The latest round-up of legal and regulatory developments and other news on cybersecurity from the Datonomy blogging team at Olswang LLP.
EU policy and regulatory developments
- General Data Protection Regulation (GDPR): As Datonomy readers will by now be well aware, on 15 June the GDPR reached another key milestone when the EU Council (i.e. the Member States) adopted its “general approach” to negotiating the whole proposal with the Parliament and the Commission. This means that all three EU institutions have now declared their negotiating stance on the wide-ranging proposal and that three-way negotiations can begin. The first such trilogue is scheduled for 24 June, with a six-month provisional timetable recently outlined by a group of MEPs here, aimed at adoption of the proposal by the end of 2015. Given the complexity of the proposal and the fact that it has already taken three and a half years to reach this milestone, it remains to be seen whether adoption by the end of 2015 (and by implication its coming into force by the end of 2017) is realistic or optimistic. For those interested in the respective negotiating positions and with an appetite for detail, the relevant texts are: the Commission’s original 2012 proposal here, the text approved by the EP in 2014 here, and the Council’s proposed revisions (text dated 11 June 2015), which are available via a search of the Consilium website here or via direct link here.
- In terms of security and breach notification requirements, the Council reached its partial approach on these matters in October 2014. It takes a more risk-based approach to notification obligations and, like the EP, favours a 72-hour target for notifying regulators. However, unlike the EP (and in tune with the Commission), it favours maximum fines of up to 2% of global turnover. On 17 June, the Article 29 Working Party (representing national DP regulators) wrote open letters to key individuals representing the three institutions responsible for negotiating the final text, highlighting a number of areas of the draft which, in the regulators’ opinion, require improvement in order to safeguard individuals’ rights. These areas include breach notification. The letters and a detailed annex setting out the areas of concern can be found on the Article 29 WP’s site here. Datonomy will continue to track the progress of the GDPR and its practical implications over the weeks and months to come.
- Network and Information Security Directive (NISD): Again, no major news on the progress of the draft Directive in the past week, although work towards a further trilogue is evidently continuing at Council level. The Consilium website flags up a new document dated 18 June entitled “preparation for the informal trilogue”, although this has not yet been made available. “Preparation for Coreper mandate” in relation to the proposal was on the agenda for discussion by the Council’s Working Party on Telecommunications and Information Society on 19 June.
- The European Commission has announced the launch of four new National Coalitions for Digital Skills and Jobs (in Belgium, Cyprus, the Netherlands and the UK). These four join the eight existing coalitions (Bulgaria, Greece, Italy, Malta, Lithuania, Latvia, Poland and Romania) in supporting grass-roots initiatives to provide people with the ICT skills that grow the digital economy.
- The European Union Agency for Network and Information Security (ENISA) held the “EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union” on 16 June 2015. The legal and compliance issues raised by technical advances, privacy and personal data protection, critical information infrastructures and cloud certification were discussed by 150 governmental and corporate decision-makers along with cybersecurity practitioners and researchers.
- ENISA also held another conference on 16 June 2015: the “Workshop on the Protection of Electronic Communications Infrastructure & Information Sharing”. Representatives of the public and private sectors were brought together to discuss the protection of underground infrastructure, and how this will need to evolve as information sharing increases.
US policy and regulatory developments
- The Cybersecurity Information Sharing Act (CISA) recently failed to make it out of the Senate, being voted down by 40 votes to 56. The Bill, which sought to encourage companies to share threat information with each other and with the government, apparently did not do enough to alleviate privacy concerns about the increased amount of personal information that would become accessible to the government.
- The US Chamber of Commerce has published a response to the Office of Personnel Management (OPM) hack, in which it advocates for the passage of new cyber intelligence sharing legislation. “The U.S. and its business community need legislative solutions like the ones that passed the House earlier this year: the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA) of 2015. The measures would shield American firms that share cybersecurity-related information from, for instance, regulatory actions, lawsuits and FOIA requests stemming from their disclosures. Senate leaders are currently charting a path forward for similar legislation, which passed with overwhelming bipartisan support out of the Senate Intelligence Committee in March.” The piece also states that as many as 14 million government employees’ records may have been compromised in the hack (not 4 million as previously reported).
Attacks, reports and other news
- CERT-UK’s latest weekly update features a report on a vulnerability found in Samsung mobile phones. Samsung ships a keyboard called SwiftKey which has been using unencrypted communication when talking to servers to check for updates. A patch is being developed, but it is thought that the unencrypted communication method has created a window for attackers which could affect up to 600 million devices. The weekly update also features vulnerabilities found in Adobe, Linux kernel and Novell software.
- The BBC is reporting that several of the Canadian government’s websites were overrun by a DDoS (“distributed denial of service”) attack on Wednesday, 17 June. The hacker group Anonymous has taken credit for the attack, posting a video in which it states that the attack was retaliation for the recently passed anti-terrorism legislation, “C-51”, which the group believes unfairly targets minorities and dissidents.
- EurActiv has written an opinion piece about the threat hackers pose to the airline industry. It was previously thought that hacking into a plane’s controls would be near impossible, but with the advent of drones, big industry players such as Airbus and Boeing are reviewing their strategies.
- EurActiv is reporting that a cyber attack led to the cancellation of 10 flights departing from Warsaw airport on 21 June 2015. Luckily the attack did not occur in the air, but the hackers did manage to infiltrate the airline’s ground operations system, which meant that the airline was unable to create flight plans.
- The Japan Times has written a piece about the Chinese hacking group Deep Panda (a.k.a. Shell Crew), which is believed to be behind the recent US OPM hack. An interview with Jared Myers of the cybersecurity company RSA, drawing on his first-hand experience battling the group, reveals the multitude of methods they use to compromise targets.
- Barron’s is highlighting the success of PureFunds’ ISE Cyber Security exchange-traded fund, HACK. The fund, made up of a mix of anti-hacker software companies, has quadrupled in value since January and has just hit the $1 billion mark.
- The Washington Times is reporting that three teenage boys from Rio Rancho, New Mexico, orchestrated a cyber attack on the website of the baby formula company Enfamil using school computers. The boys posted vulgar messages on the site’s message boards and, when banned by the site, retaliated with a cyber attack. As well as being in serious trouble with their parents, the boys face felony charges of computer abuse and conspiracy.
Contributors to this week’s update: Tom Pritchard, Paralegal and Claire Walker, Head of Client Knowledge.