Category: cybersecurity

AUVSI and DOD’s Defense Innovation Unit Announce Collaboration for Cyber Standards for Drones

The Association for Uncrewed Vehicle Systems International (AUVSI), the world’s leading trade association for drones and other autonomous vehicles, announced a collaboration with the Department of Defense’s (DOD) Defense Innovation Unit (DIU) to further commercial cyber methodologies to design a shared standard. AUVSI’s effort is meant to expand the number of vetted drones that meet congressional and federal agency drone security requirements.

This pilot program would extend relevant cyber-credentialing across the U.S. industrial base and assist the DOD and other government entities in streamlining and accelerating drone capabilities across the board. Overall, this collaboration will help make the drone industry more secure. The program will work with numerous cybersecurity firms to conduct technical cyber assessments before the DIU, DOD, and other government entities conduct additional vetting as necessary.

Currently, the Blue UAS (Unmanned Aircraft Systems) Cleared List has 14 drones on it and 13 more drones are scheduled to be added. The Blue UAS Cleared List is routinely updated and contains a list of DOD-approved drones for government users. These drones are section 848 FY20 NDAA compliant, validated as cyber-secure and safe to fly, and are available for government purchase and operation. However, even with these additions, the demand for additional cleared drones with new capabilities and technology has outpaced the DIU’s ability to scale the program. This collaboration seeks to close that gap and offer cybersecurity certification in close cooperation with the DIU. With off-the-shelf drones serving as critical tools to help conduct diverse government operations, partnership with AUVSI and cybersecurity experts will make it easier for government users to use commercial technology and achieve effective operations in a secure manner.

Article By Kathryn M. Rattigan of Robinson & Cole LLP

For more cybersecurity and data privacy news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

White House Office of Science and Technology Policy Releases “Blueprint for an AI Bill of Rights”

On October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) unveiled its Blueprint for an AI Bill of Rights, a non-binding set of guidelines for the design, development, and deployment of artificial intelligence (AI) systems.

The Blueprint comprises of five key principles:

  1. The first Principle is to protect individuals from unsafe or ineffective AI systems, and encourages consultation with diverse communities, stakeholders and experts in developing and deploying AI systems, as well as rigorous pre-deployment testing, risk identification and mitigation, and ongoing monitoring of AI systems.

  2. The second Principle seeks to establish safeguards against discriminative results stemming from the use of algorithmic decision-making, and encourages developers of AI systems to take proactive measures to protect individuals and communities from discrimination, including through equity assessments and algorithmic impact assessments in the design and deployment stages.

  3.  The third Principle advocates for building privacy protections into AI systems by default, and encourages AI systems to respect individuals’ decisions regarding the collection, use, access, transfer and deletion of personal information where possible (and where not possible, use default privacy by design safeguards).

  4. The fourth Principle emphasizes the importance of notice and transparency, and encourages developers of AI systems to provide a plain language description of how the system functions and the role of automation in the system, as well as when an algorithmic system is used to make a decision impacting an individual (including when the automated system is not the sole input determining the decision).

  5. The fifth Principle encourages the development of opt-out mechanisms that provide individuals with the option to access a human decisionmaker as an alternative to the use of an AI system.

In 2019, the European Commission published a similar set of automated systems governance principles, called the Ethics Guidelines for Trustworthy AI. The European Parliament currently is in the process of drafting the EU Artificial Intelligence Act, a legally enforceable adaptation of the Commission’s Ethics Guidelines. The current draft of the EU Artificial Intelligence Act requires developers of open-source AI systems to adhere to detailed guidelines on cybersecurity, accuracy, transparency, and data governance, and provides for a private right of action.

For more Technology Legal News, click here to visit the National Law Review.
Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

‘Work From the Ballpark’—Is the Latest Remote Work Promotion a Foul Ball?

Some professional baseball teams are beginning to promote “Work From the Ballpark” days, encouraging fans to bring their laptops to a weekday afternoon game and work remotely from their seats. Under such promotions, fans can purchase tickets for a special section of the ballpark with access to WiFi, tables, and food so that they could stay logged on at work while enjoying the sights and sounds of the game. Employers are likely accustomed to dealing with employees who play hooky to attend an afternoon baseball game. But with the rise of remote work—and promotions such as these—should employers be concerned with employees logging into work from the ballpark?

