Regulatory—Policy, Best Practices, and Standards
NIST Evaluates Advances in Face Recognition Software
On November 30, 2018, the National Institute of Standards and Technology ("NIST") published a report evaluating the accuracy of facial recognition software. NIST's study found that between 2014 and 2018, facial recognition software became 20 times better at searching databases to find matching photographs. The evaluation used 127 software algorithms from 39 different developers, which represent the bulk of the industry.
NIST Proposes Steps to Modernize Technology Transfer and Innovation
On December 6, 2018, NIST released a draft green paper with proposed steps to modernize the transfer and commercialization of technology developed through federally funded research and development initiatives. The proposals include updating legal tools for the transfer of technology, such as intellectual property rights for the licensing and commercial development of federal research. The draft green paper includes input from federal stakeholders, such as the National Science and Technology Council's Lab-to-Market Subcommittee, as well as public comments.
Regulatory—Consumer and Retail
FTC Releases Do Not Call Registry Data for Fiscal Year 2018
On December 6, 2018, the Federal Trade Commission ("FTC") released the National Do Not Call Registry Data Book for Fiscal Year 2018, along with state-by-state analyses of the data. The number of phone numbers registered on the Do Not Call Registry has increased significantly, while the number of complaints has decreased and the most prevalent types of unwanted calls have changed.
FTC Holds Hearings on Data Security
On December 11-12, 2018, the FTC held hearings on data security as part of its examination of consumer protection in the 21st century. The hearings included discussions on incentives to invest in data security, consumer demand for data security, data security assessments, a U.S. consumer framework for data security, and the FTC's data security enforcement program. Video recordings and transcripts of the hearing are available on the FTC website.
Retailer Discloses Cybersecurity Attack
On December 21, 2018, a retailer disclosed that it was the victim of a cybersecurity attack involving suspicious log-in activity against customer accounts. The retailer planned to notify all customers whose usernames and passwords may have been used to access their accounts, even though there was no indication that the credentials used in the log-in attempts were obtained from its own systems, or that any personal information stored in its customers' accounts was obtained.
Hotel Discloses Approximately 383 Million Records Affected in 2018 Breach
On January 4, a hotel chain disclosed that up to 383 million guest records were compromised in a breach of its reservation database that began in 2014. This is a downward revision from the figure of up to 500 million guests reported when the company first announced the breach on November 30, 2018. The attackers accessed names, addresses, phone numbers, email addresses, and passport numbers stored in the reservation database. The incident affected approximately 8.6 million encrypted payment card numbers, 5.25 million unencrypted passport numbers, and 20.3 million encrypted passport numbers.
FTC Seeks Comments on Identity Theft Detection Requirements
On December 4, 2018, the FTC announced that it is seeking comments on whether it should change rules that currently require financial institutions and creditors to take steps to detect signs of identity theft affecting customers. The FTC is seeking comments on the costs these rules impose on consumers and businesses, whether there is a continuing need for the rules, and whether to expand the types of creditors covered by the rules.
SEC Office of Compliance Inspections and Examinations to Focus on Cybersecurity
On December 20, 2018, the SEC's Office of Compliance Inspections and Examinations ("OCIE") announced its 2019 examination priorities, which include a focus on cybersecurity and digital assets. The SEC reiterated that all OCIE examination programs "will prioritize cybersecurity with an emphasis on, among other things, proper configuration of network storage devices, information security governance, and policies and procedures related to retail trading information security."
DOE Announces Cyber Threats Targeting Cloud Services Providers
On December 20, 2018, the United States Department of Energy ("DOE") announced that a Chinese cyber group is engaging in cyber-enabled theft targeting global managed service providers, cloud service providers, and their clients. The DOE stated that the group operated on behalf of the Chinese Ministry of State Security and used a mix of sophisticated custom malware and off-the-shelf applications to compromise multiple service and cloud providers. The group targeted information from critical infrastructure companies in the areas of information technology, energy, health care, communications, and critical manufacturing.
DOE Announces $40 Million Grid Modernization Initiative
On January 24, the DOE announced a $40 million initiative in Fiscal Year 2019 for its Grid Modernization Initiative. The initiative aims to work with public and private partners to develop tools and technologies for a modern "grid of the future" that is resilient, reliable, and secure. The initiative will leverage subject matter expertise across national laboratories, including on the topics of cybersecurity, resilience modeling, advanced sensors, and energy storage. Additional details are expected to be released by March.
Pennsylvania Criminalizes Drone Misuse
On January 12, Pennsylvania's law imposing criminal penalties for unlawful use of drones went into effect. The new law prohibits using a drone to intentionally or knowingly conduct surveillance of another person in a private place, or operating a drone in a manner that places another person in reasonable fear of bodily injury. A violation is punishable by a fine of up to $300.
HHS Releases New Health Industry Cybersecurity Practices
On December 28, 2018, the U.S. Department of Health and Human Services ("HHS") released "Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients." The publication sets out voluntary cybersecurity practices, resources, and templates for small, medium, and large health care organizations. It is the result of a two-year industry-led effort in response to Section 405(d) of the Cybersecurity Act of 2015, which mandated the development of practice guidelines to reduce cybersecurity risks for the health care industry.
HHS Seeks Public Input on Modifications to the HIPAA Privacy Rule
On December 12, 2018, HHS issued a Request for Information seeking public input on how the HIPAA Privacy Rule could be modified to further the goal of protecting the privacy and security of individuals' health information while permitting information-sharing needed for important purposes, such as coordination of treatment and care.
Regulatory—Defense and National Security
Secretaries Issue Joint Statement on Chinese Cyber Attacks
On December 20, 2018, the Secretary of State and the Secretary of Homeland Security issued a joint statement regarding hacks of managed service and cloud service providers by actors linked to the Chinese Ministry of State Security. The statement expressed concern that these hacks may have violated commitments made by China in 2015 to refrain from conducting or knowingly supporting "cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors."
Director of National Intelligence Unveils National Intelligence Strategy
On January 24, the Director of National Intelligence unveiled the National Intelligence Strategy, a quadrennial publication that sets the intelligence community's strategy for the next four years. The strategy calls attention to cyber and space as new domains of warfare. In particular, it notes that the relatively low cost of cyber operations and the difficulty of attribution make the cyber domain attractive to smaller nations, terror groups, transnational criminal networks, and individuals. The strategy also calls for the United States to be at the forefront of research on artificial intelligence, advanced automation, and nanotechnology.
Litigation, Judicial Rulings, and Agency Enforcement Actions
Hotel Chain Faces Multimillion-Dollar Data Breach Class Action
On December 1, 2018, an individual filed a putative class action complaint in New York federal court against a hotel chain alleging violations of federal securities laws related to a massive data breach that potentially affected up to 500 million hotel guests. The complaint alleges that the company made materially false and misleading statements in SEC filings regarding the security of customer data. The company seeks to combine this case with other class actions filed throughout the United States.
District of Columbia Sues Social Media Company Over Data Harvesting
On December 19, 2018, the Attorney General for the District of Columbia sued a social media company for violations of the District's Consumer Protection Procedures Act in relation to the harvesting of user data by a third-party application developer who sold the data to a political consulting firm. The complaint alleges that the company engaged in unfair and deceptive trade practices for allegedly failing to inform consumers that their personal information may be