Cybersecurity and Data Privacy
- Shon McBride
DECEMBER 2015 NO. 2

Landmark Cybersecurity Legislation Included in Omnibus Package

Action Item: Congress included the Cybersecurity Act of 2015 (the "Act") in the Consolidated Appropriations Act, 2016 (P.L ), passing comprehensive cybersecurity legislation for the first time since the major U.S. hacking incidents. The Act requires the federal government to timely share cyber threat information with the private sector. Consequently, the U.S. Secretary of Homeland Security and the Attorney General will soon issue privacy guidelines for protecting any personal information provided by private entities, and a model agreement will also be made available. Companies must follow the Act closely to receive its liability protections.

EXECUTIVE SUMMARY

The House and Senate were able, at the end of the first session of this Congress, to reach agreement on comprehensive cybersecurity legislation. The final agreement was added to the Consolidated Appropriations Act, 2016 (H.R. 2029, P.L ) as Division N, entitled the Cybersecurity Act of 2015 (hereafter the "Act"). The Act encompasses provisions authorizing the sharing of cybersecurity threat indicators and defensive measures (defined below) between the private sector and the Department of Homeland Security ("DHS"), in exchange for which the private sector receives comprehensive liability protection in any court of the United States as long as the private sector complies with the to-be-issued federal guidelines for protection of personal information. The final bill limits the sharing of information with the DHS, as requested by the private sector, although the President may authorize sharing of information with other appropriate agencies that he may later designate.

The Act also establishes the National Cybersecurity and Communications Integration Center ("NCCIC") in the DHS as the main location for the information to be shared in order to receive the liability protection; provides antitrust protection for two private entities that share cybersecurity threat information; does not require any private entity to share its information with the federal government; limits the types of defensive measures that private entities can take against hackers; and prohibits the federal government, as well as state, local, and tribal governments, from using the threat information shared for regulatory or enforcement actions. Finally, the Act's cyber threat sharing provisions (title I of the Act) sunset in 10 years, or on September 30, 2025.

As Chairman Michael McCaul (R-TX) of the House Homeland Security Committee stated upon the passage of this landmark law, [i]t is extremely important for private companies that voluntarily share cyber threat indicators and defensive measures with DHS, or each other, [to] have liability protections to ensure they are shielded from the threat of unfounded litigation. This will better secure public and private networks. The Ranking Member of the Committee, Congressman Bennie Thompson, also praised passage of the Act, stating that [t]he Cybersecurity Act of 2015 has the potential to usher in a new chapter in our Nation's effort to address cyber threats. Congressman Thompson also remarked that, while the privacy provisions could be more prescriptive, the bill does give significant attention to privacy concerns by solidifying DHS' civilian role in the cyber information sharing space and tasking DHS and the Justice Department to work together to develop privacy guidelines.

Following is a summary of the key provisions of the Act.

© 2015, Blank Rome LLP. All rights reserved. Please contact Blank Rome for permission to reprint. Notice: The purpose of this update is to identify select developments that may be of interest to readers. The information contained herein is abridged and summarized from various sources, the accuracy and completeness of which cannot be assured. This update should not be construed as legal advice or opinion, and is not a substitute for the advice of counsel.

TITLE I: THE CYBERSECURITY INFORMATION SHARING ACT OF 2015

Sec Sharing of information by the Federal Government. Directs the Director of National Intelligence, the Secretary of Homeland Security, the Secretary of Defense, and the Attorney General to jointly develop and issue procedures to facilitate and promote the timely sharing of cyber threat indicators and defensive measures in the possession of the federal government with relevant federal entities and non-federal entities.

Cyber threat indicators include information that is necessary to describe malicious reconnaissance, a security vulnerability, malicious cyber command and control, the harm caused by an incident, or any other attribute of a cybersecurity threat, or combination thereof.

