Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity, on August 21 the National Institute of Standards and Technology put forward a draft Request For Information to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.
On April 10, 2014, the Department of Justice and Federal Trade Commission issued a joint policy statement on the antitrust implications of sharing cybersecurity information to help facilitate the flow of cyberintelligence throughout the private sector. The statement addresses the long-standing concern that sharing cyberintelligence may violate antitrust law under certain circumstances and explains the analytical framework for such arrangements to make it clear that legitimate cyberintelligence exchanges will not raise antitrust issues.
The Federal Trade Commission (“FTC”) has settled with two mobile application developers, Fandango and Credit Karma, over charges that they misrepresented the security of their mobile applications. According to the FTC, the developers failed to provide reasonable and appropriate security when their mobile applications transmitted consumers’ sensitive information. The particular issues noted by the FTC in its complaints against the developers differ to some degree, but the complaints share a common thread: the developers disabled the Secure Sockets Layer (SSL) protocol, which authenticates and encrypts communications across networks. In our post, we provide a high-level description of how SSL works, summarize the FTC’s complaints against Fandango and Credit Karma, and identify some important takeaways from these settlements.
On March 27, senior members of the Hogan Lovells Privacy and Cybersecurity practice will present a timely and practical webcast on how businesses can prepare for and address the risks of cybersecurity incidents in this time of high alert. Visit the full blog post to learn more and to register for this free event.
With cyberattacks prompting litigation, regulatory inquiries, and reactions from customers and media outlets on an almost daily basis, companies of every type are considering what they should be doing now to address the risks of cyber intrusions and data security breaches. The “Framework for Improving Critical Infrastructure Cybersecurity” issued earlier this month by the National Institute for Standards and Technology provides a comprehensive menu of measures that can be used by organizations to address cybersecurity risk. In this alert, the Hogan Lovells Privacy Team describes this new resource and its implications for companies and suggest steps organizations can take now to assess whether to use it to manage cyber risk.
A recent survey from the UK Government’s Department for Business, Innovation and Skills has highlighted that the majority of FTSE 350 firms are not regularly taking cyber risks into account in their decision making. Despite a growing international trend in cyber crime targeted at businesses, the survey showed that only 14 percent of FTSE 350 companies regularly consider cyber threats, and nearly half of those surveyed do not even include cyber risks on their company’s strategic risk register.
On 20 November 2013, Hogan Lovells hosted a cybersecurity seminar at its London offices, gathering a panel of experts in the field to discuss a subject that has become a growing concern for businesses worldwide. The seminar sought to address the cyber risks currently facing businesses, what businesses should do if a cyber attack occurs, the legal issues a business should consider when responding to a cyber attack, and the options for protecting your business with cyber risk and data protection insurance.
At a November 14 workshop convened by the National Insitute for Standards and Technology, experts and leaders across government and industry voiced alarm at the vulnerability of computerized systems and devices to a rising tide of threats from sources as varied as nation-state actors, cybercrime rings, and political movements. This blog post discusses the conference, including remarks by Hogan Lovells partner and Future of Privacy Forum advisory board member Harriet Pearson endorsing the consideration of privacy in cybersecurity efforts.
On October 22, NIST released the official Preliminary Cybersecurity Framework under development pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. A formal 45-day comment period will begin once the Preliminary Cybersecurity Framework is published in the Federal Register, which is expected next week. NIST remains on track to meet the Executive Order’s February 2014 deadline for issuance of the final Cybersecurity Framework.
On August 28, NIST released a discussion draft of the Preliminary Cybersecurity Framework that it is developing pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity. NIST invites stakeholder review and input of this discussion draft, leading into the publication of the Preliminary Cybersecurity Framework on October 10 for formal public comment. The discussion draft follows on what has already been an active summer with respect to cybersecurity.
In the past week, both the White House and Senate have taken some notable steps on cybersecurity. Both sets of developments largely relate to the Cybersecurity Framework being developed by the National Institute of Standards and Technology (NIST) pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
Under a new regulation on the notification of personal data breaches, providers of publicly available electronic communication services must provide notices to authorities of breaches within 24 hours. If the provider lacks full information about the data breach, a preliminary notice is required, with a subsequent notification within 3 days after the initial notification. The subscribers [...]
In February 2013 the European Union published the EU Cyber Security Strategy and accompanying proposed Directive. Now, in anticipation of the implementation of the Directive, the UK’s Department for Business, Innovation and Skills (BIS) has published a call for evidence to look at the impact of the Directive upon businesses in the UK.