While such a promotion might be cheeky marketing to increase attendance for midweek games, it highlights an ongoing concern for employers with remote employees—that instead of diligently working in home offices, employees are working, or attempting to appear to be working, while distracted or in a potentially problematic environment. Indeed, working from a sports stadium could put confidential work communications and information at risk with laptop screens in easy view of onlookers and lead to network security issues with public WiFi.

Employers may want to dust off their remote work policies and evaluate whether they provide clarity around appropriate locations to perform work.

What Can Employers Do About Nontraditional Remote Work Environments?

  1. Clear Remote Work Policies

Employers may want to review their policies to ensure there are clear provisions or guidelines governing what locations are appropriate for working remotely. As an additional element of security and visibility, employers may further want to require that employees performing certain kinds of sensitive work obtain consent to work from a secure location other than home when necessary.

  1. Employee Work Locations

In certain workplaces, employers may want to consider how they monitor employees and their productivity. Many technology tools enable employers to track employees’ online activities or the physical locations of company devices. Of course, employers may want to evaluate employee relations considerations tied to any monitoring program as well as the increasing and myriad state and local laws addressing employer monitoring programs.

  1. Network and Information Security Software

Employers mandating that employees perform any work on employer-provided hardware (e.g., employer-provided laptops) may want to ensure those devices have network and information security and location monitoring software installed and that the technology is up-to-date and sufficient for employees to perform their jobs. Employers that do allow employees to use their own devices (BYOD) may want to require the installation of similar remote work software on those devices. Employers may also want to consider providing employees with internet hotspots for times when employers know employees will be working in public locations to avoid having employees working from shared or open networks. At the same time, employers may want to beware of the risk that such hardware will be lost or stolen.

  1. Security Measures

In addition to hardware requirements, employers may want to consider implementing policies that require employees to take basic security measures on their own while working from a public location. Employers may consider requiring employees to take work phone calls in secure places, require the use of privacy screens over laptop monitors, warn against leaving laptops and other hardware unattended, and mandate other actions to address basic privacy and proprietary information concerns.

  1. Compensation for Time

If an employer does become aware that an employee has performed work at the ballpark or in another location where distractions may have been present, the employer may question whether it must pay the employee for the time the employee logged that day. There are a myriad of federal and state wage-and-hour laws that employers can consult (as well as a review of the employer’s policies) that will answer this question. Usually, however, if employees report that they performed work, the employer may decide to compensate them for their time and evaluate whether there is a separate counseling or disciplinary issue that relates to policy or rule violations to consider.

Key Takeaways

Employees working from home or remotely, at least part of the time, appears to be the future for many workplaces across the United States as technology has made it easier for employees to stay connected with work and complete work tasks. The “Work From the Ballpark” promotion may serve as a reminder for employers that they may want to consider ways to ensure employees are working from appropriate locations to maintain productivity and information security with a remote workforce.

For more Employment Law news, click here to visit the National Law Review.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Former Uber Security Chief Found Guilty in Criminal Trial for Failure to Disclose Breach to FTC

On October 5, 2022, former Uber security chief Joe Sullivan was found guilty by a jury in U.S. federal court for his alleged failure to disclose a breach of Uber customer and driver data to the FTC in the midst of an ongoing FTC investigation into the company. Sullivan was charged with one count of obstructing an FTC investigation and one count of misprision, the act of concealing a felony from authorities.

The government alleged that in 2016, in the midst of an ongoing FTC investigation into Uber for a 2014 data breach, Sullivan learned of a new breach that affected the personal information of more than 57 million Uber customers and drivers. The hackers allegedly demanded a ransom of at least $100,000 from Uber. Instead of reporting the new breach to the FTC, Sullivan and his team allegedly paid the ransom and had the hackers sign a nondisclosure agreement. Sullivan also allegedly did not report the breach to Uber’s General Counsel.  Uber did not publicly disclose the incident or inform the FTC of the incident until 2017, when Uber’s new chief executive, Dara Khosrowshahi, joined the company.

