Presidential Council Releases Infrastructure Cybersecurity Report And Recommendations – On August 22, 2017, the President’s National Infrastructure Advisory Council (“NIAC”) issued a Report on securing critical U.S. infrastructure against cyber-attacks. The Report states that the U.S. is underprepared for the urgent threat it faces, noting that while the country is in a “pre-9/11-level cyber moment,” there is only a “narrow and fleeting window of opportunity to coordinate our resources effectively.” The Report lays out a number of recommendations and focuses on coordination between the federal government and the private sector.
NIAC was established in October 2001 by President George W. Bush to advise the President on the security and resilience of critical infrastructures, including physical assets and cyber networks. The Council is composed of executives from industry, academia, and state and local governments. NIAC created the Report in response to President Trump’s May 2017 Executive Order entitled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” King & Spalding previously reported on the President’s Executive Order here.
The Report notes that private companies are on the “front line” in the event of a cyber-attack on U.S. infrastructure. In addition, NIAC argues that the nation’s cybersecurity capabilities are fragmented, with unclear roles and responsibilities. Nonetheless, the Report states that the government and private sector have “tremendous cyber capabilities and resources” to defend against cyber-attacks. As such, the Report’s recommendations focus on how the government can work with the private sector.
The Report makes 11 recommendations, noting that they “reflect a strong consensus on what must be done next.” Among the key recommendations for the President are to:
- Facilitate a private-sector-led pilot of machine-to-machine information sharing technologies. The Report recommends that such a pilot be led by the electricity and financial services sectors, and would allow parties to identify state-of-the-art technologies for information sharing and to work out any issues with such sharing.
- Sponsor a public-private expert exchange program to strengthen the capabilities of the nation’s cyber workforce. As part of this recommendation, the Report also recommends expanding scholarship and internship programs to attract qualified employees to the field.
- Establish limited time, outcome-based market incentives to encourage the private sector to upgrade cyber infrastructure. These incentives could include tax credits, regulatory relief from audit and reporting requirements when industry standards are implemented, and grant or investment programs to fund upgrades or security investments.
- Create protocols to rapidly declassify cyber threat information. Declassification would allow governmental authorities to proactively share such information with the private owners and operators of critical infrastructure.
- Pilot a task force of experts in government and in the electricity, finance, and communications industries. The Report recommends creating a three-tiered task force with (1) senior executives in industry and government with the authority to set priorities and direct resources, (2) operational leaders who work the issues and implement strategic direction, and (3) dedicated full-time operational staff from both industry and government that dig in and solve complex issues.
- Establish an improved cybersecurity governance model to direct and coordinate cyber defense. The Report specifically points to “innovative” governance models now in use in Israel and the United Kingdom, both of which created new offices to handle cybersecurity. For example, the UK opened its National Cyber Security Centre in February 2017 as a central body to manage cybersecurity incidents and act as a hub for interagency cooperation. (King & Spalding previously reported on the NCSC here).
The NIAC Report is available here.
Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, email@example.com.
Delaware Expands Data Security Laws – On August 17, 2017, Delaware Governor John Carney signed into law an Act (“Act”) amending the Delaware Code (“Code”) as it relates to security breaches involving personal information. The Act revises the definition of what constitutes a security breach in this context and includes expanded data breach notification requirements, as well as a new requirement that those conducting business in Delaware implement and maintain reasonable security to protect the personal information of persons.
Under the revised Code, personal information is expanded to expressly include, among other things, passport numbers, usernames and email addresses in combination with passwords or security questions and answers that would permit access to an online account, medical information, health insurance information, and biometric data.
The new security requirement expressly states that any person (defined as “an individual; corporation; business trust; estate trust; partnership; limited liability company; association; joint venture; government; governmental subdivision, agency, or instrumentality; public corporation; or any other legal or commercial entity”) who conducts business in Delaware shall “implement and maintain reasonable procedures and practices to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.”
The revised Code further requires that owners and licensees of personal information provide notice to Delaware residents whose personal information is breached or reasonably believed to have been breached within 60 days of discovering the breach. No notice is required, however, if after an appropriate investigation, the person who would be charged with providing notice determines that the breach is unlikely to result in harm to the individuals whose personal information has been breached. In contrast, if a person maintains computerized data including personal information but is not the owner or licensee of such information, immediate notice and cooperation must be provided to the information’s owner or licensee after discovering the breach.
In addition, the revised Code requires notification to the Delaware Attorney General if there are more than 500 affected Delaware residents. When a breach includes social security numbers, the revised Code also requires offering credit monitoring services at no cost for a period of 1 year.
Like New Mexico’s data breach notification law that went into effect on June 16, 2017 (discussed in a King & Spalding Client Alert from May 12, 2017), the revised Code accounts for persons who may be subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and the Gramm-Leach-Bliley Act. Under the revised Code, a person regulated by state or federal law is deemed to be in compliance with the Delaware Code’s breach notification requirements if the person maintains procedures for a security breach according to requirements from its regulator (for example, under HIPAA or the Gramm-Leach-Bliley Act) and notifies affected Delaware residents in accordance with those procedures when a breach occurs.
