Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report overviews major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:

The Navy has recently issued a policy memorandum entitled “Implementation of Enhanced Security Controls on Select Defense Industrial Base Partner Networks” that calls for heightened cybersecurity requirements and oversight for “critical” government contractors handling their sensitive government data, broadly referred to as controlled unclassified information (“CUI”) or “covered defense information” (CDI) within the defense sector. 

When the European Commission re-approved the Privacy Shield agreement during its first annual review in the fall of 2017, permitting the transatlantic transfer of personal information to compliant U.S. companies to continue, it did so with a number of reservations. As the Privacy Shield agreement fast approaches its second annual review at the end of this week, it remains to be seen if the steps taken by the U.S. government at the close of the summer will be enough to satisfy skeptical European lawmakers.

Responding to the rise of interconnected technology, the National Institute of Standards and Technology (NIST) has recently issued an introductory document in a planned series of cybersecurity publications addressing Internet of Things (IoT) privacy risks. Open for comment through October 24, 2018, the Draft NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and

The Colorado legislature recently passed a new data privacy law, House Bill 18-1128, which heightens requirements for corporate and public entities handling personal information of Colorado residents.  Effective September 1, 2018, the law aims to strengthen consumer data privacy by 1) shortening the time frame required to notify affected Colorado residents and the Attorney

Attorney General Jeff Sessions and EU Justice Commissioner Věra Jourová have met twice over the last two weeks, signaling momentum towards a new EU-U.S. solution for the sharing of electronic evidence. These meetings occurred in the wake of proposed regulations on the sharing of electronic evidence in the EU, and the passage of the Clarifying

On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying a $650,000 civil penalty, VTech agreed to comply with COPPA, implement and maintain a comprehensive information security program with regular third-party security audits for the next twenty years, and not misrepresent its privacy and data security practices.

The settlement comes more than two years after VTech learned that a hacker had gained remote access to databases for its interactive electronic learning products (ELPs), including for its Kid Connect chat application, in what was described at the time as the largest known hack targeting children. According to the FTC’s Complaint, the hacker accessed VTech’s databases “by exploiting commonly known and reasonably foreseeable vulnerabilities,” and VTech was unaware of the intrusion until it was informed by a reporter.

The Ninth Circuit Court of Appeals has joined the Third and Eleventh Circuits in ruling that any disclosure of an individual’s online viewing history along with their personally identifiable information confers standing to bring a suit for violation of the Video Privacy Protection Act (VPPA) in federal court.  The case, Eichenberger v. ESPN, Inc.,

The big takeaways from The Autonomous Vehicle Safety Regulation World Congress centered on the importance of a federal scheme for AV regulation and the reality of the states’ interest in traditional issues such as traffic enforcement, product liability, and insurance coverage.  In keeping with those messages, the World Congress kicked off with NHTSA Deputy Administrator and Acting Director, Heidi King, speaking about NHTSA’s goals and interest followed almost immediately with wide participation from the states including California, Michigan, and Pennsylvania, among others.

Deputy Administrator King emphasized NHTSA’s desire to foster an environment of collaboration among all stakeholders, including the states. Ms. King emphasized that safety remains the top priority at NHTSA. NHTSA has provided some guidance, and looks forward to hearing from stakeholders about the best way to support and encourage growth in autonomous vehicles. NHTSA wants to provide a flexible framework to keep the door open for private sector innovation. It is necessary to build public trust and confidence in the safety of autonomous vehicles, and that can only be accomplished by all stakeholders working together.

NHTSA is working on the next version of AV guidance, having already issued its 2.0 version, with an expected release of 3.0 in 2018. The guidelines will remain voluntary, but NHTSA is ready to support entities as they try to implement the voluntary guidance. Working with the states, DOT, OEMs, and other stakeholders, NHTSA hopes to continue to be flexible and allow for rapid changes. Later in the conference, lawyers emphasized the importance of compliance with the guidance in minimizing liability, particularly in no-fault states such as Michigan.

Dr. Bernard Soriano, deputy director, California Department of Motor Vehicles, similarly confirmed that California’s overarching interest in regulating AV is the safe operation of vehicles on its roadways.  In summarizing California’s recent October 11, 2017 release of revised regulations, he emphasized that “change happens fast,” and that the state is pleased to now be close to allowing completely driverless testing.  He recognized the federal preemption on the design of the vehicle and its crashworthiness and emphasized the state’s interest in the operation of the vehicles and compliance with state traffic laws.

On July 21, 2017, Governor Chris Christie signed the Personal Information Privacy and Protection Act (S-1913) (the “Act”) into law, further enhancing the protections afforded to consumers who make retail credit card purchases in New Jersey.  As technology has evolved, many retailers rely on electronic barcode scanners to review and capture information on