News & Insights

Newsletter

November 19, 2018

Data, Privacy & Security Practice Report – November 19, 2018


DHS, Pentagon To Work With Private Sector On Cyber Defense – The United States Department of Defense (“DOD”) and Department of Homeland Security (“DHS”) have reached an agreement for joint action on cyber defense, marking a shift in strategic direction and a new focus on private businesses in critical infrastructure sectors.  The agreement, signed by Defense Secretary James Mattis and DHS Secretary Kirstjen Nielsen, is intended to lead to increased sharing of information and intelligence relating to cyberattacks.  Concluded in the days leading up to the 2018 midterms, the agreement also makes resources available to protect elections from foreign interference.

The new DOD/DHS agreement follows a wider refresh of the U.S. government’s approach to cybersecurity and defense.  In September 2018, President Donald Trump signed an executive order lifting Obama-era restrictions on the Pentagon’s ability to respond in kind to cyberattacks launched by foreign governments.  The DOD subsequently published a new, more aggressive cyber defense policy, including “day-to-day competition to preserve U.S. military advantages and to defend U.S. interests.”

As DHS Assistant Secretary Jeanette Manfra explained to a joint session of the House Armed Services and House Homeland Security committees, “[t]his agreement clarifies roles and responsibilities between [DOD and DHS] to enhance U.S. government readiness to respond to cyber threats and establish coordinated lines of efforts to secure, protect, and defend the homeland.”

A new feature of the joint initiative is a range of pilot or “pathfinder” programs under which the government will share information about potential cyber threats with private industry, allowing businesses to protect network infrastructure from attacks.  For their part, private sector companies will provide information about security threats to DHS.  According to Kenneth Rapuano, Assistant Secretary of Defense for Homeland Defense and Global Security, such information will be passed on to the Pentagon “to inform DOD cyberspace operations.”

Under the proposed plan, DHS will provide cybersecurity advice and assistance to private businesses in 16 industries classed as “critical infrastructure,” with recipients ranging from chemical and power plants to companies operating in the energy, financial, and communications sectors.  Senior intelligence and military officials have raised concerns that hackers working for state actors are increasingly targeting the private sector, taking advantage of companies’ lack of sophisticated cyber defense tools and their inability to take offensive action in response to attacks.

Asked by lawmakers whether the new agreement would violate laws that restrict the DOD’s actions within the United States, Ms. Manfra and Mr. Rapuano said that the Pentagon would continue to operate within “constitutional constraints.”  Mr. Rapuano noted that, in the Pentagon’s view, any “significant threat to national critical infrastructure is a national security concern,” adding that countering domestic cyber threats “remains a DHS mission.”  Under the terms of the agreement, DOD would limit its involvement to “civil support to civil authorities in areas where their needs exceed their capabilities.”

As American voters went to the polls on November 6, 2018, the Pentagon dispatched 11 agents to the DHS’ National Cybersecurity and Communications Integration Center in Pensacola, Florida, to monitor cyber threat activity on Election Day.

Reporter, Edward Perkins, London, +44 20 7551 2169, eperkins@kslaw.com.

In Response To “Troubling” HHS OIG Report, Senator Questions FDA On Medical Device Cybersecurity Deficiencies – On November 9, 2018, Senate Judiciary Committee Chairman Charles Grassley (R-IA) wrote to U.S. Food & Drug Administration (“FDA”) Commissioner Scott Gottlieb requesting information on FDA’s efforts to address medical device cybersecurity threats following the November 1 release of the Department of Health and Human Services Office of Inspector General’s (“OIG”) report titled “The Food and Drug Administration’s Policies and Procedures Should Better Address Postmarket Cybersecurity Risk to Medical Devices.”

Senator Grassley’s letter to FDA Commissioner Gottlieb describes specific FDA medical device cybersecurity oversight and regulation deficiencies listed in the OIG report, noting that “OIG found that there was a lack of adequate testing of FDA’s ability to respond to medical device cybersecurity events, and two of its district offices had no written standard operating procedures to address recalls of medical devices that were vulnerable to cyber-attacks.”  The letter also highlights Grassley’s concerns regarding information sharing in response to cybersecurity incidents, citing OIG’s finding that “FDA’s efforts to address medical device cybersecurity vulnerabilities were susceptible to inefficiencies, unintentional delays, and potentially insufficient analysis.”

While Grassley recognizes FDA’s “proactive steps” to improve medical device cybersecurity, he states that the OIG report’s “revelations are particularly troubling because it is clear that foreign governments have focused on our governmental systems to leverage them for their benefit.”  To address those concerns, Grassley’s letter requests that the FDA provide a staff briefing, as well as written responses to various information requests, including:

  • Written summaries of the FDA’s efforts to implement the specific recommendations included in the OIG report;
  • Information regarding any FDA identification or assessment of foreign government/entity threats to “post market medical device cybersecurity”; and
  • Information regarding the FDA’s use of medical device reporting (“MDR”) data, including any cybersecurity-related uses.

Reporter, William Clarkson, Washington, D.C., +1 202 626 8997, wclarkson@kslaw.com.

