In the aftermath of the cyber attack on the Office of Personnel Management and the significant loss of corporate intellectual property, the U.S. government has announced new tools to respond to and to deter such harmful attacks. On December 31, 2015, the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued new U.S. Cyber-Related Sanctions Regulations, set forth in 31 C.F.R. § 578 (“Cyber-Related Sanctions Regulations”). The Cyber-Related Sanctions Regulations are designed to implement Executive Order 13694, which targets perpetrators of malicious cyber-activities (e.g., hacking and Distributed Denial of Service (DDoS) attacks) as well as those who support such activities and certain recipients and users of stolen trade secrets. For a more detailed discussion of E.O. 13694, which was issued by President Obama on April 1, 2015, see our previous alert.
In this two-part article, the authors provide an overview of government cybersecurity resources, and encourage companies to consider whether and when it makes sense to take advantage of this assistance. The first part, which appeared in the October 2015 issue of Pratt’s Privacy & Cybersecurity Law Report, introduces the jurisdictional landscape and cybersecurity resources available from the Department of Justice and the Department of Homeland Security. This second part of the article discusses the cybersecurity resources available from the Federal Bureau of Investigation, the United States Secret Service, and regulators.
On Friday, December 4, President Obama signed the Fixing America’s Surface Transportation (“FAST”) Act, a $300 billion-plus highway and transportation law and the first comprehensive transportation spending law in a decade. Despite its title, the bill impacts a number of regulated sectors. Nestled within this 490-page law are 13 pages that pertain to cybersecurity and other protections for the electric grid. As detailed below, the FAST Act also includes a number of privacy and cybersecurity provisions relating to privacy notices by financial institutions as required by the Gramm Leach Bliley Act, event data records in vehicles, Internet of Things technologies, and connected cars.
On October 27, 2015, the Senate passed S. 754, the Cybersecurity Information Sharing Act (“CISA”), with bi-partisan support. Although some raised privacy concerns, CISA received backing from the Administration and support from many industry participants. The Senate bill must be reconciled with similar bills in the House (H.R. 1560 and H.R. 1731) before a conference version is produced. This process may be contentious as privacy advocates seek to strengthen protections for personal information, and Senator Richard Burr, Chairman of the Senate Intelligence Committee and co-sponsor of CISA, indicated that the conferencing process is unlikely to produce a resolution before January 2016.
On October 29, 2015, the European Parliament adopted a resolution on the electronic mass surveillance of EU citizens (the “Resolution”). Positioned as a follow-up to its resolution of 12 March 2014 in which the Parliament called for the immediate suspension of Safe Harbor and put forward a number of recommendations to limit access to personal data of European citizens as part of mass surveillance, the Resolution calls on the European Commission to “reflect immediately on alternatives to Safe Harbor and on the impact of the judgment [from the Court of Justice of the European Union in the Schrems case] on any other instruments for the transfer of personal data to the U.S.” It also calls for the European Commission to “report on the matter by the end of 2015.” In addition, the European Parliament demanded that the Commission urgently provide an update on the ongoing negotiations between US authorities and the Commission.
In Schrems v. Data Protection Commissioner, the Court of Justice of the European Union invalidated the US-EU Safe Harbor agreement on the basis that the European Commission had failed to sufficiently assess the protection of personal data of Europeans under the U.S. data protection regime. The Court alluded to U.S. surveillance activities under the PRISM program authorized by Section 702 of the Foreign Intelligence Surveillance Act, and appeared to assume U.S. law permits mass surveillance of Europeans with few limits, little clarity, and no opportunity for redress. However, the Court did not actually review or assess the applicable legal authorities, remedies, or array of checks and balances, safeguards, and independent oversight. If it had done so, it would have found numerous overlapping controls that assure that such surveillance is neither massive nor indiscriminate, but instead targeted to specific individuals and limited purposes, and provides legal remedies for Europeans. Indeed, prior to the scheduled expiration of the 702 program in 2017, U.S. congressional oversight committees will likely be comparing whether privacy safeguards in place for similar foreign programs are as effective as those of Section 702.
Significantly, the independent Privacy and Civil Liberties Oversight Board reviewed surveillance under Section 702 and found: “[T]the Section 702 program is not based on the indiscriminate collection of information in bulk. Instead the program consists entirely of targeting specific [non-U.S.] persons about whom an individualized determination has been made.” Key safeguards and controls include…
In an effort to address growing concerns about security vulnerabilities in both the public and private sectors, the National Institute of Standards and Technology (NIST) has released a flurry of new and updated information security recommendations. The latest recommendations address protections for sensitive data held by federal contractors, encryption standards, and security for federal Smart ID cards.
On July 1, 2015, China’s top legislature adopted a new National Security Law (中华人民共和国国家安全法), highlighting cyber security and paving the way for a coordinated crisis management system. The law aims to provide a general legislative framework to cover a wide range of areas, ranging from finance, politics, the military and cyber security to culture, ideology and religion.
The European Parliament has voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).
According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”
On February 12, the White House released the widely anticipated Framework for Improving Critical Infrastructure Cybersecurity (“the Framework”). Developed pursuant to Executive Order 13636 (issued in February 2013), the Framework strongly encourages companies across the financial, communications, chemical, transportation, healthcare, energy, water, defense, food, agriculture, and other critical infrastructure sectors to implement and comply with its voluntary standards. The provisions set forth in the Framework may establish a new baseline for industry standard practices, and may impact or guide FTC enforcement actions and plaintiff data breach lawsuits.