For the second year in a row, corporate directors and general counsel have ranked cybersecurity as a top-of-mind concern. On May 8, Corporate Board Member and FTI Consulting released the results of their 2013 Law in the Boardroom survey of over 550 directors and general counsel. As the report notes, “the newest area of major concern continues a trend noted in last year’s study: data security and IT risk is one of the most significant issues for both directors and general counsel.” Hogan Lovells partner Harriet Pearson explained why cybersecurity has become a top-of-mind concern as part of her article on “Cybersecurity: the Corporate Counsel’s Agenda,” which presented a ten-point agenda for managing cyber risk.
The survey found that data security was a close second for both directors and general counsel on the list of issues that will keep them up at night. And more than a quarter of all respondents ranked cyber risk oversight as an area that will require their attention in 2013. These results are unsurprising given the past year’s heightened congressional and executive scrutiny on cybersecurity issues (e.g., congressional hearings on cybersecurity and NIST’s development of a Cybersecurity Framework), coupled with increasing media coverage of cybersecurity incidents such as this report on a coordinated “cyberheist” that stole $45 million from 2,904 ATMs in a matter of hours.
On April 25, Hogan Lovells partner Harriet Pearson testified before the US House of Representatives on the relationship between cybersecurity and privacy in business. The Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the House Committee on Homeland Security held a hearing on “Striking the Right Balance: Protecting our Nation’s Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties” to examine existing privacy protections and learn more about potential improvements. Pearson first outlined several cybersecurity-related measures that may require access to personal information, and thus potentially implicate privacy concerns. Pearson then offered her views on steps business and government can take to incorporate respect for privacy into enhanced cybersecurity.
With cybersecurity now ranked as the top concern for general counsel and corporate board members, and with the regulatory and legislative landscape so active (e.g., the House’s passage of CISPA and the President’s Executive Order), Hogan Lovells is proud to be a sponsor of the inaugural Cybersecurity Law Institute, to be held at the Georgetown University Law Center in Washington, DC, on May 22–23, 2013.
On April 18, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, which would enable companies to share information about cyber threats while benefiting from certain liability protections. The bill passed despite a White House threat earlier this week to veto the bill. The vote was 288-127, with 196 Republicans and 92 Democrats in [...]
The February 21 edition of The Corporate Counsel.Net blog presents an audio interview with Hogan Lovells partner Harriet Pearson in which the following topics are addressed: Why cybersecurity is a hot topic for lawyers now, and not just IT staff. The signficance of recent interactions on this topic between Senator Rockefeller and the CEOs of the [...]
On February 28, Hogan Lovells will present a timely and complimentary program: “Hacked? What’s Next? Handling Cybersecurity Breaches in 2013.” Cybersecurity experts have said it is not a matter of “if” but “when” a company will have to address a security breach. With regulations tightening in Europe and in the United States, the responsibility for handling and preventing these [...]
On February 12, President Obama signed an Executive Order on “Improving Critical Infrastructure Cybersecurity,” and then referenced the Order and the need for additional congressional action during the State of the Union address on the same day: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate [...]
Noting that security incidents affecting information systems “are becoming bigger, more frequent, and more complex,” and that the majority of respondents to its consultation on the topic reported having experienced such an incident in the past year, today the European Commission released a proposal for a Directive “concerning measures to ensure a high common level [...]
Cybersecurity is on the 113th Congress’ agenda given recent developments in the U.S. Senate. Today Senator Rockefeller, Chairman of the Commerce Committee, released a staff memorandum presenting the responses his office received to his September 2012 letter regarding cybersecurity practices. The letter, which we discussed in a previous post, went to the CEOs of every Fortune 500 company and requested responses to eight questions [...]
The Office of the Comptroller of the Currency (OCC) issued an alert today warning banks of a recent spate of distributed denial of service (DDoS) attacks directed at several U.S. banks, and reiterating its expectation that banks have risk management programs in place to identity and mitigate the “new and evolving threats” to online customer [...]
Michael Scheimer, an associate in the Government Contracts group, contributed to this entry. The National Defense Authorization Act for Fiscal Year 2013 (NDAA FY 13) has recently emerged from the congressional conference committee formed to reconcile the House and Senate versions of the bill. The compromise bill (HR 4310 – H Rept 112-705), which both [...]