The FAST Act’s Cybersecurity and Privacy Provisions for the Electric Grid, Internet of Things, and Connected Cars

On Friday, December 4, President Obama signed the Fixing America’s Surface Transportation (“FAST”) Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade. Despite its title, the bill impacts a number of regulated sectors. Nestled within this 490-page law are 13 pages that pertain to cybersecurity and other protections for the electric grid. As detailed below, the FAST Act also includes a number of privacy and cybersecurity provisions relating to privacy notices by financial institutions as required by the Gramm-Leach-Bliley Act, event data recorders in vehicles, Internet of Things technologies, and connected cars.

Cybersecurity Legislation for the Electric Grid (§ 61003)

Perhaps motivated by Ted Koppel’s recent book Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath, the FAST Act addresses several key regulatory requirements regarding cybersecurity protections for the electric grid. Now that this bill is law, we identify the basic elements of the new legislation.

First, the Department of Energy (“DOE”) is designated the “lead Sector-Specific Agency for cybersecurity for the energy sector.” As part of this, the Secretary of Energy is required to “coordinat[e] with the Department of Homeland Security” and other federal agencies, critical electric infrastructure entities, state and local governments, and other entities. This may serve to further strengthen the Secretary’s position to regulate cybersecurity across the different entities of the electric grid.

Second, the bill creates a new information classification of “Critical Electric Infrastructure Information” (“CEII”) and requires DOE to issue regulations that will establish procedures regarding the designation of CEII, prohibit its disclosure, and “facilitate voluntary sharing of critical electric infrastructure information with, between, and by” federal, state, and local government; “the Electric Reliability Organization”; “regional entities”; “information sharing and analysis centers”; “owners, operators and users of critical electric infrastructure in the United States”; and “other entities.” Information will be designated CEII by DOE or FERC. It is unclear at the moment how the DOE’s authority will interface with FERC’s existing authority to designate information as Critical Energy Infrastructure Information. Presumably this will be one of the many things that DOE will have to work out in the rulemaking process.

Third, the bill defines an “Electric Security Emergency,” the presidential declaration of which would allow the Secretary of Energy to issue orders to “protect or restore the reliability of critical electric infrastructure or of defense critical infrastructure” for the duration of the declared emergency. This may establish a basis for the Secretary to exercise extraordinary authority over the electric grid in the aftermath of a cybersecurity attack.

Fourth, the bill establishes a renewed information sharing regime for the electric grid regarding threats. It requires DOE, FERC, and other agencies “to the extent practicable … share timely actionable information regarding grid security with appropriate key personnel of owners, operators, and users of the critical electric infrastructure.”

Fifth, and critically, the bill establishes liability protections for critical electric infrastructure entities regarding their sharing or receipt of critical electric infrastructure information and for any acts relating to their compliance with orders by the Secretary of Energy during an Electric Security Emergency, with exceptions for actions that are determined to be “grossly negligent.” This has been a key sticking point in the broader cybersecurity legislation that Congress has been trying to pass for several years.

The details of any new cybersecurity requirements and the information-sharing regime will likely be worked out in the rulemaking process that DOE must undergo in the coming months. The bill, and its liability protections in particular, may serve as a test flight for more comprehensive cybersecurity reform that Congress has been trying to pass for several years. Cybersecurity legislation is currently in conference to work out differences between the House and Senate bills.

Other Privacy and Cybersecurity Provisions

The FAST Act also served as a quiet vehicle for a number of other privacy and cybersecurity provisions. Specifically, the legislation made noteworthy changes to required privacy notices by financial institutions under the Gramm-Leach-Bliley Act; created new privacy rights relating to data stored in vehicular event data recorders; initiated a significant study into Internet of Things technologies; and focused federal attention on the cybersecurity of connected cars:

  • Gramm-Leach-Bliley Act Privacy Notice (§ 75001) – The FAST Act quietly amended the Gramm-Leach-Bliley Act’s privacy provisions. Specifically, it created an exception to the annual privacy notice requirement for financial institutions that only share information pursuant to the joint marketing exception or the servicing exceptions in Gramm-Leach-Bliley (subsection (b)(2) or (e) of section 502 or regulations prescribed under section 504(b)). These institutions, if they have not changed their policies and practices with regard to disclosing nonpublic personal information in the last year, do not have to send out an annual privacy policy notice. The amendment to the GLBA leaves some open questions. For instance, it is unclear whether firms that share information with affiliates will be able to take advantage of the change. Regardless, it hopefully will provide some relief to SEC-regulated and insurance firms that could not take advantage of the exception promulgated last year by the Consumer Financial Protection Bureau through regulation.
  • Driver Privacy Act (§§ 24301 – 24303) – The FAST Act includes the Driver Privacy Act, which establishes rights to the data stored by event data recorders in vehicles (often referred to as “black box” data). The Act states that “[a]ny data retained by an event data recorder … is the property of the owner … or lessee ….” Potentially relevant for the insurance industry, the Act also provides that data stored or transmitted by such devices cannot be accessed by anyone other than the owner or lessee except where (1) there is a court order; (2) the owner or lessee consents; (3) the data is retrieved pursuant to certain National Transportation Safety Board or Department of Transportation authorized investigations and most personally identifiable information is not disclosed; (4) the data is needed to facilitate emergency medical response to a crash; or (5) the data is to be anonymized and used for traffic safety research purposes.
  • Privacy of Internet of Things (§ 3024) – The FAST Act requires the Secretary of Transportation to issue a report and recommendations on the “Internet of Things to improve transportation services in rural, suburban, and urban areas.” As part of this review, the report must evaluate innovative transportation systems as well as review “best practices to protect privacy and security.”
  • Intelligent Transportation Systems (§ 6006) – The FAST Act provides $400 million over the next four years in funding towards support for Intelligent Transportation Systems (with attention to cybersecurity for such systems). The Act specifically directs the Secretary of Transportation to “assist in the development of cybersecurity research … to help prevent hacking, spoofing, and disruption of connected and automated transportation vehicles.”