FERC Approves NERC’s Supply Chain Risk Management Reliability Standards and Directs NERC to Expand Their Scope
A string of Governmental announcements have increasingly sounded the alarm about the growing cybersecurity threat facing the energy sector. Among other things, these reports have announced that state-sponsored cyber actors have successfully gained access to the control rooms of utilities. The hackers, one of the reports notes, could have used such access to cause blackouts.
SEC Cautions Public Companies to Address Cyber Threats as Part of Internal Accounting Controls
On October 16, 2018, the U.S. Securities and Exchange Commission (SEC) took the unusual step of issuing a Report of Investigation cautioning public companies that they should consider cyber threats and related human vulnerabilities when designing and implementing their internal accounting controls. The report is an outgrowth of an investigation conducted by the SEC’s Enforcement Division into whether certain public companies that were victims of cyber fraud complied with the federal securities laws requiring public companies to implement and maintain internal accounting controls. The controls provided by these provisions must be sufficient to provide reasonable assurances that transactions occur (e.g., purchasing equipment), and access to assets is permitted (e.g., checking accounts, warehouses), only in accordance with management’s authorization.
EU Parliament Adopts Blockchain Resolution
On October 3, 2018, the European Parliament passed its long awaited resolution on distributed ledger technologies and blockchains (the “Blockchain Resolution”). The Blockchain Resolution was adopted to protect and empower EU citizens and businesses with respect to the specific issues that arise in relation to the blockchain or “distributed ledger” technology, one of which being the tension with data protection rights and the GDPR in general. (more…)
California and Preemption
As one of the epicenters of the Information Age and largest state in the Nation, California’s regulatory decisions can have an outsize impact on the data economy. Recently, the State has tried to use this pride of place to stamp its imprint on two important public debates. First, on September 30, 2018, Governor Brown signed into law the California Internet Consumer Protection and Net Neutrality Act of 2018 (Senate Bill 822), which seeks to impose, as a matter of state law, net neutrality regulation even more restrictive than the federal regime the Federal Communications Commission (FCC) repealed earlier this year. Second, earlier this year, California enacted (and then subsequently amended) the California Consumer Privacy of 2018, the broadest privacy law in the United States. As laid out below, these enactments have sparked legal and policy debates over whether California should be able to set rules that could become de facto national standards or whether federal rules do or should preempt California’s efforts. (more…)
White House and Pentagon Announce New Cyber Strategies
The Trump Administration continued to put its stamp on federal cybersecurity policy last week, as the White House issued its National Cyber Strategy while the Pentagon announced the Department of Defense Cyber Strategy. The former document is a helpful step forward that continues and advances the cyber policies the Trump Administration inherited from the Obama and Bush Administrations, while the Pentagon’s release primarily focused on the Strategy’s endorsement of “Defense Forward,” which was taken as a signal the United States would be adopting a more aggressive operational posture in the future. Data Matters readers will want to study both strategies, as each contains interesting insights into how the Trump Administration envisions the development of the cybersecurity ecosystem and see the public and private sectors working together to mitigate cyber risks. (more…)
The Trump Administration’s Approach to Data Privacy, and Next Steps
* This article originally appeared in Law360 on September 27, 2018.
On Sept. 25, 2018, the Trump administration proposed an approach and initiated a process to modernize U.S. data privacy policy. The administration’s approach is “risk-based” rather than rule-based, and, as such, signals a willingness to move away from a privacy model of mandated notice and choice that has “resulted primarily in long, legal, regulator-focused privacy policies and check boxes.” Rather, the administration is proposing that U.S. privacy policy “refocus” on achieving desirable privacy “outcomes,” such as ensuring that users are “reasonably informed” and can “meaningfully express” their privacy preferences, while providing organizations with the flexibility to continuing innovating with cutting-edge business models and technologies.
Senate Hearing on Federal Privacy Law: Question is Not Whether But What Form
On September 26, the Senate Commerce Committee invited tech and telecom companies to the Hill to discuss safeguards for consumer data privacy. “The question,” noted Chairman John Thune, “is no longer whether we need a federal law to protect consumers’ privacy. The question is what shape that law should take.” The Senators and testifying witnesses expressed strong support for a comprehensive federal privacy law. (more…)
Why it’s Unconstitutional for Politicians – Including the President – to Block People on Social Media
*This article first appeared in the Washington Post on September 26, 2018.
In a recent piece for Washington Post Outlook, Chris Fonzone and Josh Geltzer (from the Georgetown Law Center’s Institute for Constitutional Advocacy and Protection) explained why a legal case that began with a dispute between a Loudoun County supervisor and a constituent may help set a new standard for online interaction nationally:
A legal case that began with a dispute between a member of the Loudoun County Board of Supervisors and a constituent may help to set the rules for how government officials — up to and including President Trump — interact with the public online. A federal appeals court in Richmond will hear the case this week, and, while the stakes of the conflict may seem small at first — one man was banned for a day from an official’s Facebook page — it has potentially enormous First Amendment implications. (more…)
Developing IoT Policy from California to Washington, D.C.
The growing network of internet of things (IoT) devices is expected to reach 30 billion devices by 2020. Despite this tremendous growth, the state of IoT regulation is patchwork at best. Although the FTC is the primary security regulator for consumer IoT devices, there are no comprehensive regulations or laws specific to the unique challenges of the IoT market. This absence of clear and unambiguous standards can be a burden for IoT companies who are looking to innovate while maintaining their customers’ privacy. (more…)
Movement Towards a Comprehensive U.S. Federal Privacy Law: Witnesses Prepare to Testify in Senate Hearing
The last six months have been busy ones for privacy watchers, with the entry into force of the GDPR and the enactment and amendment of the California Consumer Privacy Act.
An increasing number of eyes are now turning to the U.S. Congress to see how it will react to these developments, and Data Matters – and the privacy community generally – will thus be closely watching the Senate Committee on Commerce, Science, and Transportation on Wednesday, September 26, 2018, when it hosts a hearing titled “Examining Safeguards for Consumer Data Privacy.” (more…)