Former Department of Homeland Security Chief Privacy Officer Hugo Teufel III and Sidley’s Edward McNicholas addressed a packed room on Chinese Cybersecurity Law at the 2018 Privacy + Security Forum hosted at George Washington University. The timely presentation highlighted how, with significant attention in the past few years focused on the GDPR, many have not fully appreciated the significant policy and legal developments coming out of Beijing. In particular, China has been creating a materially different approach to cybersecurity which serves the central purpose of defending the Chinese notion of cyber sovereignty. Much uncertainty remains about the newly-effective laws and regulations, but it is clear that foreign technology and other companies operating in China should rapidly focus on its significant restrictions on outbound data transfer, the expansive definitions of “important data”, as well as reviews of network equipment security. Their presentation is available here.
The Trump Administration continued to put its stamp on federal cybersecurity policy last week, as the White House issued its National Cyber Strategy while the Pentagon announced the Department of Defense Cyber Strategy. The former document is a helpful step forward that continues and advances the cyber policies the Trump Administration inherited from the Obama and Bush Administrations, while the Pentagon’s release primarily focused on the Strategy’s endorsement of “Defense Forward,” which was taken as a signal the United States would be adopting a more aggressive operational posture in the future. Data Matters readers will want to study both strategies, as each contains interesting insights into how the Trump Administration envisions the development of the cybersecurity ecosystem and see the public and private sectors working together to mitigate cyber risks. (more…)
An increasing number of eyes are now turning to the U.S. Congress to see how it will react to these developments, and Data Matters – and the privacy community generally – will thus be closely watching the Senate Committee on Commerce, Science, and Transportation on Wednesday, September 26, 2018, when it hosts a hearing titled “Examining Safeguards for Consumer Data Privacy.” (more…)
Companies subject to New York’s Cybersecurity Regulation are acting quickly to finalize their compliance obligations as the fifth “due date,” September 4, 2018, quickly approaches.
By September 4, 2018, Covered Entities must ensure that their cybersecurity programs have in place certain additional safeguards:
- an audit trail that shows detection of and response to material cybersecurity events;
- written security procedures, guidelines, and standards for the development of in-house applications and for the evaluation and testing of externally developed applications;
- data retention policies and procedures for the disposal on a periodic basis of nonpublic information no longer necessary for business operations;
- risk-based policies, procedures, and controls to monitor the activity of authorized users and detect unauthorized access; and security controls, such as encryption, to protect non-public business relations and personal information.
Notably, for this upcoming deadline, Covered Entities that have received a limited exemption must still comply with the regulatory provision regarding data retention policies and procedures for the periodic disposal of nonpublic information. (more…)
*This article first appeared in the July 2018 issue of Digital Health Legal
Massive data breaches. Threats to medical devices. The Internet of Persons. Healthcare entities are all too familiar with the rising cyber threat. But they are also familiar with the complex array of laws and regulations in the United States that attempt to address the threat and the potentially significant compliance costs and risks caused by that complexity. The US Court of Appeals for the Eleventh Circuit’s recent and long-awaited decision in LabMD v. Federal Trade Commission, which trimmed the sails of one of the primary regulators of the healthcare information security landscape, may thus appear to some, at first blush, to be a necessary corrective. Yet closer inspection shows that the Eleventh Circuit’s decision raises more questions than it answers – and that its true implications will only become clear once we see how federal regulators, the courts, and perhaps Congress respond.
In October 2017, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law. According to NAIC’s news release announcing this development, the Model Law was meant to build on the organization’s cybersecurity progress and create a “platform that enhances our mission of protecting consumers.” (For more information on the development of the Model Law, see our prior coverage.) (more…)
*This article originally appeared in Practical Law Journal July/August 2018.
In her regular column on corporate governance issues, Holly Gregory discusses the rapidly changing cybersecurity landscape, and the role of the board in addressing cybersecurity risks to the company.
Soon after he took office, President Trump issued Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Given that the President spent much of his campaign and early Presidency trying to distance his Administration from that of his predecessor, commentators noted a surprising amount of continuity between Trump’s cybersecurity EO and the Obama Administration’s approach to cybersecurity. A focus on critical infrastructure and transparency from publicly traded companies that control it; an emphasis on the public and private sectors working together; reliance on standards promulgated by the National Institute of Standards and Technology; a focus on protecting the Federal Government’s networks, including by taking steps toward using shared infrastructure such as the cloud – EO 13800 builds on existing policies and initiatives in each of these areas and others. (more…)
In recent years, the Federal Trade Commission has increasingly exercised its enforcement authority to target deceptive and unfair information security practices. During this time, enforcement actions have targeted companies for failing to honor their promises to implement “reasonable” or “industry standard” security practices, defend against well-known security threats, put in place basic security measures, or take many other basic data security steps. And despite challengers arguing that the FTC provided insufficient notice before pursuing these actions or that the actions otherwise exceeded the FTC’s Section 5 enforcement authority, the Commission generally has a track record of successfully defending its prerogatives. (more…)
Although the prospect of federal legislation on data privacy remains uncertain, states appear to be stepping up the range of their activity on privacy and security. Washington State notably adopted a law on net neutrality and there is the prospect of a ballot initiative in California that would give individuals the right to know which categories of their or their children’s personal data have been collected or traded by businesses. Though Vermont is one of the smallest states, it has been active in privacy regulation and, on May 22, 2018, enacted the first state-level measure aimed at data brokers. (more…)