The House of Representatives recently passed the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 (the Act).  The Act has been moved to the Senate for consideration. The legislation sets minimum security standards for all IoT devices purchased by government agencies.

IoT refers to the myriad of physical devices that are connected to the internet, collecting and sharing data.  They are used by both consumers and corporations.

Common examples range from consumer products such as fitness trackers and home thermostats to devices used by business and government that measure air quality or monitor the operation of military components.

Despite the tasks that can be accomplished by IoT devices, they remain vulnerable to cyberattack.  Currently, there is no national standard addressing cybersecurity for IoT devices.  There have been several attempts in recent years to develop a national IoT strategy. For example, in late 2017, a coalition of tech industry leaders released a report that put out a call for creation and implementation of a national strategy to invest, innovate and accelerate development and deployment of IoT, and stressed the need to enact legislation which would, inter alia, require IoT security measures in a “comprehensive manner.” Further, as far back as 2015, the FTC issued “concrete steps” businesses can take to enhance the privacy and security of IoT for consumers.

According to a statement issued by Rep. Robin Kelly (D-IL), sponsor of the Act in the House, “Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data.”  Senator Mark Warner (D-VA), who introduced the Senate version of the legislation back in 2017, and again in 2019, stated that, “manufacturers today just don’t have the appropriate market incentives to properly secure the devices they make and sell – that’s why this legislation is so important.”  Rep. Kelly’s statement noted that many IoT devices are shipped with factory-set passwords that are frequently unable to be updated or patched. IoT devices also can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack.

The Act requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on federal government agencies’ use of IoT devices.  The Act states that the Office of Management and Budget is to review government policies to ensure they are in line with NIST guidelines. Federal agencies would be prohibited from procuring IoT devices or renewing contracts for such devices if it is determined that they do not comply with the security requirements.

New technologies and devices continuously emerge, promising a myriad of societal, lifestyle and workforce advancements and benefits including increased productivity, talent recruiting and management enhancements, enhanced monitoring and tracking of human and other assets, and improved wellness tools. While these advancements are undoubtedly valuable, the privacy and security risks should be considered and addressed prior to implementation or use, even without national IoT security legislation in place.

A coalition of the Information Technology Industry Council, the Semiconductor Industry Association, the U.S. Chamber of Commerce Technology Engagement Center, Intel, and Samsung, recently released a report that puts out a call for the creation and implementation of a national strategy to invest, innovate and accelerate development and deployment of the Internet of Things (“IoT”). The report recognizes that IoT is an extremely valuable part of our nation’s fabric, as it will facilitate a fundamental transformation in society through safety improvement, greater private and public sector efficiency, and significant economic growth in all sectors.

According to the report, the launch of the coalition’s IoT initiative was fueled by a “call of a chorus of technology leaders seeking a forum to proactively coordinate and drive industry’s trusted advisor role in helping the United States to fully realize the vast benefits of IoT for economic and societal good.” Through a series of analytical recommendations, the report, among other things, sets forth a definition for the IoT, the importance of having the federal government involved as a leader in the development of a national IoT strategy, and steps for approaching security within the IoT.

Starting with the basics, the report recommends an adoption of a “broad-based” definition for future IoT strategy and policy. To allow for all forms of IoT to be recognized, the report’s definition simply states, “[t]he IoT consists of ‘things’ (devices) connected through a network to the cloud (datacenter) from which data can be shared and analyzed to create value (solve problems or enable new capabilities).” This definition captures billions of existing devices and importantly leaves room for the inclusion of technologies and devices that might be invented one day in the future.

On developing a workable national IoT strategy, the report stressed the need to enact the Developing Innovation and Growing the Internet of Things Act, legislation which would, according to the report, ensure that a “national IoT strategy” becomes a priority and provide a clear “national IoT vision.” IoT industry experts have found that a “[n]ational IoT Strategy is a much-needed first step to drive U.S. IoT leadership, and some of the most important elements of a national strategy will require affirmative action from Congress and the administration.” Going a step further, the report makes “strategic recommendations for the U.S. government to work with the industry to drive American IoT leadership” by creating “a policy and regulatory environment that will attract unparalleled private sector investment and innovation in the IoT, thereby modernizing the nation’s infrastructure, improving American manufacturing, and growing [gross domestic product].”

Security is another important area addressed by the report. According to the report, a “government-industry” collaboration is critical to improving the security of devices, data, networks and systems. IoT and security must be viewed in a “comprehensive manner,” the report notes, because security is an endless and evolving challenge to technology and “[t]here is no single ‘silver bullet’ in risk management and mitigation.” The “best” security policy would focus on the outcome rather than specific technologies or techniques because a specific requirement can “quickly become obsolete,” the report points out. Implementing this kind of security policy would be a “win-win proposition for makers, providers, and purchasers.” Therefore, the report concludes that future federal policies should be “flexible” as to encourage “ongoing innovation and best practices” for security.

On a related note, increasingly common security breaches can bring about the issue of liability. In fact, class action data breach litigation has increased significantly in recent years. In these actions, plaintiffs seek damages from the businesses that “failed” to provide sufficient data security. But, with the IoT, who should really be held liable? Many plaintiffs’ attorneys argue that all IoT businesses within the IoT “supply chain” should be held liable for damages arising from data breach and lack of security. Yet identifying and understanding exactly who is in the “supply chain” can be extremely challenging.

All in all, a nationally recognized, flexible and multi-stakeholder IoT policy can provide a “smart” solution to cybersecurity issues because “IoT risk mitigation is a constantly evolving, shared responsibility between government and the private sector.” The threat of IoT cyberattacks is not speculative, as we have seen a major wave of cyberattacks due to “vulnerable” devices that did not have sufficient security.

The coalition’s report is a critical framework for advancing the development of IoT in the United States. It is now incumbent on private industry as well as the federal government to implement many – if not all – of the report’s recommendations.


Recognizing the growing number of connected and interconnected devices, a bipartisan group of Senators recently introduced a bill which would convene a working group of Federal stakeholders to provide recommendations to Congress on how to appropriately plan for and encourage the proliferation of the Internet of Things (IoT).

The Developing Innovation and Growing the Internet of Things Act (DIGIT Act) would require the working group to examine the IoT for current and future spectrum needs, the regulatory environment (including identification of sector-specific regulations, Federal grant practices, and budgetary or jurisdictional challenges), consumer protection, privacy and security, and the current use of technology by Federal agencies and their preparedness to adopt it in the future.

While the working group would seek representatives from the Department of Transportation (DOT), the Federal Communications Commission (FCC), the Federal Trade Commission (FTC), the National Science Foundation, the Department of Commerce, and the Office of Science and Technology, the working group would also be required to consult with non-Governmental stakeholders, including: (i) subject matter experts, (ii) information and communications technology manufacturers, suppliers, and vendors, (iii) small, medium, and large businesses, and (iv) consumer groups.  The findings and recommendations of the working group would be submitted to the appropriate committees of Congress within one year of the bill’s enactment.

Additionally, the DIGIT Act would also direct the FCC, in consultation with the National Telecommunications and Information Administration, to conduct its own study to assess the current and future spectrum needs of the IoT. The FCC would similarly have one year after the enactment of the Act to submit a report including recommendations as to whether there is adequate licensed and unlicensed spectrum availability to support the growing IoT, what regulatory barriers may exist, and what the role of licensed and unlicensed spectrum is in the growth of the IoT.

According to the bill, estimates indicate more than 50,000,000,000 devices will be connected by the year 2020, with the IoT having the potential to generate trillions of dollars in economic opportunity.  Similarly, the IoT will allow businesses across the country to simplify logistics, cut costs, and pass savings on to consumers.  Believing the United States leads the world in the development of technologies that support the IoT and that this technology may be implemented by the U.S. Government to better deliver services to the public, the DIGIT Act was introduced following a previous Senate Resolution (Senate Resolution 110, 114th Congress) calling for a national strategy for the development of the IoT.

The Internet of Things (IoT), as defined by Wikipedia, is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit.  Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

In short, if we look at the objects we use in everyday life – from our phones, to our laptops, to even our copy machines or printers at work – each is able to collect and potentially exchange vast amounts of data.  While the capabilities of these devices and objects to collect data and exchange data will likely improve our daily lives, it is also important to examine how to protect the privacy and security of the information and data which is collected and shared.

As we have previously discussed, the Fixing America’s Surface Transportation Act (FAST Act) includes a number of provisions related to privacy, including an amendment to the Gramm-Leach-Bliley Act (GLBA) as well as the enactment of the Driver Privacy Act of 2015.  Interestingly, the FAST Act also requires a report on the potential of the IoT to improve transportation services in rural, suburban, and urban areas.

Specifically, Section 3024 of Title III requires the Secretary of Transportation to submit a report to Congress not later than 180 days after December 4, 2015 (the enactment date of the FAST Act).  The report, presumably to address the issues discussed above, is to include (1) a survey of the communities, cities, and States that are using innovative transportation systems to meet the needs of aging populations; (2) best practices to protect privacy and security, as determined as a result of such survey; and (3) recommendations with respect to the potential of the IoT to assist local, State, and Federal planners to develop more efficient and accurate projections of the transportation.

While it is unclear exactly what information will be captured in the report, it’s clear the drafters of Section 3024 have recognized the importance of data privacy and security while utilizing the IoT to improve transportation.  On a more personal note, I have to believe I am not alone in hoping that the report will finally address (and correct!) the traffic patterns related to my daily commute!

In honor of Data Privacy Day, we provide the following “Top 10 for 2021.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2021.

  1. COVID-19 privacy and security considerations.

During 2020, COVID-19 presented organizations large and small with new and unique data privacy and security considerations. Most organizations, particularly in their capacity as employers, needed to adopt COVID-19 screening and testing measures resulting in the collection of medical and other personal information from employees and others. This will continue in 2021 with the addition of vaccination programs. So, for 2021, ongoing vigilance will be needed to maintain the confidential and secure collection, storage, disclosure, and transmission of medical and COVID-19 related data that may now include tracking data related to vaccinations or the side effects of vaccines.

Several laws apply to data the organizations may collect. In the case of employees, for example, the Americans with Disabilities Act (ADA) requires maintaining the confidentiality of employee medical information, and this may include COVID-19 related data. Several state laws also have safeguard requirements and other protections for such data that organizations should be aware of when they, or others on their behalf, process that information.

Many employees will continue to telework during 2021. A remote workforce creates increased risks and vulnerabilities for employers in the form of sophisticated phishing email attacks or threat actors gaining unauthorized access through unsecured remote access tools. It also presents privacy challenges for organizations trying to balance business needs and productivity with expectations of privacy. These risks and vulnerabilities can be addressed and remediated through periodic risk assessments, robust remote work and bring your own device policies, and routine monitoring.

As organizations work to create safe environments for the return of workers, customers, students, patients and visitors, they may rely on various technologies such as wearables, apps, devices, kiosks, and AI designed to support these efforts. These technologies must be reviewed for potential privacy and security issues and implemented in a manner that minimizes legal risk.

Some reminders and best practices when collecting and processing information referred to above and rolling out these technologies include:

  • Complying with applicable data protection laws when data is collected, shared, secured and stored, including the ADA, the Genetic Information Nondiscrimination Act, the CCPA, the GDPR and various state laws. This includes providing required notice at collection under the California Consumer Privacy Act (CCPA), or required notice and a documented lawful basis for processing under the GDPR, if applicable;
  • Complying with contractual agreements regarding data collection; and
  • Contractually ensuring vendors who have access to or collect data on behalf of the organization implement appropriate measures to safeguard the privacy and security of that data.
  2. The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)

On January 1, 2020, the CCPA ushered in a range of new rights for consumers, including:

  • The right to request deletion of personal information;
  • The right to request that a business disclose the categories of personal information collected and the categories of third parties to which the information was sold or disclosed;
  • The right to opt-out of sale of personal information; and
  • The California consumer’s right to bring a private right of action against a business that experiences a data breach affecting their personal information as a result of the business’s failure to implement “reasonable safeguards.”

The CCPA carves-out (albeit not entirely) employment-related personal information from the CCPA’s provisions. It limits employee rights to notice of the categories of personal information collected by the business and the purpose for doing so, and the right to bring a private right of action against a business that experiences a data breach affecting their personal information.

In November, California voters passed the California Privacy Rights Act (CPRA), which amends and supplements the CCPA, expanding compliance obligations for companies and consumer rights. Of particular note, the CPRA extends the employment-related personal information carve-out until January 1, 2023. The CPRA also introduces consumer rights relating to certain sensitive personal information, imposes an affirmative obligation on businesses to implement reasonable safeguards to protect certain consumer personal information, and prevents businesses from retaliating against employees for exercising their rights.  The CPRA’s operative date is January 1, 2023, and draft implementation regulations are expected by July 1, 2022. Businesses should monitor CCPA/CPRA developments and ensure their privacy programs and procedures remain aligned with current CCPA compliance requirements.

In 2021, businesses can expect various states, including Washington, New York, and Minnesota to propose or enact CCPA-like legislation.

  3. Biometric Data

There was a continued influx of biometric privacy class action litigation in 2020, and this will likely continue in 2021. In early 2019, the Illinois Supreme Court handed down a significant decision concerning the ability of individuals to bring suit under the Illinois Biometric Information Privacy Act (BIPA). In short, individuals need not allege actual injury or adverse effect beyond a violation of their rights under BIPA to qualify as an aggrieved person and be entitled to seek liquidated damages, attorneys’ fees and costs, and injunctive relief under the Act.

Consequently, simply failing to adopt a policy required under BIPA, collecting biometric information without a release or sharing biometric information with a third party without consent could trigger liability under the statute. Potential damages are substantial as BIPA provides for statutory damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation of the Act. There continues to be a flood of BIPA litigation, primarily against employers with biometric timekeeping/access systems that have failed to adequately notify and obtain written releases from their employees for such practices.

Like many aspects of 2020, biometric class action litigation has also been impacted by COVID-19. Screening programs in the workplace may involve the collection of biometric data, whether by a thermal scanner, facial recognition scanner or other similar technology. In late 2020, plaintiffs’ lawyers filed a class action lawsuit on behalf of employees concerning their employer’s COVID-19 screening program, which is alleged to have violated the BIPA. According to the complaint, employees were required to undergo facial geometry scans and temperature scans before entering company warehouses, without prior consent from employees as required by law. More class action lawsuits of this nature are likely on the horizon.

The law in this area is still lagging behind the technology but starting to catch up. In addition to Illinois’s BIPA, Washington and Texas have similar laws, and states including Arizona, Florida, Idaho, Massachusetts and New York have also proposed such legislation. The proposed biometric law in New York would mirror Illinois’ BIPA, including its private right of action provision. In California, the CCPA also broadly defines biometric information as one of the categories of personal information protected by the law.

Additionally, states are increasingly amending their breach notification laws to add biometric information to the categories of personal information that require notification, including 2020 amendments in California, D.C., and Vermont. Similar proposals across the U.S. are likely in 2021.

A report released by Global Market Insights, Inc. in November 2020 estimates the global market valuation for voice recognition technology will reach approximately $7 billion by 2026, in large part due to the surge of AI and machine learning across a wide array of devices including smartphones, healthcare apps, banking apps and connected cars, just to name a few. Voice recognition is generally classified as a biometric technology which allows the identification of a unique human characteristic (e.g. voice, speech, gait, fingerprints, iris or retina patterns), and as a result voice-related data qualifies as biometric information and in turn as personal information under various privacy and security laws. For businesses exploring the use of voice recognition technology, whether for use by their employees to access systems or when manufacturing a smart device for consumers or patients, there are a number of privacy and security compliance obligations to consider, including the CCPA, GDPR, state data breach notification laws, BIPA, COPPA, vendor contract statutes, and statutory and common law safeguarding mandates.

  4. HIPAA

During 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services was active in enforcing HIPAA regulations. The past year saw more than $13.3 million recorded by OCR in total resolution agreements. OCR settlements have impacted a wide array of health industry-related businesses, including hospitals, health insurers, business associates, physician clinics and mental health/substance abuse providers. Twelve of these settlements were under the OCR’s Right to Access Initiative, which enforces patients’ rights to timely access of medical records at reasonable cost. It is likely this level of enforcement activity will continue in 2021.

The past year produced a significant amount of OCR-issued guidance relating to HIPAA. In March, OCR issued back-to-back guidance on COVID-19-related issues, first regarding the provision of protected health information (PHI) of COVID-19 exposed individuals to first responders, and next providing FAQs for telehealth providers. In July, the director of the OCR issued advice to entities subject to HIPAA in response to the influx of recent OCR enforcement actions: “When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information.” Finally, in September, the OCR published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization and improve HIPAA Security Rule compliance, and shortly after it issued updated guidance on HIPAA for mobile health technology.

In December, Congress amended the Health Information Technology for Economic and Clinical Health Act to require the Secretary of Health and Human Services to consider certain recognized security practices of covered entities and business associates when making certain determinations, and for other purposes. In 2021, businesses will want to review their information security practices in light of applicable recognized security practices in an effort to demonstrate reasonable safeguards and potentially minimize penalties in the event of a cybersecurity incident.

  5. Data Breaches

The past year was marked by an escalation in ransomware attacks, sophisticated phishing emails, and business email compromises. Since many of these attacks were fueled in part by vulnerabilities due to an increased remote workforce, 2021 will likely be more of the same.

Setting up that new IoT device you received for Christmas? Maybe you’ve been derelict in feeding the dog and found a smart dog feeder under the tree, one that will alert you that Luna has been fed or that you have to refill the feeder. Smart gizmos are not just for the home: approximately 25% of businesses use Internet of Things (IoT) technology, a figure only expected to grow substantially. With that growth will come new and varied applications for IoT technology, along with a need to understand the different kinds of risks it presents. Earlier this month, on December 4, 2020, President Trump signed the Internet of Things Cybersecurity Improvement Act of 2020 (Act). The Act is directed at federal agencies, but is likely to have a significant impact in the private sector as well.

Passed by the House in September 2020, the Act mandates that a cybersecurity framework be created for the appropriate use and management by federal agencies of IoT devices owned or controlled by an agency and connected to information systems owned or controlled by an agency. Perhaps the most notable provision of the Act is for contractors of federal agencies and their subcontractors: effective two years from enactment, December 5, 2022, and subject to limited opportunities for a waiver, federal agencies will be:

prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40, United States Code, of a contract for such device that the use of such device prevents compliance with the standards and guidelines developed under [the Act].

What are the Standards and Guidelines to be Developed under the Act?

Within 90 days following enactment, the Act requires the Director of the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines on the appropriate use and management by federal agencies of IoT devices they own or control and which are connected to information systems they own or control. Along with bearing in mind standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships, the Director also must consider the following for IoT devices:

  • Secure development.
  • Identity management.
  • Patching.
  • Configuration management.

In addition, within 180 days following enactment, the Director must publish guidelines for the reporting, coordinating, publishing, and receiving of information about security vulnerabilities relating to information systems owned or controlled by an agency (including IoT devices) and for resolving those vulnerabilities. The Director also must provide guidance for contractors and subcontractors on receiving information on potential information system vulnerabilities and disseminating information about resolutions.

What Does This Mean for IoT Devices?

For federal contractors and subcontractors, it will mean closely tracking and incorporating security standards and guidelines published by NIST, as well as being prepared to receive and act on information about potential security vulnerabilities received from federal agencies concerning devices and systems, and to disseminate information on resolutions for those vulnerabilities. However, the Act also may establish recognized best practices for IoT devices, resulting in broader adoption in the private sector. In the meantime, NIST has already started developing the standards and guidelines that will flow from the Act.

Last week, in its Cybersecurity Summer Newsletter, the Office for Civil Rights (OCR) published best practices for creating an IT asset inventory list to assist healthcare providers and business associates in understanding where electronic protected health information (ePHI) is located within their organization, and improve HIPAA Security Rule compliance.  OCR investigations often find that organizations “lack sufficient understanding” of where all of their ePHI is located, and while the creation of an IT asset inventory list is not required under the HIPAA Security Rule, it could be helpful in the development of a risk analysis, and in turn in implementing appropriate safeguards, which are HIPAA Security Rule requirements. Essentially, if an organization doesn’t know what IT assets it has or where its ePHI is, how can it effectively assess the risks associated with those assets and information and protect them?

The lack of an inventory, or an inventory lacking sufficient information, can lead to gaps in an organization’s recognition and mitigation of risks to the organization’s ePHI.  Having a complete understanding of one’s environment is key to minimizing these gaps and may help ensure that a risk analysis is accurate and thorough, as required by the Security Rule.

In general, an organization’s IT asset inventory list consists of “IT assets with corresponding descriptive information, such as data regarding identification of the asset (e.g., vendor, asset type, asset name/number), version of the asset (e.g., application or OS version), and asset assignment (e.g., person accountable for the asset, location of the asset).”

The OCR Newsletter suggests including the following types of assets in an organization’s IT asset inventory list:

  • Hardware assets that comprise physical elements, including electronic devices and media, which make up an organization’s networks and systems. This can include mobile devices, servers, peripherals, workstations, removable media, firewalls, and routers.
  • Software assets that are programs and applications which run on an organization’s electronic devices. Well-known software assets include anti-malware tools, operating systems, databases, email, administrative and financial records systems, and electronic medical/health record systems. Though lesser known, there are other programs important to IT operations and security such as backup solutions, virtual machine managers/hypervisors, and other administrative tools that should be included in an organization’s inventory.
  • Data assets that include ePHI that an organization creates, receives, maintains, or transmits on its network, electronic devices, and media. How ePHI is used and flows through an organization is important to consider as an organization conducts its risk analysis.

In addition, the OCR Newsletter recommends the inclusion of IT assets that don’t necessarily store or process ePHI, but that still may lead to a security incident, such as Internet of Things (IoT) or other smart devices.  For example, a recent study by Quocirca, a security research firm, found that approximately 60% of businesses in the U.S., U.K., France and Germany suffered an IoT printer-related data breach in 2019, with the average breach costing an organization approximately $400,000.

The OCR Newsletter also describes other cybersecurity-related and HIPAA compliance benefits an IT asset inventory list can provide beyond the risk analysis. For example, HIPAA requires that covered entities and business associates “[i]mplement policies and procedures that govern the receipt and removal of hardware and electronic media that contain [ePHI] into and out of a facility, and the movement of these items within the facility,” which is far easier if the organization already has an IT asset inventory list with location, owner and assignment information in place.  Moreover, an IT asset inventory list can aid an organization in identifying and tracking devices to ensure timely updates, patches and password changes.
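The three groups of descriptive information the Newsletter lists (identification, version, assignment) map naturally onto a structured inventory that can be checked automatically. The following Python example is added here for illustration; it is not code from OCR or from the original post. The inventory records, the column names, the 90-day patch threshold and the set of patchable asset types are constructed assumptions. It parses a CSV export in the shape the Newsletter describes, then produces the gap report a risk analysis would want: assets with no accountable owner or location (which makes the media-movement tracking quoted above impossible), assets with stale or missing patch records, and devices still running factory default credentials, with the lobby printer included even though it holds no ePHI.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample inventory (not real assets). The first six columns follow
# the Newsletter's groups: identification (asset_id, asset_type, vendor),
# version, and assignment (owner, location). The remaining columns are assumed
# additions that the gap checks below need.
SAMPLE_INVENTORY_CSV = """\
asset_id,asset_type,vendor,version,owner,location,handles_ephi,last_patched,default_credentials
WS-0042,workstation,Dell,Windows 10 20H2,jsmith,Clinic A Rm 3,yes,2020-09-01,no
SRV-EHR-01,server,HP,RHEL 8.2,itops,Data Center,yes,2020-06-15,no
PRN-LOBBY,iot,Xerox,FW 4.1,,Lobby,no,,yes
USB-0007,removable media,SanDisk,n/a,rjones,,yes,,no
HYP-01,software,VMware,ESXi 7.0,itops,Data Center,no,2020-10-01,no
"""

REPORT_DATE = date(2020, 10, 15)            # assumed "today" for the report
PATCH_MAX_AGE = timedelta(days=90)          # assumed policy threshold
PATCHABLE_TYPES = {"workstation", "server", "iot", "software",
                   "firewall", "router", "mobile"}   # media has no patch level


@dataclass
class Asset:
    asset_id: str
    asset_type: str
    vendor: str
    version: str
    owner: Optional[str]
    location: Optional[str]
    handles_ephi: bool
    last_patched: Optional[date]
    default_credentials: bool


def _yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "y", "true", "1"}


def load_inventory(csv_text: str) -> List[Asset]:
    """Parse a CSV export of the inventory; blank cells become None."""
    assets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        patched = row["last_patched"].strip()
        assets.append(Asset(
            asset_id=row["asset_id"].strip(),
            asset_type=row["asset_type"].strip().lower(),
            vendor=row["vendor"].strip(),
            version=row["version"].strip(),
            owner=row["owner"].strip() or None,
            location=row["location"].strip() or None,
            handles_ephi=_yes(row["handles_ephi"]),
            last_patched=date.fromisoformat(patched) if patched else None,
            default_credentials=_yes(row["default_credentials"]),
        ))
    return assets


def inventory_gaps(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map asset_id -> findings. Every asset is checked, whether or not it
    touches ePHI: a lobby printer on a factory password is still a foothold
    into the network that holds the ePHI."""
    gaps: Dict[str, List[str]] = {}
    for a in assets:
        issues = []
        if a.owner is None:
            issues.append("no accountable owner")
        if a.location is None:
            issues.append("no location (cannot track movement of media)")
        if a.asset_type in PATCHABLE_TYPES:
            if a.last_patched is None:
                issues.append("no patch record")
            elif today - a.last_patched > PATCH_MAX_AGE:
                issues.append(f"not patched in {(today - a.last_patched).days} days")
        if a.default_credentials:
            issues.append("factory default credentials still set")
        if issues:
            gaps[a.asset_id] = issues
    return gaps


def prioritized(assets: List[Asset], gaps: Dict[str, List[str]]) -> List[Tuple[str, List[str]]]:
    """Order findings so assets that store or move ePHI come first."""
    by_id = {a.asset_id: a for a in assets}
    return sorted(gaps.items(), key=lambda kv: (not by_id[kv[0]].handles_ephi, kv[0]))


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_INVENTORY_CSV)
    for asset_id, issues in prioritized(inv, inventory_gaps(inv, REPORT_DATE)):
        print(asset_id, "->", "; ".join(issues))
```

Running the block prints the findings with the ePHI-handling assets first. Putting the lobby printer in the same report as the EHR server is the point of the Newsletter's advice: the device that holds no ePHI is often the one nobody owns, nobody patches, and nobody has moved off its factory password.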

HIPAA compliance is no doubt a significant challenge for large and small covered healthcare providers, and for other covered entities and business associates, and data breaches are almost inevitable. Preparation of a comprehensive IT asset inventory, while not required, can go a long way toward both ensuring HIPAA compliance and preventing a security incident.  Below are some additional basic compliance measures:

  • Provide training and improve security awareness for workforce members when they begin working for the organization and periodically thereafter.
  • Maintain written policies and procedures that address the administrative, physical, and technical safeguards required under the Security Rule.
  • Maintain business associate agreements with all business associates.
  • Document compliance efforts.
  • Maintain and practice an incident response plan in the event of a data breach.

The National Security Agency (NSA) recently released helpful guidance on how to limit location data exposure, written for its own staffers but equally useful to the general public. Businesses will likely view location data differently than the NSA, which is trying to protect its staffers and its vital national security missions. Businesses may want location data about their consumers and workforce members for several reasons, but some may not realize they are even collecting it. As laws such as the California Consumer Privacy Act (CCPA) become more widespread in the U.S., businesses will need to be more deliberate and aware of the data they collect.

The NSA guidance provides an outline of categories of mobile device geolocation services and recommendations on how to prevent exposure of sensitive location information and limit the amount of location data shared. The NSA also recommends pairing its guidance with an earlier Cybersecurity & Infrastructure Security Agency (CISA) security tip on privacy and mobile device apps.

As many businesses think about the categories of personal information they collect from consumers, members of their workforce, and others, geolocation may be the last thing that comes to mind. However, businesses are increasingly deploying apps, mobile phones, and devices to further their business needs. Consider the response to the COVID-19 pandemic: many businesses have obtained or developed devices and apps that let them screen employees and consumers for coronavirus symptoms more efficiently and maintain social distancing. The data those technologies collect may not be apparent, as businesses may be focused on quickly meeting CDC and state guidance. More traditionally, businesses might provide their workforce members with company-owned iPhones, Fitbits for a wellness program, tablets to interact with consumers, or some other smart device or app, without realizing all of their capabilities or configurations.

“A cell phone begins exposing location data the second it is powered on because it inherently trusts cellular networks and providers. Devices’ location data, from GPS to Wi-Fi or Bluetooth connections, may be acquired by others with or without the user or provider’s consent,” states the NSA. “Anything that sends and receives wireless signals has location risks similar to phones, including Internet of Things (IoT) devices, vehicles and many products with ‘smart’ included in the name.”

In virtually all cases, the NSA will have different considerations for collecting and managing location data. For businesses, such information can serve legitimate business needs. However, under the CCPA, for example, businesses must provide “consumers” (which currently includes employees and applicants residing in California) with a notice at collection. This notice must explain the categories of personal information the business collects, and geolocation data is one of those categories. The notice also must explain the purposes for which the business will use such data. As businesses roll out new technologies, therefore, they will need to consider the full scope of data collection, even if they have no interest in all of the data those technologies are capable of collecting. If a business determines location data is not needed, the NSA guidance provides mitigation tips to help limit its collection:

  • Disable location service settings on the device.
  • Disable radios when they are not actively in use: disable Bluetooth and turn off Wi-Fi if these capabilities are not needed.
  • Use Airplane Mode when the device is not in use.
  • Apps should be given as few permissions as possible (e.g., set privacy settings to ensure apps are not using or sharing location data).
  • Turn off settings (typically known as Find My or Find My Device settings) that allow a lost, stolen, or misplaced device to be tracked.
  • Set browser privacy/permission location settings to not allow location data usage.
  • Use an anonymizing Virtual Private Network (VPN) to help obscure location.
  • Minimize the amount of data with location information that is stored in the cloud, if possible.

Of course, there are situations where the business will want location data collected, such as on company-provided devices with Find My Device capabilities that allow lost, stolen, or misplaced devices to be located.

As many who have gone through compliance with the European Union’s General Data Protection Regulation know, the CCPA and other laws that may follow it in the U.S. will require businesses to think more carefully about the personal information they collect, including location data. The NSA guidance is a helpful starting point for thinking about the steps a business can take to apply best practices to its collection of location data.

On April 17th, the National Institute of Standards and Technology (“NIST”), a component of the U.S. Commerce Department, released Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework Version 1.1”), which incorporates feedback from NIST-led workshops, public comments, and questions received by NIST team members over the last two years.

The Cybersecurity Framework development process was initiated by President Barack Obama’s Executive Order 13636, released on February 12, 2013. The Executive Order tasked NIST with developing a framework that would promote sharing of cybersecurity threat information and assemble a set of current, proven approaches for reducing cybersecurity risks to critical infrastructure. The original Cybersecurity Framework Version 1.0 was released on February 12, 2014, providing a systematic methodology for managing cybersecurity risk. It was intended to complement, not replace, an organization’s cybersecurity and risk management program, and was written with industries vital to national and economic security in mind, including energy, communications, banking and defense. It has since proven adaptable for both small and large businesses across all industries.

Cybersecurity Framework Version 1.1 has evolved with the changes in cyber threats, technologies, and industries since the release of Version 1.0 in 2014. “The release of the Cybersecurity Framework Version 1.1 is a significant advance that truly reflects the success of the public-private model for addressing cybersecurity challenges,” said Under Secretary of Commerce for Standards and Technology and NIST Director Walter G. Copan. Moreover, Matt Barrett, Program Manager for the Cybersecurity Framework, emphasized that in the updated version “We’re looking forward to reaching more industries, supporting federal agencies, and especially helping more small businesses across the U.S. benefit from the framework”.

A Factsheet for the Cybersecurity Framework Version 1.1 provided by NIST indicates several key points:

  • Refined for clarity, it’s fully compatible with Cybersecurity Framework Version 1.0 and remains flexible, voluntary, and cost-effective;
  • Declares applicability for “technology,” which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
  • Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cybersecurity requirements;
  • Enhances guidance for applying the Cybersecurity Framework Version 1.1 to supply chain risk management;
  • Summarizes the relevance and utility of Cybersecurity Framework Version 1.1’s measurement for organizational self-assessment;
  • Better accounts for authorization, authentication, and identity proofing.

“This update refines, clarifies and enhances Version 1.0,” said Barrett. “It is still flexible [enough] to meet an individual organization’s business or mission needs and applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things.”

In the coming months, NIST anticipates releasing the Roadmap for Improving Critical Infrastructure Cybersecurity Version 1.1, a companion document to the Cybersecurity Framework Version 1.1 that will identify key areas of development, alignment and collaboration. In addition, NIST will host a public webcast on April 27, 2018 at 1 p.m. Eastern to discuss updates to the Cybersecurity Framework, and plans to hold a Cybersecurity Risk Management Conference in November 2018. This set of NIST cybersecurity resources is flexible and user-friendly, and can benefit small and large businesses across a broad range of industries in their approach to cybersecurity and risk management policies and procedures.

On November 2nd, New York Attorney General Eric T. Schneiderman announced his proposal of the SHIELD Act – Stop Hacks and Improve Electronic Data Security Act – a bill that would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information.

“It’s clear that New York’s data security laws are weak and outdated. The SHIELD Act would help ensure these hacks never happen in the first place. It’s time for Albany to act, so that no more New Yorkers are needlessly victimized by weak data security measures and criminal hackers who are constantly on the prowl,” said Attorney General Eric Schneiderman.

Key aspects of the proposed SHIELD Act include:

  • Covering any business that holds sensitive data of New York residents. Interestingly, the proposed legislation would amend the existing breach notification requirement to remove language currently limiting application of the notification rule to persons or businesses that conduct business in New York
  • Requiring all covered businesses to implement “reasonable” administrative, technical, and physical safeguards to protect sensitive data
  • Businesses that are already regulated by and comply with certain applicable state or federal cybersecurity laws (e.g., HIPAA, NY DFS Reg 500, Gramm-Leach-Bliley Act) are considered “compliant regulated entities” under the SHIELD Act. These entities, and others that are annually certified by an authorized and independent third party as compliant with certain data security standards, such as the most current version of the ISO/NIST standards, are called “certified compliant entities.” These entities are deemed compliant with the proposed law’s reasonable safeguard requirements, and a safe harbor from state enforcement actions would apply to “certified compliant entities”
  • A more flexible standard would exist for small businesses (fewer than 50 employees and under $3 million in gross revenue; or less than $5 million in assets)
  • Data breach notification obligations would become broader by (i) adding “access to” (in addition to the current trigger, “acquisition”) as a trigger for notification, and (ii) expanding the data elements that, if breached, would require notification to include username/password combinations, biometric data, and HIPAA-covered health data
  • Deeming inadequate security to be a violation of General Business Law § 349 and permitting the Attorney General to bring suit and civil penalties under General Business Law § 351

AG Schneiderman’s proposed bill comes on the heels of several massive data breaches and ransomware attacks (e.g., WannaCry). The proposed SHIELD Act has the support of two major sponsors in the State Legislature: Senator David Carlucci (D-Clarkstown) of the Independent Democratic Conference and Assemblyman Brian Kavanagh (D-Manhattan), who lead their respective chambers’ consumer protection committees.

Although the SHIELD Act is a significant step forward for the Empire State, it does not come as a surprise. Attorney General Schneiderman has been vocal and proactive in the pursuit of heightened data security. Following a recent massive credit reporting agency breach, Schneiderman sent formal inquiries to the two other major credit reporting agencies, asking them to detail their security measures, the steps they have taken since learning of the breach, and how they will further assist consumers in protecting their personal information.

In addition, AG Schneiderman has brought several enforcement actions in 2017 against companies that failed to effectively protect consumer information. In January, Schneiderman announced a settlement with Acer Service Corporation, a computer manufacturer in Taiwan, after a data breach of its website exposed 35,000 credit card numbers. An investigation by the AG’s office revealed that sensitive customer information had gone unprotected for almost a full year. Acer agreed to pay $115,000 in penalties and improve its data security practices. In April, Schneiderman announced that TRUSTe, Inc. agreed to settle allegations that it failed to properly verify that customer websites aimed at children did not run third-party software to track users. TRUSTe agreed to pay $100,000 and “adopt new measures to strengthen its privacy assessment.” In June, Schneiderman brought his first enforcement action against a wireless security company, Safetech Products LLC, for failing to implement adequate security in its Internet of Things (IoT) devices. The investigation found that Safetech’s products did not force users to change default passwords and did not encrypt passwords sent over the network. As part of the settlement agreement, Safetech agreed to implement a written comprehensive security program.
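The Safetech findings (no forced change of the default password, passwords sent unencrypted) describe a firmware design flaw, not only a compliance lapse. The following Python example is added here for illustration and is not code from Safetech, the Attorney General’s office or the original post; the factory password, the 12-character minimum and the class names are assumptions. It shows the weak login handler beside a hardened one that authenticates the factory credential only to demand its replacement, refuses the factory value or a short value as the new password, and stores a salted PBKDF2 hash rather than the password itself. Transport encryption, the second Safetech finding, is a separate layer and is not shown.

```python
import hashlib
import hmac
import os
import secrets

FACTORY_PASSWORD = "admin"   # assumed factory default, for illustration only
MIN_LENGTH = 12              # assumed policy minimum for a replacement password
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the device stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class VulnerableDevice:
    """The pattern the AG found: the factory password works forever and is
    kept in clear, so anyone with the vendor's manual can log in."""

    def __init__(self) -> None:
        self.password = FACTORY_PASSWORD

    def login(self, password: str):
        return "session" if password == self.password else None


class HardenedDevice:
    """The factory credential authenticates only to a mandatory password change."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.digest = _derive(FACTORY_PASSWORD, self.salt)
        self.must_change = True   # cleared once the factory value is replaced

    def _check(self, password: str) -> bool:
        # constant-time compare so the check does not leak how many bytes matched
        return hmac.compare_digest(_derive(password, self.salt), self.digest)

    def login(self, password: str):
        """Return a session token, 'change_password', or None on failure."""
        if not self._check(password):
            return None
        if self.must_change:
            return "change_password"   # authenticated, but no session until changed
        return secrets.token_hex(16)

    def change_password(self, current: str, new: str) -> bool:
        if not self._check(current):
            return False
        # refuse the factory value, a no-op change, and anything under the minimum
        if new == FACTORY_PASSWORD or new == current or len(new) < MIN_LENGTH:
            return False
        self.salt = os.urandom(16)           # fresh salt with every change
        self.digest = _derive(new, self.salt)
        self.must_change = False
        return True


if __name__ == "__main__":
    dev = HardenedDevice()
    print(dev.login(FACTORY_PASSWORD))                                   # change_password
    print(dev.change_password(FACTORY_PASSWORD, "admin"))                # False
    print(dev.change_password(FACTORY_PASSWORD, "lobby-printer-2020!"))  # True
    print(dev.login(FACTORY_PASSWORD))                                   # None
```

The hardened device still accepts the factory password once, because a first-boot setup flow needs some shared secret; what it never does is hand out a usable session on that credential. Once the password is changed, the factory value is rejected outright, so a device found on the network with the manual's default still working is by construction one that has never completed setup.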

AG Schneiderman did not begin enforcing New York’s data security laws and regulations in 2017; the issue has been a growing area of concern in his office for some time. In January of 2015, on the heels of former President Obama’s announcement of a cybersecurity legislative proposal, AG Schneiderman indicated his own plans to propose legislation to heighten New York’s data security laws.

The SHIELD Act, if enacted, would have far reaching effects, as any business that holds sensitive data of a New York resident would be required to comply.  Moreover, given the nation’s heightened awareness of cybersecurity in the wake of the recent massive data breaches, other states may also consider similar legislation.