Defensive measures include an action, procedure, technique, or other measure applied to an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability. But the term "defensive measure" does not include a measure that destroys, renders unusable, or substantially harms an information system or information not owned by the private entity operating the measure. In other words, the Act does not authorize any counter-hacking by private companies.

In developing the procedures, the agency leads are to consult with the Small Business Administration and the National Laboratories (of the Department of Energy) to ensure that the protocols for sharing information are effective, and, within 60 days from enactment of the Act, submit the procedures to Congress.

Sec Preventing cybersecurity threats. Authorizes private entities, for cybersecurity purposes, to monitor their own and other information systems upon authorization and written consent of the other entity, and to share with or receive from any other non-federal entity or the federal government a cyber threat indicator or defensive measure. Authorizes a private entity, for cybersecurity purposes, to operate a defensive measure, as defined above, in order to protect the property rights of the private entity.

Removal of Personal Information. Before sharing a cyber threat indicator with the government, the private entity must remove any personal information of a specific individual or information that identifies a specific individual.

No regulatory action. Cyber threat information shared with either the federal government or any state, tribal, or local government cannot be used by such government or tribe to regulate, including an enforcement action, the lawful activity of any non-federal entity.

Antitrust Exemption. This section also provides an antitrust exemption, as follows. It shall not be considered a violation of any provision of antitrust laws for two or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes.

Sec Sharing cyber threat indicators and defensive measures with the Federal Government. The Attorney General and the Secretary of Homeland Security have to develop and submit to Congress, in 60 days from the date of enactment, interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the federal government; and final policies and procedures to be made publicly available within 180 days. The procedures must include sanctions for any federal officer or employee who knowingly and willfully conducts unauthorized activities.

Protection of Privacy and Civil Liberties. No later than 60 days from enactment, the Attorney General and the Secretary of Homeland Security must issue, and make available to the public, interim guidelines relating to privacy and civil liberties to govern the receipt, retention, use, and dissemination of cyber threat indicators by a federal agency, and final guidelines in 180 days. The guidelines must protect the confidentiality of cyber threat indicators containing personal information of specific individuals to the greatest extent practicable. The President may designate an appropriate federal entity, other than the Department of Defense (including the National Security Agency), to establish a capability and process to receive cyber threat indicators or defensive measures from a non-federal entity.

Protection of Information Shared with the Federal Government. The provision of cyber threat indicators and defensive measures to the federal government shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; and any such indicator or measure shall be considered the commercial, financial, and proprietary information of the providing private entity when so designated by the entity and is deemed exempt from disclosure under the Freedom of Information Act (section 552 of title 5, U.S.C.). The information provided to the federal government is to be used solely for a cybersecurity purpose, including the identification of a cybersecurity threat or a security vulnerability, or to respond to or prevent or mitigate a specific threat of death or serious economic harm.

Sec Protection from liability. No cause of action shall lie or be maintained in any court against any private entity for monitoring information in accordance with this Act, or from sharing or receipt of a cyber threat indicator or defensive measure conducted in accordance with this Act if the sharing or receipt occurs the earlier of (i) the submission of interim policies and procedures to Congress or (ii) 60 days after enactment of the Act. The Act imposes no duty to share a cyber threat indicator or defensive measure or a duty to warn or act based on the receipt of an indicator or measure.

Sec Oversight of Government Activities. No later than two years after enactment and no less than every two years thereafter, the inspectors general of the appropriate federal agencies must jointly submit to Congress a report on the actions of the federal government to carry out this title. No later than three years from enactment, the Comptroller General must submit to Congress a report on the actions taken by the federal government to remove personal information from cyber threat indicators or defensive measures.

Sec Construction and Preemption; Anti-Tasking Restriction. This section provides protection to disclosures made by whistle blowers under section 2302(b)(8) of title 5, U.S.C. This section also prohibits price-fixing and other anti-monopolistic practices; does not limit or modify an existing information sharing relationship; preserves private contractual rights and obligations; and is not to be construed to require a non-federal entity to provide information to a federal entity or another non-federal entity (the so-called "anti-tasking restriction"). In addition, no liability will be incurred by any entity that chooses not to engage in the voluntary activities authorized in this title.

