As states’ “top cops,” one of the primary responsibilities of state attorneys general (AGs) is consumer protection, and more and more AGs are focusing on how to protect consumer data privacy. Discussions at the recent Conference of Western Attorneys General (“CWAG”) Annual Meeting in Santa Barbara reflect this focus and demonstrate that state enforcers are

On 7 June 2019, Regulation (EU) 2019/881 on ENISA (the European Union Agency for Network and Information Security) and on information and communications technology cybersecurity certification, also known as the Cybersecurity Act, was given the final go-ahead and published in the Official Journal of the European Union.  The Cybersecurity Act will come into force

Singapore has set up a new Telecom Cybersecurity Strategic Committee (TCSC) to develop a plan to tackle ‘next-generation cyber threats’ in the telecommunications sector.

The committee is expected to publish a strategy report and outline a roadmap for telecommunications operators to develop cybersecurity capabilities later in 2019. The report and roadmap will include recommendations for new initiatives such as capability development, technology innovation, regulation and international partnerships.

In his opening address at the inaugural Infocomm Media Cybersecurity Conference on 25 January 2018, Dr Janil Puthucheary, senior minister of state for the Ministry of Communications and Information, highlighted the following points.

As “Singapore aims to be a Smart Nation and a leading digital economy”, there is a vital need for cybersecurity. He added that the telecom industry is key and fundamental to securing Singapore’s connectivity infrastructure and services.

The government and telecommunication industry players should collaborate on cybersecurity matters. To date, some examples of such collaborative efforts include:

  • The Infocomm Media Development Authority of Singapore (IMDA)’s launch of the Infocomm Singapore Computer Emergency Response Team in 2015 to respond to cybersecurity threats within the telecommunications and media sectors; and
  • IMDA’s revision in 2018 of the Telecommunications Cybersecurity Code of Practice to ensure that best practices from the industry can be applied to the telecom space.
  • The TCSC will identify challenges, key telecommunication technologies and market developments that will shape the cyber threat landscape. This is to ensure that Singapore keeps up to date on global, technological and industry trends.


The International Chamber of Commerce (ICC) has revised its code of conduct for advertising and marketing (the ICC code) to keep up with the “rapid evolution of technology and technologically-enhanced marketing communications and techniques”.

The revised ICC code considers emerging digital marketing and advertising practices, in order to set a “gold standard for modern rule-making in our digital world”.

The ICC code

The ICC code is a framework for self-regulation, which applies across the global advertising and marketing industry.

The basic principle of the ICC code is that all marketing communication should be “legal, honest, decent and truthful”. Other key principles include respecting human dignity, being transparent, fair competition, social responsibility, making the marketer’s identity apparent, and taking special care where communications are directed at children and teenagers under 18.

What’s new?


The UK government has launched a Code of Practice (CoP) for Internet of Things (IoT) security. This is aimed at improving baseline security and ensuring that devices that process personal data are General Data Protection Regulation (GDPR) compliant, as well as advancing an industry-wide ‘security by design’ approach.

The CoP provides outcome-focused practical steps for IoT manufacturers and industry stakeholders to improve the security of their products. To achieve this, it has specifically identified thirteen guidelines that it considers essential to the safeguarding of IoT devices:

  1. No default passwords – all IoT device passwords should be unique and not resettable to a universal factory default value.
  2. Implement a vulnerability disclosure policy – companies that provide IoT devices and services are to provide a public point of contact as part of a vulnerability disclosure policy, to enable issues to be reported. A disclosed vulnerability should be acted on in a “timely manner”.
  3. Keep software updated – updates should be timely and should not impact on the functioning of the device, and the need for them should be made clear to consumers.
  4. Securely store credentials and security-sensitive data – credentials must be stored securely within services and on devices. Hard-coded credentials in device software are not acceptable.
  5. Communicate securely – security-sensitive data should be encrypted and all keys managed securely.
  6. Minimise exposed attack surfaces – devices and services should operate on the principle of “least privilege”.
  7. Ensure software integrity – software should be verified using secure boot mechanisms.
  8. Ensure that personal data is protected – personal data should be protected in accordance with the GDPR and Data Protection Act 2018.
  9. Make systems resilient to outages – resilience should be built into IoT devices.
  10. Monitor system telemetry data – telemetry data should be monitored for security anomalies.
  11. Make devices easy for consumers to delete personal data – devices should be configured so that an individual can easily delete their personal data from it.
  12. Make installation and maintenance for devices easy – this should employ minimal steps and should follow security best practice. Consumers should be given guidance on how to set up their device securely.
  13. Validate input data – data input via user interfaces and transferred via application programming interfaces (APIs) or between networks in services and devices must be validated.


