Posted in Cybersecurity

NIST Issues Draft Update to Cybersecurity Framework

Written by Jim Halpert and Michelle Anderson

The National Institute of Standards and Technology (NIST) released proposed revisions (draft Version 1.1) to its Framework for Improving Critical Infrastructure Cybersecurity (“Cybersecurity Framework”) on January 10, 2017. The latest draft is intended to “refine, clarify, and enhance” Version 1.0, released in February 2014 in response to Executive Order 13636 – Improving Critical Infrastructure Cybersecurity.

Notable changes in draft Version 1.1 include:

  • Additional information on mitigating supply-chain risks. NIST expanded Section 3.3 (“Communicating Cybersecurity Requirements with Stakeholders”) to address the importance of communicating and verifying cybersecurity requirements among stakeholders as part of cyber supply chain risk management (SCRM). In addition, NIST added SCRM as a property of the Implementation Tiers (Section 2.2) and to the Framework Core under the Identify Function.
  • A new section (Section 4.0) on cybersecurity measures and metrics. NIST notes that by using metrics and measurements the Cybersecurity Framework can be used as the basis for assessing an organization’s cybersecurity posture. According to the draft, “metrics” help “facilitate decision making and improve performance and accountability” while “measurements” are “quantifiable, observable, objective data supporting metrics.” For example, organizations can measure system uptime—and this measurement can be used as a metric against which an individual responsible for developing and implementing appropriate safeguards to ensure delivery under the framework’s Protect Function can be held accountable.

NIST invites comments on draft Version 1.1. Comments are due by April 10, 2017, and can be sent to After reviewing these comments and convening a workshop, NIST intends to publish a final Framework Version 1.1 in Fall 2017.

NIST reiterates that “[a]s with Version 1.0, use of the Version 1.1 is voluntary,” and says that users of Version 1.1 may “customize the Framework to maximize organizational value.”

That said, NIST’s encouragement of using cybersecurity measures and metrics for internal organizational accountability could lead to the creation of metrics that can also be used by third parties (e.g., regulators) to hold organizations accountable under the framework. While it remains to be seen what the Federal Trade Commission (FTC) will do under the incoming Trump administration, the FTC (and other regulators) could use such metrics as the bases for enforcement actions. Indeed, there is significant overlap between what the FTC considers to be “reasonable” security and the Cybersecurity Framework. According to the FTC’s blog post on The NIST Cybersecurity Framework and the FTC, “The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.”

According to NIST, this latest draft incorporates feedback to Version 1.0, responses to its December 2015 request for information, and comments from NIST’s April 2016 Cybersecurity Framework Workshop.

Posted in Cross-Border Transfers Cybersecurity EU Data Protection Privacy and Data Security Uncategorized

Blog Post: Swiss-US Privacy Shield Adopted, Aligns with EU-US Privacy Shield

Written by Michelle Anderson

The Department of Commerce International Trade Administration and Swiss Federal Council announced on January 11, 2017, the creation of a Swiss-US Privacy Shield framework that will “apply the same conditions as the European Union” under the EU-US Privacy Shield framework.

This is welcome news for companies that transfer personal data from both the EU and Switzerland to the United States. Since the Department of Commerce began accepting certifications under the EU-US Privacy Shield in August 2016, companies that transfer personal data from both the EU and Switzerland to the United States have had to certify under two different frameworks. However, implementation of the Swiss-US Privacy Shield will help align the obligations for Switzerland-US transfers with those of EU-US transfers. Companies can begin certifying compliance on April 12, 2017.

The Swiss-US Privacy Shield Framework replaces the US-Swiss Safe Harbor Framework, the legitimacy of which has been in question since the European Court of Justice (ECJ) determined in October 2015 that the EU-US Safe Harbor framework was invalid. Following the ECJ decision, EU and US officials announced the EU-US Privacy Shield framework in February 2016 and finalized it in July 2016.

In its press release, the Swiss Federal Council highlighted “the stricter application of data protection principles by participant companies on the one hand and the administration and supervision of the framework by the US authorities on the other” as benefits of the Swiss-US Privacy Shield. It also underscored the creation of an arbitration body and the ability of people living in Switzerland to inquire with the US Department of State as to the processing of their data by US intelligence services.

The Department of Commerce has said that the new framework “will enhance transatlantic data protection and support the continued growth of U.S.-Swiss commercial ties.” Federal Trade Commission (FTC) Chairwoman Edith Ramirez has pledged that the FTC will “continue [its] vigilant approach to enforcement of the new Framework.”