In general, this title supersedes any statute or law of a state or political subdivision that restricts or otherwise expressly regulates an activity authorized under this title; and does not authorize or establish any new regulatory authorities.

Sec Report on Cyber Threats. The Director of National Intelligence ("DNI") is directed, in 180 days from the date of enactment, to submit to the House and Senate Intelligence Committees a report on cybersecurity threats, including attacks, theft, and data breaches.

Sec Sunset. This title shall be effective only from the date of enactment until September 30, 2025.

TITLE II: NATIONAL CYBERSECURITY ADVANCEMENT

Subtitle A: National Cybersecurity and Communications Integration Center ("NCCIC")

This subtitle is to be cited as the National Cybersecurity Protection Advancement Act of The subtitle confirms the position of the NCCIC as the lead agency in the DHS to receive from and share with the private sector cyber threat indicators and defensive measures.

Sec The NCCIC is authorized to enter into a voluntary information sharing relationship with any consenting private entity for the sharing of cyber threat indicators and defensive measures for cybersecurity purposes. The NCCIC is to make available a standard agreement for the use of a private entity and existing agreements between the NCCIC and a private entity are deemed to be in compliance.

Sec Information Sharing and Analysis Organizations. The Act recognizes the role of ISAOs and adds certain cyber risk definitions to section 212 of the Homeland Security Act of 2002 (6 U.S.C. 131).

Sec National Response Framework. The Secretary of DHS is to regularly update, maintain, and exercise the Cyber Incident Annex to the DHS National Response Framework.

Sec Report on Reducing Cybersecurity Risks in DHS Data Centers. The Secretary of DHS is to report to Congress, in one year from the date of enactment, on the feasibility of reducing cyber risks in DHS data centers.

Sec Assessment. The Comptroller General is to submit a report to Congress in two years on how the Secretary of DHS has complied with this title.

Sec Multiple Simultaneous Cyber Incidents at Critical Infrastructure. The DHS Under Secretary for Critical Infrastructure Protection and Cybersecurity is to report to Congress, in one year, on the feasibility of producing a plan to reduce the risk of multiple simultaneous cyber incidents affecting critical infrastructure.

Sec Report on Cybersecurity Vulnerabilities of U.S. Ports. The Secretary of DHS, in 180 days from the date of enactment, shall submit a report to Congress on cybersecurity vulnerabilities at the 10 U.S. ports that are at greatest risk of a cybersecurity incident and recommend measures to mitigate such vulnerabilities.

Sec Prohibition on New Regulatory Authority. No new regulatory authority is granted to the DHS as a result of this subtitle.

Sec Termination of Reporting Requirements. All reporting requirements in this subtitle terminate on a date that is seven years after the date of enactment.

Subtitle B: Federal Cybersecurity Enhancement

Sec This subtitle may be cited as the Federal Cybersecurity Enhancement Act of The purpose of this subtitle is to provide greater protection to the federal IT networks. It directs the Secretary of DHS, in coordination with the Director of the Office of Management and Budget ("OMB"), to develop and implement an intrusion assessment plan to proactively detect, identify, and remove intruders in agency information systems on a routine basis. The Secretary shall regularly deploy new technologies to its intrusion detection and prevention capabilities. Users of the government information systems are to be notified concerning access to communications on those systems. The Privacy Officer, in consultation with the Attorney General, shall review the policies and guidelines for carrying out these programs to ensure consistency with privacy laws. Agencies are directed to implement the intrusion detection and prevention capabilities provided by the DHS no later than one year after enactment or two months after the Secretary makes them available.

Sec Advanced Internal Defenses. The DHS shall include advanced network security tools to detect and mitigate intrusions and anomalous activity.

