BIS has issued an interim final rule, and entities dealing with
cybersecurity exports are being asked to submit comments by early
December. In this latest edition of our Privacy and Security
Roundup, we share the details of the final rule’s two key
measures including export restrictions and a new License Exception,
provide an update on cyber incident reporting legislation, discuss
modifications to the GLBA Safeguards Rule and much more.
White-hat activities and potential impact of new cybersecurity
The Commerce Department’s Bureau of Industry and Security
(BIS) issued a long-awaited interim final rule on Oct. 21,
2021, imposing export controls on certain cybersecurity software,
equipment and technology. Citing concern that these items could be
misused to “abuse human rights or conduct other malicious
cyber activities,” BIS stated its aim is to ensure “U.S.
companies are not fueling authoritarian practices.” Broadly,
the rule has two key components:
- restrictions on export, re-export or in-country transfers of
certain cybersecurity-related items and tools that can be used for
malicious activities; and
- a new License Exception, Authorized Cybersecurity Exports
(ACE), allowing for exports of cybersecurity items to many
destinations, under certain conditions, without a BIS export
It should be noted that the ACE License Exception is unavailable
for exports to certain government and non-government end-users,
with some exports even to allied countries like Cyprus, Israel and
Taiwan being restricted. That said, ACE does include carve-outs
that permit exports of “software specifically designed and
limited to providing basic updates and upgrades, vulnerability
disclosure or cyber incident response” to these and other
allied governments.
BIS asserts these new export controls are narrow in scope and
will have minimal impact. However, cybersecurity service and
software providers, forensics firms, IT infrastructure
manufacturers and those engaged in vulnerability testing, research,
bug-bounty programs and other white-hat activities may take a
different view. In practice, entities engaged in these activities
could face significant implications if those activities potentially
involve the export, re-export or transfer of cybersecurity items.
BIS also recently signaled its intent to enforce cybersecurity
export controls, evidenced by its addition of four
cyber-surveillance firms to the U.S. Entity List (barring exports
of U.S. origin items to such parties), alleging their involvement
in developing, trafficking and using technologies for malicious
activities threatening the cybersecurity of civil society,
dissidents, government officials and organizations.
While the new rule does not take effect until Jan. 19, 2022, BIS
is seeking comments and public input “to ensure full
consideration of the potential impact,” including on the
potential cost of compliance and the impact on legitimate
cybersecurity activities. U.S. and non-U.S. entities dealing with
cybersecurity items and investors in U.S. entities who are active
with such technologies should assess the rule’s potential
impact and consider submitting comments by Dec. 6.
Update: Federal mandatory breach notification legislation
As covered previously, Congress is eyeing several pieces
of legislation that involve potentially mandatory cyber incident
reporting, a requirement that could have broad implications for
entities targeted for ransomware attacks and certain sectors like
critical infrastructure. To date, each bill varies in scope and
remains in the early stages of the legislative process. However, on
Oct. 25, the Congressional Research Service released its “Comparison of selected cyber
incident reporting bills.” The report provides a detailed
side-by-side comparison of the bills summarized below.
- The Cyber Incident Reporting for Critical Infrastructure Act
(H.R. 5440) would require reporting of qualifying incidents to the
Cybersecurity and Infrastructure Security Agency (CISA) no more
than 72 hours after discovery. At minimum, this would apply to
cloud service providers, Managed Service Providers and critical
infrastructure operators. Reporting entities would receive the
liability and disclosure protections found in the Cybersecurity Act of 2015.
- The Cyber Incident Notification Act of 2021 (S. 2407) would
involve providing CISA an initial report within 24 hours after
confirmation of a security incident with updates within 72 hours of
any new information. At minimum, reporting entities would include
federal agencies, contractors, critical infrastructure operators
and cybersecurity companies, but liability protection is somewhat
unclear compared to H.R. 5440.
- The Cyber Incident Reporting Act of 2021 (S. 2875) would
involve reporting to CISA within 72 hours of the discovery of an
incident and mandatory reporting of ransomware payments within 24
hours of such payment. S. 2875 would apply to critical
infrastructure owners and operators. Other mandatory reporting
requirements could apply based on the consequences of an attack and
the likelihood of targeting by malicious actors. Reporting entities
would receive the liability and disclosure protections found in the
Cybersecurity Act of 2015.
- Of the four leading mandatory reporting bills, the Ransom
Disclosure Act (S. 2943) could have the furthest reach but is more
limited in scope. The bill would require reporting to the
Department of Homeland Security (DHS) no later than 48 hours after
payment of a ransom by any public or private entity engaged in
interstate commerce or that receives federal funds (including local
governments). Unlike the three bills above, S. 2943 does not define
Entities that may fall within the potential scope of mandatory
reporting bills should carefully track their progress and
applicability. While several specifics still need to be addressed,
given recent headline-grabbing security incidents, there appears to
be general bipartisan agreement on the need for federal action.
