HL Chronicle of Data Protection Privacy & Information Security News & Trends

Tag Archives: cybersecurity

Posted in Cybersecurity & Data Breaches

Life is Short. Take Cybersecurity Seriously

This article is not about morality but about an urgently-needed change in behaviour. For real and for good. The much talked-about saga involving the theft and subsequent publication of customer data from extramarital affairs website Ashley Madison has sparked many debates. Opinions have ranged from those who see this as a just punishment for the organised cheating industry to those who have ranked this hack as the most serious privacy violation since the invention of the Internet. The degree of sympathy for the victims has also been variable, but what appears to be a constant theme is the perception that this incident will have more dramatic consequences than any other cyber-attacks we have seen.

Posted in Cybersecurity & Data Breaches

NIST Requests Input on Revised Cryptographic Standards

On August 12, the National Institute of Standards and Technology published a Request for Information to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Fair Information Processing Standard 140-2, which has provided the baseline requirements for the development, testing, and validation of cryptographic modules since 2001. While the RFI seeks input on several questions, NIST is primarily interested in the risks and benefits of transitioning—in whole or in part—to a competing standard developed by the International Standards Organization and International Electrotechnical Commission: ISO/IEC 19790:2012.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Tackles Cybersecurity in the Smart City

After the recent release of the discussion draft of its Framework for Cyber-Physical Systems, the National Institute for Standards and Technology has continued its push to facilitate the development of a more secure interconnected environment by convening a workshop on cybersecurity for smart cities. Co-hosted by the Cyber Security Research Alliance and titled “Designed-in Cybersecurity for Smart Cities: A Discussion of Unifying Architectures, Standards, Lessons Learned and R&D Strategies,” the workshop brought together representatives of government, industry, and academia to discuss how cybersecurity and privacy might be designed into the infrastructure of smart cities.

Posted in Cybersecurity & Data Breaches

FCC Seeks Comment on Cybersecurity Recommendations for Communications Providers

The U.S. Federal Communications Commission’s Public Safety and Homeland Security Bureau has requested public input on a recent report on Cybersecurity Risk Management and Best Practices by the Communications Security, Reliability and Interoperability Council for communications providers. The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Comments are due May 29, with replies due June 26.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Executive Order Authorizes Economic Sanctions as New Tool for U.S. Cyber Defense

On 1 April 2015, President Obama signed an Executive Order authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States. The Treasury Department’s Office of Foreign Assets Control simultaneously released FAQs related to the Order. The White House, in a statement by President Obama and in FAQs on the White House Blog, explained that the Order will be used to impose targeted sanctions against the “worst of the worst” malicious cyber actors, as well as companies that knowingly use stolen trade secrets.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

NIST Releases Discussion Draft on Cyber-Physical Systems Framework

This week, the National Institute of Standards and Technology released a preliminary discussion draft of its Framework for Cyber-Physical Systems. The draft has an ambitious goal: to create an integrated framework of standards that will form the blueprint for the creation of a massive interoperable network of cyber-physical systems (CPS), also known as the “Internet of Things.” In 2014, NIST established the cyber-physical systems public working group (CPS PWG)—an open public forum which includes representatives from government, industry, and academia—to develop the CPS framework. By creating a common framework at an early stage of the Internet of Things, the CPS PWG hopes to ensure the development of a secure, integrated, and interoperable ecosystem of connected devices. The CPS PWG will continue to solicit input as it refines the draft and works to finalize the framework for use in multiple industry sectors.

Posted in Cybersecurity & Data Breaches

New Study Provides Cybersecurity Insights for Corporate Counsel

A recently-released research study published by Indiana University’s Bloomington School of Law highlights the rising importance of cybersecurity law and provides current insights on the role lawyers are playing to help protect companies from cyber threats. The study, entitled “The Emergence of Cybersecurity Law,” is based on a survey of corporate law departments as well as interviews conducted with lawyers, consultants, and academic experts.

Posted in Consumer Privacy

The 2015 State of the Union Addresses Cybersecurity, Data Security, and Privacy

Tonight, the President’s State of the Union address covered, as he put it, “the tasks that lie ahead.” Among the policy initiatives that he proposed, he “urge[d]…Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” What he was referring to is a set of cybersecurity and info sharing initiatives and privacy and data security proposals that the White House started rolling out last week. The President also alluded to a report to be released next month that will address the Administration’s actions to curtail domestic surveillance programs. We provide here excerpts of the President’s address that discuss cybersecurity, data security, and privacy.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

The White House Announces a Cybersecurity Summit and Information Sharing Proposals

President Obama today addressed cybersecurity for the second time in as many days in a speech at the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). Early this morning, the White House announced a February 13 Summit on Cybersecurity and Consumer Protection and released further details on several initiatives to promote cybersecurity information sharing between the private sector and government. The President then convened a meeting with congressional leaders in which he discussed cybersecurity issues. Speaking about his cooperation with House Speaker John Boehner (R-OH) and Senate Majority Leader Mitch McConnell (R-KY), the President noted “I think we agreed that this is an area where we can work hard together, get some legislation done and make sure that we are much more effective in protecting the American people from these kinds of cyber attacks.” Today’s developments follow the President’s address to the Federal Trade Commission (FTC) yesterday, in which he announced a legislative proposal on national data breach reporting and emphasized the importance of student and consumer privacy. Together, these events provide a preview of initiatives that the President is expected to highlight during his State of the Union address on January 20.

