The Federal Trade Commission recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity issued in 2014 by the National Institute of Standards and Technology and strongly endorsed by the White House. The FTC first explains how this question has a faulty premise, as the Framework is not designed to be a compliance checklist. Instead, in this new blog post, the FTC outlines how the FTC’s enforcement actions comport with the Framework’s five Core functions—Identify, Protect, Detect, Respond, and Recover—and emphasizes how both the Framework and the FTC’s approach highlight risk assessment and management, along with implementation of reasonable security measures, as the touchstones of any data security compliance program.
The US government has been increasingly active in cybersecurity legislation and enforcement. Congress recently passed the Cybersecurity Act of 2015, which has spurred renewed attention to cybersecurity requirements and cyber threat information sharing. The US government continues to draw attention to how organizations can align their cybersecurity programs with the NIST Cybersecurity Framework. Moreover, a number of federal agencies including the Consumer Financial Protection Bureau, Federal Trade Commission, and Federal Communications Commission have all issued settlements relating to cybersecurity enforcement actions in recent months. In the health sector, the US Department of Health and Human Services has been increasingly focused on cybersecurity, primarily through its HIPAA enforcement activities. Against that backdrop, three recent developments demonstrate the ways in which HHS and the health sector are expanding their cybersecurity focus beyond HIPAA Security Rule compliance.
Corporate boards and senior management are more focused than ever before on cyber incident prevention and preparedness. Recently thecorporatecounsel.net, an influential resource for corporate governance lawyers, addressed this topic in a program entitled “Cybersecurity: Working the Calm Before the Storm,” describing what the board and senior management can do to prepare for the inevitable cybersecurity breach. The program featured Hogan Lovells Partner Harriet Pearson.
The Hogan Lovells Privacy Team looks forward to seeing many of you this week at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C. We are delighted to once again participate in the Summit as a gold level sponsor and hope you will visit us at Booth 7 in the Exhibition Hall to learn more about our Global Privacy and Information Management Practice. Hogan Lovells attorneys will also be featured at a number of breakout sessions.
On February 12 at a White House event headlined by two Cabinet Secretaries, the President’s Chief of Staff, and three CEOs, the National Institute of Standards and Technology released version 1.0 of a “Framework for Improving Critical Infrastructure Cybersecurity.” Likely to become a highly influential benchmark for assessing the reasonableness of corporate cybersecurity programs, the Framework was developed with input from hundreds of private sector, governmental, and other experts pursuant to the President’s Executive Order on Improving Critical Infrastructure Cybersecurity.
At a November 14 workshop convened by the National Institute of Standards and Technology, experts and leaders across government and industry voiced alarm at the vulnerability of computerized systems and devices to a rising tide of threats from sources as varied as nation-state actors, cybercrime rings, and political movements. This blog post discusses the conference, including remarks by Hogan Lovells partner and Future of Privacy Forum advisory board member Harriet Pearson endorsing the consideration of privacy in cybersecurity efforts.