NIST Releases Cybersecurity Supply Chain Guidance
The National Institute of Standards and Technology (NIST) released guidance on supply chain cybersecurity this week in response to the Biden administration’s Executive Order 14028—Improving the Nation’s Cybersecurity. The guidance, Software Supply Chain Security Guidance, is designed for federal agencies that, according to NIST’s release, “become exposed to cybersecurity risks through the software and services that they acquire, deploy, use, and manage from their supply chain (which includes open source software components).” The guidance expands on NIST’s existing standards, as outlined in SP800-161 “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations.” The guidance recommends, per compliance expert Linn Foster Freedman: “Ensuring that suppliers of software products and services are able to produce a Software Bill of Materials (SBOM); Enhanced Vendor Risk Assessments; Implementing Open Source Software Controls, and; Vulnerability Management.”
Connecticut Governor Passes Privacy Law
Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law last week. The comprehensive privacy law—which will go into effect in Connecticut in July 2023—closely resembles the Virginia Consumer Data Privacy Act. You can read ADCG’s compliance guide for CPDPA here.
ACLU Settles Suit With Clearview AI
Clearview AI has agreed to settle a two-year-old lawsuit with the American Civil Liberties Union (ACLU). The suit alleges that Clearview AI violated the Illinois Biometric Privacy Act (BIPA) when it captured billions of faceprints from the internet without obtaining data subjects’ consent. Under the settlement, Clearview will comply with BIPA by restricting the sale of its faceprint database in the U.S., will be banned from selling its faceprint database in the U.S. for five years (with a focus on Illinois), and must stop offering free trials of its database to law enforcement officers. Clearview must also allow data subjects, via its website, to opt out of the sale and collection of their data.
New California Bill Would Protect Worker Privacy
California Assemblyman Ash Kalra, D-San Jose, introduced Assembly Bill 1651, the Workplace Technology Accountability Act, last month. AB 1651 could restrict employers from tracking employee activity. According to Protocol, “Worker surveillance technologies — which can track keystrokes or mouse movements, watch which programs are open on a computer and record how long workers stay on a website — have a new challenge in the California State Assembly.” National Law Review says that examples of covered data include, “personal identity information; biometric information; health, medical, lifestyle, and wellness information; any data related to workplace activities; and online information. The bill confers certain data rights on employees, including the right to access and correct their data.” The bill would also ban employers from using Emotion AI: electronic monitoring systems that use facial recognition or emotion recognition technology to monitor, for example, sales or customer service calls. The bill has passed the California Assembly’s Committee on Labor and Employment.
UK Announces Extensive Post-Brexit Privacy Reform
The UK government will move forward with a “major ex ante competition reform aimed at Big Tech,” TechCrunch reported last week, noting: “In briefing notes to journalists published after the speech, the government said the largest and most powerful platform will face ‘legally enforceable rules and obligations to ensure they cannot abuse their dominant positions at the expense of consumers and other businesses.’” That said, the UK government has not made clear exactly how it will protect privacy with its reforms.