Sec Federal Cybersecurity Requirements. The Secretary of DHS, in consultation with the Director of OMB, shall issue binding operational directives to assist the Director in ensuring timely agency adoption of and compliance with policies and standards, under section of title 40, U.S.C., for securing agency information systems. These requirements do not apply to the Department of Defense, a national security agency or an element of the intelligence community.

Sec Assessments; Reports. The Secretary of DHS shall, no later than six months from enactment, and annually thereafter, submit a report to Congress on the status of implementation of the intrusion detection and prevention capabilities. The Director of OMB must submit a similar report no later than 18 months after enactment; and the Federal Chief Information Officer must do the same.

Sec Termination. The authority and reporting requirements in this subtitle terminate on a date seven years from enactment.

TITLE III: FEDERAL CYBERSECURITY WORKFORCE ASSESSMENT

Sec This title may be cited as the Federal Cybersecurity Workforce Assessment Act of

Sec National Cybersecurity Workforce Measurement Initiative. The head of each federal agency must identify all positions within the agency that require the performance of cybersecurity or cyber-related functions and assign a corresponding employment code under the National Initiative for Cybersecurity Education.

Sec Identification of Cyber-Related Work Roles of Critical Need. In two years from enactment, the Director of OMB, in consultation with the Secretary of DHS, shall identify critical needs for information technology, cybersecurity, or other cyber-related workforce across all federal agencies; and submit a progress report to Congress.

TITLE IV: OTHER CYBER MATTERS

Sec Study on Mobile Device Security. In one year from the date of enactment, the Secretary of DHS, in consultation with the Director of the National Institute of Standards and Technology ("NIST"), shall complete a study on threats relating to the security of the mobile devices of the federal government and submit an unclassified report to Congress.

Sec International Policy. The Secretary of State, in 90 days from the date of enactment, shall produce a comprehensive strategy relating to U.S. international policy with regard to cyberspace. The strategy shall be made available to the public and to the respective House and Senate Foreign Relations/Foreign Affairs Committees.

Sec Apprehension and Prosecution of International Cyber Criminals. The Secretary of State is to provide an annual report to Congress on the location of international cyber criminals and its efforts to extradite such criminals.

Sec Enhancement of Emergency Services. The Secretary of DHS is to establish a process for reporting on any cybersecurity risk or incident involving any information system used by emergency response providers; and the Director of NIST is directed to support the development of methods for reducing risks to such providers.

Sec Improving Cybersecurity in the Health Care Industry. In one year from the date of enactment, the Secretary of Health and Human Services ("HHS") shall submit to Congress a report on the preparedness of the Department of HHS and health care industry stakeholders in responding to cybersecurity threats.

Sec Federal Computer Security. The Inspector General of each agency that maintains a national security system or a system with access to personally identifiable information shall report to Congress, in 240 days, on practices and procedures for protecting those systems.

CONCLUSIONS

This is the first comprehensive piece of cybersecurity legislation to be enacted since the hacks of the Office of Personnel Management, State Department, White House, health insurer Anthem, Sony Pictures, and Target, to name a few. One could question whether the horse has already left the barn, but the Act is clearly intended to guard against future such attacks and to create an environment for two-way sharing of cyber threat information between the government and the private sector.

The Act attempts to balance the interests of government in garnering all cyber threat data with the privacy interests of consumers and technology companies, and generally limits data sharing to the NCCIC at DHS, which most companies preferred. The Act puts in place voluntary procedures for companies to share cyber threats and defensive measures with the federal government, in exchange for which the companies are to receive liability protection in court and protection of proprietary data and information.

It remains to be seen how many companies choose to share their information with the federal government. But the companies that do so may benefit by receiving more timely threat information in return and gain liability protection from customer lawsuits.

