Page 36 - Sheppard Mullin Eye on Privacy 2018 Year in Review
2018 Likely a Year of Rising Government Standards for Securing Information
Posted on January 10, 2018
For companies that do business with the government, 2017 was a year of transition, as many began to follow the NIST Cybersecurity Framework, worked to accomplish Federal Risk and Authorization Management Program (FedRAMP) certification, or rushed to rid their systems of products from Kaspersky Lab. Perhaps most significant was the rush of Pentagon contractors to come into compliance by year’s end with NIST Special Publication (SP) 800-171, as mandated by a new provision of the Defense Federal Acquisition Regulation Supplement (DFARS). This provision requires contractors to comply with NIST’s standards on protecting Controlled Unclassified Information (CUI).
The news for 2018 is that this heavy lift is coming for all government contractors, not just those dealing with the Defense Department. By all accounts, within a few months, the government will issue a new regulation and clause under the Federal Acquisition Regulation (FAR), following the Pentagon’s lead in applying NIST 800-171 to all government agencies. This is expected to bring a significant amount of tumult, as tens of thousands of companies will find themselves subject to comprehensive new standards on information security, when dealing with sensitive (but not classified) government information.
PUTTING IT INTO PRACTICE: Companies that do business with the federal government, or hope to, should begin planning to come into compliance with the NIST CUI standards. Doing so takes time and effort; those that start early will be rewarded with less time pressure and be in a better position to secure government contracts.
Will 2018 Bring Developments in Government Access to Electronic Records?
Posted on January 4, 2018
2018 should prove to be a particularly interesting year on the subject of government access to private electronic records, as 2017 has served as an interesting prelude to what’s ahead:
• On November 29, the Supreme Court heard oral argument in Carpenter v. United States. As I discussed in an analysis in June, the case addresses an individual’s expectation of privacy in his or her historical cellphone location records, but raises broader issues of privacy and law enforcement under the decades-old Stored Communications Act. The Supreme Court’s decision is expected in the first half of 2018.
• On February 27, the Supreme Court will hear oral argument in U.S. v. Microsoft, in which it will look at whether a company must comply with a warrant for electronic information that has been stored overseas.
• In late November, the high-stakes litigation between Uber and Waymo was thrown into chaos shortly before it was to go to trial when it came to light that Uber had been utilizing the ephemeral messaging service Wickr for communications among employees. This dispute is turning a new eye on the issue of ephemeral messaging and its relationship to document preservation and secure communications. Judge Alsup’s rulings are sure to set the table for a period of legal developments in this area.
PUTTING IT INTO PRACTICE: Companies should follow developments in these cases, as they could affect their practices regarding securing and storing their data in the future.