Mar 212019

Tim Murphy reports:

MPs have revised privacy legislation to avoid a risk of ‘notification fatigue’ in which holders of data would be forced to advise the public of even minor data breaches.

Parliament’s justice select committee has raised the threshold in the Privacy Bill for when mandatory notifications to the Privacy Commissioner and affected individuals would be required from a breach causing “harm” to one of “serious harm”.


Now, the judgment of “serious harm” from a breach would be determined by a range of factors set out in the revised bill including: the actions a holder of data has taken to reduce the harm; the sensitivity of the information; the nature of the harm; those to whom the information might be disclosed; and whether the information is protected by security measures.

Read more on Newsroom. I wish they had linked to the actual language of the legislation. I’ll go look for it.

Update: Thanks to the Office of the Privacy Commissioner for the link to the actual text:

Mar 212019

Amber Thomson, Liisa Thomas, Elfin Noce, and Kari Rollins of SheppardMullin write:

Ohio recently followed South Carolina as the second state to adopt cybersecurity legislation modeled after the NAIC’s Insurance Data Security Model Law. The Ohio law, Senate Bill 273,applies to insurers authorized to do business in Ohio and goes into effect today, March 20, 2019 (the first day of Spring). Companies have, under the law, a year to put the security measures into place. The law, like the NAIC model, requires insurance providers to take several steps to protect personal information, including conducting risk assessments and having a written information security program and incident response plan.

Read more on Eye on Privacy.

Mar 152019

David Krebs and Jacey Safnuk of Miller Thomson LLP write:

… Data breach reporting obligations in Saskatchewan are influenced by a total of four relevant pieces of legislation, covering both public and private sectors. These laws will not all apply to every potential breach, of course, but it is crucial for organizations to understand that more than one of them may apply depending on the specific circumstances of the data breach:

  1. The Freedom of Information and Protection of Privacy Act (“FOIP”) applies to Government Institutions, such as ministries, Crown corporations, agencies, boards and commissions.
  2. The Local Authority Freedom of Information and Protection of Privacy Act (“LA FOIP”) applies to Local Authorities, such as school boards, post-secondary institutions, rural municipalities and regional health authorities.
  3. The Health Information Protection Act (“HIPA”) applies to wide range of organizations listed under 2(t) of HIPA who have custody or control over Personal Health Information.
  4. Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to any organization that collects, uses, or discloses personal information in a “commercial activity.” Saskatchewan does not have “substantially similar” privacy legislation, and, therefore, in Saskatchewan PIPEDA applies to all personal information used, collected, or disclosed in commercial activities and all personal information processed by “federal undertakings,” which then includes personal employee information of those organizations. Personal information of employees in the private sector is not governed by a provincial or federal law.

Read more on Lexology.

Mar 122019

Jacqueline Thomsen reports:

A bipartisan group of lawmakers on Monday unveiled legislation that would create cybersecurity standards for internet-connected devices, often known as the “internet of things.”

The bill, introduced in the Senate by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.) and in the House by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), would require established standards for government use of the devices.

Read more on The Hill.

Senator Warren’s full press release appears below:

WASHINGTON – Bipartisan legislation to improve the cybersecurity of Internet-connected devices will be introduced today in the Senate and the House of Representatives. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements.

The legislation is being introduced in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner(R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT), while Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) are introducing companion legislation in the House of Representatives.

“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Sen. Gardner said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I remain committed to advancing our nation’s cybersecurity defenses.”

“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” said Rep. Kelly. “It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”

“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and our day-to-day lives. This is groundbreaking work and IoT devices must be built with security in mind, not as an afterthought,” said Rep. Hurd, former computer science major, cybersecurity entrepreneur and Chair of the House Subcommittee on Information Technology. “This bipartisan legislation will make Internet of Things devices more secure and help prevent future attacks on critical technology infrastructure.”

“With everything from LED lights to thermostats connected to the internet, we need to act swiftly to step up security for ‘internet of things’ devices to prevent hackers from disrupting our economy and threatening public safety,” Sen. Hassan said. “By requiring the federal government to only purchase devices that meet certain cybersecurity standards, this bill will help protect federal agencies against hackers who are seeking to exploit internet of things devices in order to steal critical national security information and the private data of Granite Staters and Americans.”

“As the Internet of Things landscape grows – we must ensure that Montanan’s information is safe and the security of our critical infrastructure is protected,” said Sen. Daines. “This bill helps establish proper safeguards that balance the need to protect Montanan’s privacy and our national security with the growing tech economy and high-paying jobs it provides.”

The Internet of Things, the term used to describe the growing network of Internet-connected devices and sensors, is expected to include over 20 billion devices by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers and industry, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. IoT devices have been used by bad actors to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers. 

