Data Law Insights

Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

SEC Encourages Internal Accounting Controls to Guard Against Cyber Fraud

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies
Paul RosenDaniel ZelenkoKate M. Growley, CIPP/G, CIPP/USMichael G. Gruden, CIPP/GPaul Mathis

Concluding its investigation into the internal accounting controls of nine public issuers who were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”), Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.” Continue Reading

NIST Offers Insight Into Updated Risk Management Framework

Posted in Cybersecurity / Data Security
Peter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPTKate M. Growley, CIPP/G, CIPP/USMichael G. Gruden, CIPP/G

The National Institute of Standards and Technology (NIST) has recently provided a glimpse into their revised Risk Management Framework (RMF).  NIST issued a Final Draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy.  The focus of the revised Framework, which is open for comment through October 31, 2018, is to integrate privacy and data security.  The RMF features several updates aimed at supply chain risk, the NIST Cybersecurity Framework, and the pending update to NIST SP 800-53, Revision 5, which is focused on information security for federal information systems but now with an added emphasis on privacy-by-design.  One of the key changes to the Framework is the introduction of a new step in the RMF process – “Prepare.”  The purpose of this step is to achieve more cost-effective and efficient security and privacy risk management processes. The revision also seeks comment about a new task to improve the quality of privacy and security risk assessments, “identify[ing] and understanding all stages of the information life cycle.” In addition, the updated Risk Management Framework includes among others the following objectives, which strike some familiar notes:

    • Integrating security-related, supply chain risk management concepts into the RMF to address untrustworthy suppliers (e.g., poor manufacturing, counterfeits, tampering, malicious code, etc.);
    • Demonstrating how the NIST Cybersecurity Framework can be combined with the RMF to establish NIST risk management processes;
    • Allowing an organization-generated control selection approach to support the use of the consolidated control catalog in the pending NIST SP 800-53, Revision 5.

The revised RMF reflects the increasing trend, at NIST and more broadly in both the public and private sectors, toward approaching risk assessment and risk management as a comprehensive, enterprise-wide responsibility rather than as a series of discrete activities divided into subject matter silos.

Navy Boils The Ocean on Cyber

Posted in Cybersecurity / Data Security, Privacy
Evan D. WolffKate M. Growley, CIPP/G, CIPP/USMichael G. Gruden, CIPP/G

The Navy has recently issued a policy memorandum entitled “Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks” that calls for heightened cybersecurity requirements and oversight for “critical” government contractors handling their sensitive government data, broadly referred to as controlled unclassified information (“CUI”) or “covered defense information” (CDI) within the defense sector.  The memo reflects a continued focus within the Department of Defense on evaluating contractors’ compliance with the Defense Federal Acquisition Regulation Supplement (“DFARS”) 252.204-7012 Safeguarding Clause, which defines the baseline protections that all defense contractors need to implement to protect CDI.  Under the Clause, contractors must demonstrate their IT security compliance with 110 security controls found within the National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171 through documentation in a System Security Plan (“SSP”), even if that documentation discusses how certain controls are not yet implemented.  The Navy memo takes those requirements several steps further.  For example, the Navy will require select contractors to submit fully implemented SSPs for evaluation – something the DoD has generally discussed but not yet done on this programmatic scale.  The Navy’s evaluation will also ensure that historically challenging NIST requirements such as multifactor authentication and data encryption are satisfactorily met.  Additionally, the Navy will require wholly new requirements not found in the Clause.  Among them is the requirement to allow the Naval Criminal Investigative Services (“NCIS”) to install “network sensors” on contractors’ information systems when NCIS intelligence detects a potential vulnerability.

These Naval additions highlight the potentially divergent approaches that different arms of the DoD are beginning to take in response to their unique risk calculations.  The memo serves as a reminder that the extensive cybersecurity requirements of the DFARS are only the floor and remain subject to each government customer identifying its own ceiling.

Outcome of Privacy Shield Review Uncertain, Despite U.S. Steps Toward Compliance

Posted in GDPR, Privacy
Maarten StassenLee Matheson CIPP/US, CIPP/E, CIPP/A, CIPM

When the European Commission re-approved the Privacy Shield agreement during its first annual review in the fall of 2017, permitting the transatlantic transfer of personal information to compliant U.S. companies to continue, it did so with a number of reservations. As the Privacy Shield agreement fast approaches its second annual review at the end of this week, it remains to be seen if the steps taken by the U.S. government at the close of the summer will be enough to satisfy skeptical European lawmakers.

