Cybersecurity/Data Security

Following a draft Interagency Report published in February, the National Institute of Standards and Technology (“NIST”) has published NISTIR 8200: Interagency Report on the Status of International Cybersecurity Standardization for the Internet of Things (IoT), which seeks to assess the “current state of international cybersecurity standards development for IoT.” In this effort, the Report defines the major areas where IoT is currently being used and evaluates various IoT cybersecurity standards commonly applied in those areas. To evaluate the surveyed IoT standards, the Report relies on a framework that breaks the standards down into twelve core areas, each of which designates a distinct, common element of cybersecurity measures.

Where IoT is Being Used the Most

To help evaluate the current understanding of cybersecurity risks involved in IoT applications and the methods used to measure them, the Report gives an overview of major IoT technologies and how they are deployed. It then breaks down the network-connected devices, systems, and services comprising IoT into five major categories of application, explaining the common components of each:



On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers.  In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged

EU Ministers of Home Affairs push for Passenger Records Directive; EU Member States Data Protection Authorities: News Regarding Safe Harbor (continuous update).

EU Ministers of Home Affairs push for Passenger Records Directive

In the aftermath of the November 13 attacks in Paris, European Union Ministers of Home Affairs push for the release of a Passenger

On October 14, the National Association of Insurance Commissioners (NAIC) announced its cybersecurity “bill of rights” which outlines six rights of insurance consumers.   Generally speaking, the bill of rights is divided into three broad categories: (1) standard consumer information, (2) insurer safeguards and actions and (3) post-breach and identity theft protections.  Although most states have data breach laws, the proposed rights exceed what many states require.  Given the current differences in state laws governing how insurance companies must protect consumers’ data, this new bill of rights may spur additional privacy legislation and greater uniformity among state laws.

First, the bill of rights states that consumers have the right to know the information that is collected and stored by insurance companies, their agents or businesses contracting with these insurance companies.  Insurance consumers also have the right to expect that privacy policies be made available on the insurers’ websites and upon request.  Second, the bill of rights provides that insurance companies must take reasonable steps to protect consumers’ personal information.  Third, the bill of rights sets out specific notice requirements in the event of a data breach.  If a breach occurs, insurance consumers have the right to at least one year of identity theft protection paid for by the company or agent involved in the data breach.  Additionally, an insurance consumer whose identity is stolen has a right to, among other things, put a 90-day initial fraud alert on his or her credit report, put a credit freeze on his or her credit report, and obtain copies of documents related to the identity theft.  



In conjunction with the 2015 American Bar Association annual State of Criminal Justice publication, Louisa Marion and I have published a new chapter on “Digital Privacy and E-Discovery in Government Investigations and Criminal Litigation.” The article provides an in-depth look at many of the current and cutting-edge issues raised by digital privacy