On June 28, 2018, California Gov. Jerry Brown signed into law the California Consumer Privacy Act of 2018 (AB 375). According to the bill’s author, it was consciously designed to emulate the new European General Data Protection Regulation (GDPR) that went into effect on May 25, and if and when it goes into effect, it would constitute the broadest privacy law in the United States. It is intended to give consumers more transparency regarding and control over their data and establishes highly detailed requirements for what companies that collect personal data about California residents must disclose. (more…)
Soon after he took office, President Trump issued Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Given that the President spent much of his campaign and early Presidency trying to distance his Administration from that of his predecessor, commentators noted a surprising amount of continuity between Trump’s cybersecurity EO and the Obama Administration’s approach to cybersecurity. A focus on critical infrastructure and transparency from publicly traded companies that control it; an emphasis on the public and private sectors working together; reliance on standards promulgated by the National Institute of Standards and Technology; a focus on protecting the Federal Government’s networks, including by taking steps toward using shared infrastructure such as the cloud – EO 13800 builds on existing policies and initiatives in each of these areas and others. (more…)
In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives. (more…)
On May 15, 2018, various media outlets reported that the Trump administration decided to eliminate the position of White House Cybersecurity Coordinator. According to reports, John Bolton, appointed as National Security Adviser effective April 2018, had been instrumental in the decision that the position was no longer necessary based on the reasoning that the role was already addressed by other members of President Trump’s national security staff. The administration’s decision was met with sharp criticism, including from Democrats in Congress such as U.S. Senator Mark R. Warner (D-VA) who called the move “mindboggling” and cybersecurity expert Bruce Schneier, who called it “a spectacularly bad idea.”
In its preview of hot privacy and cybersecurity topics for 2018, Data Matters noted that this year the Supreme Court was scheduled to decide a number of cases with potentially substantial privacy implications. This past week, the Court issued its opinion in one such case, Byrd v. United States, a case concerning “whether a driver has a reasonable expectation of privacy in a rental car when he or she is not listed as an authorized driver on the rental agreement.” Concluding that a driver does have such an expectation, the Court issued a narrow and unanimous opinion that, as laid out below, could have implications for commercial privacy expectations in other contexts. (more…)
For defense contractors, January 1, 2018 brought with it not only a new year, but also a new era – an era in which contractors must comply with the entire set of more detailed cybersecurity requirements under Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012. As we have flagged before on Data Matters, this DFRAS provision applies to all Department of Defense (DOD) contracts (except for those involving commercial, off-the-shelf items) and places a number of substantial obligations on contractors, including that they comply with the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” and report certain cyber incidents to DOD. (more…)
In recent years, the rise of cloud computing has led to more and more data being stored somewhere other than the jurisdiction in which it was created. This trend increasingly has led U.S. law enforcement officials to demand access to information held abroad, just as foreign officials increasingly want access to data held inside the United States. But satisfying these growing desires for cross-border access has proven complicated. The Mutual Legal Assistance Treaty (MLAT) process has not kept pace with the Internet-fueled increase in data requests, nor has a workable alternative to that process emerged. And questions remain as to whether relevant U.S. statutes authorize extraterritorial legal process. Even if law enforcement officials do have tools that allow them to seek data held elsewhere, the holders of such data may face a conflict between their obligations to respond to one country’s lawful process and the obligations to comply with another country’s privacy protections or blocking statutes. (more…)
Few would describe 2017 as a quiet year. But it actually was a period of relative calm with respect to at least one important topic. After supporters and opponents of mandated government access to encrypted communications publicly feuded for much of 2016, reprising arguments they’ve had since at least the days of the “Clipper Chip,” these “encryption debates” seemed to quiet down for much of last year. The same tensions likely simmered beneath the surface, to be sure, but they didn’t boil over and there was accordingly less attention directed at the issue than there had been previously. (more…)
Following months of intense debate, an attempted filibuster, and close votes in both the House and Senate, Congress last week finally extended Section 702 of the Foreign Intelligence Surveillance Act (FISA).
This past year was marked by ever more significant data breaches, growing cybersecurity regulatory requirements at the state and federal levels and continued challenges in harmonizing international privacy and cybersecurity regulations. We expect each of these trends to continue in 2018.
As we begin this New Year, here is list of the top 10 privacy and cybersecurity issues for 2018: (more…)