A PubKGroup Product
PubKCyber is the go-to source for the most critical regulatory, policy, and oversight developments related to federal cybersecurity. Our coverage includes federal cyber regulations and policy, local and state activity, international law and agreements, federal regulatory body activity, congressional and agency oversight, and industry standards, as well as legal actions and court decisions related to cybersecurity, privacy, and fallout from security breaches.
- Ability to subscribe and post job announcements and advertisements online
- A daily email summarizing the day’s top cyber developments relevant to contractors
- PubK Event Board
- A weekly community calendar emailed to your inbox

Coming in 2017:

- A bimonthly update collecting critical developments, with added insight and context, and links to important resources
An updated national strategy that will guide how the White House handles cyber defense and threats is being debated and should be released in the near future. That strategy will then inform a Defense Department cyber posture document that will likely come out in August.
Former Homeland Security Adviser Tom Bossert said before his recent resignation that the strategy was likely to include priorities from the cyber executive order issued in May 2017.
The three pillars of that executive order were: improving the security of federal government computer networks; leveraging government resources to better secure critical infrastructure, such as hospitals, banks and financial firms; and establishing norms of good behavior in cyberspace and punishing bad behavior.
Compliance Week’s Joe Mont writes that the revelation of Facebook sharing the data of tens of millions of its users with Cambridge Analytica has finally brought the issue of data privacy home to the general public. He says it will likely affect even more online offerings, as a chorus of critics demands an end to the self-regulation free-for-all that tech companies have thus far enjoyed in the United States.
The FTC is investigating whether the exposure of personal data is a violation of its 2011 consent decree with the company over privacy failings. In a worst-case scenario, assessing a $40,000 fine for each violation of the decree could add up to trillions of dollars in fines.
Facebook CEO Mark Zuckerberg has been talking about simplifying and improving customer privacy settings, allowing more control over what data is, or isn’t, shared. But that isn’t likely to stop debate over increased regulation, according to Mont.
In the past the focus in these matters has been on security, but the fact that the Cambridge Analytica “breach” was a matter of policy and protocol rather than technical vulnerability exploitation is shifting the focus to privacy. That is the key focus of the EU’s impending General Data Protection Regulation, which could serve as a model for US legislation.
With Alabama and South Dakota becoming the last two states to adopt breach notification laws, notification processes become more complicated, says privacy attorney Adam Greene in an interview.
That’s particularly the case for healthcare entities and business associates that are also liable for breach notification under HIPAA. When there’s a breach, healthcare entities and their vendors should consider prioritizing compliance with state breach notification requirements, he says.
Greene discusses a range of issues, including:
- Why all types of entities need to pay especially close attention to the intricacies of each state’s breach notification requirements;
- States that have the most stringent breach reporting requirements;
- Why Texas was previously considered as having a “de facto” national breach law, and what changes now that all 50 states have their own;
- The likelihood that Congress will pass a national breach notification law.
Chinese telecom company Huawei shot back at an FCC proposal that would make it more difficult for telephone and internet companies to buy the company’s products. This follows several months of claims by federal and congressional officials that Huawei is too closely tied to the Chinese government.
The company issued a statement that said, “No government agency has ever tried to intervene in our operations or decisions” and that “U.S. authorities should not base major legislative decisions on speculation and rumor.”
The FCC proposal would disallow spending money from the FCC’s Universal Service Fund – used to lower the cost of services in high-cost areas and to expand service in rural and low-income areas – on “companies that pose a national security threat to United States communications networks or the communications supply chain.”
A fact sheet issued by the FCC mentions congressional concern about both Huawei and its compatriot ZTE. In February, Senators Marco Rubio (R-FL) and Tom Cotton (R-AR) introduced a bill banning the two companies and their partners from federal networks.
Following high-profile, large-scale breaches such as that of Equifax, there have been increasing calls to create federal legislation setting standards for notification, rather than relying only on state laws, which cannot address the national scope of incidents. But the attorneys general of 32 states have spoken up objecting to a bill to do that.
The Data Acquisition and Technology Accountability and Security Act would preempt state laws that require consumers and attorneys general be notified about data breaches. The group of state officials argues that removing those requirements would deprive them of valuable information and enforcement opportunities.
The bill would only address breaches affecting 5,000 or more consumers, leaving the many smaller, regional ones unreported. It would also allow companies to determine whether to notify consumers of a breach based on their own judgment. This reduced transparency would likely result in fewer data breach notifications being sent to consumers who may be at risk of harm, they argue.
“Instead, we believe there is a place for both state and federal agencies to act to protect consumers’ important personal information,” the group concluded.