersecurity Framework

The United States National Cybersecurity Strategy, released on March 2, 2023, is poised to place significant responsibility for cybersecurity on technology companies, federal contractors, and critical infrastructure owners and operators.  The Strategy articulates a series of objectives and recommended executive and legislative actions that, if implemented, would increase the cybersecurity responsibilities and requirements of these types of entities.  The overall goal of the Strategy is to create a “defensible, resilient digital ecosystem” where the costs of an attack are more than the cost of defending those systems and where “neither incidents nor errors cascade into catastrophic, systemic consequences.”  The Strategy outlines two fundamental shifts to how the federal government will attempt to allocate roles, responsibilities, and resources in cyberspace. 

Continue Reading White House Releases National Cybersecurity Strategy

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.”  These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

Continue Reading FTC Publishes Blog Post on Data Security Practices for Complex Systems

The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).

Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards

On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.

Continue Reading CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act

The UK Government’s (UKG) proposals for new, sector-specific cybersecurity rules continue to take shape. Following the announcement of a Product Security and Telecommunications Infrastructure Bill and a consultation on the security of apps and app stores in the Queen’s Speech (which we briefly discuss here), the UKG issued a call for views on whether action is needed to ensure cyber security in data centres and cloud services (described here).

In recent weeks, the UKG has made two further announcements:

  • On 30 August 2022, it issued a response to its public consultation on the draft Electronic Communications (Security measures) Regulations 2022 (Draft Regulations) and a draft Telecommunications Security code of practice (COP), before laying a revised version of the Draft Regulations before Parliament on 5 September.
  • On 1 September 2022, it issued a call for information on the risks associated with unauthorized access to individuals’ online accounts and personal data, and measures that could be taken to limit that risk.

We set out below further detail on these latest developments.

*****

Continue Reading A packed end to the UK’s cyber summer: Government moves forward with telecoms cybersecurity proposals and consults on a Cyber Duty to Protect

On Episode 19 of Covington’s Inside Privacy Audiocast, Dan Cooper and and Yan Luo discuss the key provisions of China’s draft SCCs, compare the draft legislation with the GDPR, and talk through actions that companies should be considering in order to comply with the new cross-border data requirements.

This audiocast episode is repurposed from a

In addition to the two developments we reported on in our last blog post, on July 7, 2022, the long-waited, final version of the Measures for Security Assessment of Cross-border Data Transfer (《数据出境安全评估办法》, “Measures”) were released by the Cyberspace Administration of China (“CAC”).  With a very tight implementation schedule, the Measures will take effect on September 1, 2022.  The full text of the Measures can be found here (currently available only in Mandarin Chinese).

In this blog, we highlight a few key takeaways from the final Measures.

Continue Reading China Releases Measures for a Security Assessment of Cross-Border Data Transfers To Take Effect in September 2022