Businesses active in California should promptly assess whether the law applies to their practices and start planning towards compliance with the new law.

By Jennifer Archie, Michael Rubin, and Scott Jones

Key Points:

  • A sweeping new privacy law — the California Consumer Privacy Act of 2018 — was signed into law on June 28, 2018.
  • The Act imposes substantial new obligations on businesses that collect, process, and disclose the data of California residents.
  • The Act was drafted, voted on, and enacted in a matter of days, but it will not go into effect for another 18 months: on January 1, 2020. Given this rushed process, changes to the law before its effective date can be expected.

Facing pressure from a significantly stronger ballot measure in the state, on Thursday, June 28, 2018, the Governor of the State of California signed into law the California Consumer Privacy Act of 2018 (the CCPA). Effective January 2020, this law ushers in widespread changes to California’s law on the information practices of covered businesses collecting, processing, and disclosing information gathered from or about California consumers or their devices.

By Jennifer Archie, Serrin Turner, Kyle Jefcoat, Dean Baxtrasser and Morgan Maddoux

As of December 31, 2017, many United States government contractors face a new compliance requirement involving cybersecurity. This requirement will govern most new Department of Defense (DoD) contracts and, significantly, will apply to many current DoD contracts that include the applicable standard contract clause.

On October 21, 2016, DoD issued a final rule, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (DFARS Rule), which is intended to address “enhanced safeguarding for certain sensitive DoD information.” The DFARS final rule requires contractors to safeguard information systems and imposes investigation and reporting requirements in the case of cyber incidents.

Under the DFARS Rule, contractors will be required to comply with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 — a requirement that goes into effect at the end of this month. The DFARS Rule focuses on protecting “covered defense information” (CDI) — which it defines broadly — and stipulates the basic security requirements a defense contractor must implement and maintain. A defense contractor generally must implement the security requirements in the version of NIST SP 800-171, which were developed for use on contractors’ internal systems and should enable contractors to comply with the requirements using their existing systems and practices — rather than forcing contractors to build a new system and develop practices from scratch in order to be in compliance.

By Steven Croley*, Jennifer Archie and Serrin Turner

The Trump Administration has issued a much anticipated Executive Order (EO), “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” directing federal executive agency heads to undertake various cyber-related reviews and to report findings back to the White House within prescribed timetables. Unlike some of the Trump Administration’s executive orders receiving much attention in recent weeks, this new cybersecurity EO does not aim to unwind policies put in place or initiatives undertaken by the Obama Administration. In fact, subsequent steps by the Trump Administration following the new EO may well build upon the previous Administration’s efforts, which had assigned responsibilities to various executive departments serving as “sector specific” agencies for different sectors (energy, communications, transportation, and so on) with critical infrastructure.

By Jennifer Archie and Alex Stout

Tax-related identity theft is nothing new, but tax season 2016 took tax schemes to a new level.

Last year, our cyber experts advised a large cluster of clients (public and private companies) over a period of only two weeks, following a nationwide explosion of deviously simple attacks—mostly targeted at mid-size companies—that followed the same fact pattern: the Director of Human Resources or Chief Financial Officer received an email appearing to come from a senior executive (normally the CEO) asking for copies of all of the company’s W-2 tax forms; the recipient was fooled by the email and sent the requested records to the attacker; and hours or days later, the company came to the sickening realization that hundreds, if not thousands, of personnel records were compromised. Even worse, the stolen information was rapidly exploited in fraudulent tax return filings, diverting expected tax refunds to the scammers, and often saddling the most senior (highly compensated) company employees with the huge headache of sorting out their personal finances and tax return status with the IRS.

These tax refund theft attacks are highly automated, quick, easy, and inexpensive to initiate, and last year fraudsters blanketed businesses with record volumes of attacks. As simple as the attacks are, protecting your employees in the aftermath can be a difficult and painful process.

By Matt Murchison and Alex Stout

Today, the US Federal Communications Commission (FCC) approved far-reaching new information privacy rules that will govern how providers of broadband Internet access service collect, use, protect, and share data from their subscribers. These new rules, which were adopted by a 3 to 2 vote, are intended to fill a consumer protection gap that was created by the FCC’s reclassification of broadband Internet access service (or BIAS) as a Title II common carrier service as part of the 2015 Open Internet Order (the Federal Trade Commission (FTC) does not have jurisdiction over common carriers acting as common carriers). Although the full text of today’s privacy order (the Order) has not yet been released, the agency provided a general outline of its new rules.

Today’s privacy rules are the result of a process that began in March, when the FCC circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222 was applied to broadband providers as part of the 2015 Open Internet Order, but until today’s Order the precise privacy obligations of broadband providers were not clear. The FCC’s NPRM had initially proposed sweeping new rules that in many ways went beyond the existing privacy framework of the FTC. For example, while the FTC has long embraced a unified, “technology neutral” approach applied equally to ISPs, websites, and all other participants in the Internet ecosystem, the FCC’s proposals focused solely on regulating ISPs. Moreover, whereas the FTC’s approach historically has turned on the sensitivity of the information being collected, used, or shared, the FCC’s initial proposal would have treated all forms of customer information equally, whether the information was a Social Security number or merely the customer’s first and last name. And while the FTC imposes a reasonableness standard for data security practices, the FCC proposed that broadband providers be required to “appropriately calibrate[]” their security practices to the data being collected, without an apparent reasonableness standard. The FTC, in its comments to the FCC in this proceeding, suggested changes to the FCC’s proposal that would bring the two privacy regimes into greater harmony. Although the FCC did not accept all of these changes—and never wavered from its focus on regulating only ISPs—the final product is significantly changed from what we first saw in the NPRM.

