On 13 September 2023, negotiations began between European institutions to adopt the text of the EU Cyber Resilience Act (the “CRA”). If adopted, the CRA will impose a set of software security, cybersecurity, and vulnerability management requirements on products with digital elements (i.e., software or hardware products and their remote data processing solutions) placed on the EU market.


On September 25, 2023, the Consumer Financial Protection Bureau (“CFPB”) began its most substantial Fair Credit Reporting Act (“FCRA”) rulemaking yet with an outline of proposed changes to Regulation V, which implements FCRA, ahead of the Bureau’s Small Business Advisory Review Panel. The proposals under consideration could have a substantial impact on the data brokerage industry, if implemented. In this Legal Update, we look at the key components of the CFPB’s initial proposals for revising Regulation V.


Cybersecurity Awareness Month is a good time to highlight one trend in federal efforts to address cyber risk: proscriptive regulation of the information and communications technology and services (“ICTS”) supply chain.

Supply chain risk management is a broad field encompassing, among other things, federal efforts to improve software security, and proposals to revise the FAR to standardize cybersecurity and incident reporting requirements for US government contractors. This Legal Update concerns a different trend toward restricting use of equipment and services with ties to jurisdictions viewed as high-risk by the US government. That regulatory impulse has implications for buyers and sellers alike: it signals the salience of the issue from a cybersecurity standpoint, it leads to limitations on what companies in the United States can purchase, and it may encourage the development of so-called “trusted markets” in other jurisdictions. Here, we outline the origin of those authorities and provide the current status on how they have been deployed so far, according to public information.


Recent high-profile cyber incidents involving exploitation of software vulnerabilities—such as the SolarWinds and MOVEit incidents—have increased scrutiny of the security of the software upon which corporate and government customers rely. Though phishing and social engineering continue to be leading causes of cyber incidents, there is growing potential legal exposure for companies from security vulnerabilities in software. For that reason, an expanding body of government guidance, key artifacts, and expectations is developing around software security.


On the eve of the “Golden Week” in China, the Cyberspace Administration of China (CAC) published the draft Provisions on Regulating and Promoting Cross-Border Data Transfers (the “Draft Provisions”) on 28 September 2023.

The Draft Provisions provide a welcome rollback of some of the onerous cross-border data transfer regime, first introduced by the Personal Information Protection Law (PIPL) in November 2021, and seem to address some of the concerns raised by many companies operating in the People’s Republic of China (PRC) that compliance with the cross-border data transfer requirements was very difficult to achieve.


Last week, the government announced two sets of proposed revisions to the Federal Acquisition Regulation (FAR) to improve the cybersecurity of the government’s information systems. Both sets of revisions relate to President Biden’s May 2021 Executive Order 14028 on Improving the Nation’s Cybersecurity.

First, the Department of Defense (DoD), the General Services Administration (GSA), and NASA proposed revisions to the FAR that will standardize cybersecurity requirements for unclassified federal information systems (FISs). Because government contract requirements are “largely based on agency-specific policies and regulations” that can result in “inconsistent security requirements across contracts,” the new regulations seek to harmonize the requirements across federal agencies.


Recently, world leaders and key stakeholders gathered for the 78th session of the United Nations General Assembly (“UNGA”) to discuss global challenges with the goal of furthering peace, security, and sustainable development. A key topic of discussion was the “digital revolution,” focusing on the opportunities and challenges presented by artificial intelligence (“AI”), as well as the continued importance of strengthening global cybersecurity.


Today, the UK Department for Science, Innovation and Technology announced further details on the new transatlantic data flow mechanism for UK-to-US personal data transfers. In particular, the UK Secretary of State for Science, Innovation, and Technology today laid new adequacy regulations before the UK Parliament to give effect to the proposed arrangement. The deal, announced “in principle” in June, is a UK extension to the EU-US Data Privacy Framework (“DPF”), finalised in July. The extension creates a UK-US data bridge, allowing organisations to transfer personal data subject to the UK General Data Protection Regulation (“UK GDPR”) to participating US organisations.


India—the fifth largest economy in the world—just passed a comprehensive privacy law. On August 11, 2023, the Digital Personal Data Protection Act, 2023 (the “DPDP”) was approved by the president of India, adding India to the list of global powers with a comprehensive privacy law. The law is expected to come into force in June 2024. Guest author Stephen Mathias, from Kochhar & Co., provides a detailed breakdown of the DPDP.


On August 8, 2023, the National Institute of Standards and Technology (“NIST”) released a draft of The NIST Cybersecurity Framework (CSF) 2.0 (the “CSF” or “Framework”) along with a Discussion Draft of the Implementation Examples. This draft makes the most significant changes to the Framework since its initial release in 2014. It follows more than a year’s worth of community feedback, with NIST issuing the first request for information on the CSF in February 2022 and a concept paper regarding potential changes in January 2023. Both drafts are open for public comment until November 4, 2023. NIST announced that it plans to publish the final version in early 2024, without releasing another version for public comment.