Posted in Cybersecurity Privacy and Data Security

Presidential Commission Issues Recommendations for Improving Public and Private Sector Cybersecurity

Written by James Duchesne

The President’s Commission on Enhancing National Cybersecurity (the “Commission”) recently issued a thoughtful report on improving the United States’ cybersecurity posture.  (The full report can be read here.)  The majority of the Commission’s recommendations would require action by the Trump Administration but may nonetheless prove influential.   The Commission was charged under President Obama’s February 2016 Executive Order 13718 with “mak[ing] detailed recommendations to strengthen cybersecurity in both the public and private sectors while protecting privacy, ensuring public safety and economic and national security, fostering discovery and development of new technical solutions” and enhancing partnerships between the private sector and all levels of government. The Commission recently issued a report detailing its recommendations.

As part of its cybersecurity study, the Commission conducted several open meetings and issued a request for information. The Commission also analyzed previous federal agency and legislative cybersecurity reports and initiatives, although it found that many of these previous reports’ recommendations were unrealistic. The Commission focused its study on ten topics: federal governance, critical infrastructure; cybersecurity research and development; cybersecurity workforce; identity management and authentication; Internet of Things (IoT); public awareness and education; state and local government cybersecurity; insurance; and international issues.

In preparing its recommendations, the Commission analyzed cybersecurity issues through a set of principles that are useful for any organization when considering cybersecurity issues. Some principles include:

  • Responsibility, authority, capability and accountability for cybersecurity and cyber risk management should be explicit and aligned within an enterprise’s risk management and governance strategy.
  • Effective cybersecurity depends on consumer and workforce awareness, education, and engagement in protecting their digital experience.
  • Technologies and products should make the secure action the easy option as users continue to rely on defaults and human behavior tends to follow the “easy” option.
  • Security, privacy, and trust must be primary considerations at the outset when new cyber-related technologies and policies are conceived.

The Commission identified a number of hurdles that create challenges—in both the public and private sectors—to implementing effective cybersecurity measures.

  • First to market pressures. The drive to bring products to market quickly often leads to cybersecurity being an afterthought. While security features may be added later through product updates, the result is a lower level of security when compared to products for which security was integrated into product development.
  • Flexible and mobile work environments introduce cyber risk. The myriad devices that now connect to an organization’s network, from employees’ personal mobile devices to vendors’ devices, hampers an enterprise’s ability to protect its networks. As the Commission stated, “[T]he classic concept of the security perimeter is largely obsolete.”
  • Many organizations and individuals fail to implement basic security measures.
  • Complexity creates vulnerabilities. As the size and complexity of software and devices and their supply chains grow, so too do the number of vulnerabilities. Systems and software must be managed and updated, which can become difficult as the environment expands, especially with legacy systems and even new systems, such as IoT devices.

The Commission organized its findings and recommendations into six issue areas. The areas and some of the key recommendations under each follow.

1.  Protect, defend, and secure today’s information infrastructure and digital networks:

  • The public and private sectors must collaborate to protect networks and infrastructure. The Commission recommends the creation of a National Cybersecurity Private-Public Program to define the cybersecurity roles of the respective sectors, share classified information, and conduct and improve training. The federal government should build on and improve its information sharing programs and should work with industry to identify statutes, rules, and policies that discourage the private sector from sharing cyber information (e.g., FOIA, use in civil discovery or regulatory enforcement action, waiver of attorney-client privilege). The new administration should build on the NIST Cybersecurity Framework, and regulatory agencies should harmonize their regulations with the Cybersecurity Framework (which would both simplify and enhance cybersecurity compliance).

2.  Innovate and accelerate investment for the security and growth of digital networks and the digital economy:

  • The federal government and private sector partners should work together to improve security in IoT devices, such as through the creation of voluntary standards, which agencies should consider when undertaking rulemakings. Federal agencies should initiate an interagency study to evaluate “the current state of the law with regard to liability for harm caused by faulty IoT devices and provide recommendations” to incentivize companies to design secure products.

3.  Prepare consumers to thrive in the digital age:

  • The private sector should work with the FTC to identify ways to provide consumers, through a public awareness campaign, with better information so consumers can make informed decisions when purchasing and using connected products and services. This campaign should be coupled with security improvements in devices and systems. The Commission recommends an independent organization develop a “cybersecurity nutrition label” for technology products and services. The FTC, working with industry and consumer advocates, should develop a Consumer’s Bill of Rights and Responsibilities for the Digital Age that would improve consumer education, clarify privacy protections and how information is used, and identify products’ security attributes.

4.  Build cybersecurity workforce capabilities:

  • The federal government should launch a national cybersecurity workforce program to train new cybersecurity practitioners.

