November Privacy And Security Roundup: Cybersecurity Export Controls, Mandatory Reporting Bills And Safeguards Rule Changes


BIS has issued an interim final rule, and entities dealing with
cybersecurity exports are being asked to submit comments by early
December. In this latest edition of our Privacy and Security
Roundup, we share the details of the final rule’s two key
measures including export restrictions and a new License Exception,
provide an update on cyber incident reporting legislation, discuss
modifications to the GLBA Safeguards Rule and much more.

RECENT DEVELOPMENTS

White-hat activities and potential impact of new cybersecurity
export controls

The Commerce Department’s Bureau of Industry and Security
(BIS) issued a long-awaited interim final rule on Oct. 21,
2021, imposing export controls on certain cybersecurity software,
equipment and technology. Citing concern that these items could be
misused to “abuse human rights or conduct other malicious
cyber activities,” BIS stated its aim is to ensure “U.S.
companies are not fueling authoritarian practices.” Broadly,
the rule has two key components:

  • restrictions on export, re-export or in-country transfers of
    certain cybersecurity-related items and tools that can be used for
    malicious activities; and

  • a new License Exception, Authorized Cybersecurity Exports
    (ACE), allowing for exports of cybersecurity items to many
    destinations, under certain conditions, without a BIS export
    license.

It should be noted that the ACE License Exception is unavailable
for exports to certain government and non-government end-users,
with some exports even to allied countries like Cyprus, Israel and
Taiwan being restricted. That said, ACE does include carve-outs
that permit exports of “software specifically designed and
limited to providing basic updates and upgrades, vulnerability
disclosure or cyber incident response” to the governments of
these and other allied countries.

BIS asserts these new export controls are narrow in scope and
will have minimal impact. However, cybersecurity service and
software providers, forensics firms, IT infrastructure
manufacturers and those engaged in vulnerability testing, research,
bug-bounty programs and other white-hat activities may take a
different view. In practice, entities engaged in these activities
could face significant implications if those activities potentially
involve the export, re-export or transfer of cybersecurity items.
BIS also recently signaled its intent to enforce cybersecurity
export controls, evidenced by its addition of four
cyber-surveillance firms to the U.S. Entity List (barring exports
of U.S. origin items to such parties), alleging their involvement
in developing, trafficking and using technologies for malicious
activities threatening the cybersecurity of civil society,
dissidents, government officials and organizations.

While the new rule does not take effect until Jan. 19, 2022, BIS
is seeking comments and public input “to ensure full
consideration of the potential impact,” including on the
potential cost of compliance and the impact on legitimate
cybersecurity activities. U.S. and non-U.S. entities dealing with
cybersecurity items and investors in U.S. entities who are active
with such technologies should assess the rule’s potential
impact and consider submitting comments by Dec. 6.

Update: Federal mandatory breach notification legislation

As covered previously, Congress is eyeing several pieces
of legislation that involve potentially mandatory cyber incident
reporting, a requirement that could have broad implications for
entities targeted for ransomware attacks and certain sectors like
critical infrastructure. To date, each bill varies in scope and
remains in the early stages of the legislative process. However, on
Oct. 25, the Congressional Research Service released its “Comparison of selected cyber
incident reporting bills.” The report provides a detailed
side-by-side comparison of the bills summarized below.

  • The Cyber Incident Reporting for Critical Infrastructure Act
    (H.R. 5440) would require reporting of qualifying incidents to the
    Cybersecurity and Infrastructure Security Agency (CISA) no more
    than 72 hours after discovery. At minimum, this would apply to
    cloud service providers, Managed Service Providers and critical
    infrastructure operators. Reporting entities would receive the
    liability and disclosure protections found in the Cybersecurity Act of 2015.

  • The Cyber Incident Notification Act of 2021 (S. 2407) would
    involve providing CISA an initial report within 24 hours after
    confirmation of a security incident with updates within 72 hours of
    any new information. At minimum, reporting entities would include
    federal agencies, contractors, critical infrastructure operators
    and cybersecurity companies, but liability protection is somewhat
    unclear compared to H.R. 5440.

  • The Cyber Incident Reporting Act of 2021 (S. 2875) would
    involve reporting to CISA within 72 hours of the discovery of an
    incident and mandatory reporting of ransomware payments within 24
    hours of such payment. S. 2875 would apply to critical
    infrastructure owners and operators. Other mandatory reporting
    requirements could apply based on the consequences of an attack and
    the likelihood of targeting by malicious actors. Reporting entities
    would receive the liability and disclosure protections found in the
    Cybersecurity Act of 2015.

  • Of the four leading mandatory reporting bills, the Ransom
    Disclosure Act (S. 2943) could have the furthest reach but is more
    limited in scope. The bill would require reporting to the
    Department of Homeland Security (DHS) no later than 48 hours after
    payment of a ransom by any public or private entity engaged in
    interstate commerce or that receives federal funds (including local
    governments). Unlike the three bills above, S. 2943 does not define
    liability protection.