This case is significant because it represents the first time a company executive has faced criminal prosecution related to the handling of a data breach.

For more Privacy Law news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Cyber Incident Reporting for Critical Infrastructure Act

On September 12, 2022, the Cybersecurity and Infrastructure Security Agency (“CISA”) released a Request for Information (“RFI”) seeking public input regarding the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). The public comment period will close on November 14th, 2022. The RFI provides a “non-exhaustive” list of topics on which CISA seeks public input, including:

  • Definitions and criteria of various terms, such as “covered entity,” “covered cyber incident,” “substantial cyber incident,” “ransom payment,” “ransom attack,” “supply chain compromise” and “reasonable belief;”
  • Content of reports on covered cyber incidents and the submission process (e.g., how entities should submit reports, report timing requirements, and which federal entities should receive reports;
  • Any conflict with existing or proposed federal or state cyber incident reporting requirements;
  • The expected time and costs associated with reporting requirements; and
  • Common best practices governing the sharing of information related to security vulnerabilities in the U.S. and internationally.

In March 2022, President Biden signed CIRCIA into law. CIRCIA creates legal protections and provides guidance to companies that operate in critical infrastructure sectors, including a requirement to report cyber incidents within 72 hours, and report ransom payments within 24 hours. The CISA website features more information about the law, the RFI, and a list of public listening sessions with CISA to provide input.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

California Law Prohibits Cooperation with Out-of-State Entities Regarding Lawful Abortion

In response to Dobbs v. Jackson Women’s Health Organization, California Governor Gavin Newsom recently signed AB 1242 into law, which “prohibits law enforcement and California corporations from cooperating with out-of-state entities regarding a lawful abortion in California.”

In particular, AB 1242 prohibits California companies that provide electronic communication services from complying with out-of-state requests from law enforcement regarding an investigation into, or enforcement of, laws restricting abortion.

Sponsored by California Assembly member Rebecca Bauer-Kahan and California Attorney General Rob Bonta, AB 1242:

takes an innovative legal approach to protect user data. The bill prohibits California law enforcement agencies from assisting or cooperating with the investigation or enforcement of a violation related to abortion that is lawful in California. This law thereby blocks out-of-state law enforcement officers from executing search warrants on California corporations in furtherance of enforcing or investigating an anti-abortion crime. For example, if another state wants to track the movement of a woman traveling to California seeking reproductive health care, the state would be blocked from accessing cell phone site tower location data of the woman by serving a warrant to the tech company in California. In addition, if another state wants Google search history from a particular IP address, it could not serve an out-of-state search warrant at Google headquarters in CA without an attestation that the evidence is not related to investigation into abortion services. Although the first state to enact such a law, as California often is when it comes to privacy rights, we anticipate that other states will follow suit and that these laws will be hotly contested in litigation.

Article By Linn F. Freedman of Robinson & Cole LLP

For more data privacy and cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

Hackers Caused a Traffic Jam in Moscow

Hackers caused a massive traffic jam in Moscow by exploiting the ride-sharing app Yandex Taxi and using it to summon dozens of taxis to a single location. While Yandex has not confirmed the attacker’s identity, the hacktivist group Anonymous claimed responsibility on Twitter. The group has been actively taking aim at Russian targets in response to the Russian Federation’s ongoing invasion of Ukraine.

Yandex claims that it has implemented new algorithms to detect this type of attack in the future and will compensate the affected drivers.

This traffic jam is a new application of an old hacktivist tactic: flood the system to make it unusable. Other techniques in this vein include blackouts (which target fax machines) and distributed denial of service (which targets websites and networks). No word yet on whether this new rideshare jam exploit will merit a snappy title.

Blair Robinson contributed to this article. 

