
2017

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017. The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute of Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Similar to the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats to critical infrastructure.

The guidelines are divided into two sections. One provides draft guidance on existing regulatory requirements and how they relate to cybersecurity. The second advises regulated facilities on how to implement a cyber risk management governance program.

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology.  This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues.

Background

As the development and testing of self-driving car technology has progressed, the prospect of privately-owned autonomous vehicles operating on public roads is nearing. Several states have passed laws related to autonomous vehicles, including Nevada, California, Florida, Michigan, and Tennessee. Other states have ordered that government agencies support testing and operations of these vehicles. Industry experts predict that autonomous vehicles will be commercially available within the next five to ten years. A 2016 federal budget proposal, slated to provide nearly $4 billion in funding for testing connected vehicle systems, could accelerate this time frame. In addition, the National Highway Traffic Safety Administration (NHTSA) set a goal to work with stakeholders to “accelerate the deployment” of autonomous technologies.

This post will explore some of the privacy issues that should be addressed before these vehicles are fully commercialized.

A new strain of malware began infecting computer systems across the globe on Tuesday.  Similar to the WannaCry ransomware that struck last month, the malware used in this week’s attack spreads quickly across multiple computers on a network, encrypting files and displaying a ransom note that requests $300 worth of bitcoin for a decryption key.

Reports of infection began in Ukraine, where computer systems belonging to government ministries, financial institutions, transportation systems, and major energy companies began malfunctioning. The attack was first believed to be caused by a variant of the “Petya” strain of ransomware; however, recent reports from security experts indicate that the malware used during this week’s attack was altered so that, even with a decryption key, encrypted files cannot be recovered. This fact has led several sources to dub the malware “ExPetr” and speculate that the attacker’s motivations were destructive instead of financial.

How to pitch, explain, defend and collaborate on cybersecurity

The board demands answers on cybersecurity. We discuss how executives can effectively respond to and collaborate with the board.

Boards have now recognized that their companies, and board members themselves, face operational, financial, legal, and reputational consequences if they fail to address cybersecurity risk. Now, boards are asking company executives to explain the company’s current state of readiness and a plan of action – presenting both a challenge and an opportunity.

Join us on July 11 in New York for an engaging discussion on how to meet the challenge of explaining cybersecurity to boards and leverage the conversation to empower company executives with focus and resources to address cybersecurity risks.

Challenging questions. Practical, insightful answers.

Broker-dealers and investment advisers in Colorado will soon be required to comply with new rules designed to protect the electronic information they collect and maintain.  On May 19, 2017, the Colorado Division of Securities adopted final cybersecurity rules under the Colorado Securities Act.  In addition to requiring written procedures that are “reasonably designed to ensure cybersecurity,” the rules also mandate annual risk assessments of firms’ data security practices.  The Colorado Attorney General approved the rules on June 7, 2017, and the effective date of the rules is July 15, 2017.

On May 23, 2017, it was announced that Target Corporation had settled the investigation initiated by the Attorneys General[1] of 47 states and the District of Columbia resulting from its 2013 data security incident.  Besides the $18.5 million being paid (the largest State AG data breach settlement amount to date), it is the promised remedial measures that are of most interest to those following data breach enforcement actions.