Photo of Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley is a counsel in the Washington, D.C. office of Crowell & Moring, where she is a member of the firm's Privacy & Cybersecurity, Government Contracts, and Litigation groups. Her practice covers a wide range of counseling and litigation engagements, including cybersecurity compliance reviews, risk assessments, incident response, law enforcement cooperation, regulatory investigations, data breach class actions, trade secrets litigation, and health care disputes.

Kate is a Certified Information Privacy Professional for both the U.S. private and government sectors (CIPP/US, CIPP/G) and has been named a “Rising Star” by both Law360 (2018) and the American Bar Association's Science & Technology Section (2016).

 

 

The National Institute of Standards and Technology (“NIST”) has extended the comment period on its recently released draft documents, NIST SP 800-171 Revision 2 and NIST SP 800-171B. The comment period for both NIST SP 800-171 Revision 2 and NIST SP 800-171B was initially open until July 19, 2019. It was recently extended to

Oregon has recently passed a new cybersecurity statute, joining California in requiring manufacturers of “connected devices” to equip qualifying technology with “reasonable security features.” The new law will go into force on January 1, 2020. For further analysis, visit our recent client alert.

As the country’s new Congress settles into its term, several technology issues are coming to the forefront. A number of Senators recently questioned the Department of Justice over how it is collecting cellphone-location data in the wake of the Supreme Court’s landmark Carpenter decision. Carpenter v. United States, 138 S. Ct. 2206 (2018). The House of Representatives is considering a renewed version of legislation that would strengthen the security of “Internet of Things” technologies used by the federal government. And politicians and pundits throughout Capitol Hill are asking whether this will be the year that comprehensive federal privacy legislation becomes law. As it turns out though, some of the nation’s top courts are already tackling these tough issues. In fact, the Seventh Circuit’s opinion last year in Naperville Smart Meter Awareness v. City of Naperville, 900 F.3d 521 (7th Cir. 2018), has received relatively little reporting, but its impact will be broad when it comes to how courts interpret the Fourth Amendment in the era of big data.

In Naperville, the Seventh Circuit heard an appeal concerning the city’s “smart meter” program. Without residents’ permission, Naperville had been replacing traditional energy meters on its grid with “smart meters” for homes. Each smart meter collected thousands of readings a month, as opposed to just the previous single monthly readings. According to the plaintiffs, the repeated readings of the smart meters collected data at such a granular level that they revealed what appliances were present in homes and when they were used. Considering the potential privacy impact, the Seventh Circuit found that Naperville’s collection of smart meter data from residents’ homes constituted a “search” under the Fourth Amendment.
Continue Reading

The Department of Defense recently released a memorandum directing the Defense Contract Management Agency (DCMA) to implement and assess company-wide cyber compliance with the DFARS Safeguarding Clause and related security standard, NIST SP 800-171.  For further analysis, visit our Government Contracts Legal Forum blog post.

Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:


Continue Reading

Concluding its investigation into the internal accounting controls of nine public issuers who were recent cyber fraud victims, the Securities and Exchange Commission (“SEC”), Division of Enforcement explicitly reminded issuers to consider cyber-related threats in developing and deploying their Section 13(b)(2)(B) internal accounting controls.

The SEC emphasized the importance of tailoring internal accounting controls to cyber-related threats, noting that cyber frauds like those carried out in the nine cases it investigated have caused “over $5 billion in losses since 2013, with an additional $675 million in adjusted losses in 2017.”
Continue Reading

The National Institute of Standards and Technology (NIST) has recently provided a glimpse into their revised Risk Management Framework (RMF).  NIST issued a Final Draft of Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations–A System Life Cycle Approach for Security and Privacy.  The focus of the revised

The Navy has recently issued a policy memorandum entitled “Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks” that calls for heightened cybersecurity requirements and oversight for “critical” government contractors handling their sensitive government data, broadly referred to as controlled unclassified information (“CUI”) or “covered defense information” (CDI) within the defense sector. 

Responding to the rise of interconnected technology, the National Institute for Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks.  Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and

The federal government has kept busy this summer by issuing multiple regulations impacting government contractors’ cybersecurity.  First, the Department of Defense released the 2019 National Defense Authorization Act (NDAA), which included notable cybersecurity provisions involving foreign ownership and Controlled Unclassified Information (CUI), among others.  Second, Congress passed the NIST Small Business Cybersecurity Act requiring the