The Act is set to become effective on April 14, 2018, 240 days after its enactment. The time from enactment to effectiveness was extended from 120 days as originally proposed to allow additional time for businesses to comply with the notification requirements.
The text of the Act is available here.
Reporter, Stephen R. Shin, Atlanta, +1 404 572 3502, firstname.lastname@example.org.
NIST Expands Info Security Guidance To Include Industry – On August 15, 2017, the National Institute of Standards and Technology (“NIST”) released an updated draft of its Security and Privacy Controls for Information Systems and Organizations guidance (Special Publication 800-53, Revision 5) (the “Guidance”) for federal information systems. Developed by a joint task force consisting of representatives of the civil, defense and intelligence communities, the Guidance is part of an ongoing effort to construct a unified information security framework for the federal government. The latest draft adds controls for the Internet of Things (“IoT”) business model that has emerged in recent years, as well as two new families of controls that focus solely on privacy, thus fully integrating privacy controls throughout the Guidance.
The security controls provide technical and procedural safeguards for increasing security and privacy, and are designed to protect systems, organizations, and individuals. The latest draft extends these controls to the IoT business model, which interconnects a growing number of devices, buildings, cars, and other non-traditional computing devices in order to optimize the control, monitoring, or efficiency of those items. According to NIST fellow Ron Ross, the latest version “takes the [G]uidance in new directions [in order to] craft the next-generation catalog of controls that can also be applied to secure the Internet of Things.”
In addition to extending the Guidance to cover the IoT, the latest draft also adds new privacy-focused controls. One of the new controls addresses data captured by sensors, such as those used in traffic-monitoring cameras. The control calls for configuring such sensors so that the system filters out, at the point of collection, information that is unnecessary for the traffic-monitoring system to perform its intended functions, rather than collecting everything and relying on later deletion. Previously, the Guidance targeted federal agencies, but the updated controls are written for a more diverse user group, including enterprise-level security and privacy professionals, component product developers, and systems engineers focused on security and privacy. The broadened reach is intended to help non-government entities deploy the Guidance’s controls alongside other cybersecurity frameworks already in use, such as ISO/IEC 27001 and NIST’s Framework for Improving Critical Infrastructure Cybersecurity. The Guidance continues to evolve, however, and NIST is still receiving comments on the current draft. Subsequent updates to the Guidance are therefore expected.
Reporter, Brett Schlossberg, Silicon Valley, +1 650 422 6708, email@example.com.
Russia Updates The List Of Countries With Adequate Protection Of Data – The Russian Personal Data Law refers to an official list of countries deemed to provide the adequate level of data protection (the “List”). The List is maintained by the competent regulatory authority, Roskomnadzor.
The significance of the List is that cross-border transfer of the personal data of Russian citizens is permitted, without the data subject’s specific consent to the transfer, to countries on the List and to states that have ratified the Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data. Together these total 51 countries, including all EU member states.
On August 16, 2017, Roskomnadzor officially announced that the List had been amended to add Costa Rica, Qatar, Mali, Singapore, the Republic of South Africa, Gabon and Kazakhstan, and to remove Senegal (which ratified the Council of Europe Convention in 2016 and is now exempt from the consent requirement on that basis rather than by virtue of being on the List). Notably, the United States is not on the List, so transfers of Russian citizens’ personal data to the United States continue to require the data subject’s specific consent or another statutory basis.
Reporter, Xenia Melkova, Moscow, +7 495 228 8500, firstname.lastname@example.org.
ALSO IN THE NEWS
King & Spalding To Host Medical Device Summit – King & Spalding, in conjunction with FDANews, invites you to register and participate in the Medical Device Summit 2017 on September 7, 2017, in Chicago. Exploring cutting-edge issues facing the medical device industry, the Summit features two tracks of in-depth presentations from which attendees can build a program to suit their interests and needs. The Summit will begin on Wednesday evening, September 6th, with a Welcome Dinner followed by a full day of sessions on Thursday, September 7th, and closing that evening with a networking reception. Subjects will include cybersecurity, regulatory, reimbursement, enforcement, compliance, commercial, litigation and other topics that demand the attention of medical device manufacturers in the coming year. Click here for more information and here to register.
10th Annual King & Spalding Pharmaceutical University – On Thursday, November 9, 2017, King & Spalding will host its 10th Annual Pharmaceutical University, a full day of presentations on subjects critical to drug and biologics manufacturers, their in-house counsel, managers, and executives. For almost a decade, King & Spalding’s Pharmaceutical University has provided timely, in-depth, practical insight into almost every area of law affecting the development, manufacture, and sale of pharmaceuticals and biologics. At our tenth annual event this November, Pharma U will again provide the sophisticated variety of presentations that hundreds of industry attendees have come to rely upon year after year. We hope you will save the date and join us in Philadelphia on November 9 at our three-track symposium addressing regulatory, enforcement, intellectual property, commercial, corporate, litigation, international trade, and political issues, among many other topics that will demand your attention in 2018. Registration will open in the Fall.