For more Global Law news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

FTC Commercial Surveillance and Data Security Forum Highlights Industry and Consumer Perspectives

On September 8, 2022, the Federal Trade Commission hosted a virtual public forum on its Advanced Notice of Proposed Rulemaking (“ANPR”) concerning “commercial surveillance and lax data security.” The forum featured remarks from FTC Chair Lina Kahn, Commissioner Rebecca Kelly Slaughter and Commissioner Alvaro Bedoya, as well as panels with industry leaders and consumer advocates.

Remarks from Chair Khan and Commissioners Slaughter and Bedoya focused on the need for public participation in the rulemaking process and the FTC’s role in privacy regulation in the absence of comprehensive federal legislation. Commissioner Slaughter noted that, until such federal legislation is passed, the FTC will continue to use its Section 5 authority to regulate unfair and deceptive practices related to privacy and data security.

The industry panel was moderated by FTC Senior Advisor Olivier Sylvain and focused in part on how the FTC should structure a potential rule. Multiple industry panelists emphasized the need for rules that limit out-of-context data use or tracking, while still allowing in-context use to as consumers expect. Industry panelists also highlighted the need for heightened rules for “dominant” industry players and financial penalties for bad behaviors.

The consumer advocate panel focused on issues surrounding meaningful consumer consent and the negative effects of commercial surveillance on consumers, such as one-click background checks and demographic-tailored advertising that disproportionately affects minority groups in negative ways. Similar to the industry panel, consumer advocate panelists also highlighted out-of-context data use and dominant industry actors as some of the major issues the FTC should address in its rulemaking.  The FTC will receive public comments on the ANPR until October 21, 2022.

Article By Privacy and Cybersecurity Practice Group of Hunton Andrews Kurth

For more antitrust and FTC legal news, click here to visit the National Law Review.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision

On Thursday, House Speaker Nancy Pelosi expressed concerns with certain features of the American Data Privacy and Protection Act (“ADPPA”) and its broad preemption provision, which as currently drafted would override the California Consumer Privacy Act (“CCPA”) and its subsequent voter- approved amendments.  The ADPPA was favorably reported by the House Committee on Energy and Commerce in July by a vote of 53-2.  The bill has not yet been scheduled for a vote on the House floor. Speaker Pelosi “commended” the Energy and Commerce Committee for its efforts, while also praising California Democrats for having “won the right for consumers for the first time to be able to seek damages in court for violations of their privacy rights.”  Speaker Pelosi noted that California leads the nation in protecting consumer privacy and it was “imperative that California continues offering and enforcing the nation’s strongest privacy rights.”

Speaker Pelosi stated that she and others would be working with Chairman Frank Pallone (D-NJ) to address concerns related to preserving  California privacy laws.  Although Speaker Pelosi’s comments cast doubt on the future of the ADPPA, we continue to believe that it will clear the House. We anticipate only modest tweaks to the preemption provision, which must be acceptable to the Republican leadership of the committee for the bill to move forward. As Speaker Pelosi noted, the bill contains a private right of action for consumers—the single most important provision to Republicans in return for strong preemption language. After more than a decade of effort, the Democratic leadership of the House will be hard pressed to let the perfect be the enemy of the really good.

Article By Kristin L. Bryan, Jeffrey L. Turner, and Kyle R. Fath of Squire Patton Boggs (US) LLP

For more privacy and cybersecurity legal news, click here to visit the National Law Review.

© Copyright 2022 Squire Patton Boggs (US) LLP

Acronis Reports Ransomware Damages Will Exceed $30B by 2023

In its Mid-Year Cyberthreat Report published on August 24, 2022, cybersecurity firm Acronis reports that ransomware continues to plague businesses and governmental agencies, primarily through phishing campaigns.

According to the report over 600 malicious email campaigns were launched in the first half of 2022, with the goal of stealing credentials to launch ransomware attacks. Other attack vectors included vulnerabilities to cloud-based networks, targeting unpatched or software vulnerabilities, and cryptocurrency and decentralized finance systems.

According to Acronis, “ransomware is worsening, even more so than we predicted.” It estimates that global damages related to ransomware attacks will top $30 billion by 2023.

Article By Linn F. Freedman of Robinson & Cole LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.