National Institute of Standards and Technology

The National Institute of Standards and Technology (“NIST”) issued its initial draft of the “AI Risk Management Framework” (“AI RMF”), which aims to provide voluntary, risk-based guidance on the design, development, and deployment of AI systems.  NIST is seeking public comments on this draft via email, at AIframework@nist.gov, through April 29, 2022.  Feedback received on this draft will be incorporated into the second draft of the framework, which will be issued this summer or fall.
Continue Reading NIST Releases Draft AI Risk Management Framework for Public Comment

On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”).  The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.

The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.”  The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.”  The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.

The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products.  We should expect that the framework established by NIST in this publication will serve as a model for these requirements.
Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products

In response to the drastic increase of U.S. employees working remotely, the U.S. Federal Trade Commission (“FTC”) and the U.S. National Institute of Standards and Technology (“NIST”) have both issued guidance for employers and employees on best practices for teleworking securely.  In addition, the Cybersecurity and Infrastructure Security Agency (“CISA”) has provided advice on identifying essential workers, including IT and cybersecurity personnel, in critical infrastructure sectors that should maintain normal work schedules if possible.  Each set of guidance is discussed in further detail below.
Continue Reading COVID-19 Cybersecurity Advice: FTC, NIST, and CISA Release Guidance on Secure Teleworking and Critical Infrastructure Jobs

The Department of Commerce’s National Institute of Standards and Technology (“NIST”) has released Version 1.0 of its Privacy Framework.  This voluntary framework aims to provide organizations with strategies to improve their privacy practices, build customer trust, and fulfill compliance obligations.  It is designed to be flexible and non-prescriptive, allowing public and private organizations of all sizes to adapt the framework to their own goals and priorities.

NIST announced its intention to develop this tool in September 2018, and spent the following year collaborating with stakeholders – including corporations, governments, academics, industry groups, and non-profits – to create a draft.  It released a preliminary draft of the framework in September 2019, soliciting comments that were used to create Version 1.0.

The Privacy Framework comes at a time of significant change for organizations endeavoring to manage their privacy risk.  Federal, state, and local governments around the world are issuing first-of-their-kind privacy laws, with more on the horizon, as we have written about here, here, here, here, and here.  This patchwork of untested laws increases the challenge of privacy compliance in the U.S. and abroad.   
Continue Reading NIST Releases Version 1.0 of its Privacy Framework

Pursuant to Executive Order 13636, the National Institute of Standards and Technology (“NIST”) established the Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, a technology-neutral, voluntary, risk-based cybersecurity framework that includes standards and processes intended to align policy, business, and technological approaches to addressing cybersecurity risks.  Four years later, NIST has released an updated version of the Framework.

Prior to releasing this update, NIST issued a request for information to get a better understanding of how companies were using the Framework, released a draft of the revised Framework for public comment, and held a public webcast to discuss the updates to the Framework.  The key updates in Version 1.1 are summarized below.
Continue Reading NIST Releases Updated Cybersecurity Framework

On August 28, 2017, the U.S. Government Accountability Office (“GAO”) publicly released a report regarding consumer privacy issues associated with the rapidly increasing number of cars that are “connected”—i.e., capable of wirelessly monitoring, collecting, and transmitting information about their internal and external environments.  The report examines four key issues: (1) the types of data collected by connected cars and transmitted to selected automakers, and how such automakers use and share such data; (2) the extent to which selected automakers’ privacy policies are in line with established privacy best practices; (3) selected experts’ views on privacy issues related to connected cars; and (4) federal roles and efforts related to consumer privacy and connected cars.