Entities that may fall within the potential scope of mandatory
reporting bills should carefully track their progress and
applicability. While several specifics still need to be addressed,
given recent headline-grabbing security incidents, there appears to
be general bipartisan agreement on the need for federal action.

Changes to the GLBA Safeguards Rule

Citing recent widespread data breaches, cyberattacks and harm to
consumers, on Oct. 27, 2021, the Federal Trade Commission
(FTC) issued several updates to strengthen the Safeguards Rule.
Mandated under the Gramm-Leach-Bliley Act (GLBA), the Safeguards
Rule requires covered financial institutions to have measures in
place to keep customer information secure and imposes an obligation
to ensure affiliates and service providers safeguard customer
information in their care. The updated rule contains five
modifications that:

  • provide covered entities with more guidance on the development
    and implementation of specific aspects of an overall information
    security program (e.g., in-transit and at-rest encryption,
    monitoring/periodic pen-testing and assessments, multi-factor
    authentication, development of a written incident response plan and
    requirements for vendor safeguards).

  • improve the accountability of financial institution information
    security programs through a requirement to provide periodic reports
    to boards and governing bodies. Among other items, such reports
    must address the status of any recommended changes to an
    institution’s information security program and compliance with
    the rule. The update also requires the appointment of a single
    Qualified Individual that has ultimate responsibility for
    overseeing and managing a covered entity’s information security
    program.

  • exempt financial institutions that collect information on fewer
    than 5,000 consumers from the incident response plan, annual
    reporting and written risk assessment requirements.

  • expand the definition of financial institutions,
    bringing finders – companies that bring together buyers and sellers
    of products or services – within the scope of the rule.

  • define several terms and provide illustrative examples within the
    rule itself.

Overall, the second modification noted above is significant in
that directors and leaders of financial institutions need to take a
deliberate and non-passive role in data security issues and
organizational efforts to address them. While directors certainly
may not need to be involved in the fine details, they should
understand the development and implementation of security efforts,
maintain accountability and ensure that protection of consumer
information is an organization-wide endeavor.

ITEMS TO KNOW AND KEEP IN MIND GOING FORWARD

Who is Satoshi Nakamoto?

An ongoing trial in federal court in Miami, Fla., stemming from
a federal lawsuit filed in February 2018, may finally determine who
actually invented bitcoin, the first and most well-known
cryptocurrency.

The lawsuit was filed by the estate of Dave Kleiman, an American
computer forensic expert who passed away in 2013, against Craig
Wright, an Australian computer scientist, who claims to be the
creator of bitcoin. At issue in the case are 1.1 million bitcoins
(currently worth approximately $67 billion) and intellectual
property related to bitcoin software, which Wright allegedly
transferred to himself.

Bitcoin, a decentralized, digital currency utilizing a public
distributed ledger network referred to as a blockchain to verify
and record transactions, was created in 2008 with the publishing of
the white paper, “Bitcoin: A peer-to-peer electronic cash
system” by Satoshi Nakamoto, the pseudonym of bitcoin’s
creator. Hal Finney, a computer scientist who passed away in 2014,
is recognized as having received the first bitcoin transaction from
Satoshi and was an early contributor to its development. However,
the identity of Satoshi has never been conclusively confirmed,
although, in recent years, Wright has claimed to be Satoshi.

The estate of Kleiman seeks to show that Satoshi was, in fact, a
partnership involving both Wright and Kleiman through various
emails exchanged between the brother of Kleiman and Wright
following Dave Kleiman’s death.

Along with demonstrating the importance of documenting business
relationships, this case highlights the necessity of securely
storing bitcoins obtained from mining or other means and providing
a manner for transfer of ownership and access to one’s
successors.

Update: The Ohio Personal Privacy Act

As covered in our August edition, Ohio may soon
join California, Virginia and Colorado in passing a comprehensive
privacy statute. Broadly, the Ohio Personal Privacy Act
(OPPA) would provide Ohioans with legal rights to access, delete,
correct and opt-out of the sale of their personal data – elements
familiar to those found in other comprehensive privacy laws like
the EU’s General Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA). However, Ohio’s
legislation takes a unique and perhaps more business-friendly
approach by encouraging companies to adopt privacy standards set by
the National Institute of Standards and Technology (NIST). In turn,
the OPPA would provide for an affirmative defense where an entity
can show compliance with NIST standards. Overall, this approach
might better encourage businesses to adhere to best practices as
they change over time while avoiding cumbersome regulations
unresponsive to changes in technology.

The OPPA was drafted by CyberOhio, a committee launched by Gov.
DeWine while he was attorney general and that is made up of members
from academia, business and government. Notably, unlike similar
legislation elsewhere, the OPPA has not received significant
opposition from privacy groups. While the OPPA likely will be
amended as it makes its way through the Ohio legislature, a private
right of action seems unlikely given concerns over a wave of
litigation seen after the enactment of privacy legislation in
Illinois and California. The OPPA has the support of Ohio’s governor
and lieutenant governor and, absent a private right of action, the
OPPA would be a different approach to providing baseline
protections while balancing legitimate business concerns related to
litigation and potential liability.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
