The COVID-19, and the various restrictions that have been implemented in response to it, are causing extraordinary business disruptions. Many organizations have had to modify their operational controls and accommodate a shift to remote working (among other adjustments). One key impact of COVID-19 involves an organization’s relationships with its IT service providers, which often play important roles in securing their … Continue Reading
On July 25, New York Governor Andrew Cuomo signed into law a pair of bills establishing new requirements for businesses that process certain personal information related to New York residents. The changes include expanding the scope of information covered by New York’s data breach notification law; defining breaches to include incidents involving unauthorized access to covered information, even where the … Continue Reading
On July 16, 2019, Nathan Salminen, Allison Holt, and Paul Otto from the Hogan Lovells Privacy and Cybersecurity and Litigation teams presented a webinar, “Cyberthreats in the Internet of Things” where they explored some techniques that can be used to exploit potential vulnerabilities in connected devices and how those types of events impact organizations from a regulatory and litigation perspective.… Continue Reading
Late last month, California Governor Jerry Brown signed the first US Internet of Things (IoT) cybersecurity legislation: Senate Bill 327 and Assembly Bill 1906. Starting on January 1, 2020, manufacturers of regulated connected devices are required to equip such devices with “reasonable security features” designed to protect a connected device and any information it holds from “unauthorized access, destruction, … Continue Reading
In the third instalment of the 2018 Internet of Things Webinar (IoT) Series, Yarmela Pavlovic, Paul Otto, Elisabethann Wright, and Fabien Roy hosted an educational webinar focusing on the evolving world of connected medical devices.
Fabien described the regulatory framework applicable to digital health technologies regulated as medical devices in the EU. He explained the criteria which must be met … Continue Reading
The U.S. Federal Trade Commission has approved Sears Holdings Management Corporation’s request to amend the terms of Sears’ 2009 consent order (the “Order”) in a manner that helpfully clarifies the lead U.S. privacy regulator’s views of notice and consent in the marketplace for mobile applications (“mobile apps”). After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, … Continue Reading
Earlier this year, the National Association of Corporate Directors (NACD) released an updated version of its Director’s Handbook on Cyber-Risk Oversight (Handbook). The updates add 16 pages of content to the previously 28-page document, including four additional appendices. While the use of and compliance with the Handbook is not mandatory, the Handbook is influential in shaping governance practices and thus … Continue Reading
As Hogan Lovells previously reported, the New York State Department of Financial Services (NYDFS) has launched a significant initiative to impose detailed cybersecurity requirements on covered financial institutions. On February 16, NYDFS issued its Final Rules, following the initial proposed rules published in September 2016 and two rounds of feedback via industry complaints and public comment. The Final Rules … Continue Reading
On January 12, 2017, prior to the new administration taking power, the National Telecommunications and Information Administration (NTIA) within the Department of Commerce (Department) released a Green Paper on “Fostering the Advancement of the Internet of Things,” which assesses the technological and policy landscape of the Internet of Things (IoT). The Green Paper is expansive in scope, reflecting the broad … Continue Reading
In the past month, the National Institute of Standards and Technology (NIST) has issued a draft update to its flagship cybersecurity framework as well as new standalone guidance on how organizations can plan to recover from cybersecurity events. The publication of these documents demonstrates NIST’s ongoing focus on providing substantive guidance to the private and public sectors alike on cybersecurity … Continue Reading
The Internet of Things continues to draw broad interest from policymakers and regulators around the globe. Following on the heels of a major distributed denial-of-service attack in October 2016 that leveraged potentially millions of compromised IoT devices, members of Congress have sent letters to US federal agencies regarding the risks posed by insecure IoT devices and held a hearing about … Continue Reading
Representatives from government and the private sector discussed the present state of healthcare cybersecurity, and experts discussed practical strategies for implementing the HIPAA Security Rule at the ninth annual “Safeguarding Health Information: Building Assurance through HIPAA Security” conference held from October 19–20, 2016 and co-hosted by the National Institute of Standards and Technology (NIST) and the Department of … Continue Reading
The Federal Trade Commission (FTC) recently presented an analysis of how its approach to data security over the past two decades compares with the Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework) issued in 2014 by the National Institute of Standards and Technology (NIST) and strongly endorsed by the White House.
Fifteen months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework (Framework) along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected … Continue Reading
The FTC wants companies to listen. More precisely, the FTC wants companies to pay attention to and promptly to respond to reports of security vulnerabilities. That’s a key takeaway from the Commission’s recent settlement with ASUSTek (“ASUS”). In its complaint against the Taiwanese router manufacturer, the FTC alleged that ASUS misrepresented its security practices and failed to reasonably secure its … Continue Reading
Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. CISA sponsors and supporters hope that such information … Continue Reading
One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the research firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth port. A savvy attacker could install malware wirelessly within ten seconds—simply by coming within a few feet of the tracker. When … Continue Reading
Consider this increasingly common scenario: an employee visits an apparently legitimate website. Unbeknownst to them, the website is hosted by an organized crime group. By visiting the site, the employee has allowed the group to quietly install ransomware on their organization’s file system. Malicious code begins to encrypt files on the server, before moving laterally to encrypt other servers on … Continue Reading
After a prolonged debate and months-long consideration of amendments, on Tuesday the Senate passed S. 754, which includes the Cybersecurity Information Sharing Act (“CISA”) of 2015, by a vote of 74-21. CISA has the support of the White House and many industry stakeholders, but some of the most well-recognized privacy advocacy organizations oppose it. The House of Representatives must now … Continue Reading
The HHS Office for Civil Rights (OCR) has launched an online portal designed to solicit questions from mHealth developers regarding compliance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security requirements. The portal is designed to demystify HIPAA for app developers while providing guidance to regulators about which aspects of HIPAA may require clarification.
OCR emphasized that the … Continue Reading
Government officials and experts from the private sector discussed enabling precision medicine and efforts to bolster patients’ rights to access medical records, and also emphasized the importance of controlling access to protected health information (PHI) at the eighth annual “Safeguarding Health Information: Building Assurance Through HIPAA Security” conference held from September 2–3, 2015, and co-hosted by the National Institute of … Continue Reading
On August 12, the National Institute of Standards and Technology (NIST) published a Request for Information (RFI) to help develop the next generation of technical encryption standards used by the U.S. Government and federal contractors to protect sensitive information. The new standard will update Fair Information Processing Standard (FIPS) 140-2, which has provided the baseline requirements for the development, testing, … Continue Reading
The U.S. Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau (Bureau) has requested public input on a recent report on Cybersecurity Risk Management and Best Practices (Report) by the Communications Security, Reliability and Interoperability Council (CSRIC) for communications providers. The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 … Continue Reading
On 1 April 2015, President Obama signed an Executive Order authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities constituting a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.