Process

The GAO turned to a variety of resources to explore the four identified issues.  For starters, the GAO conducted a series of interviews with relevant industry associations, organizations that work with consumer privacy issues, and a sample of sixteen automakers (thirteen of which offered connected vehicles) based on their vehicle sales in the U.S.  In addition, the GAO analyzed selected automakers’ privacy policies and compared them to privacy frameworks developed by the Organization for Economic Cooperation and Development (“OECD”) as well as the Federal Trade Commission (“FTC”), the National Highway Traffic Safety Administration (“NHTSA”), and the National Institute of Standards and Technology (“NIST”).  Finally, the GAO consulted relevant sources (e.g., federal statutes, regulations, and reports) and interviewed agency officials, including those from the Department of Transportation (“DOT”), the FTC, and the Department of Commerce.
Continue Reading GAO Releases New Vehicle Data Privacy Report

By Susan Cassidy, Jenny Martin, and Catlin Meade

The National Institute of Standards and Technology (“NIST”) released on August 15, 2017 its proposed update to Special Publication (“SP”) 800-53.  NIST SP 800-53, which was last revised in 2014, provides information security standards and guidelines, including baseline control requirements, for implementation on federal information systems under the Federal Information Systems Management Act of 2002 (“FISMA”).  The revised version will still apply only to federal systems when finalized, but one of the stated objectives of the revised version is to make the cybersecurity and privacy standards and guidelines accessible to non-federal and private sector organizations for voluntary use on their systems.

In its announcement of the draft revision, NIST explains that the update “responds to the need by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations, a comprehensive set of safeguarding measures for all types of computing platforms, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and Internet of Things (IoT) devices.”  In particular, a key purpose of the update process was to assess the relevance and appropriateness of the current security controls and control enhancements designated for each baseline (low, moderate, and high) to ensure that protections are commensurate with the harm that would result from a compromise of applicable government data and systems.  In addition, the revised guidelines recognize the need to secure a much broader universe of “systems,” including industrial control systems, IoT devices, and other cyber physical systems, than the “information systems” that were the focus of the prior iterations of SP 800-53.  Relatedly, the revised publication also identifies those controls that are both security and privacy controls, as well as those controls that are the primary responsibility of privacy programs.
Continue Reading NIST Releases Fifth Revision of Special Publication 800-53

The recent National Institute of Standards and Technology (NIST) publication of cybersecurity guidance for the Internet of Things (IoT) is a useful reminder that hacking incidents can result not only in privacy breaches, but also in bodily injury or property damage — via critical infrastructure, medical devices and hospital equipment, networked home appliances, or even children’s toys. In addition to enhanced system security engineering and preventive education efforts, insurance is an increasingly essential component in any enterprise risk management approach to cyber vulnerabilities. But purchasers of cyber insurance are finding that nearly all of the available cyber insurance products expressly exclude coverage for physical bodily injury and property damage.

Continue Reading Insurance Coverage Issues for Cyber-Physical Risks

The Federal Trade Commission (“FTC” or “Commission”) is soliciting public comments on its Standards for Safeguarding Customer Information (“Safeguards Rule”) as part of the systematic review of all FTC rules and guides on a 10-year schedule.  The Safeguards Rule was promulgated by the Commission pursuant to the Gramm-Leach-Bliley Act’s (“GLBA”) directive for federal agencies to

The Federal Trade Commission (FTC) issued a unanimous opinion and order today, vacating the Administrative Law Judge’s (ALJ) initial decision and finding that LabMD’s data security practices were “unfair” under Section 5 of the FTC Act.  In August 2013, the FTC issued a complaint against LabMD, alleging that its failure to implement adequate data security measures led to the disclosure of patient information from LabMD’s networks.  As we previously reported, FTC staff appealed the ALJ’s November 2015 initial decision dismissing the FTC’s complaint against LabMD for allegedly “unfair” data security practices.  The Commission’s Chief ALJ had dismissed the complaint on the ground that there was no injury or likelihood of injury to consumers because there was no evidence of misuse of any of the personal information at issue.  The Commission Opinion reverses that finding and holds that injury, for purposes of the FTC Act, was established on a record of insufficient data security protections.

The Commission’s opinion in LabMD further bolsters the FTC’s authority to regulate corporate data security practices, which was affirmed last year by the Third Circuit in Wyndham.  It also clarifies and expands upon the Commission’s interpretation of the unfairness test under Section 5 of the FTC Act as it relates to data security. 
Continue Reading FTC: LabMD’s Data Security Practices Violated the FTC Act