Dechert Cyber Bits - Issue 24

Dechert LLP

U.S. Government Releases Guide of ‘Minimum Baseline’ Cybersecurity Practices for Protecting Critical Infrastructure

The Cybersecurity & Infrastructure Security Agency (“CISA”) has released a guide to help organizations identify and prioritize the most impactful cybersecurity practices. The Cross-Sector Cybersecurity Performance Goals (“CPGs”) “are applicable across all [critical infrastructure] sectors and are informed by the most common and impactful threats and adversary tactics, techniques, and procedures (TTPs) observed by CISA and its government and industry partners.” The CPGs are intended to be “a minimum baseline of cybersecurity practices with known risk-reduction value” for critical infrastructure entities to implement in order to reduce cyber risk.

CISA Director Jen Easterly noted that the CPGs were created to be “easy to understand and relatively easy to communicate with non-technical audiences, including senior business leadership,” and to support cybersecurity professionals in “making a compelling argument to ensure adequate resources for driving down risk.”

CISA created the CPGs in response to President Biden’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems, which directed CISA to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. CISA intends to update the CPGs regularly, every 6-12 months, and feedback and ideas for new CPGs can be submitted via CISA’s GitHub page.

Takeaway: While the CPGs are voluntary, businesses should note that CISA views the practices described therein as “a floor, not a ceiling” and “a minimum baseline” of cybersecurity best practices. Companies that may be considered critical infrastructure should consider adopting the CPGs, as companies that have not done so will likely face increased scrutiny in the event of a data breach.

EDPB Consults on New Guidelines on the Identification of the Lead Supervisory Authority

On October 21, the European Data Protection Board (“EDPB”) published an updated version of its guidelines for identifying a controller’s or processor’s lead supervisory authority (“Guidelines 8/2022”). The updated guidelines aim to clarify previous guidance (“WP244 rev.01”) in cases involving EEA joint controllers.

The Guidelines 8/2022 affirm that joint controllers should allocate responsibilities between them in a clear and transparent manner (“who does what”). The Guidelines 8/2022 also clarify that:

  • Although joint controllers have to allocate their controller responsibilities between them, they cannot choose a lead supervisory authority if they are located in different jurisdictions: the relevant supervisory authority for each respective joint controller will be determined by the GDPR and will be the authority of the country where such controller has its central administration.
  • Two or more controllers, acting as joint controllers, also may not designate a common main establishment under the GDPR, as this notion is inherently linked to a single controller and cannot be extended.
  • Agreements between joint controllers on task allocation are not binding on supervisory authorities, including with regard to the designated point of contact.

The Guidelines 8/2022 clarify that two or more controllers acting as joint controllers do not have the authority to designate a lead supervisory authority in their joint controllership agreement. Each of the joint controllers will be subject to the jurisdiction of its local supervisory authority. In instances of joint controllership it may be challenging to reconcile regulatory approaches that are not aligned. Interested parties can submit comments on the updated parts of the Guidelines 8/2022 until December 2, using the form provided by the EDPB.

Takeaway: EEA companies acting as joint controllers under the GDPR should carefully review the updated Guidelines 8/2022 and use the opportunity to seek clarification from the EDPB on aspects of the guidance that remain challenging for companies. Joint controller agreements should be reviewed to determine whether they: (i) clearly allocate compliance obligations; and (ii) cover contact with data subjects and supervisory authorities.

U.S. Congress Report Released on EU-U.S. Data Privacy Framework

On October 24, the U.S. Congressional Research Service published a short report (“CRS Report”) summarizing the issues surrounding the EU-U.S. Trans-Atlantic Data Privacy Framework (“TADPF”). As set out in Cyber Bits Issue 11, the European Commission (“EC”) and the U.S. reached an agreement on a new framework for transatlantic data flows on March 25, 2022, aiming to establish the basis for a new EC adequacy decision.

The CRS Report provides an overview of the background of the TADPF, summarizing the events leading to the invalidation of the Privacy Shield by the Court of Justice of the European Union (“CJEU”) in 2020 and the ensuing impacts on EU – U.S. data flows. The CRS Report also highlights the relevant provisions of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities signed by President Biden on October 7, 2022.