At a hearing of the Senate Armed Services Committee last year, the Director of the Defense Intelligence Agency, Lt. General Robert Ashley, described exploitation of insecure IoT devices as one of the two “most important emerging cyber threats to our national security.” Last May, the Departments of Commerce and Homeland Security published a report highlighting the IoT market forces that reward low-price and convenience at the expense of security. The signature recommendation of the May 2018 report was that the Federal government should “lead by example” by requiring the acquisition of more secure and resilient products and services, particularly IoT. The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government.

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
  • Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
  • Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.

“BSA applauds Senators Warner and Gardner for their leadership in securing the IoT, and calls on Congress to act swiftly to advance this important legislation,” said Tommy Ross, Senior Policy Director, BSA | The Software Alliance. “As IoT devices increasingly bring greater productivity and quality of life to consumers and businesses across sectors, we must be proactive in addressing the unique security considerations they bring.” 

“Internet-aware devices raise deep and novel security issues, with problems that could arise months or years after purchase, and spill over to people who aren’t the purchasers. This bill leverages the government procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ basic security measures in their products,” said Jonathan Zittrain, Co-Founder of Harvard University’s Berkman Klein Center for Internet & Society.

“Insecure and unsecured IoT devices are a risk we must address, and it will only happen if the government and the private sector both step up. I’m glad that Senators Warner and Gardner and Representatives Kelly and Hurd are continuing to push this issue,” said Jeff Greene, Vice President of Global Government Affairs & Policy at Symantec.

“Weak IoT security with little oversight puts the American public at risk, particularly as these devices become more and more common in our offices and in our homes. We need a coordinated approach. Empowering NIST to set standards for the development and management of these devices, as the IoT Cybersecurity Improvement Act of 2019 proposes, will help secure the sensitive data held by the government and the private information shared within our homes,” said Alan Davidson, Vice President of Global Policy, Trust, and Security at Mozilla. 

“The proliferation of insecure Internet-connected devices presents an enormous security challenge. The risks are no longer solely about data; they affect flesh and steel. The market is not going to provide security on its own, because there is no incentive for buyers or sellers to act in anything but their self-interests. I applaud Senator Warner and his cosponsors for nudging the market in the right direction by establishing thorough, yet flexible, security requirements for connected devices purchased by the government,” said Bruce Schneier, Fellow and Lecturer at Harvard Kennedy School of Government.

“Cloudflare applauds Senators Warner and Gardner, Representatives Kelly and Hurd, and their cosponsors for their continued efforts to address the risks posed by improperly secured IoT devices with the introduction of this latest bill. Using the government procurement process to encourage security research and innovation will make the U.S. Government a leader in this area, and should open up a robust discussion of these issues. Cloudflare looks forward to continuing to work with them as this bill moves forward,” said Doug Kramer, General Counsel, Cloudflare Inc.

“IoT device insecurity is a serious problem that needs to be addressed. Although much must be done to address this problem, the longest journey begins with a single step—and this bill is just such a step in moving the ball forward on IoT security for government procurements,” said Dr. Herb Lin, senior research scholar for cyber policy and security at the Center for International Security and Cooperation and Hank J. Holland Fellow in Cyber Policy and Security at the Hoover Institution, both at Stanford University.

The bill is also supported by Rapid7, CTIA, and Tenable. Similar legislation was previously introduced in the 115th Congress.

Sen. Warner wrote to the Federal Trade Commission (FTC) in July 2016 raising concerns about the security of children’s data collected by Internet-connected “Smart Toys.” In May 2017, the Senator wrote a follow-up letter to Acting FTC Chairwoman Maureen Ohlhausen reiterating his concerns following comments by the Chairwoman that the risks of IoT devices are merely speculative. In response to the Senator’s concerns, the FTC issued updated guidance on protecting children’s personal data in connected toys. Immediately in wake of October’s devastating DDoS attack on the nation’s internet infrastructure by the Mirai botnet, Sen. Warner wrote the FCC, FTC, and NCCIC to raise concerns about the proliferation of botnets composed of insecure devices. Sen. Warner also wrote to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly in May 2017 asking what steps the Federal Government had taken to defend against WannaCry ransomware.

Sen. Warner, the Vice Chairman of the Senate Select Committee on Intelligence and former technology executive, is the co-founder and co-chair of the bipartisan Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet of Things (IoT).

Bill text is available here.


Mar 082019

Mike Nonaka, Libbie Canter, David Stein and Sam Adriance of Covington & Burling write:

On March 5, 2019 the Federal Trade Commission (“FTC”) published requests for comment on proposed amendments to two key rules under the Gramm-Leach-Bliley Act (“GLBA”). Most significantly, the FTC is proposing to add more detailed requirements to the Safeguards Rule, which governs the information security programs financial institutions must implement to protect customer data.

In addition, the FTC is proposing to expand the definition of “financial institution” under the Safeguards Rule and the Privacy Rule to include “finders.” Finally, the FTC is proposing to amend the Privacy Rule to make technical and conforming changes resulting from legislative amendments to GLBA in the Dodd-Frank Act and FAST Act of 2015.

Read more on Inside Privacy.