A bipartisan group of Senators wants to make it more difficult for hackers to enlist smart thermostats, wireless security cameras and other connected devices in future cyberattacks.

ZDNet reports that Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) have introduced legislation that would require suppliers of devices to the federal government to ensure connected items such as wearables and smart sensors can be patched with security fixes. The bill would also prohibit the use of hard-coded usernames and passwords, which are considered one of the primary paths malware uses to hijack smart devices. In addition, the legislation offers new legal protections to cybersecurity experts testing connected devices’ digital defenses.

The growing universe of poorly secured smart devices, often referred to as the Internet of Things (IoT), was blamed for last year’s distributed denial of service attack that temporarily took down services such as Twitter, Netflix and Spotify.


Two bills that provide new funds to the Department of Homeland Security to support public-private collaboration on development of innovative cybersecurity technologies have passed the U.S. House of Representatives.

The legislation – the Support for Rapid Innovation Act (H.R. 5388) and the Leveraging Emerging Technologies Act (H.R. 5389) – was passed with bipartisan support after winning the approval of the House Homeland Security Committee last week.

“We need more [capabilities] and the government can’t do it alone; the dangers are too pressing for Washington to protect the American people all by itself,” said Majority Leader Rep. Kevin McCarthy (R-California).

“Cybercriminals continue to develop even more advanced cyber capabilities, and in 2016 these hackers pose an even greater threat to the U.S. homeland and our critical infrastructure,” bill sponsor Rep. John Ratcliffe (R-Tex.) said.

Democrats made similar statements in support of the bills.

Other, similar legislation is in the pipeline: the Cybersecurity and Infrastructure Protection Agency Act (H.R. 5390) and the Improving Small Business Cyber Security Act (H.R. 5064). No votes have been scheduled.

For more information about how new regulations may affect your organization, contact the author or a member of Fox Rothschild’s Privacy & Data Security Practice Group.

Federal lawmakers took steps Wednesday to convert the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD) into a fully-operational agency dedicated to cybersecurity that would be called the Cybersecurity and Infrastructure Protection Agency.

The agency’s goal would be to “realign and streamline” federal cybersecurity initiatives and implement the recently passed Cybersecurity Information Sharing Act (CISA).

The legislation (H.R. 5390) was one of four cybersecurity-related bills that passed the U.S. House of Representatives Homeland Security Committee Wednesday.

“Every day, cybercriminals and nation-states are looking for vulnerabilities to exploit at companies like Target and Sony, our critical infrastructure sectors and our federal government,” Committee Chairman Michael McCaul (R-Texas), said.

The Committee also endorsed the Improving Small Business Cyber Security Act (H.R. 5064), the Support for Rapid Innovation Act (H.R. 5388), and the Leveraging Emerging Technologies Act (H.R. 5389).

The Improving Small Business Cyber Security Act allows DHS to provide greater resources and support to small businesses, to work with small-business development centers to develop better cybersecurity infrastructure, and to improve employee cybersecurity risk training.

The Support for Rapid Innovation Act adds a section to the Homeland Security Act directing DHS – itself or through other federal agencies, in academia, and/or through the private sector – to support research and development of new cybersecurity and data protection technology.

The Leveraging Emerging Technologies Act would authorize DHS to work with emerging technology developers and startups to help address federal cybersecurity and technology needs, and to establish offices in areas where tech and cyber-related businesses are concentrated.

All of the legislation now heads to the full House, where nothing is certain. If enacted, the legislation will direct additional funding to companies operating in the cybersecurity and technology spaces, likely with increased government oversight and/or involvement.

For more information about how new regulations may impact your organization, contact the author or a Fox Rothschild Privacy and Data Security Practice Group member.

In February, the European Commission (EC) and U.S. Department of Commerce unveiled Privacy Shield, a proposed deal to replace the invalidated Safe Harbor framework for EU-to-U.S. data transfers.

On Wednesday, the Article 29 Working Party, a group of European data protection authorities (DPAs), weighed in, issuing an opinion criticizing the proposal. The opinion expresses significant concerns about the framework’s protections for EU citizens as they pertain to U.S. government surveillance programs. It is also a setback for U.S. companies awaiting an approved agreement on transatlantic data transfers.

The Working Party’s Concerns

While conceding that the Privacy Shield as proposed is a substantive improvement, the Working Party expressed numerous concerns over the ways that both commercial and government entities outside of the EU could use transferred data.

According to French data protection regulator and Working Party chair Isabelle Falque-Pierrotin, “some key data protection principles as outlined in European law are not really reflected in the [proposed framework] or have been inadequately substituted by alternative notions.” The Working Party noted the absence of data retention and deletion standards for U.S. businesses aimed at avoiding reuse or repurposing of data for broader purposes, as is common practice here.

The Working Party also raised concerns about onward transfer, i.e. the process of transmitting European data transferred to the U.S. on to a third country, particularly those with lower privacy and data security standards. Onward transfer has proven tricky to manage even under Safe Harbor – even access to data on U.S. servers from a third country could be deemed a violation of the prohibition against onward transfer.

Also at issue were proposed administrative mechanisms. For example, the Working Party expressed displeasure with the redress mechanism, which addressed questions about a judicial process through which Europeans could seek redress for misuse of their data. EU regulators prefer that European citizens have rights in European DPAs. Likewise, the Working Party welcomed the creation of an ombudsman at the U.S. Department of State to oversee national security-related complaints, but noted that the position’s powers were not yet clearly defined and expressed doubts that the role would have the authority or independence to adequately address “massive and indiscriminate” bulk collection of data by U.S. surveillance agencies.

Lastly, the Working Party urged agreement on a “revision” clause that would allow it to reexamine the deal in 2018 when the General Data Protection Regulation (GDPR) is slated to take effect. Recently finalized in principle, the GDPR will seek to unify and further strengthen privacy and data security laws across Europe.

What’s Next?

Although it is nonbinding, the opinion will nonetheless be influential. It comes as European Union member states must next vote to approve or reject Privacy Shield. The European Commission must then confirm the adequacy of the framework in light of the Schrems decision. In other words, unless the European Commission and U.S. negotiators address the concerns expressed by the Working Party, the odds will increase that Privacy Shield will be challenged in European courts.

For their part, business leaders and groups across the U.S. and Europe have widely disagreed with the opinion, and have expressed support for Privacy Shield generally. They contend that it does indeed rise to the Court of Justice’s standard that a transatlantic data transfer deal must provide an “essentially equivalent” level of protection for personal data transferred from the EU to the U.S.

Until this regulatory uncertainty ends, U.S. businesses will find substantive compliance all but impossible. As we await next steps, the risk of liability or new regulatory enforcement campaigns aimed at U.S. companies only grows.

In my previous post, I reviewed the New York State Department of Financial Services’ (NYDFS) findings and conclusions of survey results of financial institutions and insurers’ programs, costs, and future plans related to cybersecurity.

Anthony J. Albanese – Acting Superintendent of Financial Services – writes in a November 9, 2015 letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members that these conclusions have demonstrated a need for new cybersecurity regulations for financial institutions.

Such “robust regulatory action” would be a coordinated effort between state and federal agencies to create a thorough cybersecurity framework addressing critical concerns as well as covering New York-specific interests.

Potential regulations implemented by the NYDFS would require covered financial entities to meet specific cybersecurity obligations in the following areas:

  • Cybersecurity policies and procedures;
  • Third-party service provider management;
  • Multi-factor authentication (i.e., requiring covered entities to apply such authentication to customer, internal, and privileged access to confidential information as well as any access to internal systems or data from an external network);
  • Chief Information Security Officer (i.e., covered entities will be required to have a CISO responsible for overseeing and implementing a cybersecurity policy, among other duties);
  • Application security (i.e., covered entities must have and set forth written policies, procedures, and guidelines to ensure the security of all applications utilized by the entity which need to be updated annually by the CISO);
  • Cybersecurity personnel and intelligence (i.e., covered entities will need to hire cybersecurity personnel who can handle certain cyber risks and perform core functions of “identify, protect, detect, respond and recover,” as well as providing mandatory training to such personnel);
  • An audit function; and
  • Notice of cybersecurity incidents.

Some of these proposed requirements are set forth in more detail below.


Cybersecurity Policies and Procedures

Covered entities, Albanese writes, would need to implement and maintain written cybersecurity policies and procedures addressing the following areas:

(1) information security;

(2) data governance and classification;

(3) access controls and identity management;

(4) business continuity and disaster recovery planning and resources;

(5) capacity and performance planning;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and application development and quality assurance;

(9) physical security and environmental controls;

(10) customer data privacy;

(11) vendor and third-party service provider management; and

(12) incident response, including by setting clearly defined roles and decision making authority.


Third-party Service Provider Management

Albanese wants covered entities to ensure that third-party cybersecurity policies and procedures are implemented. Third-party service providers who hold or have access to sensitive data or systems will need to adhere to certain contractual terms, including the following provisions:

(1) the use of multi-factor authentication to limit access to sensitive data and systems;

(2) the use of encryption to protect sensitive data in transit and at rest;

(3) notice to be provided in the event of a cyber security incident;

(4) the indemnification of the entity in the event of a cyber security incident that results in loss;

(5) the ability of the entity or its agents to perform cyber security audits of the third party vendor; and

(6) representations and warranties by the third party vendors concerning information security.


Audits

Annual penetration testing and quarterly vulnerability assessments would be new requirements for covered entities. Such entities would also be responsible for maintaining an audit trail system that performs the following functions:

(1) logs privileged user access to critical systems;

(2) protects log data stored as part of the audit trail from alteration or tampering;

(3) protects the integrity of hardware from alteration or tampering; and

(4) logs system events, including access and alterations made to audit trail systems.
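Functions (2) and (4) above amount to a tamper-evident log: changes to stored entries, including changes to the audit trail itself, must be detectable afterwards. As an added illustration (not part of the NYDFS proposal or any named product), the following Python builds an append-only audit trail in which every entry carries an HMAC over its own fields and the previous entry's tag, so that rewriting, reordering or deleting a record breaks the chain from that point on. The signing key, the event names and the three sample records are constructed for the example.

```python
"""Hash-chained, HMAC-protected audit trail (illustrative example).

Each entry's tag = HMAC(key, [seq, event, actor, target, prev_tag]).
Because prev_tag is covered by the tag, any change to an earlier
record invalidates every later one; verify() reports the first bad index.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS_TAG = "0" * 64  # fixed prev_tag for the first record


@dataclass
class Entry:
    seq: int
    event: str
    actor: str
    target: str
    prev_tag: str
    tag: str


class AuditTrail:
    def __init__(self, key: bytes):
        # In practice the key lives with a separate log-signing service,
        # not on the hosts whose privileged access is being recorded.
        self._key = key
        self.entries: list[Entry] = []

    def _tag(self, seq: int, event: str, actor: str, target: str, prev_tag: str) -> str:
        # Canonical JSON so the same fields always produce the same bytes.
        msg = json.dumps([seq, event, actor, target, prev_tag], separators=(",", ":")).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event: str, actor: str, target: str) -> Entry:
        seq = len(self.entries)
        prev_tag = self.entries[-1].tag if self.entries else GENESIS_TAG
        entry = Entry(seq, event, actor, target, prev_tag, self._tag(seq, event, actor, target, prev_tag))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, first bad index)."""
        prev_tag = GENESIS_TAG
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_tag != prev_tag:
                return False, i  # record removed, reordered or re-sequenced
            expected = self._tag(e.seq, e.event, e.actor, e.target, e.prev_tag)
            if not hmac.compare_digest(e.tag, expected):
                return False, i  # record contents altered
            prev_tag = e.tag
        return True, -1


def privileged_access_events(trail: AuditTrail) -> list[Entry]:
    """Function (1): pull out privileged-user access to critical systems."""
    return [e for e in trail.entries if e.event == "privileged_access"]


def demo() -> tuple[tuple[bool, int], tuple[bool, int]]:
    key = b"constructed-example-key"  # assumption: a real key is random and managed by the signer
    trail = AuditTrail(key)
    trail.append("privileged_access", "dba-admin", "core-ledger-db")
    trail.append("audit_config_change", "sec-ops", "audit-trail-service")  # function (4)
    trail.append("privileged_access", "root", "payment-gateway-01")
    before = trail.verify()
    # Simulate an insider rewriting record 1 to hide who changed the audit config.
    trail.entries[1].actor = "nobody"
    after = trail.verify()
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, -1), (False, 1))
```

The chain detects alteration and deletion of interior records, but not silent truncation of the tail: an attacker who removes the last entries leaves a shorter chain that still verifies. Covering that case needs an external anchor, such as periodically shipping the latest tag to a separate, write-once store and checking the log's head against it.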


Notice of Cybersecurity Incidents

Covered entities, Albanese writes, will need to immediately notify the NYDFS of any cyber security incident that is reasonably likely to materially affect such entity’s normal operation, including a cybersecurity incident

(1) that triggers certain other notice provisions under New York Law;

(2) of which the entity’s board is notified; or

(3) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.


These potential requirements are subject to further review and revision by the NYDFS, and there is no timetable for when these requirements will become the law of the land in New York. It will be interesting to see if and when covered entities begin implementing these requirements in advance of a legal obligation to do so. Will other states’ regulatory agencies enact similar regulations modeled on the NYDFS proposals? Look for developments on this topic in the news and on this website.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

In reaction to two surveys of more than 150 regulated banking organizations and 43 regulated insurers in New York, the state’s Acting Superintendent of Financial Services issued a letter to all Financial and Banking Information Infrastructure Committee (FBIIC) Members addressing the need for potential new cybersecurity regulations in the financial sector.

The New York State Department of Financial Services (NYDFS) expects that the November 9, 2015 letter will trigger more “dialogue, collaboration and, ultimately, regulatory convergence” among New York agencies on “strong” cybersecurity norms for financial institutions.

In the letter, Anthony J. Albanese – Acting Superintendent of Financial Services – discusses the NYDFS’ review of the two surveys which were conducted in 2013 and 2014. The surveys asked about the banks’ and insurers’ programs, costs, and future plans pertaining to cybersecurity. Albanese writes that the findings of those surveys led to some additional actions:

  • The NYDFS expanded its information technology examination procedures to focus more attention on cybersecurity;
  • NYDFS began conducting risk assessments of its financial institutions in late 2014 and early 2014 to compile information about risks and vulnerabilities;
  • In response to a realization of the financial industry’s reliance on third-party service providers for banking and insurance functions, the NYDFS conducted an additional survey of regulated banks in October 2014, specifically pertaining to banks’ management of third-party service providers; and
  • NYDFS published an April 2015 update to its earlier report with the most critical observations.

Those reports and risk assessments as well as the “dozens of discussions” the NYDFS has held with New York financial entities, cybersecurity experts, and other stakeholders have led to several “broad conclusions,” Albanese writes:

  • Financial institutions need to stay “dynamic” to keep pace with ever-changing technological advances and sophisticated cyberthreats;
  • Financial institutions’ third-party service providers must also have sufficient cybersecurity protections as these service providers often have access to an institution’s sensitive data and information technology systems; and
  • Cybersecurity is a “global concern” that affects every industry as evidenced by recent data breaches.

My next post will analyze the proposed regulatory actions and requirements NYDFS is considering for financial institutions and insurers.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

The White House is building on recent laws addressing cybersecurity in the United States with the release of a new Cybersecurity National Action Plan (“CNAP”). The plan focuses on:

  • improving cybersecurity awareness and protections;
  • additional privacy and security protections for individuals through the creation of a permanent Federal Privacy Council;
  • maintenance of public safety, economic security and national security through a new Commission on Enhancing National Cybersecurity; and
  • encouraging citizens to take better control of their digital information and security.

CNAP includes a request to Congress to invest over $19 billion for the 2017 Fiscal Year Budget, which is a 35% increase to resources allocated to cybersecurity during FY 2016.

The plan is highlighted by a new Commission on Enhancing National Cybersecurity (“Commission”). The Commission will be comprised of top technical, strategic, and business advisors in the private sector chosen by bipartisan Congressional leadership. It will make detailed recommendations to improve cybersecurity awareness both inside and outside the government. The Commission will also make specific findings about improving national security and empowering citizens to better handle their digital security. These recommendations and findings must be reported to the President before the end of this year.

The White House looks to make significant improvements in government cybersecurity as part of a $3.1 billion Information Technology Modernization Fund, which will allow agencies to modernize outdated IT infrastructure, networks and systems. A new Federal Chief Information Security Officer will be solely dedicated to developing, managing, and coordinating cybersecurity policies, strategies and operations in the federal government.  The Department of Homeland Security will have new federal civilian cyber defense teams to protect associated networks, systems and data.  The plan also calls for disrupting cyberattacks and improving cyber incident response.

CNAP’s concern for citizens’ privacy and security is reflected in an Executive Order making the Federal Privacy Council permanent. Privacy officials from across the government will help ensure that more strategic and comprehensive federal privacy guidelines are implemented. The Administration wants citizens to leverage multiple layers of authentication when logging into online accounts instead of just a password. Extra factors like a fingerprint or a single-use code via text message are ways to improve online security. The federal government is accelerating adoption of this approach for citizen-to-government digital services, such as tax and health benefit information. The White House’s new milestones for the 2014 BuySecure Initiative will build on the 2.5 million Chip-and-PIN payment cards already issued.

Research and development will continue to be a focus with a new Federal Cybersecurity Research and Development Strategic Plan. The strategic plan outlines research and development goals so that the U.S. can advance cybersecurity technologies. CNAP further mentions working with the Linux Foundation’s Core Infrastructure Initiative to maintain and improve internet infrastructure.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

A bill recently proposed in the U.S. Senate would require publicly traded companies to increase transparency about cybersecurity threats, risks and breaches. The bill includes disclosure standards such as having public companies reveal whether anyone on their board of directors has cybersecurity expertise or specialization. Companies would provide this information through their U.S. Securities and Exchange Commission investor reports.

The bill stems from an urgency to combat cyber threats in light of the findings of an investigation into the cybersecurity practices of the top 100 financial firms, as well as recent attacks on major publicly traded companies like Sony and Home Depot. If the bill passes, investors and shareholders will be able to monitor how well public companies secure private data and information, motivating companies to enhance their security measures.

The U.S. House of Representatives has passed legislation authorizing the Department of Homeland Security to create a National Computer Forensics Institute (NCFI).

The new entity, operated by the U.S. Secret Service, would train state and local law enforcement authorities, as well as prosecutors and judges on cyber threat investigations and forensic examination of mobile devices.

The NCFI has its origins in Alabama. The state proposed creating a cyber crime training facility for state and local law enforcement in 2007, asking that it be operated by the Secret Service and Department of Homeland Security. The NCFI was created in 2008, but never formally authorized.

After passing the House on November 30, the Strengthening State and Local Cyber Crime Fighting Act (H.R. 3490) now moves on to the Senate.

The legislation details institute operations and requires it to disseminate information on investigating and preventing cyber crime. House Judiciary Committee Chairman Bob Goodlatte (R-VA) said the NCFI is a “vital” part of addressing cyber crime, which he said has the ability to affect “national security, economic prosperity and public safety.”

The U.S. Senate voted 74-21 to pass the Cybersecurity Information Sharing Act (CISA) on Tuesday in part as a reaction to the EU’s rejection of the Safe Harbor Agreement. Sen. Dianne Feinstein (D-CA) introduced the bill in June 2014 following a flurry of major cyberattacks on U.S. organizations.

The CISA bill was authored to promote information-sharing from companies that experience cyberattacks. CISA offers liability protections to organizations that work with the Department of Homeland Security (DHS) when threats arise or defensive protocols are implemented. Those that criticize the bill point out that “liability protections” could burden a company with unnecessary or unwanted levels of government surveillance, and that shared information could pass to other federal agencies such as the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI). However, Sen. Richard Burr (R-NC), who co-sponsored the bill, emphasized that companies are not required to participate as the program is voluntary. It remains unknown whether CISA may potentially replace the Safe Harbor Agreement invalidated by the EU Court of Justice.

Four amendments addressing privacy concerns did not pass the Senate, in addition to Sen. Rand Paul’s (R-KY) amendment that proposed removing immunity from companies that break privacy agreements with their consumers.

The House will initiate a conference to determine how information should be shared with the government. The final measure, which both chambers must pass, will include a combination of three bills. Signaling potential approvals, the House passed two cybersecurity bills in April: the Protecting Cyber Networks Act (H.R.1560) (PCNA) and the National Cybersecurity Protection Advancement Act (H.R. 1731) (NCPAA). In fact, CISA and PCNA share broad similarities as both focus on incentivizing companies to share cyberattack and cyber threat information with government agencies. The PCNA was passed in hopes that it would create in-the-moment response and notice systems that efficiently warn other networks about hacker strategies and the vulnerabilities they exploit. PCNA privacy provisions require companies to remove Personally Identifying Information irrelevant to the threat at hand.

Also sharing similarities with CISA, the NCPAA provides liability protections to companies who voluntarily share cyber threat data with the DHS. These liability protections are meant to insulate companies from class actions or heightened regulatory oversight they could otherwise experience under the PCNA. Authors of the NCPAA also sought to safeguard individual privacy for citizens and included a number of provisions ensuring that cyber threat information may only be used for cybersecurity issues.

According to Sen. Burr, the conference with the House may commence this week, but the final measure will be ready by 2016. Congress expects the president to approve the final measure.