Continue Reading

New Internet of Things (IoT) NIST Draft Publication Provides Welcomed Guidance

Posted in Cybersecurity / Data Security, Government Agencies, Government Regulations & FISMA, Health IT, Internet of Things, Privacy
Cheryl A. FalveyKate M. Growley, CIPP/G, CIPP/USMichael G. Gruden, CIPP/G

Responding to the rise of interconnected technology, the National Institute for Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks.  Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks aims to increase awareness of federal agencies and other organizations concerning the cybersecurity and privacy risks related to IoT devices throughout their lifecycles.  NIST intends for NISTIR 8228 to be a high-level baseline publication for IoT device risk mitigation since few recommendations can apply to all IoT concerns due to the myriad uses for and types of IoT devices.  NIST plans to issue subsequent publications that provide more detailed recommendations for certain IoT device categories.  Notably though, Appendix A of the Draft NISTIR 8228 lists examples of possible universal IoT risk mitigation recommendations.

In the Draft NISTIR 8228, NIST highlights the unique risks that IoT devices present since they interact differently with information systems compared to traditional IT devices.  In addition, NIST raises the concern that many organizations are not aware of the large volume of IoT devices functioning within their information system environment, as well as how IoT devices can affect cybersecurity and privacy risk management, especially in terms of risk response.  The Draft NISTIR 8228 presents the following three risk mitigation goals for organizations:

  • Protect device security by preventing devices from being used to conduct attacks;
  • Protect data security by safeguarding the confidentiality, integrity, and availability of data handled by the device, including personally identifiable information (PII); and
  • Protect the privacy of individuals impacted by PII processing.

This draft publication is a much-anticipated addition to the NIST regulatory compendium, as IoT interfacing shows no signs of ceasing.

No Summer Vacation for Government as New Cybersecurity Legislation Passes

Posted in Cybersecurity / Data Security
Jeffrey L. PostonKate M. Growley, CIPP/G, CIPP/USMichael G. Gruden, CIPP/G

The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity.  First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others.  Second, Congress passed the NIST Small Business Cybersecurity Act requiring the National Institute of Standards and Technology (NIST) to develop guidance and resources for small-and-medium-sized businesses to minimize cybersecurity risks.

This recent legislation emphasizes the federal government’s increased emphasis on safeguarding government data.  For more information, please contact the professional(s) listed here, or your regular Crowell & Moring contact. 


Posted in Cybersecurity / Data Security, Government Agencies, Government Contracting, Government Regulations & FISMA, Litigation
Evan D. WolffMaida Oringher LernerMatthew B. Welling

After over a decade, the first action has been filed that may test the bounds of the Support Anti-Terrorism by Fostering Effective Technologies Act (“SAFETY Act”) of 2002. MGM Resorts International recently filed suit related to the October 2017 Mandalay Bay country music concert shooting, asking a federal court to rule that it cannot be held liable because the security technology used at the concert was certified by the Department of Homeland Security (“DHS”) under the SAFETY Act.

The SAFETY Act, enacted as part of the Homeland Security Act of 2002 (Pub. L. No. 107-296), provides incentives for the development and deployment of anti-terrorism technologies, including products, services and software (or combinations thereof), by creating systems of risk and litigation management. To benefit from SAFETY Act protections, a company must apply to DHS for approval of its technology as a qualified anti-terrorism technology (“QATT”). Upon submission of a SAFETY Act application, DHS engages in a detailed evaluation of the technology, including the effectiveness of the technology’s anti-terrorism capability.

Once a technology is deemed qualified, it is entitled, under federal law, to significant limitations on liability which may otherwise stem from a designated “act of terrorism.” For technology DHS “certifies” as qualified under the Act, the owner, seller and/or provider of the QATT is presumptively entitled to immunity from all tort claims for damages arising out of an act of terrorism associated with the protect or service. Alternatively, if the product or service receives a “designation” under the Act, potential tort liability is limited to the amount of insurance that DHS determines the applicant should maintain in connection with such losses. Significantly, the SAFETY Act affords protection not only to the owner of the QATT, it also protects other entities in the supply and distribution chains for the QATT products and services.

While DHS has approved over 800 SAFETY Act applications to date, the MGM suit is the first where a defense under the Act has been raised before a court. A key issue in the MGM suit will be whether the shootings were an “act of terrorism” under the Act. Because the suit is the first to raise a defense under the Act, the case will likely be of interest broadly to companies owning or deploying SAFETY Act QATTs, as well as those considering applications to DHS.

Upcoming NIST Hosted DFARS Safeguarding Clause & CUI Training – October 18, 2018

Posted in Cybersecurity / Data Security
Evan D. WolffMaida Oringher LernerPeter B. Miller, CIPP/G/US, CIPP/E, CIPM, CIPTKate M. Growley, CIPP/G, CIPP/USMichael G. Gruden, CIPP/G

The National Institute of Standards and Technology (“NIST”) is hosting a cybersecurity workshop on the Defense Federal Acquisition Regulation System (“DFARS”) Safeguarding Clause and related regulations on Thursday, October 18, 2018.  The workshop, in coordination with the Department of Defense (“DoD”) and the National Archives and Records Administration (“NARA”), will provide an overview of Controlled Unclassified Information (CUI), the DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. The workshop will be webcast and held at NIST in Gaithersburg, MD.

