SutherlandCybersecurity.com

NIST Releases Revised Framework for Public Comment

The National Institute of Standards and Technology (NIST) has released draft revisions to its voluntary “Framework for Improving Critical Infrastructure Cybersecurity.” This update revises the Framework to reflect input from NIST’s December 2015 Request for Information as well as input received during the workshop hosted by NIST in April 2016. The revisions introduce the idea of using metrics to measure the business impact of using the Framework and include a common “vocabulary” to extend the use of the Framework to suppliers and vendors. The updated framework was released in three...

NIST Issues Cyber Incident Response Guidance

The National Institute of Standards and Technology has issued a new guidance to help organizations develop a “game plan” for responding to cybersecurity incidents. NIST’s Guide for Cybersecurity Event Recovery comes as the federal government prepares to issue its finalized cyber incident response plan prior to President-elect Trump’s inauguration in January. NIST’s new guide consolidates existing NIST guidance and provides a process for organizations to develop a cyber incident recovery...

Amendment to Criminal Procedure Rule 41 Impacts Data Privacy in U.S. and Abroad

On December 1, 2016, amended Rule 41 of the Federal Rules of Criminal Procedure (FRCP) went into effect, thus expanding federal law enforcement’s power to search and seize electronic data. The new rule will allow law enforcement to seek a warrant from a “magistrate judge with authority in any district where activities related to a crime may have occurred” and use that warrant to legally access and copy data from any computer system that may be “concealing” electronically stored information (ESI) pertinent to, or damaged by, the crime. The rule has caused consternation among privacy...

Report of Cybersecurity Commission Expected to be Released Friday

According to recent news reports (subscription required), the White House is expected on Friday, December 2, to publicly release the report prepared by the blue-ribbon commission on enhancing national cybersecurity. It is anticipated that this report will offer policy initiatives that can be implemented immediately by the next administration, and the report is expected to serve as a basis for cybersecurity related transition discussions between the Obama and Trump administrations. Update: As expected, the presidential Commission on Enhancing National Cybersecurity has released its...

China Creates New Cybersecurity Regulation

China has recently released new cybersecurity regulations. The onerous set of rules affects individuals and businesses alike. Individuals are prohibited from sharing content that will “damage national unity” and must register for online services with their real name and other personal information. Corporations must store data locally, which would allow for Chinese surveillance. The Chinese government must also be given the access capability to shut down products and services as the government sees fit when responding to security incidents. Furthermore, all companies operating within...

FCC Adopts Order Approving New Rules for ISPs

The Federal Communications Commission (“FCC”) has adopted new data privacy and security rules for internet service providers (“ISPs”). Under the new rules, ISPs must adopt “reasonable” data security and other measures, and obtain their customers’ explicit consent before using or sharing with third parties sensitive data. Sensitive data includes financial and health-related information, children’s information, precise geo-location information, and related data. For non-sensitive data (such as service tier information), the use and sharing of that information will be...

ISAO Standards Group Releases Guidelines for Information Sharing

Information Sharing and Analysis Organizations, or ISAOs, can now look to four new publications for guidance in establishing ISAOs and in sharing cybersecurity information and interacting with the intelligence community, law enforcement agencies, U.S. regulatory agencies, and the Department of Homeland Security (DHS). The guidance documents include: ISAO 100-1, Introduction to Information Sharing and Analysis Organizations; ISAO 100-2, Guidelines for Establishing an ISAO; ISAO 300-1, Introduction to Information Sharing; and ISAO 600-1, U.S. Government Relations, Programs, and...

CFTC Finalizes Rules on Cybersecurity Testing for Futures Industry

Under new rules adopted by the Commodity Futures Trading Commission (CFTC), various entities in the futures industry must undertake cybersecurity testing. At its open meeting on Sept. 8, 2016, the CFTC amended its system safeguards rules for exchanges, clearinghouses, and data repositories to require cybersecurity testing and system safeguards risk analysis. Under the amended rules, specified entities must undertake five types of testing: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk...

White House Cyber Commission Issues Requests for Information

The White House’s Commission on Enhancing National Cybersecurity has announced in a Federal Register Notice that it is seeking information on a variety of cybersecurity topics. The Notice indicates that the Commission is seeking information on topics including critical infrastructure cybersecurity, cyber insurance, research and development, the cyber workforce, federal governance, identity and access management, international markets, the Internet of Things, public awareness and education, and state and local government cybersecurity. According to the Notice, the Commission is seeking...

Federal Judge Dismisses Class Action Arising from Data Breach

A D.C. federal judge has dismissed a putative class action against CareFirst BlueCross BlueShield that arose from a 2014 data breach. The judge determined that the alleged injuries suffered by the seven named plaintiffs failed to establish standing to sue, finding that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” Two of the seven named plaintiffs alleged they suffered tax refund fraud because of the breach but the judge determined that this alleged injury was not...

Cyber Storm V Highlights Need for Greater Info-sharing and Formalized Incident Response

Results from the Department of Homeland Security’s (“DHS”) “Cyber Storm V” national exercise revealed that challenges remain around information and cyber threat indicator sharing, and that a plan for widespread cyber response would help improve response from government and industry to cyberattacks. Though the exercise showed that challenges remain, it also revealed an increased awareness of DHS’s role and capabilities in information sharing and incident response. The exercise involved cabinet-level participants as well as states, international partners, and approximately 70...

EU-U.S. Privacy Shield Adopted

The European Commission has adopted the EU-U.S. Privacy Shield data transfer procedure, which replaces the safe harbor arrangement that was struck down by the European Court of Justice in October 2015. The Privacy Shield provides for additional protection of personal data, including dispute resolution and review procedures. In the United States, the Department of Commerce is responsible for implementation of the Privacy Shield and will begin accepting self-certifications of compliance from U.S. companies on August 1.

EU Leaders Approve EU-U.S. Privacy Shield

The European Union’s (EU) Article 31 committee, which is made up of EU member states, has voted to approve the EU-U.S. Privacy Shield. This Trans-Atlantic Privacy Shield data transfer procedure replaces the safe harbor data transfer arrangement that was struck down by the European Court of Justice in October of last year. Formal sign-off on the Privacy Shield by EU and U.S. officials is expected Tuesday, July 12.

Electric Grid Cyberattacks

Utility companies and grids are becoming increasingly vulnerable to cyber attacks. The Manhattan Institute recently released a report warning that although greater grid-Internet connectivity results in greener, smarter grids, these grids are also more likely to be the targets of hackers. The frequency of cyberattacks has increased by 60% annually within the last twelve years, and electric utility companies are a common target of such breaches. Policymakers and industry professionals must develop security technologies to respond to the threat of cyberattacks. Mark Mills, senior fellow at...