
As the U.S. economy and educational system adapt to work and life at home, it is important to remember that cybersecurity (and related privacy) risks remain and are evolving. Remembering to think through measures that are in place to protect personal information, proprietary information, confidential information, and information needed for ongoing operations can help businesses avoid and mitigate these risks. Appropriate protective measures are specific to changing circumstances, but fortunately, guidance and helpful resources have quickly emerged. We have set forth below some important considerations in assessing administrative, technical, and contractual cybersecurity safeguards in virtual business and educational settings.

New tools bring new vulnerabilities

Many entities whose employees are now working from home for the first time are implementing new, sometimes expensive, tools to help their employees collaborate and maintain business operations. These new tools include videoconferencing, file-sharing, and other communication platforms. Even if the employer does not provide the tools, employees may find and use their own.

There are good reasons for implementing these tools at the business level, including consistent-use practices across the entity’s systems, a process for regular software patches and updates, and discounted pricing. When selecting and implementing these tools, or modifying the manner and extent to which they will be used, it can be easy to overlook or minimize better practices for the use of third-party information technology services: reasonable and appropriate diligence, contractual protections, and ongoing oversight and validation.

In addition, it is important to remember that the cybersecurity posture of many (if not most) online tools can vary widely depending on how the tool is configured, maintained, and used. This means considering whether the right virtual-IT skill set has been engaged and applied, and helping ensure that users have the information they need to make better privacy and data security decisions. Addressing these issues effectively can be especially challenging as work and learning environments change radically.

Continue Reading U.S. cybersecurity – points to remember when business is not as usual

The Food and Drug Administration (FDA) published a draft update to its premarket cybersecurity guidance for device makers on October 18, 2018. The expanded draft guidance includes recommendations on tiered classification of cybersecurity risk, trustworthiness, a cybersecurity bill of materials, and device cybersecurity labeling that are specific enough to be helpful to manufacturers while at the same

California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device

On February 28, 2018, the Federal Trade Commission (FTC) released a report about security update practices for businesses providing mobile phones and other connected devices. The report recommends that manufacturers and carriers provide security updates that are consistent with consumer expectations, provide better information regarding their security practices and educate consumers on their role in

On Jan. 5, 2018, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) released their joint draft report on “Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats” for public comment. The report provides a series of recommendations for addressing the threats presented by botnets as well as improving security for Internet-connected devices or the Internet of Things (IoT).

Chief among these was a call to “build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.” The report called upon a wide array of stakeholders spanning different industries and both the public and private sectors. Key stakeholders mentioned in the report, along with corresponding recommendations, encompassed the following:

  • IoT Product Industry. The report calls for private sector organizations, such as IoT product developers, to take significant steps towards improving security. These include establishing standards for assessing and labeling IoT device security, which would allow consumers to make informed choices and would offer assurance for the use of IoT products in critical infrastructure. The report also recommends providing better interfaces in IoT products for user administration.

Continue Reading DHS and DOC Report on Botnets and IoT Security Recommends Increased Collaboration between Stakeholders in Private Industry and Government

On August 17, 2017, Delaware Governor John Carney signed into law House Substitute 1 for House Bill 180, making the first significant amendment to Delaware’s data breach notification law since 2005. The bill, scheduled to go into effect April 14, 2018, requires private organizations to maintain reasonable security policies and procedures; expands the definition of “personal information” to include medical information, biometric identifiers, and electronic signatures; and adds breach notification and credit monitoring requirements. The bill comes on the heels of other amendments to data breach notification requirements by states such as California, Illinois, Nebraska, Tennessee, and Arizona.

Reasonable Data Security

Delaware’s amended data breach law now requires that any “person” that conducts business in Delaware and “owns, licenses, or maintains” personal information shall “implement and maintain reasonable procedures and practices” for the protection of personal information collected or maintained in the course of business.

Delaware now joins at least 13 other states with data breach laws that affirmatively require private organizations to maintain reasonable security procedures and practices. Under Delaware’s amended data breach law and similar state statutes, private organizations may incur liability for failing to maintain adequate security controls, even where breach notifications to residents are not required.

Breach Notification and Credit Monitoring

Delaware’s amended data breach law also requires that organizations shall provide notice to Delaware residents that their personal information was breached or is reasonably believed to have been breached without “unreasonable delay,” and no later than 60 days after the discovery of the breach, unless a shorter notification period is required by federal laws (e.g., HIPAA or the GLBA), or law enforcement requests a delay. Organizations are not required to provide notice if an investigation reveals that the breach was unlikely to result in harm to the affected residents.

The amended law also does not require notification for the breach of encrypted data, unless the breach includes an encryption key that the organization reasonably believes could render the encrypted information readable or useable.

In addition, the amended law now requires organizations to provide one year of credit monitoring to Delaware residents whose Social Security numbers may have been exposed as part of the breach. This provision mirrors similar provisions in California and Connecticut.

Continue Reading Delaware Amends Data Breach Notification Law to Require Reasonable Data Security and Expand the Scope of Personal Information Requiring Notice

On Monday, May 11, 2017, President Donald Trump signed an Executive Order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” The Executive Order comes after Trump had postponed signing a similar executive order on cybersecurity on Feb. 1, and another draft executive order had been circulated Feb. 10.

The final Executive

On January 4, 2017, the National Institute of Standards and Technology (“NIST”) published the final version of NIST IR 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems.” The report introduces the concept of applying systems engineering practices to privacy and provides a new model for conducting privacy risk assessments on systems. In the blog post accompanying the release, NIST notes that the report is intended to address the absence of a vocabulary for talking about privacy outcomes and to produce “processes that are repeatable and could lead to measurable results.”

To this end, the report introduces three (3) privacy engineering objectives, which are intended to help system designers, engineers, and policy teams “bridge the gap between high-level privacy principles and their implementation within systems.” These objectives are defined as follows:

Continue Reading NIST Publishes Introduction to Privacy Engineering and Risk Management to Assist Agencies and Organizations in Designing Privacy-Compliant Systems

On Monday, November 14, 2016, the Securities and Exchange Commission (SEC) hosted a forum to discuss financial technology (FinTech) innovation in the financial services industry. The summit discussed several topics, but the second panel, titled “Impact of Recent Innovation on Trading, Settlement, and Clearance Activities,” specifically addressed blockchain-enabled distributed ledger technology and its applicability in corporate environments. The panel provided an opportunity for the SEC to highlight blockchain’s potential for assisting companies in meeting compliance requirements, cutting costs with respect to record keeping and tracking assets, and disintermediating transactions.

Corporations have begun to seriously examine the opportunities made available by blockchain-enabled distributed ledger technology beyond digital currency, in areas ranging from financial services and retail supply chains to art and music. Unlike Bitcoin, where the blockchain provides a transfer mechanism and ledger for the intangible currency, distributed ledger technology also may provide a distributed, often privately managed, system of records for a wide variety of transactions.

Continue Reading Leveraging the Blockchain to Provide an Unalterable, Distributed Ledger for Transactions, Supply Chains and Other Corporate Processes