SutherlandCybersecurity.com

Report of Cybersecurity Commission Expected to be Released Friday

According to recent news reports (subscription required), the White House is expected on Friday, December 2, to publicly release the report prepared by the blue-ribbon commission on enhancing national cybersecurity. It is anticipated that this report will offer policy initiatives that can be implemented immediately by the next administration, and the report is expected to serve as a basis for cybersecurity-related transition discussions between the Obama and Trump administrations. Update: As expected, the presidential Commission on Enhancing National Cybersecurity has released its...

China Creates New Cybersecurity Regulation

China has recently released new cybersecurity regulations. The onerous set of rules affects individuals and businesses alike. Individuals are prohibited from sharing content that will “damage national unity” and must register for online services with their real name and other personal information. Corporations must store data locally, which would allow for Chinese surveillance. The Chinese government must also be given the access capability to shut down products and services as the government sees fit when responding to security incidents. Furthermore, all companies operating within...

FCC Adopts Order Approving New Rules for ISPs

The Federal Communications Commission (“FCC”) has adopted new data privacy and security rules for internet service providers (“ISPs”). Under the new rules, ISPs must adopt “reasonable” data security and other measures, and obtain their customers’ explicit consent before using sensitive data or sharing it with third parties. Sensitive data includes financial and health-related information, children’s information, precise geo-location information, and related data. For non-sensitive data (such as service tier information), the use and sharing of that information will be...

ISAO Standards Group Releases Guidelines for Information Sharing

Information Sharing and Analysis Organizations, or ISAOs, can now look to four new publications for guidance in establishing ISAOs and in sharing cybersecurity information and interacting with the intelligence community, law enforcement agencies, U.S. regulatory agencies, and the Department of Homeland Security (DHS). The guidance documents include: ISAO 100-1, Introduction to Information Sharing and Analysis Organizations; ISAO 100-2, Guidelines for Establishing an ISAO; ISAO 300-1, Introduction to Information Sharing; and ISAO 600-1, U.S. Government Relations, Programs, and...

CFTC Finalizes Rules on Cybersecurity Testing for Futures Industry

Under new rules adopted by the Commodity Futures Trading Commission (CFTC), various entities in the futures industry must undertake cybersecurity testing. At its open meeting on Sept. 8, 2016, the CFTC amended its system safeguards rules for exchanges, clearinghouses, and data repositories to require cybersecurity testing and system safeguards risk analysis. Under the amended rules, specified entities must undertake five types of testing: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk...

White House Cyber Commission Issues Requests for Information

The White House’s Commission on Enhancing National Cybersecurity has announced in a Federal Register Notice that it is seeking information on a variety of cybersecurity topics. The Notice indicates that the Commission is seeking information on topics including critical infrastructure cybersecurity, cyber insurance, research and development, the cyber workforce, federal governance, identity and access management, international markets, the Internet of Things, public awareness and education, and state and local government cybersecurity. According to the Notice, the Commission is seeking...

Federal Judge Dismisses Class Action Arising from Data Breach

A D.C. federal judge has dismissed a putative class action against CareFirst BlueCross BlueShield that arose from a 2014 data breach. The judge determined that the alleged injuries suffered by the seven named plaintiffs failed to establish standing to sue, finding that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” Two of the seven named plaintiffs alleged they suffered tax refund fraud because of the breach, but the judge determined that this alleged injury was not...

Cyber Storm V Highlights Need for Greater Info-sharing and Formalized Incident Response

Results from the Department of Homeland Security’s (“DHS”) “Cyber Storm V” national exercise revealed that challenges remain around information and cyber threat indicator sharing, and that a plan for widespread cyber response would help improve response from government and industry to cyberattacks. Though the exercise showed that challenges remain, it also revealed an increased awareness of DHS’s role and capabilities in information sharing and incident response. The exercise involved cabinet-level participants as well as states, international partners, and approximately 70...

EU-U.S. Privacy Shield Adopted

The European Commission has adopted the EU-U.S. Privacy Shield data transfer procedure, which replaces the safe harbor arrangement that was struck down by the European Court of Justice in October 2015. The Privacy Shield provides for additional protection of personal data, including dispute resolution and review procedures. In the United States, the Department of Commerce is responsible for implementation of the Privacy Shield and will begin accepting self-certifications of compliance from U.S. companies on August 1.  

EU Leaders Approve EU-U.S. Privacy Shield

The European Union’s (EU) Article 31 committee, which is made up of EU member states, has voted to approve the EU-U.S. Privacy Shield. This Trans-Atlantic Privacy Shield data transfer procedure replaces the safe harbor data transfer arrangement that was struck down by the European Court of Justice in October of last year. Formal sign-off on the Privacy Shield by EU and U.S. officials is expected Tuesday, July 12.

Electric Grid Cyberattacks

Utility companies and grids are becoming increasingly vulnerable to cyber attacks. The Manhattan Institute recently released a report warning that although greater grid-Internet connectivity results in greener, smarter grids, these grids are also more likely to be the targets of hackers. The frequency of cyberattacks has increased by 60% annually within the last twelve years, and electric utility companies are a common target of such breaches. Policymakers and industry professionals must develop security technologies to respond to the threat of cyberattacks. Mark Mills, senior fellow at...

NIST Announces Smart Grid Advisory Committee Meeting

The National Institute of Standards and Technology (NIST) announced that its Smart Grid Advisory Committee will meet July 13-14 at the NIST headquarters in Gaithersburg, Maryland. The meeting will provide an update on the NIST Smart Grid and Cyber-Physical Systems Program activities, and an opportunity to discuss the resiliency and reliability of the electric grid. Written comments may be submitted prior to the meeting....

NIST Releases Draft Guidance on Cybersecurity Event Recovery

The National Institute of Standards and Technology (“NIST”) released draft guidance that outlines practices for responding to and recovering from cyberattacks. The goal of this publication, according to NIST, is to offer “tactical and strategic guidance regarding the planning, playbook developing, testing, and improvement of recovery planning.” Public comments are being accepted through July 11,...

DHS Issues Final Information Sharing Guidelines

The Department of Homeland Security has issued final guidance on the implementation of the Cybersecurity Information Sharing Act of 2015. The final guidance documents include: Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015; Privacy and Civil Liberties Final Guidelines; Sharing of Cyber Threat Indicators and Defensive Measures by the Federal Government under the Cybersecurity Information Sharing Act of 2015; and Final Procedures Related to the Receipt of Cyber Threat...