Yesterday the White House Office of Management and Budget issued guidelines (the “Guidelines”) requiring all federal agencies to buy and use software that complies with “secure development practices” developed by the National Institute of Standards and Technology (“NIST”).  The Guidelines follow an Executive Order (“EO”) of May 2021 on improving cybersecurity across government agencies and are congruent with a broader trend of privacy and cybersecurity being a top-of-mind issue for federal government stakeholders.  A press release from the White House explained that “[b]y strengthening our software supply chain through secure software development practices, we are building on the Biden-Harris Administration’s efforts to modernize agency cybersecurity practices, including our federal ‘zero trust’ strategy, improving our detection and response to threats, and our ability to quickly investigate and recover from cyber-attacks.”

EO 14028, Improving the Nation’s Cybersecurity (dated May 12, 2021), addressed the security and integrity of the software supply chain and underscored the vital importance of secure software development environments.  EO 14028 directed NIST to issue guidance “identifying practices that enhance the security of the software supply chain.”  The Guidelines refer to (1) the NIST Secure Software Development Framework (SSDF), SP 800-218, and (2) the NIST Software Supply Chain Security Guidance (collectively, the “NIST Guidance”) as setting out the specified practices that create a foundation for developing secure software.

The Guidelines require federal agencies to comply with the NIST Guidance “when using third-party software on the agency’s information systems or otherwise affecting the agency’s information.”  This includes firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.  The Guidelines exempt agency-developed software, but caution that agencies are nevertheless expected to adopt secure software development practices for software they develop themselves.

As set forth in the Guidelines, federal agency Chief Information Officers (CIOs), in conjunction with others, must take certain steps to ensure software producers have implemented and will attest to conformity with secure software development practices.  This includes, as specified in greater detail in the Guidelines:

  • Consistent with the NIST Guidance and by the timelines identified in the Guidelines, agencies are required to obtain a self-attestation from a software producer before using the software.
  • Agencies may obtain from software producers artifacts that demonstrate conformance to secure software development practices, as needed.

This development is part of a continued federal response to foreign governments and cybercriminals seeking to compromise digital infrastructure in the U.S.  The Guidelines were issued in response to “a string of cyber intrusions and significant software vulnerabilities over the last two years that have threatened the delivery of Government services to the public, as well as the integrity of vast amounts of personal information and business data that is managed by the private sector.”

For more on this, stay tuned.  CPW will be there to keep you in the loop.

CPW’s Kristin Bryan, a 2022 Law360 Privacy & Cybersecurity MVP as well as a featured subject matter expert for LexisNexis, Jesse Taylor and Shing Tse teamed up to co-author a chapter of the Lexis Practical Guidance titled “Privacy, Cybersecurity and Data Breach Litigation: Key Laws and Considerations.”  In this practice note, the trio explore key legal issues and considerations in privacy, cybersecurity, and data breach litigation.  This includes a discussion of key strategic considerations, frequently litigated data privacy and cybersecurity statutes, issues bearing upon class certification, and recent decisions of significance.

Kristin is a litigator with deep expertise representing clients in complex bet-the-company data privacy, cybersecurity and data breach disputes in federal and state courts nationwide.  She has obtained dismissals of numerous significant data privacy and cybersecurity litigations, in which plaintiffs collectively sought over US$280 billion in liquidated statutory damages for claims that her client’s business practices violated federal and state privacy laws.

Both Jesse and Shing have collaborated with Kristin and other SPB litigators on various data privacy litigations, including in the putative class action context, and are also subject matter experts in this field.  Paired with Kristin’s experience, their combined knowledge of legal compliance and regulatory requirements makes for an in-depth breakdown in this information-packed practical guide.

If you are interested in reading the practice note, please click here.

The second reading of the Data Protection and Digital Information Bill (the Bill) has been delayed following the election of the new Conservative Party leader. The new date is yet to be announced, but in the meantime, it is worth analysing some of the key changes the Bill proposes. While it promises more flexibility and less ambiguity, practically speaking, the Bill may not represent a fundamental divergence from the current regime.

