Make no mistake about it, the Department of Homeland Security’s newest agency, the Cybersecurity and Infrastructure Security Agency (CISA) is serious about cyber. Not even one year old, CISA has taken on the responsibility of protecting the nation’s critical infrastructure from cyber threats. Taking a collaborative approach, the agency states the following as its mission:

CISA partners with industry and government to understand and manage risk to our Nation’s critical infrastructure

On April 3, 2019, in furtherance of agency efforts, CISA’s Chief Counsel, Daniel Sutherland and Steven Kaufman, Principal Deputy General Chief Counsel, spoke about how CISA can help your organization and its clients protect against and respond to cyber incidents. This in-depth look into the agency, presented by McGuireWoods and the Mecklenburg County Bar, highlighted how CISA’s approach will benefit both federal and non-federal organizations. Continue Reading A Different Type of Federal Agency: How DHS’s Newest Cybersecurity Agency Can Help Your Business  

Please join McGuireWoods and the Mecklenburg County Bar, on April 3, 2019 from 10 – 11 a.m. EST,  for an exclusive look into the newly formed Cybersecurity and Infrastructure Security Agency (CISA). Hear from CISA’s Chief Counsel, Daniel Sutherland, about the agency’s mission, its statutory authorities, and how CISA can help your organization and its clients protect against and respond to cyber incidents.

Operating within the Department of Homeland Security, CISA is responsible for protecting the nation’s critical infrastructure from physical and cyber threats. As America’s electrical grid, water supply, internet, transportation, financial systems, healthcare networks and other infrastructure become increasingly interdependent and connected, CISA’s mission requires coordination and collaboration among a broad spectrum of government and private sector organizations.

Speakers:
• Daniel Sutherland, Chief Counsel, CISA
• Steven Kaufman, Principal Deputy General Chief Counsel, CISA

We hope you can find time to join this informative event.

Online Registration >>

–  Andrew Konia, Partner, and Chair of the Data Privacy and Security team

What is this bill?  A new bill introduced in the U. S. Senate on March 14, 2019 would require companies to obtain explicit user consent before facial recognition data could be collected and shared. The bill is known as the Commercial Facial Recognition Privacy Act of 2019, and was introduced by Sens. Brian Schatz. D- Hawaii and Roy Blunt, R-Missouri.

What does the bill prohibit?  The bill makes it unlawful for any covered entity to knowingly use facial recognition technology to collect facial recognition data, UNLESS the covered entity obtains explicit consent from the individual after providing notice to such individuals. The bill would also require that covered entities notify individuals whenever their facial recognition data is used or collected. Continue Reading Facial Recognition Bill to Require Explicit Consent by Individuals

FTC Seeks Comment on Proposed Amendments to Safeguards and Privacy Rules

The FTC is seeking comment on proposed changes to the Safeguards Rule and the Privacy Rule under the Gramm-Leach-Bliley Act. The Safeguards Rule requires a financial institution to maintain a comprehensive information security program. The Privacy Rule requires a financial institution to inform customers about its information-sharing practices. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, says the amendments are meant to, “better protect consumers and provide more certainty for business.”

NIST Privacy Framework

The National Institute of Standards and Technology (NIST) released working draft of a standard Privacy Framework meant to, “help organizations: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.”

AG Racine Proposes Changes to Data Breach Law

District of Columbia AG Racine introduced legislation to amend the District’s current data breach law in an effort to provide greater protection over personal data.  Specifically, the AG proposes:

  • Holding companies accountable for safeguarding a broader range of private information;
  • Creating security requirements for companies that handle personal information;
  • Requiring companies to provide identity theft protection if they expose Social Security numbers; and
  • Requiring companies to inform consumers of their rights when a data breach occurs.

Internet of Things (IoT) Cybersecurity Improvement Act of 2019

Bipartisan legislation meant to improve the cybersecurity of Internet-connected devices was introduced in the Senate and the House of Representatives. The legislation would require that devices purchased by the U.S. government meet certain minimum security requirements.

