Government Regulations & FISMA

Crowell & Moring LLP is pleased to release its “2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year.” The reports examine the trends and developments that will impact corporations in the coming year—from the last year of the Obama administration to how corporate litigation strategy is transforming from the inside out. This year will bring remarkable change for companies, as market disruptions and the speed of innovation transform industries like never before, and the litigation and regulatory environments in which they operate are keeping pace.
Continue Reading Crowell & Moring’s 2016 Litigation & Regulatory Forecasts: What Corporate Counsel Need to Know for the Coming Year

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.  The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors).  Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.

The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”
Continue Reading Interim Rule Could Expand Already Onerous DFARS Cyber Requirements

The Federal Trade Commission (FTC) has struck again in the data privacy world, this time at 13 companies that allegedly misrepresented in their privacy statements that they were U.S.-EU or U.S.-Swiss Safe Harbor certified. This latest enforcement sweep demonstrates the FTC’s privacy focus and reinforces the need for companies to make accurate public representations.

The FTC charged the 13 companies with misleading consumers and has proposed placing them under a familiar 20-year consent order. The consent order requires the companies to refrain from misrepresenting privacy or security program adherence and to keep strict records for the FTC’s overview. For the next 20 years, any companies that disobey the consent order will be subject to a $16,000 civil penalty per violation.
Continue Reading Recent FTC Safe Harbor Enforcement Takeaways

The recent arrests of Chinese nationals for alleged economic espionage are raising eyebrows across American industries, who are rightfully asking how they can protect themselves from becoming the next foreign target. U.S. universities have been key figures in these headlines. The risk of economic espionage is a serious one for higher education because universities are

With Memorial Day unofficially kicking off summer, those keeping up on recent changes to state data breach laws are eyeing their calendars, as a series of state amendments are due to come into effect.  Beginning on July 1, both Nevada and Wyoming will expand their definitions of personal information.  One month later on August 1, North Dakota will follow suit, slightly limiting its definition of personal information but expanding its reporting duties.  Key takeaways from the state amendments are detailed below.

The states’ legislative actions will likely up the ante at a time when Congress is considering a national data breach notification standard.  The recent flurry of activity reflects the states’ growing interest in how data breaches affect their residents.  Even in the face of national legislation, that interest is unlikely to subside.
Continue Reading Three State Data Breach Laws Set to Change This Summer

One year ago, data broker Spokeo, Inc. asked the Supreme Court to reconsider the Ninth Circuit’s revival of a putative class action against it for willfully violating the Fair Credit Reporting Act (“FCRA”) by publishing personal information without notice.  This week, the Court heeded that request, granting certiorari.  In doing so, it has paved the way for yet another decision by the highest court on how the issue of standing plays out in the context of privacy violations.

Plaintiff Thomas Robins sued Spokeo under the FCRA after the data broker allegedly published false information about him without his knowledge.  Interestingly, Robins claims that the information falsely stated that he had more education than he actually did and that he was in a better financial position than he actually was.  But according to Robins’s complaint, these false facts made it more difficult for him to find employment, credit, or insurance and thus caused actual harm.  He seeks to represent a class of individuals whose personal information has been similarly misstated. 
Continue Reading Supreme Court to Consider Congressionally-Conferred Privacy Breach Standing

On Monday, the Senate passed Resolution 110, calling for the development of a national strategy that incentivizes and accelerates the country’s use of the “Internet of Things,” or IoT.  The Resolution comes amidst increased attention on the IoT industry, including the first Congressional hearings on the subject in both the House and the Senate.  The discussion has centered around the question of whether and to what extent the U.S. Government should regulate the burgeoning industry. 
Continue Reading The “Sense of the Senate” is Pro-Internet of Things

In conjunction with his remarks at the White House Summit on Cybersecurity at Stanford University earlier this month, President Obama signed Executive Order 13691, entitled “Promoting Private Sector Cybersecurity Information Sharing.”  Published in the Federal Register last week, the Order is intended to encourage and facilitate cybersecurity information sharing within the private sector, and

Last week, the Senate Committee on Commerce, Science, and Transportation convened to hold a hearing on “The Connected World: Examining the Internet of Things.” Signaling that Congress may be interested in delving into this area, Senators pressed witnesses about the best ways to strike a balance between fostering innovation and protecting consumer interests. Senators and witnesses also wrestled with whether lawmakers should take an industry-by-industry or global approach to regulating this area – or if lawmakers should enter this space at all.
Continue Reading Senate Hearing Examines Internet of Things

President Obama recently proposed several new laws reflecting the administration’s increased focus on privacy and cyber issues. The proposals seek to create a consistent national data breach notification law (to replace the current patchwork of 47 state laws), to encourage cyber threat information sharing, and to update cybercrime enforcement. Although immediate reactions to the proposed