The DHS and DOJ have issued final rules and guidance for receipt of cyber threat indicators and defensive measures, including Guidelines for privacy and civil liberties protections. On June 15, the DHS and DOJ announced the release of their joint rules for government handling of cybersecurity information shared by companies, along with expanded guidance for companies wishing to share cybersecurity threat information and take advantage of CISA’s liability shields for certain information sharing and defensive monitoring activities. The newly released rules incorporate and implement provisions of the Cybersecurity Information Sharing Act (CISA) which was passed in December 2015. CISA authorizes and protects information-sharing for certain cybersecurity purposes. It applies to all organizations and it offers companies a broad safeguard from liability for voluntarily sharing “cyber threat indicators” or engaging in certain cybersecurity “defensive measures.”
On May 24-25, 2016, the Cybersecurity (EX) Task Force of the National Association of Insurance Commissioners (NAIC) held a two-day interim meeting in Washington, D.C. to discuss the Task Force’s preliminary draft of a model law outlining data security standards applicable to insurance licensees. The Draft Insurance Data Security Model Law (“the Draft Model Law”), first released for public comment on March 2, 2016, would apply to all licensed insurers, producers and other persons licensed or required to be licensed (or authorized or required to be authorized, or registered or required to be registered) pursuant to state insurance laws (“Insurance Licensees”).
This month, the White House announced a series of workshops and a working group to address the “benefits and risks” of artificial intelligence. The workshops, which are to be held in Seattle, Washington, Pittsburgh, and New York City, will take place between May 24 and July 7, and are expected to result in a public report issued by the end of the year. The workshops and report are expected to address familiar themes – “privacy, security, regulation, law, and research and development to be taken into account when effectively integrating this technology into both government and private-sector activities.” Participation by all stakeholders – academia, industry, the research community, civil society, and others – will be key to shaping a report that is likely provide an initial roadmap for regulatory and policy initiatives in the next administration.
South Korea has enacted stricter penalties for violations of data protection or privacy requirements by telecommunications and online service providers, including potentially steep damages in the wake of a data breach. The amendment (the “Amendment”) to South Korea’s Act on the Promotion of IT Network Use and Information Protection (“Network Act”) became law on March 22, 2016 and will become effective on September 23, 2016. The Network Act regulates and protects the personal information of individuals (“Information Subjects”) that are collected, used and disclosed by telecommunications and online service providers (“Service Providers.”) Overall, the Amendment provides heavier penalties for violating privacy provisions in the Network Act. The increased penalties and stricter privacy standards are consistent with recent amendments in other Korean privacy laws, such as the Personal Information Protection Act and the Utilization and Protection of Credit Information Act.
The past several days, the GDPR (the EU General Data Protection Regulation) took two significant steps towards adoption. On Friday, April 8, 2016, the European Council adopted the GDPR at first reading. Then today, Tuesday, April 12, 2016, the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (the LIBE Committee) approved the GDPR by a 54-3 vote with one abstention. The European Parliament is due to vote on the GDPR in a second reading at a plenary session this coming Thursday. That will complete the legislative process for adoption of the GDPR. The final step will be for the GDPR to be published in the Official Journal of the EU which will likely take place in May 2016. After publication, the GDPR will apply two years after the date of publication, allowing companies and regulators a grace period to prepare. The interpretation of the GDPR will be shaped by guidance from the new European Data Protection Board.
On March 24, Tennessee enacted a law amending its breach notification law, originally enacted in 2005. The new amendment requires businesses and government agencies to notify citizens affected by data breaches within 45 days of discovering the breach. Exceptions to the 45-day time limit will be allowed only when required for law enforcement purposes. The amendment also specifies that unauthorized access of information by employees of the business or agency that holds the information triggers the 45-day notification requirement.
On March 31, 2016, a sharply divided Federal Communications Commission adopted a notice of proposed rulemaking (NPRM), soliciting comments on draft privacy guidelines for broadband Internet services providers (ISPs). These proposed guidelines spring from the Commission’s reclassification of broadband ISPs as common carriers under Title II of the Communications Act, which is currently under review in United States Telecom Association v. FCC in the Court of Appeals for the D.C. Circuit. If the Commission’s interpretation is upheld, the new guidelines would impose significant new transparency, consumer choice, and data security requirements under Section 222 of the Communications Act. Notably, these proposed rules will apply only to ISPs, leaving edge providers, such as web browsers, operating systems, and web sites, under the authority of the Federal Trade Commission.
Despite today’s approval and Chairman Tom Wheeler’s release of a factsheet on the subject, the text of the NPRM and the Commissioners’ separate statements have yet to be released. For further analysis of the Commission’s description of the NPRM’s contents, see FCC Proposes Privacy and Security Regulations for Internet Service Providers.
This February, the California Attorney General released the “California Data Breach Report,” summarizing developments from 2012-2015. Drawing from 657 reports filed with the California AG impacting 49 million records, the report is notable for its “recommendations.” These recommendations are ostensibly non-binding guidance that may nonetheless serve as the basis for the AG’s understanding of what constitutes “reasonable” data security in future investigations and enforcement actions.