 

On January 25, 2019, the Illinois Supreme Court issued a highly anticipated ruling in the Rosenbach v. Six Flags case regarding enforcement of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (BIPA or the Act).  In its unanimous ruling, the Court held that a procedural violation of the Act, even absent a showing of actual injury, is sufficient to confer standing to sue for a BIPA violation.

This means that an employer who, for example, uses employee fingerprint data for timekeeping purposes could be on the hook for a BIPA violation for failure to follow the comprehensive notice-and-consent rules set forth in the Act.

Whether the Rosenbach ruling will trigger a spike in biometric privacy litigation against private employers remains to be seen.  For now, understanding BIPA and key compliance principles can help employers mitigate against some of the risks inherent in collecting employee biometric data. Continue Reading Rethinking Biometric Data Collection Practices After Rosenbach: Takeaways and Compliance Strategies for Employers

On 7 February 2019, the German competition law regulator, the Federal Cartel Office (FCO), concluded a lengthy investigation into Facebook.  It found that the company abused its dominant market position by making the use of its social network conditional on the collection of user data from multiple sources.

The FCO’s probe into Facebook is one of the first cases in the EU concerning the intersection between the EU’s new data privacy laws (contained in the General Data Protection Regulation or GDPR) and competition law. The abuse finding under German competition law (which is broadly the same as the pan-EU competition law in this regard) relied on what was, according to the FCO, a breach of EU data protection law. Continue Reading Federal Cartel Office vs. Facebook: When Data Privacy and Competition Law Collide

On February 26, 2019, the Daily Journal hosted its annual Cyber Forum in Beverly Hills, California.  The event, entitled “A California Perspective from the Epicenter of Data Security and Privacy,” focused primarily on the California Consumer Privacy Act of 2018 (CCPA) and federal law enforcement’s approach to data breach investigations. Continue Reading 2019 Cyber Forum Highlights CCPA

The Department of Health and Human Services (HHS) recently released a report titled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” HHS details the following notable statistics to underscore the need for continuing improvement in cybersecurity for those in the healthcare industry: (1) in the United States, four out of five physicians have reported experiencing some form of cyberattack; (2) ninety percent of small businesses do not use any data protection for customer information (including the healthcare industry), (3) fifty-eight percent of malware attack victims are small businesses, and (4) healthcare has the highest data breach cost per record of any industry — almost double of the second highest industry, the financial sector.  These statistics underscore the need for a robust cybersecurity plan for anyone in the healthcare industry, especially smaller companies or providers who may have traditionally ignored cybersecurity protection measures due to the associated costs. Continue Reading HHS Issues Voluntary Cybersecurity Guidance for the Healthcare Industry

At Password Protected we strive to inform readers of recent developments in data privacy law.  While California Consumer Privacy Act (CCPA) is forcing new changes to data privacy policies, procedures and practices, we want to remind you of an older California data privacy statute, called Shine the Light Law (STL), which still remains in effect following passage of the CCPA.  The STL may have fallen to the wayside in your compliance program with all the fervor surrounding the CCPA, and before that, the European Union’s General Data Protection Regulation.  However, with a significant uptick in STL class action lawsuits in California, we felt it was noteworthy to bring this to your attention. Continue Reading Consider California’s Shine The Light Statute When Updating Your Privacy Policy

Penetration testing or conducting a pen test can be a key element in a firm’s arsenal to protect itself against cyber intrusions. Firms use pen tests to test potential vulnerabilities of their networks, determine where there may be gaps, and assess their cybersecurity defenses. Today’s post is the fourth in a series of summaries sharing essential, timely insight on how these practices may impact your business. Please click here for the first, second, and third posts on cybersecurity practice impacts. Continue Reading FINRA’s 2018 Report on Cybersecurity Practices: Cybersecurity and Pen Testing: Why Go Looking for Trouble?