BLANK ROME LLP

For additional information about or questions on the Cybersecurity Act of 2015, please contact:

Blank Rome's cybersecurity & data privacy group
Steven L. Caponi Caponi@BlankRome.com
Kate B. Belmont KBelmont@BlankRome.com

Blank Rome's Government Relations LLC firm:
Joan M. Bondareff Bondareff@BlankRome.com
C.J. Zane Zane-CJ@BlankRome.com
Stephen C. Peranich Peranich@BlankRome.com
More informationChecklist: Credit Union Information Security and Privacy Policies
Checklist: Credit Union Information Security and Privacy Policies Acceptable Use Access Control and Password Management Background Check Backup and Recovery Bank Secrecy Act/Anti-Money Laundering/OFAC
More informationSection One of the Order: The Cybersecurity of Federal Networks.
Summary and Analysis of the May 11, 2017 Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Introduction On May 11, 2017, President Donald
More informationLegal, Ethical, and Professional Issues in Information Security
Legal, Ethical, and Professional Issues in Information Security Downloaded from http://www.utc.edu/center-information-securityassurance/course-listing/cpsc3600.php Minor Changes from Dr. Enis KARAARSLAN
More informationHF Markets SA (Pty) Ltd Protection of Personal Information Policy
Protection of Personal Information Policy Protection of Personal Information Policy This privacy statement covers the website www.hotforex.co.za, and all its related subdomains that are registered and
More informationSTATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)
ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE INTRODUCED NOVEMBER 0, 0 Sponsored by: Assemblywoman ANNETTE QUIJANO District 0 (Union) SYNOPSIS Requires certain persons and business entities to maintain
More informationNATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium
NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium Securing Cyber Space & America s Cyber Assets: Threats, Strategies & Opportunities September 10, 2009, Crystal Gateway Marriott, Arlington,
More informationGreg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security
1 Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security 2 Government Services 3 Business Education Social CYBERSPACE
More informationTHE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS
THE WHITE HOUSE Office of the Press Secretary EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS February 12, 2013 PRESIDENTIAL POLICY DIRECTIVE/PPD-21 SUBJECT: Critical
More informationTestimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON
Testimony Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON Defending Our Democracy: Building Partnerships to Protect America
More informationRMU-IT-SEC-01 Acceptable Use Policy
1.0 Purpose 2.0 Scope 2.1 Your Rights and Responsibilities 3.0 Policy 3.1 Acceptable Use 3.2 Fair Share of Resources 3.3 Adherence with Federal, State, and Local Laws 3.4 Other Inappropriate Activities
More information300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0
P.O. Box 212 Philip D. Murphy, Governor 300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ 08625-0212 www.tech.nj.gov STATE OF NEW JERSEY TECHNOLOGY CIRCULAR Enterprise Information
More informationMember of the County or municipal emergency management organization
EMERGENCY OPERATIONS PLAN SUUPPORT ANNEX B PRIVATE-SECTOR COORDINATION Coordinating Agency: Cooperating Agencies: Chatham Emergency Management Agency All Introduction Purpose This annex describes the policies,
More informationSENATE, No STATE OF NEW JERSEY. 217th LEGISLATURE INTRODUCED DECEMBER 12, 2016
SENATE, No. STATE OF NEW JERSEY th LEGISLATURE INTRODUCED DECEMBER, 0 Sponsored by: Senator STEPHEN M. SWEENEY District (Cumberland, Gloucester and Salem) Senator LINDA R. GREENSTEIN District (Mercer and
More informationHPE DATA PRIVACY AND SECURITY
ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationMarch 21, 2016 MEMORANDUM FOR THE HEADS OF EXECUTIVE DEPARTMENTS AND AGENCIES. Building National Capabilities for Long-Term Drought Resilience
This document is scheduled to be published in the Federal Register on 03/25/2016 and available online at http://federalregister.gov/a/2016-06901, and on FDsys.gov March 21, 2016 MEMORANDUM FOR THE HEADS
More informationCOMMENTARY. Information JONES DAY
