June 4, 2018

Data, Privacy & Security Practice Report – June 4, 2018


Congress Considers Cybersecurity Funding In Energy Sector – In May, the House and Senate Appropriations Committees approved legislation providing fiscal year 2019 funding for the Department of Energy (“DOE”). Both the House and Senate versions of the funding bill include significant cybersecurity funding components aimed at addressing emerging cybersecurity threats to U.S. energy infrastructure.

On April 11, the Senate Appropriations Energy and Water Development Subcommittee held a hearing on the fiscal year 2019 DOE budget proposal. In his testimony, Secretary of Energy Rick Perry acknowledged that “among the most critical missions at the Department is to develop science and technology that will ensure Americans have a resilient electric grid and energy infrastructure. Protecting this infrastructure means it has to be resilient and secure to defend against the evolving threat of cyber and other attacks.”

On May 24, the Senate Appropriations Committee approved its Fiscal Year 2019 Energy and Water Development Appropriations bill (S. 2975), which includes funding for the DOE’s cybersecurity programs and initiatives. Notably, the bill recommends $260 million for the Office of Cybersecurity, Energy Security, and Emergency Response (“CESER”), which is $164.2 million above the amount requested in the President’s budget. The Committee’s report also includes certain policy directives accompanying the funding recommendations. In recommending $81 million in cybersecurity funding for Energy Delivery Systems, for example, the Committee expressed its support for the “extension of cyber risk information sharing tools” and the continued investment in power system vulnerability research initiatives. The report also highlights the Committee’s focus on agency crosscutting initiatives, including a “Cybersecurity Crosscut,” which directs DOE to “develop a plan that integrates all of the Department’s cybersecurity research, development, and deployment investments.”

The House version of the bill (H.R. 5895), approved by the House Appropriations Committee on May 16, provides $146 million for CESER, $50.2 million above the President’s budget request, but $114 million less than in the Senate bill. In the accompanying Committee report, the House appropriators echo their Senate counterparts’ focus on risk information sharing among public and private stakeholders, as well as the need to provide additional dedicated research and development funding for energy delivery system cybersecurity.

While the full House is expected to vote on a package of three appropriations bills, including H.R. 5895, as soon as this week, it is unclear as to when the Senate will consider S. 2975. We will continue to monitor the bills’ progression and provide updates on any significant developments.

Reporter, William Clarkson, Washington, D.C., +1 202 626 8997, wclarkson@kslaw.com.

California Expected To Vote On New Data Privacy Law – This November, voters in California are expected to decide whether to adopt new online privacy requirements. Californians for Consumer Privacy, formed by Alastair Mactaggart, a California real estate developer who has donated over $2 million to research and develop the ballot initiative, is leading the effort to provide “important new consumer privacy rights to take back control of your personal information.” Mary Stone Ross, former CIA analyst and counsel for the U.S. House Permanent Select Committee on Intelligence, along with Rick Arney, a financial industry executive with experience working as a staffer in the California state legislature, are co-directors of the ballot campaign “to address a world where a small number of mega-corporations have access to almost all of your most personal information.”

Californians for Consumer Privacy promotes the Consumer Right to Privacy Act of 2018 as a means to restore transparency, control, and accountability to individuals’ personal information. The measure would require businesses, upon request by a consumer, to disclose what specific personal information is being collected, sold, or disclosed, as well as to whom. Consumers could opt out of having their data sold to third parties. If approved, the new law would require businesses to post a “clear and conspicuous link on the business's homepage, titled ‘Do Not Sell My Personal Information,’ to a webpage that enables a consumer, or a person authorized by the consumer, to opt out of the sale of the consumer's personal information.”  Businesses would be prohibited from discriminating against consumers who either request disclosure of how personal information is being used or opt out of having their data sold. The new law would impose civil penalties, and consumers, public entities, and whistleblowers could sue for security breaches. A portion of recoveries would be deposited to a newly established state Consumer Privacy Fund, which would “be used exclusively to offset any costs incurred by the state courts and the Attorney General in connection with this Act.” 

The Consumer Right to Privacy Act of 2018 is currently pending signature verification by the California Secretary of State. California requires 365,880 valid signatures to qualify an initiative, and over 600,000 signatures for this measure have been submitted.

The text of the Consumer Right to Privacy Act of 2018 can be found here.

The California Secretary of State tracking for initiative and referendum status can be found here.

Reporter, Allison Kassir, Washington, D.C., +1 202 626 5600, akassir@kslaw.com.

OMB Releases Cybersecurity Report On Federal Agencies – On May 30, the Office of Management and Budget (“OMB”) released the Federal Cybersecurity Risk Determination Report and Action Plan (the “Report”). The Report is the result of investigations ordered by President Trump pursuant to Presidential Executive Order 13800, Strengthening of Cybersecurity of Federal Networks and Critical Infrastructure (the “Order”), which made clear that agency heads will be held accountable for protecting their networks and called on government to reduce the threat from cyberattacks. According to the Report, seventy-one of the ninety-six agencies investigated were deemed to be either “At Risk” or “High Risk,” with twenty-five agencies being deemed as “Managing Risk.”