By Serrin Turner

Typically, the process for amending the Federal Rules of Criminal Procedure is a sleepy affair. Proposed amendments wend their way through a series of judicial committees and, if approved by the Supreme Court, take effect automatically by the end of the year. Theoretically, Congress may choose to intervene and block the change – but it does so rarely. This year, however, a proposed amendment has caught the congressional eye.

Over the past several days, legislators in both the Senate and the House of Representatives have introduced legislation to block a proposed change to Rule 41 of the Federal Rules of Criminal Procedure, which regulates the issuance of search warrants in federal criminal investigations. Law enforcement already uses Rule 41 routinely to obtain warrants to search computers recovered from physical premises or otherwise taken into law enforcement custody. The proposed amendment addresses a different scenario: when law enforcement has identified a computer being used to perpetrate a crime but cannot determine where it is located. With the proliferation of anonymizing technologies used by hackers and other criminals operating on the Internet, this fact pattern is increasingly common. The rule change under consideration would enable law enforcement to obtain a warrant in such circumstances to search the target computer “remotely” – that is, by hacking into it.

By Serrin Turner

Last week saw action on two fronts regarding the Stored Communications Act (SCA) – the US federal statute regulating government searches of online accounts in criminal investigations. In Congress, a proposal to reform the SCA advanced in the House; and in the courts, Microsoft sued to challenge a provision of the SCA as unconstitutional. Although the reform bill has been portrayed as a major piece of privacy legislation, the version now under consideration is quite modest and would not substantially change how the SCA is applied in practice. However, the Microsoft lawsuit, if successful, could significantly reshape and restrict how the SCA is used by law enforcement.

What is the Stored Communications Act?

The SCA sets forth the procedures by which US law enforcement authorities can compel electronic communications service providers to disclose the contents of (and other records pertaining to) user accounts. While the SCA is applied most often in the context of email accounts, it applies equally to social-networking accounts, cloud-storage accounts, web-hosting accounts, and any other type of account where a user may store electronic communications. Like everyone else, criminals are increasingly communicating over the Internet, and as a result the SCA is now routinely used by law enforcement to obtain the contents of online accounts used by criminal suspects to communicate and do business.

By Amanda Potter and Alex Stout

As we highlighted in a post last month, the FCC has proposed sweeping new privacy rules on broadband providers. Since our last post, the FCC has released its proposal in the form of a Notice of Proposed Rulemaking. This proposal would institute new customer privacy and data breach rules on broadband providers and follows the Commission’s landmark Open Internet proceeding, in which the Commission imposed common-carrier telecommunications rules on broadband. The public has until May 27 to submit initial comments and June 27 to submit reply comments.

While the proposal includes updates to existing FCC rules, the focus is on broadband providers. The proposed rules would expressly exclude providers of “edge services” (like search engines, video streaming, and mobile applications), reasoning that consumers can readily avoid edge services and that broadband providers act as “gateways” that could potentially track consumers across the Internet.

The proposed rules would cover two categories of information. First, the rules would apply to “customer proprietary network information” (CPNI), a type of data defined by Section 222 of the Communications Act to include a customer’s technical usage or billing data. For broadband, the FCC proposes to include, at minimum, Internet service plan and pricing, geo-location data, MAC address, Device ID, IP address, and traffic statistics. Second, the rules would protect personally identifiable information (PII). The FCC only recently began to use the term PII, which it defines here

By Matt Murchison and Alex Stout

Last week, the FCC announced that Chairman Tom Wheeler had circulated a Notice of Proposed Rulemaking (NPRM) on implementing Section 222’s privacy obligations for broadband providers. Section 222’s requirements were originally crafted for telephone companies, and were first applied to broadband providers as part of the 2015 Open Internet Order, which reclassified broadband providers as telecommunications carriers. However, the FCC expressly forbore from applying to broadband providers the rules it had adopted over the years implementing Section 222 in the telephone context. The upcoming NPRM, which the full Commission will vote on at its March 31 Open Meeting, will, for the first time, propose specific requirements implementing Section 222’s privacy obligations in the broadband context.

The FCC’s fact sheet about the NPRM reiterates the three guiding principles that the Chairman has identified in recent weeks—choice, transparency, and security—and provides some new details on the specific proposals under consideration.

By Ulrich Wuermeling, Gail Crawford and Jennifer Archie

Earlier this week, the European Commission announced that a “political” agreement has been reached on a new framework for data flows from the EU to the US. The announcement highlights a few changes from the old Safe Harbor regime, such as more direct and active oversight by US regulators, more stringent privacy protections, and the establishment of an ombudsman at the State Department for EU citizens who wish to complain about data protection matters. However, as a legal and compliance matter, US companies that previously relied upon Safe Harbor to transfer EU data take on significant compliance risk if they do nothing in anticipation of the newly branded EU-US Privacy Shield framework being formally approved, given that it is not yet documented and will be subject to review by the EU data protection supervisory authorities in the so-called Article 29 Working Party as well as representatives of the Member States and the European Parliament.