In the event that you are unable to attend, Crowell & Moring attorneys will be in attendance and can provide a summary of notable takeaways from the workshop.

A draft agenda and on-site registration are available here.  

Colorado’s New Data Privacy Bill Increases Notification and Safeguarding Requirements

Posted in Cybersecurity / Data Security, Privacy
Evan D. WolffMaida Oringher LernerMatthew B. WellingMichael G. Gruden, CIPP/G

The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents.  Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame required to notify affected Colorado residents and the Attorney General of a data breach within 30 days of determining a data breach occurred; 2) requiring business and third party entities to adopt “reasonable security procedures” to safeguard personally identifiable information (“PII”) handled; and 3) imposing data disposal rules for such entities.

Notable provisions of the bill include:

  • Expanding the Definition of Personal Information: The Colorado bill expands the definition of PII to a resident’s first name or first initial and last name plus one or more additional element: 1) Social Security Number or Personal ID Number; 2)  Passport Number; 3) Driver’s License or ID Card Number; 4) Employer, Student, or Military ID Number; 5) Password or Passcode; 6) Biometric Data; or 7) Financial Transaction Device (e.g., credit or debit card, etc.).
  • Increasing Data Safeguarding and Disposal Responsibilities:  Entities that possess PII of Colorado residents are required to implement “reasonable security procedures” appropriate to the nature of the data and the nature and size of the organization.   Entities must also maintain a written policy requiring destruction of PII when it is “no longer needed” in order to make the data “unreadable or indecipherable.”
  • Third Party Enforcement:  Entities that provide PII to a third party service provider must require that third party to implement and maintain the same reasonable security procedures as required of the entity.  However, an entity may decide to provide its own reasonable security protection for the information it provides to the service provider in order to eliminate the third party enforcement requirement.

For further information, please contact one of the attorney authors or your regular C&M professional.

The CLOUD Act and the Future of International Access to E-Evidence

Posted in Cloud Computing, Criminal Law, Cybersecurity / Data Security, Government Agencies, Preservation, Privacy
Joanne OleksykStephen Byers

Attorney General Jeff Sessions and EU Justice Commissioner Věra Jourová have met twice over the last two weeks, signaling momentum towards a new EU-U.S. solution for the sharing of electronic evidence. These meetings occurred in the wake of proposed regulations on the sharing of electronic evidence in the EU, and the passage of the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) in the United States. The CLOUD Act, passed as a rider to the omnibus spending bill in March 2018, clarifies that warrants and subpoenas issued under the Stored Communication Act can reach data stored overseas and provides a streamlined process for foreign governments to obtain data stored in the United States.

Although the CLOUD Act establishes the government’s right to obtain data stored abroad under U.S. law, electronic communication or storage providers could have conflicting obligations under the laws of other countries. The CLOUD Act partially addresses this conflict by creating a process by which a recipient of legal process under the SCA can challenge it. But this challenge process is limited. Providers can only challenge the legal process due to conflicting obligations under another the law of a foreign government if (a) the subscriber whose information is sought is not a U.S. person or resident and (b) the foreign government has entered into an “Executive Agreement,” as defined by the CLOUD Act.

Executive Agreements under the CLOUD Act are agreements between the United States and a foreign government that allow each party reciprocal rights of access to data. An Executive Agreement would allow a foreign government to issue an order for electronic evidence to a provider subject to U.S. jurisdiction where the order is (a) issued in compliance with the domestic law of that country; (b) founded on reasonable justification; (c) related to the investigation of a serious crime; and (d) targets a non-U.S. person.

The Executive Agreement framework marks a substantial departure from prior practice, which required use of the Mutual Legal Assistance Treaty (MLAT) process to obtain data located in a foreign country. Where a foreign country seeks data stored in the U.S., the MLAT procedure requires an order to be issued by a United States magistrate judge. The Executive Agreement eliminates this ex-ante judicial check on foreign demands for data. As of May 24th, negotiations with foreign governments over Executive Agreements had not yet begun, although the Department of Justice has indicated that several foreign governments have expressed interest.

As domestic and foreign laws are updated to account for the trend of data becoming increasingly untethered to geographic location, greater international harmonization is necessary. Without harmonization, providers can face circumstances where the law of one country requires disclosure that the law of another prohibits. The CLOUD Act takes a step towards harmonization by creating the challenge process, but it presupposes that countries will enter into Executive Agreements under its terms. EU Justice Commissioner Věra Jourová has already been critical of this aspect of the CLOUD Act, tweeting that it “narrows the room for the potential compatible solution between EU-US.” Should countries find the CLOUD Act’s requirements for Executive Agreements untenable, the CLOUD Act’s legacy may be as an obstacle to rather than a tool for international electronic communication or storage providers.