By June 30, 2018, retailers accepting digital (online) credit card transactions must cease using encryption protocols known as SSL or TLS 1.0. Retailers must transition to TLS 1.1 or higher (such as the popular TLS 1.2) or else lose the ability to accept credit card payments.
UK NIS Regulations impose new cybersecurity obligations (and a new penalties regime) on operators of essential services and digital service providers in the UK
The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.
FTC Orders PCI DSS Compliance Reports
The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with Payment Card Industry Data Security Standards (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments, to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant.
Senate passes cybersecurity bill, bringing immunity for sharing cyberthreat data closer to reality
On October 27, 2015, the Cybersecurity Information Sharing Act of 2015 (CISA) passed the Senate by a 74-21 vote. The bill’s passage by such an overwhelming majority is a crucial step towards the controversial CISA becoming law, with support from some security experts and to the chagrin of privacy advocates.
U.S. Department of Defense issues interim rule imposing network penetration reporting requirements and addressing cybersecurity of cloud computing services
On August 25, 2015, the Department of Defense (“DoD”) issued interim rule DARS-2015-0039, which amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement a network penetration reporting requirement for contractors. Additionally, this rule implements DoD policy on the purchase of cloud computing services.
Nevada amends data security law to expand definition of “Personal Information”
On May 13, 2015, Governor Brian Sandoval of Nevada signed Assembly Bill No. 179 (“AB 179”) into law. AB 179 amends Nevada Revised Statutes § 603A.040, which defines “Personal Information” for Nevada’s laws on the security of personal information. This amendment will take effect on July 1, 2015.
The Security, Privacy and Legal Implications of the Internet of Things (“IoT”) Part one – The Context and Use of IoT
Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”).
IoT is here, and it will revolutionize how both individuals and corporations interact with the world. In this multi-part series we will explore this quickly evolving revolution and the privacy and security legal issues and risks that corporations will have to address in order to leverage IoT and move the world into a new reality. Part One of this series provides background and context surrounding IoT and highlights the legal issues organizations seeking to leverage IoT will face. Subsequent parts will dive much deeper into IoT.
To start, consider the following portrayal of a day in the life of IoT:
By the time Lazlo Hollyfeld’s smartwatch detected the proper biorhythms to roust him out of sleep, his coffee was brewing and his curtains were drawn back. “It is cold this morning, Mr. Hollyfeld, but no rain today in the forecast,” stated his computer assistant over the Bluetooth speaker by his bed. Lazlo haphazardly waved his watch at the T.V., which automatically began streaming his morning news program. He fumbled for the slippers by the bed, and reached for his morning smart pills, which were remotely dosed according to a physician’s review of Lazlo’s wearable health monitoring devices. Health readings taken by the pills after ingestion would later be sent to Lazlo’s physicians.
As he arose, motion detectors relayed to his home automation system to bring the lights up to 30%. Stumbling into the bathroom, both the lights and his television stream followed him. The shower was running at a comfortable temperature and Lazlo’s favorite album started to play on the shower stereo as he walked in.
Running late, Lazlo quickly dressed and dashed downstairs to grab his coffee. Tracking his motion and triangulating the Bluetooth signal from his watch, the home automation system brought up Lazlo’s schedule and to-do list on the refrigerator screen, shut down the heating system in the house, turned off the lights in the living quarters, and signaled to his car to start the engine and turn on the seat warmers. Lazlo scanned his email on the fridge screen, and swiped a few emails to the car icon. As he ran to the garage, he grabbed the last of the orange juice in the fridge, triggering a reorder to be delivered by drone later that evening. By the time he pulled out of the driveway, his television stream was already playing in the car. Meanwhile, his home automation system locked the doors, set the alarm system, and turned on the sprinklers.
Lazlo entered the highway, where his watch, reading his skin surface temperature, signaled the car to remove power from the seat warmers. As he comfortably locked in cruise control, his car began reading the emails he had swiped to the car icon on the fridge. Lazlo took his hands off the controls because his car was communicating with the other vehicles on the highway to maintain the proper speed and lane position. Lazlo dimmed the car windows and settled into his traffic-free, relaxing morning commute.
Does this sound like the distant future to you? Think again. Much of the technology discussed in this article already exists in the marketplace (or soon will). For businesses, IoT will present enormous competitive advantages and financial opportunities, and also pose challenging legal, security and privacy risks. To fully enable IoT, organizations will have to consider privacy and security legal issues at the outset, and design IoT technologies and devices in a way that addresses these issues and limits risk to both users and companies. Let’s begin exploring.
The “EMV Liability Shift” Is Coming (What Merchants Need to Know)
Currently, almost half of the world’s credit card fraud happens in the U.S., where magnetic stripe technology is the standard. Outside the U.S., an estimated 40% of the world’s cards and 70% of the terminals already use EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with magnetic stripe cards.
By October 1, 2015, many people in the U.S. who use credit cards will likely notice changes when they pay for purchases at retail stores. The reason for the change is the “EMV liability shift” scheduled to occur on October 1 (EMV is an acronym for EuroPay, MasterCard, and Visa). As described in more detail below, the “liability shift” is an incentive for both merchants and card issuers to increase card security and reduce counterfeit fraud.
This post provides some background on EMV technology and describes the liability-related incentives the card brands are providing to encourage quicker adoption of EMV.
FTC issues new privacy and security report on the internet of things
In advance of what will likely be a flood of interconnected devices to soon hit the market, the Federal Trade Commission (“FTC”) today announced the release of a new report on the Internet of Things (the “Report”). Focusing on privacy…
Sharing Cyber Threat Information: A Legal Perspective (ISSA Journal Article)
The ISSA Journal recently included an article, Sharing Cyber Threat Information: A Legal Perspective, authored by Utsav Mathur and me (David Navetta), concerning potential legal risks associated with intra-industry sharing of cyber-threat information. The article summarizes recent…