On September 12, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) published a Request for Information, seeking public comment on how to structure implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”). Written comments are requested on or before November 14, 2022 and may be submitted through the Federal eRulemaking Portal: http://www.regulations.gov.
Continue Reading CISA Requests Public Comment on Implementing Regulations for the Cyber Incident Reporting for Critical Infrastructure Act
On February 19, 2021, the European Commission published two draft decisions finding that UK law provides an adequate level of protection for personal data. The first would allow private companies in the EU to continue to transfer personal data to the UK without the need for any additional safeguards (e.g., the Commission’s standard contractual clauses), while the second would allow EU law enforcement agencies to transfer personal data subject to Directive 2016/680 — the Data Protection and Law Enforcement Directive (LED) — to their UK counterparts.
Continue Reading European Commission Publishes Draft UK Adequacy Decisions
On July 25, 2019, the UK’s Information Commissioner’s Office (“ICO”) published a blog on the trade-offs between different data protection principles when using Artificial Intelligence (“AI”). The ICO recognizes that AI systems must comply with several data protection principles and requirements, which at times may pull organizations in different directions. The blog identifies notable trade-offs that may arise, provides some practical tips for resolving these trade-offs, and offers worked examples on visualizing and mathematically minimizing trade-offs.
The ICO invites organizations with experience of considering these complex issues to provide their views. This recent blog post on trade-offs is part of its on-going Call for Input on developing a new framework for auditing AI. See also our earlier blog on the ICO’s call for input on bias and discrimination in AI systems here.
Continue Reading ICO publishes blog post on AI and trade-offs between data protection principles
The European Commission (“Commission”) has published a Recommendation on cybersecurity in the energy sector (“Recommendation”). The Recommendation builds on recent EU legislation in this area, including the NIS Directive and EU Cybersecurity Act (see our posts here and here). It sets out guidance to achieve a higher level of cybersecurity taking into account specific characteristics of the energy sector, including the use of legacy technology and interdependent systems across borders.
Continue Reading IoT Update: EU Commission Issues Recommendation on Cybersecurity in the Energy Sector
On February 27, 2019, Covington hosted its first webinar in a series on connected and automated vehicles (“CAVs”). During the webinar, which is available here, Covington’s regulatory and public policy experts covered the current state of play in U.S. law and regulations relating to CAVs. In particular, Covington’s experts focused on relevant developments in: (1) federal public policy; (2) federal regulatory agencies; (3) state public policy; (4) autonomous aviation; and (5) national security.
Highlights from each of these areas are presented below.
Continue Reading IoT Update: Covington Hosts First Webinar on Connected and Automated Vehicles
One week from today, Covington will host its first webinar in a series on connected and automated vehicles (“CAVs”). The webinar will take place on February 27 from 12 to 1 p.m. Eastern Time. During the webinar, Covington’s regulatory and legislative experts will cover developments in U.S. law and regulations relating to CAVs. Those topics include:
- Federal regulation affecting CAVs, with a focus on the National Highway Traffic Safety Administration (“NHTSA”), the Federal Aviation Administration (“FAA”), the Federal Communications Commission (“FCC”), and the Committee on Foreign Investment in the United States (“CFIUS”) review.
- Where Congress stands on CAV legislation, including the AV START Act, the SELF DRIVE Act, and infrastructure legislation.
- State-level legislative, regulatory, and policy developments, including a closer look at California’s regulations.
- Updates and trends specific to the autonomous aviation industry.
- Foreign investment and export controls impacting CAVs.
Following an informal consultation earlier this year – as covered by our previous IoT Update here – the UK’s Department for Digital, Culture, Media and Sport (“DCMS”) published the final version of its Code of Practice for Consumer IoT Security (“Code”) on Oct. 14, 2018. This was developed by the DCMS in conjunction with the National Cyber Security Centre, and follows engagement with industry, consumer associations, and academia. The aim of the Code is to provide guidelines on how to achieve a “secure by design” approach to all organizations involved in developing, manufacturing, and retailing consumer Internet of Things (“IoT”) products. Each of the thirteen guidelines is marked as primarily applying to one or more of the following categories: device manufacturers, IoT service providers, mobile application developers, and/or retailers.
The Code brings together what is widely considered good practice in IoT security. At the moment, participation in the Code is voluntary, but it has the aim of initiating and facilitating security change through the entire supply chain and compliance with applicable data protection laws. The Code is supported by a supplementary mapping document, and an open data JSON file which refers to the other main industry standards, recommendations and guidance. Ultimately, the Government’s ambition is for appropriate aspects of the Code to become legally enforceable, and it has commenced a mapping exercise to identify the impact of regulatory intervention and necessary changes.
Continue Reading IoT Update: The UK publishes a final version of its Code of Practice for Consumer IoT Security
Last week, I spoke on a panel at the IAPP Privacy Academy about upcoming changes to FCC regulations governing the “prior express consent” requirement for, among other things, autodialed promotional text message and prerecorded call programs under the Telephone Consumer Protection Act (TCPA). These changes will take effect next week, on October 16, 2013. Some…
A Michigan appellate court ruled last week that state discovery rules provide adequate safeguards for anonymous online speech. The opinion is a significant deviation from the rulings of other state courts, which have applied a First Amendment balancing test to determine whether to grant discovery requests for the identities of anonymous online speakers.
Thomas M. Cooley Law School sued several defendants for allegedly defaming the school online and issued subpoenas for their identities. Defendant John Doe 1, who operated a website about the law school, sought a protective order and moved to quash the subpoena to his Internet service provider. The trial court applied a First Amendment balancing test, first articulated by state appellate courts in New Jersey and Delaware, that considers factors including (1) whether the defendant is a person or entity who could be sued, (2) whether the plaintiff made a good-faith effort to serve the defendant with process, (3) whether the lawsuit could withstand a motion to dismiss, and (4) whether there is a reasonable likelihood that discovery would uncover information that would allow service of process. Under this analysis, the state trial court denied the motion to quash and denied the protective order.
Continue Reading Michigan Court Rejects First Amendment Balancing Test for Online Anonymous Speech
Last week, the Federal Trade Commission (“FTC”) published a short guide for mobile app developers and entrepreneurs with suggestions on how to comply with basic truth-in-advertising and privacy principles. The guide is entitled “Marketing Your Mobile App: Get It Right From the Start” and includes many useful tips.
For advertising, the FTC advises that app…