Posted in Consumer Privacy, Cybersecurity & Data Breaches

The White House Pushes Privacy and Data Security in Advance of the State of the Union

Today, the President spoke at the Federal Trade Commission on the importance of preventing identity theft and improving consumer and student privacy. Today’s speech has been billed as a first look at a broader White House policy initiative on cybersecurity, identity theft, and privacy that will continue this week and will be included in the President’s State of the Union address to Congress on January 20th. Tomorrow, the President will highlight the work of the Department of Homeland Security and the importance of public-private collaboration on cyber threats and is expected to release policy proposals over the coming weeks.

Posted in Cybersecurity & Data Breaches

NIST Issues Update on Cybersecurity Framework, Highlights Priorities Moving Forward

On December 5, the National Institute of Standards and Technology issued an update regarding its Framework for Improving Critical Infrastructure Cybersecurity. Since its release in February 2014, the Framework has become an important benchmark for corporate cybersecurity programs. NIST’s update addresses industry input received from an October workshop and an August Request for Information. It also describes NIST’s plans to support future use of the Framework.

Posted in Cybersecurity & Data Breaches

Conference on Medical Device and Healthcare Cybersecurity Highlights New Challenges

The medical internet of things is coming. That was the common recognition of participants at a two-day public workshop on “Collaborative Approaches for Medical Device and Healthcare Cybersecurity” co-sponsored by the Food and Drug Administration, Department of Health and Human Services, and the Department of Homeland Security. The workshop comes during a busy month for medical device cybersecurity, with the FDA issuing final guidance earlier this month and DHS indicating that it is reviewing dozens of potential cybersecurity vulnerabilities in medical devices.

Posted in Cybersecurity & Data Breaches

NIST Seeks Information on Cybersecurity Framework Experience

Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity, on August 21 the National Institute of Standards and Technology put forward a draft Request For Information to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.

Posted in Cybersecurity & Data Breaches

DOJ and FTC Clarify Antitrust Implications of Cybersecurity Information Sharing

On April 10, 2014, the Department of Justice and Federal Trade Commission issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.

Posted in Consumer Privacy

FTC Continues to Enforce Security Statements

The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.

Posted in Cybersecurity & Data Breaches

New U.S. Cybersecurity Framework Issued: In Wake of Cyberattacks and Lawsuits, How Should Organizations Respond?

With cyberattacks prompting litigation, regulatory inquiries, and reactions from customers and media outlets on an almost daily basis, companies of every type are considering what they should be doing now to address the risks of cyber intrusions and data security breaches. The “Framework for Improving Critical Infrastructure Cybersecurity” issued earlier this month by the National Institute for Standards and Technology provides a comprehensive menu of measures that can be used by organizations to address cybersecurity risk. In this alert, the Hogan Lovells Privacy Team describes this new resource and its implications for companies and suggests steps organizations can take now to assess whether to use it to manage cyber risk.

Posted in Cybersecurity & Data Breaches, International/EU Privacy

Survey Exposes Gaps in UK Companies’ Readiness for Cyber Threats

A recent survey from the UK Government’s Department for Business, Innovation and Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.

Posted in Cybersecurity & Data Breaches, News & Events

Cybersecurity Seminar Tackles Business Risks from Cyber Attacks

On 20 November 2013, Hogan Lovells hosted a cybersecurity seminar at its London offices, gathering a panel of experts in the field to discuss a subject that has become a growing concern for businesses worldwide. The seminar sought to address the cyber risks currently facing businesses, what businesses should do if a cyber attack occurs, the legal issues a business should consider when responding to a cyber attack, and the options for protecting your business with cyber risk and data protection insurance.

Posted in Cybersecurity & Data Breaches

Hogan Lovells Partner Advocates for Privacy, Contributes Strawperson to US Cybersecurity Framework Process

At a November 14 workshop convened by the National Institute for Standards and Technology, experts and leaders across government and industry voiced alarm at the vulnerability of computerized systems and devices to a rising tide of threats from sources as varied as nation-state actors, cybercrime rings, and political movements. This blog post discusses the conference, including remarks by Hogan Lovells partner and Future of Privacy Forum advisory board member Harriet Pearson endorsing the consideration of privacy in cybersecurity efforts.

Posted in Cybersecurity & Data Breaches

NIST Releases Preliminary Cybersecurity Framework; Comment Period to Start Shortly

On October 22, NIST released the official Preliminary Cybersecurity Framework under development pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. A formal 45-day comment period will begin once the Preliminary Cybersecurity Framework is published in the Federal Register, which is expected next week. NIST remains on track to meet the Executive Order’s February 2014 deadline for issuance of the final Cybersecurity Framework.

Posted in Cybersecurity & Data Breaches

NIST Releases Discussion Draft of Preliminary Cybersecurity Framework

On August 28, NIST released a discussion draft of the Preliminary Cybersecurity Framework that it is developing pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. NIST invites stakeholder review and input of this discussion draft, leading into the publication of the Preliminary Cybersecurity Framework on October 10 for formal public comment. The discussion draft follows on what has already been an active summer with respect to cybersecurity.

Posted in Consumer Privacy, Cybersecurity & Data Breaches, Financial Privacy, International/EU Privacy

EU Commission: Data Breach Notification for Telecoms Providers and ISPs within 24 Hours

Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers […]