On May 6, 2015, New York City became one of about a dozen jurisdictions that prohibit or restrict the use of consumer credit history in hiring and other employment-related applications. NYC joins California, Colorado, Connecticut, Delaware, Hawaii, Illinois, Maryland, Nevada, Oregon, Vermont, and Washington. There are exceptions, however, including for some jobs implicating cybersecurity concerns.
May 2015
The Security, Privacy and Legal Implications of the Internet of Things (“IoT”) Part one – The Context and Use of IoT
Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”).
IoT is here, and it will revolutionize how both individuals and corporations interact with the world. In this multi-part series we will explore this quickly evolving revolution and the privacy and security legal issues and risks that corporations will have to address in order to leverage IoT and move the world into a new reality. Part One of this series provides background and context surrounding IoT and highlights the legal issues organizations seeking to leverage IoT will face. Subsequent parts will dive much deeper into IoT.
To start, consider the following portrayal of a day in the life of IoT:
By the time Lazlo Hollyfeld’s smartwatch detected the proper biorhythms to roust him out of sleep, his coffee was brewing and his curtains were drawn back. “It is cold this morning, Mr. Hollyfeld, but no rain today in the forecast,” stated his computer assistant over the Bluetooth speaker by his bed. Lazlo haphazardly waved his watch at the T.V., which automatically began streaming his morning news program. He fumbled for the slippers by the bed, and reached for his morning smart pills, which were remotely dosed according to a physician’s review of Lazlo’s wearable health monitoring devices. Health readings taken from the pills after ingestion would later be sent to Lazlo’s physicians.
As he arose, motion detectors signaled his home automation system to bring the lights up to 30%. Stumbling into the bathroom, both the lights and his television stream followed him. The shower was running at a comfortable temperature and Lazlo’s favorite album started to play on the shower stereo as he walked in.
Running late, Lazlo quickly dressed and dashed downstairs to grab his coffee. Tracking his motion and triangulating the Bluetooth signal from his watch, the home automation system brought up Lazlo’s schedule and to-do list on the refrigerator screen, shut down the heat system in the house, turned off the lights in the living quarters, and signaled to his car to start the engine and turn on the seat warmers. Lazlo scanned his email on the fridge screen, and swiped a few emails to the car icon. As he ran to the garage, he grabbed the last of the orange juice in the fridge, triggering a reorder to be delivered by drone later that evening. By the time he pulled out of the driveway, his television stream was already playing in the car. Meanwhile, his home automation system locked the doors, set the alarm system, and turned on the sprinklers.
Lazlo entered the highway where his watch, reading his skin surface temperature, signaled the car to remove power from the seat warmers. As he comfortably locked in cruise control, his car began reading the emails he had swiped to the car icon on the fridge. Lazlo took his hands off the controls because his car was communicating with the other vehicles on the highway to maintain the proper speed and lane location. Lazlo dimmed the car windows and settled into his traffic-free, relaxing morning commute.
Does this sound like the distant future to you? Think again. Much of the technology discussed in this article already exists in the marketplace (or soon will). For businesses, IoT will present enormous competitive advantages and financial opportunities, and also pose challenging legal, security and privacy risks. To fully enable IoT, organizations will have to consider privacy and security legal issues at the outset, and design IoT technologies and devices in a way that addresses these issues and limits risk to both the users and companies. Let’s begin exploring.
The “EMV Liability Shift” Is Coming (What Merchants Need to Know)
Currently, almost half of the world’s credit card fraud happens in the U.S., where magnetic stripe technology is the standard. Outside the U.S., an estimated 40% of the world’s cards and 70% of the terminals already use EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with magnetic stripe cards.
By October 1, 2015, many people in the U.S. who use credit cards will likely notice changes when they pay for purchases at retail stores. The reason for the change is the “EMV liability shift” scheduled to occur on October 1 (EMV is an acronym for EuroPay, MasterCard, and Visa). As described in more detail below, the “liability shift” is an incentive for both merchants and card issuers to increase card security and reduce counterfeit fraud.
This post provides some background on EMV technology and describes the liability-related incentives the card brands are providing to encourage quicker adoption of EMV.
PCI DSS 3.0 Requires Some Service Provider Contract Changes
On April 15, 2015, the PCI Security Standards Council issued Payment Card Industry Data Security Standards (PCI DSS) version 3.1 (PCI DSS v3.1), which contains some “minor updates and clarifications” to PCI DSS v3.0, which went into effect on January 1, 2015.
CFTC views cybersecurity and data integrity as top priorities; may issue regulations
Cybersecurity has recently become a high-priority issue at the US Commodity Futures Trading Commission (CFTC) – the agency overseeing designated contract markets, swap execution facilities, derivatives clearing organizations, swap data repositories (SDRs), swap dealers, futures commission merchants, commodity pool operators and other derivatives market participants.
CFTC articulates unique cybersecurity concerns
CFTC Chairman Timothy Massad has recognized cybersecurity as “the single most important new risk to market integrity and financial stability.” The Commission is particularly concerned about cyber-attacks on commodity markets and their participants – an exchange, clearing organization or SDR – that lead to the compromise of the integrity of market data. Such a compromise of data integrity could stop commodity markets from functioning and cause significant financial losses to the commodity futures trading ecosystem.
In support of its focus on cybersecurity, the CFTC recently convened a roundtable to articulate the industry’s strategy on addressing cybersecurity concerns. The event brought together representatives from the White House, Department of Homeland Security, FBI, NSA and Treasury, as well as exchanges, clearing organizations, SDRs and commodity market participants. One of the key initial concerns is assessing – through testing – the cybersecurity readiness of exchanges, clearing organizations and SDRs.