As set out in the CRS Report, the Executive Order is the latest step towards implementing the TADPF, and aims to address two main concerns raised by the CJEU:

  • the lack of adequate safeguards for data protection: the Executive Order sets out 12 legitimate objectives for which signals intelligence activities may be carried out (e.g., protecting against terrorism, protecting the integrity of elections) and five prohibited objectives for which no such activities are allowed (e.g., suppressing criticism or dissent, or suppressing legitimate privacy interests); and
  • the lack of an adequate legal remedy: the Executive Order provides for a redress mechanism under the oversight of a new Data Protection Review Court staffed with independent judges.

The CRS Report also highlights two outstanding hurdles that may affect the effective implementation of the TADPF:

  • whether Congress will want to reduce the risk of revocation of the Executive Order by introducing the relevant safeguards through legislation; and
  • whether the EC – and the CJEU – would view safeguards in the Executive Order as sufficient for purposes of an adequacy decision.

Privacy advocates have already criticized the new framework for not sufficiently addressing the concerns raised by the CJEU.

Takeaway: Although the adoption of the Executive Order brought the TADPF one step closer to implementation, significant hurdles remain, subsequent legal challenges are likely, and the viability of the TADPF remains precarious. Companies may want to assess the risks of relying on the new framework for EU-U.S. data transfers before moving away from Standard Contractual Clauses, while continuing to monitor developments in the EU and U.S.

Securing Smart Homes: U.S. to Give Cybersecurity Ratings to IoT Devices in 2023

On October 19, representatives from the U.S. Government, academic institutions, and technology giants—including Amazon, Google, Samsung, and Comcast—gathered at the White House to discuss cyber threats in modern American homes. The conversation focused on the implementation of a national cybersecurity labeling program for Internet-of-Things (“IoT”) devices, with the goals of providing American consumers the peace of mind that the technology they are bringing into their homes is safe, incentivizing manufacturers to meet higher cybersecurity standards, and encouraging retailers to market secure devices.

The White House reported that the participants discussed how best to implement such a program, drive improved security standards for Internet-enabled devices, and generate a globally recognized label. The label, which will likely first appear on common devices such as routers and home cameras in spring 2023, will be a scannable barcode linking to information on how the device measures up against standards covering, for example, software update policies, data encryption, and vulnerability remediation. Because the barcode points to online information rather than carrying it, the linked content can be updated as needed.

While the White House has not provided details on what the label may look like, Carnegie Mellon University, an attendee at the summit, has created a label and tested it with consumers.

Takeaway: Companies that create, market, and sell home technology products should prepare for the potential impacts of such labels, including consumer pressure to label products, and consider the implications of increased costs associated with updating home technology products (and the accompanying labels) to respond to new and emerging cybersecurity threats.

U.S. Department of Commerce Appoints Members for new Internet of Things Advisory Board

The U.S. Department of Commerce has appointed sixteen experts to the first Internet of Things Advisory Board (“IoTAB”). The IoTAB was created pursuant to the 2021 National Defense Authorization Act, will publicly meet at least twice a year, and includes a range of stakeholders with expertise relating to the Internet of Things (“IoT”).

The IoTAB will advise the IoT Federal Working Group on matters including “the identification of any federal regulations, programs or policies that may inhibit or promote the development of IoT; situations in which IoT could deliver significant and scalable economic and societal benefits to the United States . . .; IoT opportunities and challenges for small businesses; and any IoT-related international opportunities for the U.S.” The appointees will serve two-year terms and represent a broad range of disciplines from across academia, industry, and civil society, including organizations such as Microsoft, Consumer Reports, Lawrence Berkeley National Laboratory, Morgan State University, and TGL Enterprises LLC.

Takeaway: With the White House pushing the implementation of a national cybersecurity labeling program for IoT devices and the establishment of the new IoTAB, it is clear that regulators are increasingly interested in addressing privacy and data security in IoT products. Companies creating IoT-related products should therefore stay up to date on potentially rapid changes in the regulatory landscape.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
