BIS has issued an interim final rule on cybersecurity export controls, and entities dealing with cybersecurity exports have until early December to submit comments. In this latest edition of our Privacy and Security Roundup, we share the details of the rule's two key measures, new export restrictions and a new License Exception, provide an update on cyber incident reporting legislation, discuss modifications to the GLBA Safeguards Rule and much more.
White-hat activities and potential impact of new cybersecurity export controls
The Commerce Department’s Bureau of Industry and Security (BIS) issued a long-awaited interim final rule on Oct. 21, 2021, imposing export controls on certain cybersecurity software, equipment and technology. Citing concern that these items could be misused to “abuse human rights or conduct other malicious cyber activities,” BIS stated its aim is to ensure “U.S. companies are not fueling authoritarian practices.” Broadly, the rule has two key components:
- restrictions on export, re-export or in-country transfers of certain cybersecurity-related items and tools that can be used for malicious activities; and
- a new License Exception, Authorized Cybersecurity Exports (ACE), allowing for exports of cybersecurity items to many destinations, under certain conditions, without a BIS export license.
It should be noted that the ACE License Exception is unavailable for exports to certain government and non-government end-users, and some exports even to allied countries like Cyprus, Israel and Taiwan are restricted. That said, ACE does include carve-outs that permit exports of “software specifically designed and limited to providing basic updates and upgrades, vulnerability disclosure or cyber incident response” to the governments of these and other allied countries.
BIS asserts these new export controls are narrow in scope and will have minimal impact. However, cybersecurity service and software providers, forensics firms, IT infrastructure manufacturers and those engaged in vulnerability testing, research, bug-bounty programs and other white-hat activities may take a different view. In practice, entities engaged in these activities could face significant implications if those activities potentially involve the export, re-export or transfer of cybersecurity items. BIS also recently signaled its intent to enforce cybersecurity export controls, evidenced by its addition of four cyber-surveillance firms to the U.S. Entity List (barring exports of U.S. origin items to such parties), alleging their involvement in developing, trafficking and using technologies for malicious activities threatening the cybersecurity of civil society, dissidents, government officials and organizations.
While the new rule does not take effect until Jan. 19, 2022, BIS is seeking comments and public input “to ensure full consideration of the potential impact,” including on the potential cost of compliance and the impact on legitimate cybersecurity activities. U.S. and non-U.S. entities dealing with cybersecurity items and investors in U.S. entities who are active with such technologies should assess the rule’s potential impact and consider submitting comments by Dec. 6.
Update: Federal mandatory breach notification legislation
As covered previously, Congress is eyeing several pieces of legislation that involve potentially mandatory cyber incident reporting, a requirement that could have broad implications for entities targeted for ransomware attacks and certain sectors like critical infrastructure. To date, each bill varies in scope and remains in the early stages of the legislative process. However, on Oct. 25, the Congressional Research Service released its “Comparison of selected cyber incident reporting bills.” The report provides a detailed side-by-side comparison of the bills summarized below.
- The Cyber Incident Reporting for Critical Infrastructure Act (H.R. 5440) would require reporting of qualifying incidents to the Cybersecurity and Infrastructure Security Agency (CISA) no more than 72 hours after discovery. At minimum, this would apply to cloud service providers, Managed Service Providers and critical infrastructure operators. Reporting entities would receive the liability and disclosure protections found in the Cybersecurity Act of 2015.
- The Cyber Incident Notification Act of 2021 (S. 2407) would require an initial report to CISA within 24 hours after confirmation of a security incident, with updates within 72 hours of any new information. At minimum, reporting entities would include federal agencies, contractors, critical infrastructure operators and cybersecurity companies, but liability protection is less clearly defined than in H.R. 5440.
- The Cyber Incident Reporting Act of 2021 (S. 2875) would involve reporting to CISA within 72 hours of the discovery of an incident and mandatory reporting of ransomware payments within 24 hours of such payment. S. 2875 would apply to critical infrastructure owners and operators. Other mandatory reporting requirements could apply based on the consequences of an attack and the likelihood of targeting by malicious actors. Reporting entities would receive the liability and disclosure protections found in the Cybersecurity Act of 2015.
- Of the four leading mandatory reporting bills, the Ransom Disclosure Act (S. 2943) would reach the broadest set of entities but covers the narrowest subject matter: ransom payments only. The bill would require reporting to the Department of Homeland Security (DHS) no later than 48 hours after payment of a ransom by any public or private entity engaged in interstate commerce or that receives federal funds (including local governments). Unlike the three bills above, S. 2943 does not define liability protection.
Entities that may fall within the potential scope of mandatory reporting bills should carefully track their progress and applicability. While several specifics still need to be addressed, given recent headline-grabbing security incidents, there appears to be general bipartisan agreement on the need for federal action.