California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device

On 10 July 2018, the Council of the European Union published a draft of revisions to the proposed ePrivacy Regulation (ePR). The ePR is likely to come into force in 2019.

The ePR will repeal and replace the Privacy and Electronic Communications Directive 2002/58/EC. The ePR will align Europe’s ePrivacy regime more closely with the privacy regime set out in the General Data Protection Regulation (GDPR). The GDPR took effect on 25 May 2018.

Objectives

The ePR focuses on the confidentiality of users’ electronic communications. It will also regulate activities such as:

  • direct marketing,
  • website audience measurement,
  • the transmission of communications across devices and browsers, and
  • cookies set on users’ machines.

According to ePR Recital 2, it intends to “particularise and complement the provisions for personal data laid down by the GDPR by translating its principles into specific rules”.

Last month, the European Commission (Commission) announced plans to bolster the future of artificial intelligence (AI) across the bloc. In a paper on ‘Artificial Intelligence for Europe’, the Commission proposed a three-pronged approach to: (i) increase public and private investment in AI; (ii) prepare for socio-economic changes; and (iii) ensure an appropriate ethical and legal framework for AI. This blog will look at what AI is and the Commission’s proposed strategy.

What is AI?

The Commission defines AI as “systems that display intelligent behaviour by analysing their environment and taking actions – with some degree of autonomy – to achieve specific goals”. AI can be software-based, in the virtual world (such as image-analysis software, search engines or recognition systems) or embedded in hardware (for example, self-driving cars, Internet of Things applications, and advanced robots).

AI is increasingly prominent in our society and used on a near daily basis by most people. Many AI technologies utilize data to improve their performance and guide automated decision-making. The number of technological and commercial AI applications continues to increase, enabling AI to have a transformative effect on society as a whole.

In November 2017, the House of Commons Committee on Exiting the European Union (the Committee) published impact assessment reports of Brexit on various UK business sectors. The Report on the Technology (ICT) Sector (the Report) is a mix of qualitative and quantitative analysis. For each business sector, the Report includes: (i) a description of the sector; (ii) the current EU regulatory regime in which the sector operates; and (iii) an explanation of the frameworks governing how trade is facilitated between countries in the sector. Information provided by the government to the Committee about specific sector views has been withheld by the Committee.

Sector overview

The UK digital sector is vast. It covers digital goods, digital services and digitally enabled transactions of goods and services. It includes the following services and products: (i) audio-visual; (ii) e-commerce; (iii) telecommunications; (iv) data; (v) emerging industries, such as artificial intelligence; (vi) FinTech (dealt with in a separate report); (vii) the Internet of Things; and (viii) cybersecurity. Though London is a prominent hub, digital companies are spread across the UK. Several other cities have highly ranked digital clusters.

The Report highlights:

  • the extent of the UK’s investment in the digital sector;
  • how tech companies are investing in the UK since the Brexit referendum; and
  • information about the value added by the ICT industry, including its contribution to national economy statistics, employment, national balance of trade and international trade.


On Jan. 5, 2018, the Department of Homeland Security (DHS) and the Department of Commerce (DOC) released their joint draft report on “Enhancing the Resilience of the Internet and Communications Ecosystem against Botnets and Other Automated, Distributed Threats” for public comment. The report provides a series of recommendations for addressing the threats presented by botnets as well as improving security for Internet-connected devices or the Internet of Things (IoT).

Chief among these was a call to “build coalitions between the security, infrastructure, and operational technology communities domestically and around the world.” The report called upon a wide array of stakeholders spanning different industries and both the public and private sectors. Key stakeholders mentioned in the report, along with corresponding recommendations, encompassed the following:

  • IoT Product Industry. The report calls for private sector organizations, such as IoT product developers, to take significant steps towards improving security. These include establishing standards for assessing and labeling IoT device security, which would allow consumers to make informed choices and would offer assurance for the use of IoT products in critical infrastructure. The report also recommends providing better interfaces in IoT products for user administration.
