The UK NIS Regulations (implementing the NIS Directive) come into force in the UK today (10 May 2018). These Regulations have received limited press attention, in part due to the emphasis that has been placed on GDPR implementation. However, the NIS Regulations represent a significant change in the legal environment relating to cybersecurity in the UK.

The Federal Trade Commission (FTC) has ordered nine companies to file Special Reports detailing how they assess their clients’ compliance with the Payment Card Industry Data Security Standard (PCI DSS). Payment card issuing companies require businesses that process over one million card transactions per year to undergo PCI DSS compliance assessments, or audits, performed by PCI Qualified Security Assessors (QSAs), to ensure that the businesses comply with PCI DSS and are adequately protecting their customers’ sensitive personal information. The Order includes a laundry list of requests related to the targeted companies’ PCI DSS assessment process, from the bidding for and staffing of compliance assessments, to the number and percentage of clients that are ultimately determined to be PCI DSS compliant or non-compliant.

On August 25, 2015, the Department of Defense (“DoD”) issued interim rule DARS-2015-0039, which amends the Defense Federal Acquisition Regulation Supplement (“DFARS”) to implement a network penetration reporting requirement for contractors. Additionally, this rule implements DoD policy on the purchase of cloud computing services.

Disrupted, yet again. The world is fast preparing for the invasion of objects connected to the Internet, otherwise known as the Internet of Things (“IoT”).

IoT is here, and it will revolutionize how both individuals and corporations interact with the world.  In this multi-part series we will explore this quickly evolving revolution and the privacy and security legal issues and risks that corporations will have to address in order to leverage IoT and move the world into a new reality.  Part One of this series provides background and context surrounding IoT and highlights the legal issues organizations seeking to leverage IoT will face.  Subsequent parts will dive much deeper into IoT.

To start, consider the following portrayal of a day in the life of IoT:

By the time Lazlo Hollyfeld’s smartwatch detected the proper biorhythms to roust him out of sleep, his coffee was brewing and his curtains were drawn back.  “It is cold this morning, Mr. Hollyfeld, but no rain today in the forecast,” stated his computer assistant over the Bluetooth speaker by his bed.  Lazlo haphazardly waved his watch at the T.V., which automatically began streaming his morning news program.  He fumbled for the slippers by the bed, and reached for his morning smart pills, which were remotely dosed according to a physician’s review of Lazlo’s wearable health monitoring devices.  Readings taken by the pills after ingestion would later be sent to Lazlo’s physicians.

As he arose, motion detectors relayed to his home automation system to bring the lights up to 30%.  Stumbling into the bathroom, both the lights and his television stream followed him.  The shower was running at a comfortable temperature and Lazlo’s favorite album started to play on the shower stereo as he walked in.

Running late, Lazlo quickly dressed and dashed downstairs to grab his coffee.  Tracking his motion and triangulating the Bluetooth signal from his watch, the home automation system brought up Lazlo’s schedule and to-do list on the refrigerator screen, shut down the heating system in the house, turned off the lights in the living quarters, and signaled to his car to start the engine and turn on the seat warmers.  Lazlo scanned his email on the fridge screen, and swiped a few emails to the car icon.  As he ran to the garage, he grabbed the last of the orange juice in the fridge, triggering a reorder to be delivered by drone later that evening.  By the time he pulled out of the driveway, his television stream was already playing in the car.  Meanwhile, his home automation system locked the doors, set the alarm system, and turned on the sprinklers.

Lazlo entered the highway, where his watch, reading his skin surface temperature, signaled the car to remove power from the seat warmers.  As he comfortably locked in cruise control, his car began reading the emails he had swiped to the car icon on the fridge.  Lazlo took his hands off the controls because his car was communicating with the other vehicles on the highway to maintain the proper speed and lane position.  Lazlo dimmed the car windows and settled into his traffic-free, relaxing morning commute.

Does this sound like the distant future to you?  Think again.  Much of the technology discussed in this article already exists in the marketplace (or soon will).  For businesses, IoT will present enormous competitive advantages and financial opportunities, and will also pose challenging legal, security and privacy risks.   To fully enable IoT, organizations will have to consider privacy and security legal issues at the outset, and design IoT technologies and devices in a way that addresses these issues and limits risk to both users and companies.  Let’s begin exploring.

Currently, almost half of the world’s credit card fraud happens in the U.S where magnetic stripe technology is the standard. Outside the U.S., an estimated 40% of the world’s cards and 70% of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.

By October 1, 2015, many people in the U.S. who use credit cards will likely notice changes when they pay for purchases at retail stores. The reason for the change is the “EMV liability shift” scheduled to occur on October 1 (EMV is an acronym for Europay, MasterCard, and Visa). As described in more detail below, the “liability shift” is an incentive for both merchants and card issuers to increase card security and reduce counterfeit fraud.

This post provides some background on EMV technology and describes the liability-related incentives the card brands are providing to encourage quicker adoption of EMV.