Beginning in 2020, California residents will have the right to opt out of the sale of their personal information under the California Consumer Privacy Act of 2018 (CaCPA or also called CCPA). It is time to revisit your third-party service provider agreements. Companies now have two reasons to ensure that service provider agreements restrict the use or sale of personal information: to comply with CaCPA and to reduce risk of an FTC enforcement action. Continue Reading Preparing for 2020: Check In On Your Vendors
As a part of National Cybersecurity Month, last week the Federal Trade Commission (FTC) launched a campaign to help educate and assist small businesses with cybersecurity. In conjunction with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA), the FTC has published a collection of materials for small businesses about cybersecurity. These materials include information about the following:
- Cybersecurity Basics;
- Understanding the NIST Cybersecurity Framework;
- Physical Security;
- Business Email Imposters;
- Tech Support Scams;
- Vendor Security;
- Cyber Insurance;
- Email Authentication;
- Hiring a Web Host; and
- Secure Remote Access.
Additional information about the cybersecurity campaign and access to the materials can be found here.
On October 16, 2018, the Securities and Exchange Commission (SEC) issued a report on the results of investigations made by the SEC’s Division of Enforcement into nine public companies that were victims of cyber-related frauds. In each case, the SEC investigation focused on whether the target companies had complied with the applicable requirements of the Securities Exchange Act of 1934, as amended (Act). The Act requires public companies to devise and maintain a system of internal control over financial reporting designed to provide reasonable assurance that, among other things, transactions are executed in accordance with company management’s authorization, that transactions are properly recorded and that access to assets is permitted only with management’s authorization.
Ultimately, the SEC did not pursue enforcement actions against any of these companies, but released the report to advise public companies that cyber-fraud incidents must be taken into account when designing and maintaining internal control procedures. Continue Reading SEC Report Reiterates Cybersecurity Implications for Internal Control Requirement
Effective October 1, 2018, Connecticut has the most stringent requirement—24 months—for free mitigation services that must be provided to those affected by a data breach of personally identifiable information (in the case of Connecticut: (A) Social Security number; (B) driver’s license number or state identification card number; (C) credit or debit card number; or (D) financial account number in combination with any required security code, access code or password that would permit access to such financial account).
With a new high-water set, it is likely that other states will quickly follow suit. In the meantime, for entities that are responding to a multi-state data breach that includes Connecticut, there will now be a business decision of whether or not to offer 24 months of services to all affected individuals regardless of state law requirements (some of which are silent and the rest of which require 12 months of services).
CA IoT Cybersecurity Bill Heads To Governor’s Desk
The bill (SB-327), if signed by Gov. Brown, will take effect on January 1, 2020. It is aimed at securing connected devices. The bill states that, “a manufacturer of a connected device shall equip the device with a reasonable security feature or features.”
House Approves Financial Sector Data Breach Bill
On Sept. 13 the House Financial Services Committee approved bill (H.R. 6743) to create a national data breach notification standard for the financial sector. The bill would amend the GLBA and preempt state law for institutions covered under the financial services law.
Department of Commerce Launches Collaborative Privacy Framework Effort
NIST announced it has launched a collaborative project to develop a voluntary privacy framework to help organizations manage risk. NIST will hold a public workshop on Oct. 16, 2018, in Austin, Texas—in conjunction with the International Association of Privacy Professionals’ Privacy. Security. Risk. 2018.
McGuireWoods HIPAA Webinar Series: September 24, 2018
This webinar will examine the application of HIPAA to the ever-growing array of mobile health applications and devices, with an emphasis on the design and security implications of such devices.
NIST has published Special Publication (SP) 1800-5, “IT Asset Management” to help financial service companies monitor and manage IT assets. According to the release:
“The example solution…gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used, and reducing help desk response times.”
A copy of the SP can be found here.
The convergence of the General Data Protection Regulation and the investigation into Russian interference in the 2016 election has created a perfect privacy storm. Social media platforms’ complacency on this front, and the resulting public backlash, have further amplified the pressure on legislatures to react. Although state legislatures have been quick to do so (most notably California, which passed a sweeping new privacy law in June), Congress has not.
Recently, Senator Mark Warner (D-VA) issued a draft white paper proposing 20 policy approaches to combat these issues. The proposals seek to enhance user privacy, increase transparency, and dam the deluge of misinformation that, to date, has run through social media platforms largely unchecked.
CTIA, a trade association representing the wireless communications industry, recently announced a new cybersecurity certification program for IoT cellular-connected devices. The announcement comes shortly after NIST hosted a workshop in July regarding Considerations for Managing IoT Cybersecurity and Privacy Risks.
CTIA states, “[t]he program will protect consumers and wireless infrastructure, while creating a more secure foundation for smart cities, connected cars, mHealth and other IoT applications.” Tom Sawanobori, SVP and Chief Technology Officer at CTIA states that, “[t]he IoT Cybersecurity Certification Program harnesses CTIA’s network of authorized labs and reflects our commitment to securing networks and devices in an increasingly connected wireless world.”
According to CTIA, the Cybersecurity Certification Program is built upon NTIA and NIST IoT security recommendations. The Program will begin accepting devices for certification testing in October 2018.
More information about the Cybersecurity Certification Program can be found here.
On August 14, 2018, President Trump signed into law S. 770, the “NIST Small Business Cybersecurity Act.” This Act requires the National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks. The Act states that the resources should be:
- “Generally applicable and usable by a wide range of small business concerns;
- Vary with the nature and size of the implementing small business concern, and the nature and sensitivity of the data collected or stored on the information systems or devices of the implementing small business concern;
- Include elements, that promote awareness of simple, basic controls, a workplace cybersecurity culture, and third-party stakeholder relationships, to assist small business concerns in mitigating common cybersecurity risks;
- Include case studies of practical application;
- Technology-neutral and can be implemented using technologies that are commercial and off-the-shelf; and
- Based on international standards to the extent possible, and are consistent with the Stevenson-Wydler Technology Innovation Act of 1980.”
The eighteen month transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies expires on September 4, 2018. These requirements apply to entities, “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” In less than a month, these Covered Entities subject to Part 500 are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
These requirements include:
- Implement and maintain audit trail requirements (500.06);
- Adopt written application security requirements (500.08);
- Adopt written data retention requirements (500.13);
- Implement monitoring/unauthorized access requirements (Section 500.14(a)); and
- Implement encryption requirements (500.15).
The final compliance deadline is March 1, 2019. In addition to those aforementioned Covered Entities, credit reporting agencies with significant operations in New York were recently required to comply with the cybersecurity regulations. More information about the Cybersecurity Requirements can be found here.