Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices at the focus of this bill refer to devices “owned or controlled by” the federal government.
NEWS FOR LAWYERS AND SOURCING PROFESSIONALS
The New York State Assembly on June 17 passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, following approval in the State Senate on June 5.
More than 1,000 Support Anti-Terrorism by Fostering Effective Technologies Act (SAFETY Act) of 2,002 approvals have been granted by the US Department of Homeland Security (DHS) since the act’s inception. Many professional sports teams in the National Football League, Major League Baseball, and National Basketball Association have had their venues certified under the SAFETY Act. For example, New Era Field for the Buffalo Bills became the 14th NFL stadium to receive a SAFETY Act certification in October 2018. However, professional sports leagues do not have a monopoly on large sporting events that garner huge crowds—some universities have football stadiums with capacity for more than 100,000 people.
New York has increased its effort to enforce cybersecurity by creating a new unit designed to combat cybercrime and protect individuals’ sensitive data from attacks.
On May 22, New York appointed former federal prosecutor Justin Herring to lead the state’s newly created Cybersecurity Division at the New York Department of Financial Services (DFS).
As companies continue to improve the cyber defenses of their computer systems operating key enterprise and national infrastructure, one area that presents unique challenges is the supply chain. A single asset may depend on multiple vendors around the world, some of whom may only produce a single component or piece of software, but any of which can introduce critical vulnerabilities. Please join us for a one-hour webinar to discuss best practices in supply chain cybersecurity to mitigate these risks.
Morgan Lewis partner Peter Watt-Morse (Pittsburgh) and associate Eric Pennesi (Pittsburgh) will be participating in the Pennsylvania Bar Institute’s 2019 Cyberlaw Update, which will address trending topics, including blockchain and cryptocurrency and security and privacy concerns related to social media, in addition to GDPR.
Topics to be discussed include:
- Social Media Ethics – Its Use and Impact on the Practice of Law
- IP in the Age of Cloud Computing and Artificial Intelligence
- Responding to Data Breaches – Legal Update and Practical Counsel
The event will be hosted at the PBI Professional Development Center (Heinz 57 Center, 339 Sixth Avenue, 7th Floor, Pittsburgh PA, 15222) on Tuesday, April 30 from 9:00 am to 4:00 pm.
The Federal Trade Commission (FTC) is requesting comments on proposed amendments to two rules addressing the privacy and security of customer information under the Gramm-Leach-Bliley Act. The FTC plans to publish the notices in the Federal Register in the near future.
Russia’s Central Bank, the financial markets regulator in Russia, might soon receive the right to block websites. On 24 January, the State Duma, the lower house of the Russian parliament, approved amendments in the first reading to the Federal Law "On Information, Information Technologies and Protection of Information" and the Civil Procedure Code (the Proposed Amendments).
The Proposed Amendments are designed to give the Central Bank the right to block websites violating financial market legislation or used to maintain fraudulent activities.
As we previously discussed, nobody is safe from cybersecurity threats, and as our colleagues last reported, the US Securities and Exchange Commission (SEC) has heightened its cybersecurity scrutiny, issuing an investigative report on cyber fraud against publicly traded companies and signaling it will pursue both bad actors as well as companies failing to implement controls to detect and prevent hacking. A victim of a data breach itself, the SEC is now demonstrating how it intends to pursue bad actors.
On January 15, the SEC filed a civil suit in US District Court in the District of New Jersey related to its own hacking against individuals and business entities in Ukraine, Hong Kong, California, Belize, Russia, and Korea. The SEC alleges in the suit that the defendants hacked into the agency’s Electronic Data Gathering, Analysis and Retrieval (EDGAR) system through a variety of means—including phishing emails and malware—and stole information (namely, publicly-traded companies’ earnings information). The suit further alleges the defendants then traded securities based on the stolen information before it became public. The SEC argues all defendants were necessary participants in the “fraudulent scheme” as some defendants were required to “obtain, through deception, material nonpublic information from the SEC’s EDGAR system” and others were required to “monetize the material nonpublic information by making profitable trades.” The SEC requests the district court to permanently enjoin the defendants from engaging in unlawful conduct, order the return of all profits and/or gains realized from the trading, and impose civil penalties on the defendants.
Every January, electronics manufacturers descend upon Las Vegas for the annual Consumer Electronics Show (CES) to showcase their latest and greatest forays in devices. Not surprisingly, there was no shortage of shiny fresh connected devices with new and evolving applications in everything from workouts and personal care to the more usual suspects of television and virtual assistants. With Internet of Things (IoT) becoming more ubiquitous, it was only a matter of time before legislation followed. On September 28, 2018, California enacted the United States’ first IoT law, set to go into effect January 1, 2020, just in time for next year’s CES.