Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. CISA sponsors and supporters hope that such information exchange will help organizations prepare for and respond more effectively to cyber threats.
In addition to CISA, the spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services (HHS) to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce.
We summarize here key cybersecurity provisions in the spending bill.
A legal tsunami of overwhelming proportions. A groundbreaking piece of legislation. A sweeping digital-privacy regime. A strict new legal framework that will have ripple effects globally. These are all hyperbolic expressions used to describe the impact of the newly agreed EU General Data Protection Regulation (GDPR). Anyone who has read and digested the GDPR will appreciate the truth of these comments, but hyperbole should always be filtered through a process of calm and objective reflection to ascertain the reality of the situation. Otherwise, our cynical human nature is likely to dismiss all of it as baseless exaggeration and to largely ignore this development, at least until it becomes enforceable in more than two years from now.
One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When the device’s owner returned home to sync daily activity with a computer, the malware could, in principle, infect the computer as well.
Recent developments in the United States suggest that cybersecurity of the maritime sector will come under increasing focus in 2016. On December 16, 2015, H.R. 3878, “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015,” passed the House of Representatives. The Bill’s language echoes and expands upon recommendations made by the General Accountability Audit’s June 5, 2014 study Maritime Port Cybersecurity. It also reflects congressional focus on enabling cybersecurity information sharing as seen in the recent passage of the Cybersecurity Information Sharing Act (CISA). (Indeed, but for the lack of a Senate companion bill, H.R. 3878 might otherwise have been included in the budget package in which CISA was enacted.)
The “Right to be Forgotten Law” (the “Law”) was signed by the Russian President on 13 July 2015 and will take effect on 1 January 2016.
The Law imposes an obligation on search engines that disseminate advertisements targeted at consumers located in Russia to remove search results listing information on individuals where such information is unlawfully disseminated, untrustworthy, outdated, or irrelevant (i.e. the information is no longer substantially relevant to the individual in question due to subsequent events or the actions of individuals). The Law includes two exemptions under which a search engine does not have to comply: (i) information on events reporting a crime where the limitation period for criminal liability has not expired; and (ii) crimes committed by an individual where their conviction record has not been erased.
Ana María Calero Pinero, an associate with Brigard & Urrutia, a Colombian law firm, contributed to this article.
The Colombian Data Protection Authority (the Superintendence of Industry and Commerce, or SIC) has issued regulations requiring all data controllers that are (i) private legal entities registered in Chambers of Commerce in Colombia (i.e., incorporated in Colombia) or (ii) partially government owned corporations (“sociedades de economía mixta”) to register their databases by November 8th, 2016. The regulations were issued on November 3, 2015, and the National Database Registry (the “Registry”) required by Colombian data protection laws was enabled on November 9, 2015. In this post, we describe the registration requirements and potential penalties for noncompliance.
It has finally happened. Like that train you are waiting for that keeps getting delayed but eventually arrives. The all-powerful trio comprising the European Parliament, the Council of the EU and the European Commission arrived at their destination after a journey of four years, and on December 15th, 2015, agreed the final text of the EU General Data Protection Regulation (GDPR). Once formally adopted in the coming weeks, the GDPR will create a completely new legal framework for the collection, use and sharing of personal information that will apply well beyond Europe.
Consider this increasingly common scenario: an employee visits an apparently legitimate website. Unbeknownst to them, the website is hosted by an organized crime group. By visiting the site, the employee has allowed the group to quietly install ransomware on their organization’s file system. Malicious code begins to encrypt files on the server before moving laterally to encrypt other servers on the network. The crime group then demands a ransom in exchange for decrypting the files.
The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology (NIST), titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence (NCCoE), with participation by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and several private sector organizations.
At a trialogue meeting on December 7, the Luxembourg Presidency of the Council of the European Union reached agreement with the European Parliament on common rules to strengthen network and information security (NIS) across the EU. The new directive will set out the first ever EU-wide cybersecurity obligations for operators of essential services and digital service providers. Essential service sectors include energy, transport, banking, financial markets, health and water supply. Operators in essential service sectors and digital service providers will be required to take measures to manage cyber risks and to report major security incidents, but the two categories will be subject to different regimes. For many such organizations, the NIS Directive constitutes the first breach reporting requirement they face in Europe.
The need for proper and legitimate powers to enable intelligence and law enforcement agencies to do their job and keep everyone safe requires little justification. We live in a dangerous and uncertain world where anyone can be a victim of intolerance. So in a show of political awareness and legislative dexterity, the UK government is currently seeking to adopt a comprehensive and sophisticated framework of modern law enforcement and intelligence gathering powers. However, in our data-rich and uber-connected way of life, those powers necessarily involve a substantial degree of intrusion into our digital comings and goings, and that makes things complicated—in a democratic state, at least.
In November 2015, the UK Government presented its draft Investigatory Powers Bill—an attempt to strike a balance between intelligence and law enforcement needs and the protection of ordinary citizens’ privacy. The bill is currently being scrutinised by a parliamentary committee and is subject to public consultation. The document—including explanatory notes—stands at 299 pages, and the Bill itself is made up of 202 clauses and nine schedules. As complex pieces of legislation go, this one is right at the top.