5.  Better equip government to function effectively and securely in the digital age:

  • Federal civilian agencies should be allowed to consolidate and share network connections while moving to an enterprise risk management approach for handling cybersecurity. Government at all levels must clarify cybersecurity mission responsibilities across departments and agencies to protect, defend against, respond, and recover from cyber incidents; to accomplish this, the next administration should issue a National Cybersecurity Strategy while Congress should consider consolidating cybersecurity and infrastructure protection functions under a single federal agency.

6.  Ensure an open, fair, competitive, and secure global digital economy.

  • The Administration should work with the international community to harmonize cybersecurity policies and practices. The next administration should appoint an Ambassador for Cybersecurity to engage the international community on cybersecurity issues. NIST and the Department of State should work with international partners to develop cybersecurity standards and to promote the NIST Cybersecurity Framework’s risk management approach.

Most of these recommendations are both thoughtful and non-ideological. It remains to be seen whether the Trump Administration will embrace them, although they sketch out many areas for potential progress.  Its recommendations also make interesting reading for private sector businesses with regard to strategies to improve cybersecurity at the federal level as well as on private sector networks and products and services.

Posted in Data transfers EU Data Protection Privacy and Data Security

EU – First GDPR Guidance published by Article 29 WP

The Article 29 Working Party (‘WP29’) has issued its first guidance on GDPR topics. This guidance (including FAQs) relates to:

  • the right to Data Portability;
  • Data Protection Officers (DPO); and
  • the Lead Supervisory Authority.

While WP29 announced that more opinions and guidance will follow – for example, guidelines on Data Protection Impact Assessments and Certification will be ready in 2017 – the first three guidelines already provide a first glance on WP29’s view on GDPR topics.

Guidelines on the right to Data Portability

In article 20 GDPR, a new right to data portability is created. This right aims at empowering data subjects regarding their own personal data as it facilitates their ability to move, copy or transmit personal data easily from one IT environment to another. The WP29 opinion provides guidance on the way to interpret and implement the right to data portability. It clarifies the conditions under which this new right applies and also provides concrete examples and criteria to explain the circumstances in which this right applies.

From this opinion it appears for example that:

  • this right is only applicable if the legal basis of the data processing is the data subject’s consent or the necessity to perform a contract;
  • this right is limited to personal data provided by the data subject (including personal data that relate to the data subject activity or result from the observation of an individual’s behaviour but not subsequent analysis of that behaviour);
  • data controllers must inform the data subjects regarding the availability of the new right to portability (e.g., WP29 recommends that data controllers always include information about the right to data portability before any account closure);
  • data controllers are encouraged to ensure the interoperability of the data format provided in the exercise of a data portability request.

The WP29 Guidelines on Data Portability can be found here.

Guidelines on Data Protection Officers

Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. From the WP29 guidelines it becomes clear that DPOs are not personally responsible in case of non-compliance with the GDPR.

WP29 also provides some further details and concrete examples on when a DPO must be appointed. For example it states that ‘core activities of the controller or processor’ (which triggers the appointment of a DPO as set out in Article 37 GDPR)  refers to  the key operations necessary to achieve the controller’s or processor’s goals, which can also be part of other activities (e.g. a hospital processing patient data).

Article 37 GDPR doesn’t require that the DPO is someone working within the controller or processor, this can also be a third party. However, WP29 does state that the ‘personal availability of a DPO (whether physically on the same premises as employees, via a hotline or other secure means of communication) is essential’, such in order to ensure that data subjects will be able to contact the DPO.

WP29 states that the DPO should be involved in all issues relating to the protection of personal data, such from the earliest stage possible.

In its guidelines, WP29 further defines the (independent) position and tasks of the DPO.

The WP29 guidelines on the DPO can be found here.

Guidelines on the Lead Supervisory Authority

In its third opinion, WP29 provides guidelines for identifying a controller or processor’s lead supervisory authority. This topic is relevant where a controller or processor is carrying out the cross-border processing of personal data.

In accordance with Article 56 GDPR, WP29 states that identifying the lead supervisory authority depends on determining the location of the controller’s ‘main establishment’ or ‘single establishment’ in the EU. In principle, for the controller this will be the place of its central administration. However, WP29 makes it very clear that there can be situations where more than one lead authority can be identified, i.e. a controller has separate decision making centres, in different countries, for different processing activities. The example given by WP29 relates to a bank, whose banking decisions are made in one jurisdiction where also HQ is based, but whose insurance division is based in another jurisdiction. In that case, there are two supervisory authorities.

In its guidelines, WP29 provides further criteria on how to identify the main establishment in cases where it is not the place of central administration in the EU.

Controllers without any establishment in the EU must deal with local supervisory authorities in every Member State they are active in, through their local representative.

The WP29 Guidelines on the Lead Supervisory Authority can be found here.