The Report defined an “At Risk” agency as having “[s]ome essential policies, procedures and tools . . . in place to mitigate overall cybersecurity risk, but significant gaps remain,” whereas a “High Risk” agency was defined as not having “[k]ey fundamental cybersecurity policies, processes, and tools . . . in place or [having not been] deployed sufficiently.”  Those agencies which were deemed to be “Managing Risk” have instituted required policies, procedures and tools and actively manage their cybersecurity risks. The Report did not detail which agencies were assigned the various risk assessment levels; however, Stewart Baker, a former Assistant Secretary for Policy at the Department of Homeland Security, told the Washington Post that, “the scope of the issues described in the [R]eport makes it clear that both small and large agencies alike have a ton of work to do.”

Although the Report offered four core recommendations for ameliorative action, it nonetheless noted that, “[f]ederal agencies do not have the visibility into their networks to effectively detect data exfiltration attempts and respond to cybersecurity incidents. Simply put, agencies cannot detect when large amounts of information leave their networks, which is particularly alarming in the wake of some of the high-profile incidents across government and industry in recent years.” The Report also noted that only sixteen percent of agencies achieved the government-wide target for encrypting data at rest and that, “it is easy to see government’s priorities [with respect to data encryption] must be realigned.”

Whether the Report spurs agencies to act is yet to be seen, but the OMB stated that it will take necessary actions to implement various cybersecurity frameworks and help shape agency budgets for upcoming years to account for the threats assessed.

Reporter, Brett Schlossberg, Silicon Valley, CA, +1 650 422 6708, bschlossberg@kslaw.com.

GDPR Feature

This new feature will provide regular insights into GDPR and updates, with viewpoints from the regulators, corporations, and privacy professionals.

May 25th Has Come And Gone. GDPR Is In Force – What Now? – GDPR came into effect on May 25th. Many companies are still working on GDPR compliance and are asking, what now? Will they be fined for failure to comply? Will the regulators apply a period of grace before taking action? What are the biggest threats?

A recent study of 1,000 US and EU companies confirms that around half of companies which are in scope to comply with GDPR are not yet compliant, because they have either not yet started or have not yet completed their GDPR compliance project. Many companies have expressed concern that they do not fully understand what is required to comply, whilst others say they are on the road to compliance, but the work required is significant. Companies in the financial services and technology sectors are nearer to achieving compliance than those in retail and manufacturing sectors.

The question that companies are asking is: Where does this leave us if we are still working towards compliance? Will we be fined for compliance failings by the regulator?

The regulators have taken varied positions in terms of how they intend to approach their new and greatly enhanced fining and enforcement powers under GDPR. Here are some quotes from the leaders of a number of the EU regulators which illustrate the stance they intend to take:

“There will be fines, and they will be significant. I think it is quite clear that when we do identify an infringement that’s of the gravity, duration and scope that is serious, then we are obliged to administer an administrative fine.”

– Helen Dixon, Irish DPA

“You need to make sure that this question of compliance is not focused on the legal departments, but throughout the company. It is a strategy question; it’s not a technical legal question. It has to raise to all levels of the company and obey to a strategic decision from the top.”

– Isabelle Falque-Pierrotin, French DPA; Former Chair, A29WP

“The aim of our office is to prevent harm, and we place support and compliance at the heart of our regulatory action. Voluntary compliance is still the preferred route, but we will back that up with tough action where it’s necessary.”

– Elizabeth Denham, U.K. Information Commissioner

“It’s not our first task to fine, it’s our first task to see if you’re compliant, and if you’re not compliant it will be a problem. There are no grace periods because the grace period was already two years.”

– Andrea Jelinek, Austrian DPA; Chair, A29WP

What is clear is that taking steps towards compliance will put companies in a better position than taking no steps at all—in other words, keep working towards your compliance goals, as the regulators will be mindful of what you have done, as well as what has not yet been achieved when investigating alleged compliance failings.

Threats other than regulator-led investigations are also concerning. Many fear activist-led campaigns which focus on GDPR breaches, such as whether specific consent for use of personal information has been obtained. On May 25th, the NGO Noyb.eu launched its formal complaint on this theme in France against two major tech giants. It was closely followed by another French activist group, La Quadrature du Net, which filed formal complaints solicited from 12,000 members of the public on a similar theme, this time against seven major tech giants. If these are indicators, NGOs across Europe are likely to be aggressive in their use of the new regulations to pursue actions for what they perceive to be historical data abuses.

We will track significant developments following the implementation of GDPR and provide you with regular updates in this feature.

Reporter, Kim Roberts, London, +44 20 7551 2133, kroberts@kslaw.com.

ALSO IN THE NEWS

The K&S FinTech and Beyond Summit – The K&S FinTech and Beyond Summit will be held on the afternoon of June 14, 2018, at the Palace Hotel in San Francisco. The Summit is titled “The Regulation of Payments, Cryptocurrencies and the Blockchain,” and will include a dialogue between business, legal, and regulatory stakeholders to examine the opportunities and challenges recent developments in these sectors are presenting to regulatory compliance and product innovation. Additional details about the upcoming Summit, including registration information and the agenda, can be found here.