New Cyber Lexicon Developed For The Global Financial Services Sector – The global financial services sector can soon share a common lexicon to address cybersecurity issues.  The Financial Stability Board (“FSB”), the international body that monitors and makes recommendations about the global financial system, published its long-awaited Cyber Lexicon earlier this month after a working group it chartered, chaired by the U.S. Federal Reserve Board and members from 15 other jurisdictions, developed the common vocabulary.

The FSB set out to develop industry practices to assist in countering cyberattacks after a recent study identified that the global financial services sector had seen a remarkable 40 percent increase in cyber crimes over a three-year period.  According to a press release issued by the FSB, “the lexicon comprises a set of approximately 50 core terms related to cyber security and cyber resilience in the financial sector,” and “is intended to support the work of the FSB, standard-setting bodies, authorities and private sector participants, e.g. financial institutions and international standards organisations, to address financial sector cyber resilience.”

The Cyber Lexicon, although already published to the FSB website, will be officially unveiled to global financial leaders at the G-20 summit, which begins on November 30, 2018, in Buenos Aires.

Reporter, Julie Crawford, Washington, D.C., +1 202 661 7814, jcrawford@kslaw.com.

INTERNATIONAL NEWS

Brazil Prepares For Implementation Of Comprehensive Data Privacy Law – On August 14, 2018, Brazil followed the global trend of governments seeking to enhance consumer data protection by approving its first general law on the subject, the General Data Privacy Protection Law (Law No. 13.709/2018 –  Lei Geral de Proteção de Dados) (“LGPD”).  The LGPD mirrors the EU General Data Protection Regulation (“GDPR”) in several ways, notably by providing a heightened level of protection for personal data and establishing detailed rules for the collection, use, processing, and storage of electronic and physical personal data.  The LGPD will become effective in Brazil in February of 2020.

Once the LGPD goes into effect, consumer consent will be required for any processing of personal information collected or processed in Brazil and for all processing of data for the purpose of offering or providing goods or services in Brazil.  The LGPD represents a marked shift in consumer data privacy protection under Brazilian law, which previously did not provide consumers with any significant level of control over a company’s use of their personal data.  The key elements of the LGPD are as follows:

  • Broad definition of personal data: Personal data under the LGPD is defined as including any information related to an identified or identifiable individual.  The LGPD also includes the concept of “sensitive personal data,” which encompasses all data that could be related to allegedly discriminatory practices, such as racial or ethnic origin, religious belief, political opinions, health, sexual, genetic, and biometric data.  The LGPD provides that processing of sensitive personal data will be subject to more restrictive rules.
  • Scope and extraterritoriality: The LGPD applies to all individuals and entities processing personal data collected or processed in Brazil or to anyone that is processing data for the purpose of offering or providing goods or services in Brazil.
  • Processing principles:Ten general principles apply to the processing of personal data under the LGPD, including, but not limited to, (i) the purpose principle—all processing must be for a specific, legitimate, informed, and explicit purpose; (ii) necessity—limiting the scope of processing data to the minimal extent necessary to achieve the objective; (iii) free access and transparency—providing consumers with broader control and information about their data; and(iv) accountability—requiring the adoption of effective procedures and measures to protect personal data.
  • Legal basis to process data: The LGPD also establishes the legal basis for processing personal data pursuant to three factors: (i) consent, which must be provided in advance and for a specific purpose, and must be free, informed, and unequivocal, and (like the GDPR) can be revoked at any time; (ii) a legal or contractual obligation; and (iii) legitimate interest of the controller or a third party, except when it violates fundamental rights.
  • Best practices: The LGPD requires the implementation of procedures, policies, and controls, and the appointment of a Data Protection Officer, who will monitor the procedures.
  • Data breach notification: In the event of a breach, companies must inform the Data Protection Authority and the owner of the data about the breach in a reasonable timeframe.
  • Cross-border adequacy level:Cross-border transfers of personal data are restricted to countries that have an adequate level of protection that is compatible with the LGPD.

Among the penalties established by the LGPD are fines up to two percent of the company’s or economic group’s revenue in Brazil in the previous fiscal year, limited to R$ 50,000,000 per violation (approx. US$ 13,330,000, as of  November 16, 2018) and the disclosure of the violation.  Both the data controller and the data processor are responsible for complying with the LGPD.

Given that the LGPD will not take effect in Brazil until February 2020, companies have time to take the appropriate steps necessary to comply with the new requirements. Some steps that companies may consider taking to ensure compliance with the LGPD include:

  • Evaluating how the LGPD may apply to their business;
  • Reviewing the legal basis for processing any relevant data;
  • Reviewing current data privacy policies;
  • Reviewing the internal procedures related to data privacy to ensure they provide an adequate level of safety;
  • Implementing internal controls to record all processing data;
  • Reviewing contracts with third parties that address data processing and making any necessary adjustments; and
  • Reviewing or creating procedures and policies related to data breaches and incidents.

The LGPD initially provided for the creation of a National Data Protection Authority (“NDPA”) which would be in charge of the implementation and oversight of the law. President Michel Temer vetoed the articles related to this provision due to a procedural issue. President Temer has, however, acknowledged the importance of the NDPA, and it is expected that the government will submit a bill to Congress to address this gap prior to the LGPD’s effective date.

Reporters, Clarissa Moliterno and Rafaela Cálcena, New York, +1 212 556 2100, cmoliterno@kslaw.com and rcalcena@kslaw.com.