
DFARS and DIB: Compliance Steps for DoD’s Newly Finalized Cybersecurity Rules for Contractors


For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS Rule”) and went into effect on October 21, 2016.  The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base (“DIB Rule”) and went into effect on November 3, 2016.

We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.


What is the FTC Doing About Privacy and Drones?


Last week, as part of its Fall Technology Series, the Federal Trade Commission (“FTC”) hosted a much-anticipated workshop to explore the privacy concerns associated with drones. Although many in the audience hoped that this workshop would provide some insight into the FTC’s perspective and position on regulation of drones and privacy, the workshop left attendees with more questions than answers. We were there, and provide you with some of the key takeaways.


What Happens When My Company Receives a National Security Letter? A Primer.


Even today, most companies—even technology companies—do not think they have information that the U.S. Government wants or needs, particularly as it might relate to a national security investigation. The reality is that as terrorists and others who threaten national security use a broader spectrum of technology resources to communicate and to finance and conduct operations, the U.S. Government has significantly increased its collection of data from technology companies and others.


Is Your Data Safe? National Cybersecurity Awareness Month


Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.

Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.


SDNY Refuses to Enforce Uber’s Online “Sign-In-Wrap” Terms, Arbitration Provision and Jury Waiver Clause


On July 29, 2016, the Southern District of New York, in Meyer v. Kalanick, refused to enforce mandatory arbitration and jury waiver provisions against a putative class of Uber consumers.  In a lengthy and strongly worded decision by Judge Rakoff, the Court held that consumers had not received sufficient notice of, and did not assent to, the online terms of service that contained the arbitration and waiver clauses at issue.

Every company that seeks to implement contractual commitments through online terms and policies should pay close attention to this decision.  While not binding in other jurisdictions outside the SDNY, Meyer reflects a growing trend of more exacting judicial scrutiny on the enforceability of online agreements across the country, and represents an important development in a rapidly developing area of the law.


EU-U.S. Privacy Shield: Companies Can Now Certify


As of August 1, 2016, U.S. companies can join the EU-U.S. Privacy Shield (the “Privacy Shield”), the successor to Safe Harbor, for personal data transfers from the EU to the U.S.

This post gives a high level summary of what companies should consider with the Privacy Shield.

Background:

On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law.  The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.


Déjà Vu Not All Over Again: Ninth Circuit Strengthens CFAA In Nosal II


On July 5, 2016, the Ninth Circuit Court of Appeals issued its highly anticipated decision in the most recent chapter of United States v. Nosal, holding that an individual acts “without authorization” as used in the Computer Fraud and Abuse Act (“CFAA”) when, after his/her own access has been revoked, the individual utilizes legitimate log‑in information of another to access company databases.  This decision has important consequences for organizations as they consider how to implement policy and technical controls on user access to ensure they are protected against unauthorized access under the CFAA.


European Parliament Passes Long-Anticipated Network and Information Security Directive


On July 6, 2016, the European Parliament passed the Network and Information Security (“NIS”) Directive, over three years after the initial draft was proposed.  The Directive will enter into force in August 2016.  EU Member States will then have 21 months to transpose the Directive into their national laws and 6 additional months to identify the operators of certain essential services that are subject to the Directive’s requirements.


CFPB Jumps Into Cyber Enforcement Pool


In a much anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity foray with its first enforcement action against Dwolla, Inc., an online payment processing start-up.  Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors.  This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments.  These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office of Civil Rights (HHS-OCR), and a host of other state and federal regulators.


POTUS Declares Cybercrime a National Emergency, Announces New Penalties for Trade Secrets Theft

Declaring cybercrime a “national emergency,” President Obama today empowered Treasury to freeze assets that are the fruits of cybercrime, according to an Executive Order issued this afternoon. The agency can block money or property in the United States or in the control of any United States person determined to have engaged in “cyber-enabled activities” originating or directed from outside the United States. Targeted activities include harming computer networks in critical infrastructure sectors; significantly disrupting a computer network; or causing significant misappropriation of trade secrets and other protected information. The EO also enables seizure of money or property of any persons involved in misappropriating trade secrets by “cyber-enabled means” that impact the national security, foreign policy, or economic health or financial stability of the United States.

TSW is tracking the EO and will report further developments.