Changes to the GLBA Safeguards Rule
Citing recent widespread data breaches, cyberattacks and harm to
consumers, on Oct. 27, 2021, the Federal Trade Commission
(FTC) issued several updates to strengthen the Safeguards Rule.
Mandated under the Gramm-Leach-Bliley Act (GLBA), the Safeguards
Rule requires covered financial institutions to have measures in
place to keep customer information secure and imposes an obligation
to ensure affiliates and service providers safeguard customer
information in their care. The updated rule contains five
- provide covered entities with more guidance on the development
and implementation of specific aspects of an overall information
security program (e.g., in-transit and at-rest encryption,
monitoring/periodic pen-testing and assessments, multi-factor
authentication, development of a written incident response plan and
requirements for vendor safeguards).
- improve the accountability of financial institution information
security programs through a requirement to provide periodic reports
to boards and governing bodies. Among other items, such reports
must address the status of any recommended changes to an
institution’s information security program and compliance with
the rule. The update also requires the appointment of a single
Qualified Individual that has ultimate responsibility for
overseeing and managing a covered entity’s information security
- exempt financial institutions that collect information on fewer
than 5,000 consumers from incident response plan, annual reporting
and written risk assessment requirements.
- expand the definition of financial institutions,
bringing finders – companies that bring together buyers and sellers
of products or services – within the scope of the rule.
- define several terms and provide examples of the rule
Overall, the second modification noted above is significant in
that directors and leaders of financial institutions need to take a
deliberate and non-passive role in data security issues and
organizational efforts to address them. While directors certainly
may not need to be involved in the finer details, they should
understand the development and implementation of security efforts,
maintain accountability and ensure that protection of consumer
information is an organization-wide endeavor.
ITEMS TO KNOW AND KEEP IN MIND GOING FORWARD
Who is Satoshi Nakamoto?
An ongoing trial in federal court in Miami, Fla., stemming from
a federal lawsuit filed in February 2018, may finally determine
who actually invented bitcoin, the first and most well-known
cryptocurrency.
The lawsuit was filed by the estate of Dave Kleiman, an American
computer forensic expert who passed away in 2013, against Craig
Wright, an Australian computer scientist, who claims to be the
creator of bitcoin. At issue in the case are 1.1 million bitcoins
(currently worth approximately $67 billion) and intellectual
property related to bitcoin software, which Wright allegedly
transferred to himself.
Bitcoin, a decentralized, digital currency utilizing a public
distributed ledger network referred to as a blockchain to verify
and record transactions, was created in 2008 with the publishing of
the white paper, “Bitcoin: A peer-to-peer electronic cash
system” by Satoshi Nakamoto, the pseudonym of bitcoin’s
creator. Hal Finney, a computer scientist who passed away in 2014,
is recognized as having received the first bitcoin transaction from
Satoshi and was an early contributor to its development. However,
the identity of Satoshi has never been conclusively confirmed,
although, in recent years, Wright has claimed to be Satoshi.
The estate of Kleiman seeks to show that Satoshi was, in fact, a
partnership involving both Wright and Kleiman through various
emails exchanged between the brother of Kleiman and Wright
following Dave Kleiman’s death.
Along with demonstrating the importance of documenting business
relationships, this case highlights the necessity of securely
storing bitcoins obtained from mining or other means and providing
a manner for transfer of ownership and access to one’s
Update: The Ohio Personal Privacy Act
As covered in our August edition, Ohio may soon
join California, Virginia and Colorado in passing a comprehensive
privacy statute. Broadly, the Ohio Personal Privacy Act
(OPPA) would provide Ohioans with legal rights to access, delete,
correct and opt-out of the sale of their personal data – elements
familiar to those found in other comprehensive privacy laws like
the EU’s General Data Protection Regulation (GDPR) and the
California Consumer Privacy Act (CCPA). However, Ohio’s
legislation takes a unique and perhaps more business-friendly
approach by encouraging companies to adopt privacy standards set by
the National Institute of Standards and Technology (NIST). In turn,
the OPPA would provide for an affirmative defense where an entity
can show compliance with NIST standards. Overall, this approach
might better encourage businesses to adhere to best practices as
they change over time while avoiding cumbersome regulations
unresponsive to changes in technology.
The OPPA was drafted by CyberOhio, a committee launched by Gov.
DeWine while he was attorney general and that is made up of members
from academia, business and government. Notably, unlike similar
legislation elsewhere, the OPPA has not received significant
opposition from privacy groups. While the OPPA likely will be
amended as it makes its way through the Ohio legislature, a private
right of action seems unlikely given concerns over a wave of
litigation seen after the enactment of privacy legislation in
Illinois and California. The OPPA has the support of Ohio’s governor
and lieutenant governor and, absent a private right of action, the
OPPA would be a different approach to providing baseline
protections while balancing legitimate business concerns related to
litigation and potential liability.