Continue Reading Data Protection and Digital Information Bill Delayed – Aspects to Consider While We Wait

Recently, eyewear brands that offer virtual try-on (“VTO”) tools—which allow website visitors to “try before they buy” while shopping online—have faced a barrage of class action lawsuits alleging violations of the Illinois Biometric Information Privacy Act (“BIPA”). Importantly, however, BIPA suits are not the only legal risks that continue to increase for eyewear retailers today, especially those that sell prescription contact lenses. So, too, are the risks for non-compliance with the Federal Trade Commission’s (“FTC”) Contact Lens Rule, which sets forth a range of compliance obligations on sellers of contact lenses.

CPW’s David Oberly examines a recent FTC enforcement action involving alleged violations of the Contact Lens Rule and FTC Act—resulting in the largest Contact Lens Rule FTC settlement to date—and provides several key takeaways for mitigating legal risks associated with the Contact Lens Rule and FTC liability exposure—in this Law360 article: FTC Settlement Puts Contact Lens Compliance in Sharp Focus.

Earlier this month, Law360 released the names of those chosen for the 2022 MVP awards. Of the 900 attorneys who were nominated for the honor, Law360 notes that, “[t]he attorneys chosen as Law360’s 2022 MVPs have distinguished themselves from their peers by securing hard-earned successes in high-stakes litigation, complex global matters and record-breaking deals.”

Continue Reading Congratulations to CPW’s Kristin Bryan on Being Named a 2022 Cybersecurity & Privacy MVP by Law360!

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

FCC Reportedly Issues Letters of Inquiry Seeking Further Information on Wireless Providers Data Privacy Practices | Consumer Privacy World

Webinar Registration Open: Navigating Cross-border Challenges Relating to HR Data Protection and Employee Right-to-Work Compliance | Consumer Privacy World

HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail | Consumer Privacy World

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision | Consumer Privacy World

The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement | Consumer Privacy World

The NYDFS Proposes Substantial Amendments to Cyber Regulations | Consumer Privacy World

September 8: Can’t Miss Webinar on Privacy in AI | Consumer Privacy World

CPW’s David Oberly Discusses Practical Tips for Building Comprehensive Biometric Privacy Programs to Manage Legal Risks and Mitigate Liability Exposure in Biometric Update | Consumer Privacy World

Federal Court Clarifies the Article III Standing Requirement for FDCPA Violations | Consumer Privacy World

FTC Sues Data Broker for Purportedly Selling Geolocation Information, Alleging “Unfair Sale of Sensitive Data” | Consumer Privacy World

Delaware Federal Court Quickly Denies Motion for a Preliminary Injunction Based Upon Alleged Data Incident | Consumer Privacy World

FCC Gathers and Releases Information on Wireless Carrier Data Privacy Practices

TikTok Settlement Receives Final Court Approval

Federal Court Rejects Terms in Franchise Agreement Retaining Data Access Rights As Sufficient to Plead Section 15(b) BIPA Claim

The Southern District of Florida Issues Ruling Further Limiting Claims in Data Breach MDL 

Law360 Quotes CPW Lawyers in “India, Canada Lead International Privacy Laws To Watch”

Upcoming Webinar: IAPP’s Virtual KnowledgeNet Series – Reasonable Security: Exploring a day in the life of a Chief Information Security Officer (CISO)


As previously reported, the Federal Communications Commission last month released responses from the 15 major wireless carriers concerning their data retention and privacy practices, particularly with respect to location information.

In doing so, the FCC Chairwoman announced that she had asked the agency’s “Enforcement Bureau to launch a new investigation into mobile carriers’ compliance with FCC rules that require carriers to fully disclose to customers how they are using and sharing geolocation data.”

Continue Reading FCC Reportedly Issues Letters of Inquiry Seeking Further Information on Wireless Providers Data Privacy Practices

With the implementation of new regulations involving the handling of “HR data” across the US and the EU, transatlantic employers can expect to face unique challenges as they make efforts to incorporate these new regulations with existing procedures. In the coming months, managing data subject rights and business obligations that apply to HR data will be of the utmost importance for those involved in managing employees, hiring new talent, maintaining legal compliance, and/or overseeing a company’s overall operations.

