NIST has now finalized its guidance providing important information on selecting both security and privacy control baselines for the Federal Government. The guidance is available here: Special Publication 800-53B, Control Baselines for Information Systems and Organizations. As we previously discussed when the draft version was released, these control baselines are from NIST Special Publication 800-53, and have been moved to this separate publication as a consolidated catalog of privacy and security controls. While the implementation of a minimum set of controls is required for protecting federal information systems, NIST envisions that these control baselines can be implemented by any organization that processes, stores, or transmits information.
Continue Reading NIST Finalizes Guidance on Security and Privacy Control Baselines – SP 800-53B

The Department of Defense (DoD) recently published an interim rule that sets forth its Cybersecurity Maturity Model Certification (CMMC) program plan, as well as new requirements for a “NIST SP 800-171 DoD Assessment Methodology.” NIST SP 800-171 relates to protection of sensitive, but unclassified information (within a company’s system.) The interim rule will be effective November 30, 2020, and comments are due the same day. You can read our in-depth breakdown of the key provisions here.
Continue Reading Interim Rule Solidifies Cybersecurity Requirements for Defense Industrial Base

For the first time, the U.S. Supreme Court has agreed to review the Computer Fraud and Abuse Act (CFAA) in Van Buren v. United States, No. 19-783. A federal circuit split exists on the issue of whether the statute can only be used against hackers and unauthorized users of electronic systems, or also against authorized users who use the information for unauthorized purposes. In the context of data breaches, companies sometimes look to interpretations of the meaning of “authorization” in CFAA cases to analyze whether notification obligations may exist.
Continue Reading SCOTUS Review of CFAA May Impact Analysis in Data Breach Notification Obligations

During their COVID-19 preparations, companies are dusting off -and deploying- their business continuity plans. Also worth revisiting are incident response plans. Teams working remotely, if faced with a data breach, will still face privilege issues. For this reason simply moving to asynchronous forms of communication (email, chat, etc.) may not suffice, or may increase legal risk and exposure. Teams will thus need to be prepared for coming together virtually. Turning on the camera to converse remotely with video can be an impactful and important way to effectively handle a breach situation. To prepare, here are three key questions companies can consider:
Continue Reading Turn on the Camera Part Two: Are You Prepared to Handle a Breach Remotely and Do You Know Your Legal Security Obligations?

Businesses collecting personal information from New York residents will soon be expected to apply enhanced data security requirements. The New York SHIELD Act, signed into law in July 2019, expanded breach notice requirements in October 2019. Now, On March 21, 2020, the remaining provisions related to data security will also come into effect. As we wrote previously, businesses subject to the law must implement data security programs that include at least the following:
Continue Reading NY SHIELD Act Data Security Requirements Effective This Month

Israel’s investment industry has been reported as growing, and not surprisingly it has received interest from the Israeli Securities Authority. Late last year the ISA surveyed several funds and found that they were not following the requirements of Israel’s privacy laws. This resulted in a recent letter sent by the ISA to fund managers, warning the managers to take steps to protect customer information. Israel, like most countries around the globe, has a privacy law and corresponding regulations. Unlike many other jurisdictions, though, its privacy law has been deemed “adequate” by the EU, and as such, compliance can be a fairly rigorous exercise.  Accompanying the ISA letter were “insights” on how to protect information, including things like software updates and user authentication. Included in the insights were recommendations that are not included in Israel’s privacy law or regulation. However, the insights do mirror requirements that exist under Israeli laws for banks and insurance companies.
Continue Reading Israel Expresses Concerns Over Investment Fund Security Measures

Massachusetts’ breach notice law has been amended, requiring companies who suffer a data breach to provide more information to the Attorney General about the incident. The law will go into effect in a month, on April 11, 2019. As most know, already under MA’s breach notice law, companies that suffer a breach that impacted Massachusetts individuals are obligated to tell the MA AG. As part of that notice, they needed to explain the nature of the breach, number of residents impacted, and mitigation steps taken. Now, the MA AG will also need to be told if the company has a written information security program, as well as greater detail about the breach itself. These details include the person responsible for the breach of security, if known, as well as the name and title of the person reporting the breach and relationship to the entity that was breached. A sample copy of the notice sent to consumers also needs to be provided to the MA AG. That sample notice will be posted on the MA AG website within one day of receipt, provided that doing so does not “impede an active investigation” by either the MA AG or other law enforcement agency. The law also provides additional requirements on the AG to post information to its website about breaches.
Continue Reading US State Breach Law Modifications Begin in 2019 with Massachusetts

Vermont recently enacted a data broker security law, one of the first of its kind. The law requires data brokers to develop and implement a comprehensive security program. The program needs to include administrative and technical safeguards to protect personal information. Data brokers are defined as businesses that collect and sell or license data about consumers with whom the business does not have a direct relationship.
Continue Reading Vermont Is First Mover Regulating Data Brokers

Colorado’s governor recently signed into law an update to the state’s breach notice law.  As we reported yesterday the new law takes effect on September 1, 2018. As amended, the definition of “personal information” now also includes student, military or passport identification numbers, medical information, health insurance identification numbers, biometric data, and a resident’s username or email address (in combination with passwords or security questions). The law now calls for companies to conduct investigations when they become aware that a breach may have occurred (rather than when they become aware of a breach). Also modified is the window that companies have to provide notice, joining Florida in requiring notice within 30 days (as compared to the current “without unreasonable delay”).
Continue Reading Colorado Enacts Stringent Data Breach Notification Law