Data Security Roundup—December 2016
Executive and Regulatory Developments
DoD Issues Further Revisions to Contractor Cybersecurity Rules
Last month, the Department of Defense (DoD) again updated the cybersecurity rule that governs defense contractors who may transmit, store, or process "covered defense information" on their systems. The rule, which was first implemented in August 2015, contains two basic components: (1) a requirement that contractors ensure "adequate security" on covered systems; and (2) a requirement that contractors report any cyber incidents that may have affected covered systems. The recent amendments include several significant changes. First, the definition of "covered defense information" is now harmonized with the "controlled unclassified information" (CUI) registry maintained by the National Archives, which also recently released a rule broadly prescribing the steps federal agencies must take to safeguard CUI. (Eventually, non-DoD contractors will also be governed by a cybersecurity rule that flows from the CUI registry.) In addition to the changes to the definition of covered defense information, the revised DoD rule also exempts Commercial Off the Shelf (COTS) procurements from the rule, providing some relief to commercial contractors (although non-COTS commercial procurements are still subject to the rule). The amendments also helpfully clarify where fundamental research is not subject to the rule. Less helpfully, the amendments put new limits on which cloud service providers can be used by DoD contractors. Finally, the amendments make a number of procedural changes to how contractors are to flow down the rule to subcontractors or request to vary from its adequate security requirements (which are based on NIST SP 800-171). Additional amendments to the DoD rule are expected, particularly before December 31, 2017, when all DoD contractors that handle any covered defense information must be fully compliant with NIST SP 800-171. Further information is available in our November 2016 Advisory.
NIST Releases Cybersecurity Guidance for Interconnected Devices
On November 15, 2016, the National Institute of Standards and Technology (NIST) published security-implementation guidance for interconnected devices, including the Internet of Things. The special publication, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems, spans more than 250 pages and serves as a guide for systems engineers seeking to address security issues by developing more defensible and survivable systems. The guidance principally focuses on engineering-based solutions to address security risks in the design and building of trustworthy, secure systems. With sophisticated cyberattacks on the rise, this guidance may serve as an important resource for businesses in identifying and mitigating security risks.
Department of Transportation Proposes Cybersecurity Best Practices for Vehicles
This fall, the Department of Transportation's National Highway Traffic Safety Administration (NHTSA) issued proposed guidance on cybersecurity best practices for the automotive industry. The proposed cybersecurity guidance encourages manufacturers and designers of vehicle systems and software to prioritize vehicle cybersecurity by proactively adopting the non-binding guidance, which focuses on a layered approach to vehicle cybersecurity. This layered approach "reduces the probability of an attack's success and mitigates the ramifications of a potential unauthorized access." The guidance also recommends that stakeholders in the automotive industry implement a number of key changes, including making cybersecurity a priority throughout the entire life-cycle of the vehicle development process; allocating dedicated resources to addressing cybersecurity vulnerabilities; adopting a vulnerability reporting/disclosure program and incident response process to facilitate information-sharing; and considering penetration testing to detect cybersecurity vulnerabilities.
FTC Releases Guidebook on Data Breach Response for Businesses
In late October, the Federal Trade Commission published a 16-page guidebook called Data Breach Response: A Guide for Business. The guidebook provides general guidance for businesses that have experienced a data breach, focusing on three critical steps: (1) securing systems to prevent additional data loss; (2) working with service providers and computer forensics experts to fix cybersecurity vulnerabilities; and (3) notifying the appropriate parties, including law enforcement agencies, affected businesses and individuals, and any parties required to be notified under applicable federal and state laws. The guidebook also contains a model letter businesses can send to individuals whose personal information may have been compromised. Short on time? Watch the FTC's three-minute video on data breach response here.
California Amends Data Breach Notification Laws
Once again, California has amended its data breach notification laws, this time to remove a safe harbor pertaining to encrypted data. Under the statutes currently in effect, businesses are only required to notify California residents of data breaches that compromise unencrypted personal information. Under the amendment, however, notification obligations will also be triggered when a data breach affects encrypted personal information, but only if the corresponding encryption key or security credential has also been compromised and if the business has a reasonable belief that the acquisition of any such encryption key or security credential could render the encrypted personal information readable or usable. The amended law also clarifies that the terms "encryption key" and "security credential" mean "the confidential key or process designed to render data usable, readable, and decipherable." The full text of California's amended data breach notification law, which was approved by Governor Jerry Brown on September 13, 2016, and which will take effect on January 1, 2017, is available here.