Join Squire Patton Boggs experts Alan Friel, Michael Kelly, Annabel Mace, David Naylor and Gregory Wald in this “one-stop-shop” webinar on the pitfalls of hiring globally and the privacy/compliance matters related thereto, hosted in conjunction with the British American Business Council (BABC), on Wednesday, October 12, from 9:00 to 10:15 am PDT.

Our panelists will address:

  • How the UK and EU GDPR, data protection authorities and works councils affect US organizations, including intercompany and cross-border access and transfers
  • The January 1, 2023 implementation of the full HR data requirements under the California Consumer Privacy Act, including data subject access rights
  • Steps employers can take to safeguard HR data, manage data subject requests and prepare for enforcement actions
  • An overview of US and UK employment verification and right-to-work compliance and interplay with employee data protection

If you would like to attend or know someone who would, please click here to register.

The California Consumer Privacy Act (CCPA) currently has limited carve-outs for personal information (PI) collected from a job applicant, employee, owner, director, officer, medical staff member, or independent contractor of a business acting in such capacity (including, without limitation, communications, emergency contact and benefits PI) (HR data). An even broader exception applies to B-to-B communications and related PI (e.g., vendor, supplier and business customer contacts and communications) (B-to-B data). As a result, businesses subject to the CCPA are not currently required to honor CCPA rights requests received from persons concerning HR data and B-to-B data. These carve-outs are set to sunset on January 1, 2023, when the California Privacy Rights Act (CPRA), which substantially amends the CCPA, goes into full effect, at which point HR data and B-to-B data will be fully subject to all of the requirements of the CCPA/CPRA. Many business administrators had hoped that either the California legislature would extend the HR data exceptions (or maybe even make them permanent), or a federal law that limited data subject rights to traditional consumers would pass and preempt CCPA/CPRA. It is now clear that the former is impossible and the latter is highly unlikely. Accordingly, many companies have a lot to do by year-end to prepare to stand up a CCPA/CPRA program for HR data and B-to-B data.

Continue Reading HR and B-to-B Data Compliance Deadline Looming – Legislative Efforts to Extend California Consumer Privacy Act Exemptions Fail

In case you missed it, below are recent posts from Consumer Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Speaker Pelosi Expresses Concerns With Federal Privacy Bill’s Preemption Provision | Consumer Privacy World

The Cookie Crumbles – Lessons from First California Consumer Privacy Act (CCPA) Monetary Settlement | Consumer Privacy World

The NYDFS Proposes Substantial Amendments to Cyber Regulations | Consumer Privacy World

September 8: Can’t Miss Webinar on Privacy in AI | Consumer Privacy World

CPW’s David Oberly Discusses Practical Tips for Building Comprehensive Biometric Privacy Programs to Manage Legal Risks and Mitigate Liability Exposure in Biometric Update | Consumer Privacy World

Federal Court Clarifies the Article III Standing Requirement for FDCPA Violations | Consumer Privacy World

FTC Sues Data Broker for Purportedly Selling Geolocation Information, Alleging “Unfair Sale of Sensitive Data” | Consumer Privacy World

Delaware Federal Court Quickly Denies Motion for a Preliminary Injunction Based Upon Alleged Data Incident | Consumer Privacy World

FCC Gathers and Releases Information on Wireless Carrier Data Privacy Practices

TikTok Settlement Receives Final Court Approval

Federal Court Rejects Terms in Franchise Agreement Retaining Data Access Rights As Sufficient to Plead Section 15(b) BIPA Claim

The Southern District of Florida Issues Ruling Further Limiting Claims in Data Breach MDL 

Law360 Quotes CPW Lawyers in “India, Canada Lead International Privacy Laws To Watch”

Upcoming Webinar: IAPP’s Virtual KnowledgeNet Series – Reasonable Security: Exploring a day in the life of a Chief Information Security Officer (CISO)

VIXIO Regulatory Intelligence Quoted CPW’s Kristin Bryan in Recent Article on FTC and CFPB Data Protection and Privacy Legislation