February 2010 JONES DAY COMMENTARY Massachusetts Law Raises the Bar for Data Security On March 1, 2010, what is widely considered the most comprehensive data protection and privacy law in the United States
More informationPROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM
PROTECTING ARIZONA AGAINST CYBER THREATS THE ARIZONA CYBERSECURITY TEAM THE THREAT WE FACE On average, the Department of Administration information officers identify: 200 brute force attempts per day;
More informationExecutive Order on Coordinating National Resilience to Electromagnetic Pulses
Executive Order on Coordinating National Resilience to Electromagnetic Pulses The Wh... Page 1 of 11 EXECUTIVE ORDERS Executive Order on Coordinating National Resilience to Electromagnetic Pulses INFRASTRUCTURE
More informationSword vs. Shield: Using Forensics Pre-Breach in a GDPR World. September 20, 2017
Sword vs. Shield: Using Forensics Pre-Breach in a GDPR World September 20, 2017 The information and opinions expressed by our panelists today are their own, and do not necessarily represent the views of
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationStatement for the Record
Statement for the Record of Seán P. McGurk Director, Control Systems Security Program National Cyber Security Division National Protection and Programs Directorate Department of Homeland Security Before
More informationHIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017
HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017 Stroudwater Associates is a leading national healthcare consulting
More informationFinancial Regulations, Enforcement & Cybersecurity
Financial Regulations, Enforcement & Cybersecurity Elizabeth P. Gray May 16, 2017 Copyright 2017 by Willkie Farr & Gallagher LLP. All Rights Reserved. These course materials may not be reproduced or disseminated
More informationThe Evolving Threat to Corporate Cyber & Data Security
The Evolving Threat to Corporate Cyber & Data Security Presented by: Sara English, CIPP/US Sara.English@KutakRock.com 1 http://blogs.wsj.com/law/2015/12/09/employee error leading cause of data breaches
More informationNY DFS Cybersecurity Regulations August 8, 2017
NY DFS Cybersecurity Regulations August 8, 2017 23 NYCRR Part 500 Asking Questions Anti-Trust Policy As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter
More informationThe University of British Columbia Board of Governors
The University of British Columbia Board of Governors Policy No.: 118 Approval Date: February 15, 2016 Responsible Executive: University Counsel Title: Safety and Security Cameras Background and Purposes:
More informationGovernment Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer
IAPP Privacy Certification Certified Information Privacy Professional/Government (CIPP/G) Government Privacy Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer
More informationPrivacy Breach Policy
1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationHow to Respond to a HIPAA Breach. Tuesday, Oct. 25, 2016
How to Respond to a HIPAA Breach Tuesday, Oct. 25, 2016 This Webinar is Brought to You By. About HealthInsight and Mountain-Pacific Quality Health HealthInsight and Mountain-Pacific Quality Health are
More informationPROPOSED INTERPRETIVE NOTICE
August 28, 2015 Via Federal Express Mr. Christopher J. Kirkpatrick Secretary Office of the Secretariat Commodity Futures Trading Commission Three Lafayette Centre 1155 21st Street, N.W. Washington, DC
More informationKeeping It Under Wraps: Personally Identifiable Information (PII)
Keeping It Under Wraps: Personally Identifiable Information (PII) Will Robinson Assistant Vice President Information Security Officer & Data Privacy Officer Federal Reserve Bank of Richmond March 14, 2018
More informationG7 Bar Associations and Councils
COUNTRY PAPER UNITED STATES G7 Bar Associations and Councils SEPTEMBER 14, 2017 ROME, ITALY The American Bar Association P R E F A C E As we have witnessed, cyber terrorism is an extremely serious threat
More informationOCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA)
OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA) This is a License Agreement (the "Agreement") for certain code (the Software ) owned by Akamai Technologies, Inc. ( Akamai ) that is useful in connection
More informationInformation Security Incident Response Plan
Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,
More informationINFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES
INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES 1. INTRODUCTION If you are responsible for maintaining or using
More informationCALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS
CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS INTRODUCTION: Before the California State Teachers Retirement System (hereinafter "CalSTRS," "We," or "Us") will provide services found at mycalstrs.com (the
More informationStrengthening the Cybersecurity of Federal Networks and Critical Infrastructure:
This document is scheduled to be published in the Federal Register on 07/12/2017 and available online at https://federalregister.gov/d/2017-14553, and on FDsys.gov Billing Code: 3510-13 DEPARTMENT OF COMMERCE
More informationCERT Symposium: Cyber Security Incident Management for Health Information Exchanges
Pennsylvania ehealth Partnership Authority Pennsylvania s Journey for Health Information Exchange CERT Symposium: Cyber Security Incident Management for Health Information Exchanges June 26, 2013 Pittsburgh,
More informationDATA PROTECTION LAWS OF THE WORLD. Bahrain
DATA PROTECTION LAWS OF THE WORLD Bahrain Downloaded: 7 April 2018 BAHRAIN Last modified 25 January 2017 LAW There is currently no standalone data protection law in Bahrain. A draft is being reviewed before
More informationADIENT VENDOR SECURITY STANDARD
Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational
More informationGENERAL ASSEMBLY OF NORTH CAROLINA SESSION 2007 H 1 HOUSE BILL 1699
GENERAL ASSEMBLY OF NORTH CAROLINA SESSION 0 H HOUSE BILL Short Title: Option to Stop Junk Mail. (Public) Sponsors: Representatives Fisher; Alexander, Faison, Harrison, and Samuelson. Referred to: Judiciary
More informationDEPARTMENT OF JUSTICE. [CPCLO Order No ] Privacy Act of 1974; System of Records
This document is scheduled to be published in the Federal Register on 12/04/2017 and available online at https://federalregister.gov/d/2017-25994, and on FDsys.gov Billing Code: 4410-02-P DEPARTMENT OF
More informationMark Your Calendars: NY Cybersecurity Regulations to Go into Effect
Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect CLIENT ALERT January 25, 2017 Angelo A. Stio III stioa@pepperlaw.com Sharon R. Klein kleins@pepperlaw.com Christopher P. Soper soperc@pepperlaw.com
More informationDecember 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development
December 10, 2014 Statement of the Securities Industry and Financial Markets Association Senate Committee on Banking, Housing, and Urban Development Hearing Entitled Cybersecurity: Enhancing Coordination
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationTIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE
TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE Association of Corporate Counsel NYC Chapter 11/1 NYC BDO USA, LLP, a Delaware limited liability partnership,
More informationData Breach Preparation and Response. April 21, 2017
Data Breach Preparation and Response April 21, 2017 King & Spalding Data, Privacy & Security King & Spalding s 60 plus lawyer Data, Privacy & Security ( DPS ) Practice is best known for: Experienced crisis
More informationPRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology
PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology 24 October 2017 Content Overview of Cyber Security Law Observations on Implementation of Cyber
More information1 Privacy Statement INDEX
INDEX 1 Privacy Statement Mphasis is committed to protecting the personal information of its customers, employees, suppliers, contractors and business associates. Personal information includes data related
More informationBYOD (Bring Your Own Device): Employee-owned Technology in the Workplace
BYOD (Bring Your Own Device): Employee-owned Technology in the Workplace MCHRMA Spring Conference April 4, 2014 PRESENTED BY: Sonya Guggemos MCIT Staff Counsel for Risk Control sguggemos@mcit.org The information
More informationUTAH VALLEY UNIVERSITY Policies and Procedures
Page 1 of 5 POLICY TITLE Section Subsection Responsible Office Private Sensitive Information Facilities, Operations, and Information Technology Information Technology Office of the Vice President of Information
More information