Changes to the GLBA Safeguards Rule
Citing recent widespread data breaches, cyberattacks and harm to consumers, on Oct. 27, 2021, the Federal Trade Commission (FTC) issued several updates to strengthen the Safeguards Rule. Mandated under the Gramm-Leach-Bliley Act (GLBA), the Safeguards Rule requires covered financial institutions to have measures in place to keep customer information secure and imposes an obligation to ensure affiliates and service providers safeguard customer information in their care. The updated rule contains five modifications that:
- provide covered entities with more guidance on the development and implementation of specific aspects of an overall information security program (e.g., in-transit and at-rest encryption, monitoring/periodic pen-testing and assessments, multi-factor authentication, development of a written incident response plan and requirements for vendor safeguards).
- improve the accountability of financial institution information security programs through a requirement to provide periodic reports to boards and governing bodies. Among other items, such reports must address the status of any recommended changes to an institution’s information security program and compliance with the rule. The update also requires the appointment of a single Qualified Individual who has ultimate responsibility for overseeing and managing a covered entity’s information security program.
- exempt financial institutions that maintain information on fewer than 5,000 consumers from the incident response plan, annual reporting and written risk assessment requirements.
- expand the definition of financial institutions, bringing finders — companies that bring together buyers and sellers of products or services — within the scope of the rule.
- define several additional terms and add related examples to the rule itself.
Overall, the second modification noted above is significant in that directors and leaders of financial institutions must take a deliberate, active role in data security issues and in organizational efforts to address them. While directors need not be involved in the fine details, they should understand the development and implementation of security efforts, maintain accountability and ensure that protection of consumer information is an organization-wide endeavor.
ITEMS TO KNOW AND KEEP IN MIND GOING FORWARD
Who is Satoshi Nakamoto?
An ongoing trial in federal court in Miami, Fla., stemming from a federal lawsuit filed in February 2018 may finally determine who actually invented bitcoin, the first and most well-known cryptocurrency.
The lawsuit was filed by the estate of Dave Kleiman, an American computer forensic expert who passed away in 2013, against Craig Wright, an Australian computer scientist, who claims to be the creator of bitcoin. At issue in the case are 1.1 million bitcoins (currently worth approximately $67 billion) and intellectual property related to bitcoin software, which Wright allegedly transferred to himself.
Bitcoin, a decentralized digital currency that uses a public distributed ledger, referred to as a blockchain, to verify and record transactions, was introduced in 2008 with the publication of the white paper “Bitcoin: A peer-to-peer electronic cash system” by Satoshi Nakamoto, the pseudonym of bitcoin’s creator. Hal Finney, a computer scientist who passed away in 2014, is recognized as the recipient of the first bitcoin transaction from Satoshi and was an early contributor to its development. However, the identity of Satoshi has never been conclusively confirmed, although in recent years Wright has claimed to be Satoshi.
The estate of Kleiman seeks to show that Satoshi was, in fact, a partnership involving both Wright and Kleiman through various emails exchanged between the brother of Kleiman and Wright following Dave Kleiman’s death.
Along with demonstrating the importance of documenting business relationships, this case highlights the necessity of securely storing the private keys that control bitcoins obtained from mining or other means, and of arranging in advance how ownership and access will pass to one’s successors; without the keys, the coins are unrecoverable regardless of who a court decides owns them.
Update: The Ohio Personal Privacy Act
As covered in our August edition, Ohio may soon join California, Virginia and Colorado in passing a comprehensive privacy statute. Broadly, the Ohio Personal Privacy Act (OPPA) would provide Ohioans with legal rights to access, delete, correct and opt out of the sale of their personal data, elements familiar from other comprehensive privacy laws like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, Ohio’s legislation takes a unique and perhaps more business-friendly approach by encouraging companies to adopt the privacy framework published by the National Institute of Standards and Technology (NIST). In turn, the OPPA would provide an affirmative defense where an entity can show compliance with that NIST framework. Overall, this approach might better encourage businesses to adhere to best practices as they change over time while avoiding cumbersome regulations unresponsive to changes in technology.
The OPPA was drafted by CyberOhio, a committee launched by Gov. DeWine while he was attorney general and that is made up of members from academia, business and government. Notably, unlike similar legislation elsewhere, the OPPA has not received significant opposition from privacy groups. While the OPPA likely will be amended as it makes its way through the Ohio legislature, a private right of action seems unlikely given concerns over a wave of litigation seen after the enactment of privacy legislation in Illinois and California. The OPPA has the support of Ohio’s governor and lieutenant governor and, absent a private right of action, the OPPA would be a different approach to providing baseline protections while balancing legitimate business concerns related to litigation and potential liability.