January 30, 2017

Data, Privacy & Security Practice Report – January 30, 2017

New Bipartisan Bill Calls For Study Of Cybersecurity Standards For Motor Vehicles – On Tuesday, January 24, 2017, U.S. Representatives Ted Lieu (D-CA) and Joe Wilson (R-SC) introduced the Security and Privacy in Your Car Study Act of 2017.  The bill, H.R. 701, directs the National Highway Traffic Safety Administration (“NHTSA”) to undertake a study on cybersecurity standards for motor vehicles.

If enacted, the measure would require NHTSA to study and determine the “appropriate standards for the regulation of the cybersecurity of motor vehicles” and to make recommendations to be adopted by NHTSA or any other relevant federal agency.  The legislation focuses on both the physical security of automobiles and the protection of users’ personal data.  Specifically, the bill asks NHTSA to identify (1) isolation measures to separate critical and non-critical automobile software systems, (2) procedures for preventing software bugs, (3) techniques to detect or prevent malicious hacking, (4) best practices to secure driving data, and (5) the proper timeline to implement such protections and practices.

Under the proposal, NHTSA is asked to conduct the study in coordination with a number of public and private groups—including the Federal Trade Commission, the National Institute of Standards and Technology, the Department of Defense, the Automotive Information Sharing and Analysis Center, and SAE International, as well as automobile manufacturers, original equipment manufacturers, and relevant academic institutions.  The bill demands a preliminary report to Congress one year after enactment, and a final report six months after that.

Representatives Lieu and Wilson introduced similar legislation, H.R. 3994, in the last Congress, but that bill was never passed out of committee.  To date, no equivalent Senate bill has been introduced.

Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, ayacoub@kslaw.com.

FCC Releases Cybersecurity Risk Reduction White Paper – On January 18, 2017, during the final days of the Obama Administration, the Federal Communications Commission (“FCC”) released a white paper (the “FCC Paper”) on cybersecurity risk mitigation in communications networks.  The FCC Paper explains the agency’s cybersecurity policy paradigm, describes cyber risk mitigation actions taken by the FCC, and includes recommendations for additional risk reduction strategies.  The FCC Paper covers a number of cyber topics affecting the communications sector, including situational awareness, security by design, and real-time cyber threat information sharing. 

The FCC Paper notes that while businesses take certain steps to protect cyber infrastructure, a “cybersecurity gap” remains with respect to the most direct and prominent risks.  Accordingly, the FCC affirms its “clear role and responsibility in addressing residual cybersecurity risk—i.e., the risk remaining after market participants have acted to remediate cyber risk that directly affects their business interest.”  The FCC Paper points out that this residual cyber risk can be substantial and “is ultimately imposed on stakeholders that have scant awareness of its presence or means to remediate it.”

To meet the challenge of reducing cyber risk in communications networks and services, the FCC relies both on voluntary risk mitigation efforts by commercial entities and on the agency’s regulatory oversight capabilities.  The FCC’s risk reduction strategy features various “lines of effort” designed to combat cyber vulnerabilities.  One line of effort is situational awareness, meaning the collection and analysis of information about communications disruptions.  The FCC Paper states that communications providers must submit reports about network outages that include information about the possible cause of the outage and any remediation steps taken.  This includes whether “carriers are aware of a malicious cause of an outage, which could be the result of a cyber incident.”  Going forward, the FCC Paper encourages expanding outage reporting requirements to IP-based communications generally in light of the “increasing reliance on IP-based communications, including [in] support of essential public safety communications.”

Another of the FCC’s lines of effort relates to security by design.  The FCC Paper points out that in the rush to bring equipment into the market, security features can get short shrift.  The FCC cautions against this, noting that security by design “reduces cyber risk by using a disciplined process of continuous testing, authentication safeguards and adherence to best development practices.”  Real-time cyber threat information sharing is another FCC line of effort, and the FCC Paper states that such information sharing among communications companies “enables an ecosystem where indicators of attempted compromise can be shared in real time, protecting companies and agencies from that particular threat.” 

The FCC Paper concludes by stating that, in the future, “the continued convergence of packet-based communication technology in wireless, wireline, cable, broadcast and satellite coupled with network functional virtualization and software defined radios will lead to hybrid (co-mingled) control elements for many service providers,” and such “interdependencies will be inviting targets for threat actors.”  The FCC Paper acknowledges the agency’s desire to address cyber issues with collaborative public/private partnerships, but nonetheless notes that the FCC will not hesitate to use its regulatory prerogatives to ensure a “tolerable risk outcome” in this space.  Although a new administration has taken office since the release of the FCC Paper, companies operating in the communications sector still would be wise to diligently evaluate their cyber risk reduction strategies.  

Reporter, Kyle Sheahen, New York, +1 212 556 2234, ksheahen@kslaw.com.

Data Breach Notification Archive Made Publicly Available Online By Massachusetts Office Of Consumer Affairs – On January 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced the online public availability of data breach notification records that it receives and maintains pursuant to the Massachusetts Data Security Law (M.G.L. c.93H), which were previously only available through a public records request. 

Under the Massachusetts Data Security Law, entities that keep personal information of Massachusetts residents are required to notify affected residents, in addition to the Massachusetts Office of Consumer Affairs and Business Regulation and the Massachusetts Attorney General, in the event of a breach of security or unauthorized acquisition or use of residents’ personal information.  “Personal information” under the Massachusetts Data Security Law is defined as “a resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that ‘Personal information’ shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

Information available through the online Data Breach Notification Archive dates back to 2007, when the Massachusetts Data Security Law first became effective, and includes information on reported data breaches such as the reporting organization’s name, the breach type (electronic or paper), the number of Massachusetts residents affected, and an indication of the types of personal information breached (such as social security numbers, account numbers, driver’s license numbers).

Reporter, Stephen R. Shin, Atlanta, +1 404 572 3502, sshin@kslaw.com.

ALSO IN THE NEWS 

King & Spalding’s Data, Privacy & Security Group Recognized as Privacy Practice Group of the Year – On January 9, 2017, Law360 named King & Spalding’s Data, Privacy & Security practice its “Privacy Practice Group of the Year.”  The accolade comes along with Law360 recognizing King & Spalding as one of three “Firms that Dominated in 2016,” and follows closely on the heels of Law360’s recent profile of practice leader, Phyllis Sumner, as a 2016 “Privacy MVP.”

King & Spalding’s 2017 Cybersecurity & Privacy Summit – On Monday, April 24, 2017, please join the cybersecurity and privacy experts at King & Spalding for the 2017 Cybersecurity & Privacy Summit.  This event is for legal and business professionals who want to participate in a discussion about the latest developments and strategies for data protection.  King & Spalding will provide a registration link in the coming weeks.