The House of Representatives passed H.R. 3388, the “Safely Ensuring Lives Future Deployment and Research in Vehicle Evolution Act” or the “SELF DRIVE Act” last month. The bill would remove regulatory barriers to develop self-driving or autonomous cars by giving the National Highway Traffic Safety Administration (NHSTA) authority to establish federal safety, design, and performance standards for automated cars, excluding commercial vehicles, such as trucks and buses. States would still be responsible for the vehicle registration, driver’s licensing, insurance, and safety and emissions inspections. The bill would also allow states to impose stricter performance requirements than those set by NHTSA.
We have outlined the privacy and cybersecurity provisions of this bill, as well as the NHTSA’s voluntary security standards for self-driving cars.
Continue reading “Legislative Spotlight: Self-Driving Cars Part 1”
Most institutions of higher education are very familiar with the Family Educational Rights Protection Act (FERPA), which applies to all state and local, public and private educational institutions that receive federal funds through programs administered by the U.S. Department of Education (ED). Unless at least one of FERPA’s exceptions applies, institutions risk sanctions from ED – including the potential loss of all federal funding – if they disclose a student’s personally identifiable information (PII) from an education record without the student’s express prior written consent. Beyond FERPA, higher education institutions have additional legal responsibilities to assiduously secure and protect student data from inadvertent disclosure, particularly financial information maintained by an institution regarding students or their families.
Continue reading “Beyond FERPA: Safeguarding Student Data Is Key Obligation for Postsecondary Educational Institutions”
In the wake of the WannaCry global attack that impacted the U.K.’s National Health Service, the need to protect valuable health care data has never been more urgent. The U.S. government has begun to take steps in the right direction with the passing of executive orders on cybersecurity, the Cybersecurity Act of 2015, and the Government Accountability Office report on the Internet of Things.
Continue reading “Time to Focus on Cybersecurity in Health Care”
Formed by the Cybersecurity Act of 2015, a task force established to share cybersecurity information between federal government and private industry representatives has released its “Report on Improving Cybersecurity in the Health Care Industry.” They presented six major action items for Congress, the Department of Health and Human Services, other government agencies and private industry.
The Report organized its recommendations under six Imperatives:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity;
- Increase the security and resilience of medical devices and health IT;
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities;
- Increase health care industry readiness through improved cybersecurity awareness and education;
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure; and
- Improve information sharing of industry threats, weaknesses, and mitigations.
In a recent alert, we evaluated the action items and draft recommendations prepared by the Task Force, = and discuss how the Trump administration will react to these new proposals.
Read our review of the Health Care Cybersecurity Task Force Report
The Trump administration has issued two executive orders focusing on national cybersecurity. The first establishes the American Technology Council, tasking it with developing policy around the use of information technology by the federal government and providing insight into how information technology policy is delivered to the president.
The orders include aggressive deadlines for federal agencies to submit reports on the cybersecurity of critical infrastructure entities, which may be difficult to meet.
For more insight, read our detailed review of the executive orders.
The National Institute of Standards and Technology (NIST) issued an update to its Framework for Improving Critical Infrastructure Cybersecurity on January 10, 2017. The updated draft Version 1.1 was issued after NIST’s review of considerable public and private-sector feedback on Version 1.0.
The updated five Framework Core Functions remain the same as the previous iteration: Identify, Protect, Detect, Respond and Recover. Version 1.1 now includes enhanced categories, subcategories and guidance, including cyber supply chain risk management, safer information sharing, cybersecurity measurement and stronger measures for device authentication.
The updated draft includes improvements but is intended to remain a voluntary cyber risk management tool that organizations can customize.
Read our overview of the updates and insights on some of the highlights.