This past week, co-defendants in a class action related to the theft of cryptocurrency engaged in their own lawsuit over alleged security failures. IRA Financial Trust, a retirement account provider offering crypto-assets, sued class action co-defendant Gemini Trust Company, LLC, a crypto-asset exchange owned by the Winklevoss twins, following a breach of IRA customer accounts.
Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.
In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.
Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.
On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”). The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.
The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.” The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.” The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.
The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products. We should expect that the framework established by NIST in this publication will serve as a model for these requirements.
IoT Criteria Framework. The IoT Criteria establish recommended considerations for three key aspects of a potential cybersecurity IoT labeling program:
- Baseline Product Criteria
- Conformity Assessments
On January 4, 2022, the Federal Trade Commission published a warning to companies and their vendors to take reasonable steps to remediate the Log4j vulnerability (CVE-2021-44228). The FTC provided a list of recommended remedial actions for companies using the Log4j software. The FTC’s warning references obligations under the FTC Act and Gramm Leach Bliley Act…
On December 15, 2021, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of a warning for “critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks” before the upcoming holiday season. CISA’s warning emphasizes that “[s]ophisticated threat actors…
On November 8, 2021, New York Governor Kathy Hochul signed a new electronic monitoring law (S2628) requiring New York businesses that monitor or intercept employees’ e-mails, telephone calls, or internet usage to notify employees in writing of these practices. The new law amends the state’s civil rights law and takes effect on May…
- seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
- mandates that software purchased by the federal government meet new cybersecurity standards;
- discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
- seeks to impose new cyber incident reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents; and
- addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.
The Order contains eight substantive sections, which are listed here, and discussed in more detail below:
- Section 2 – Removing Barriers to Sharing Threat Information
- Section 3 – Modernizing Federal Government Cybersecurity
- Section 4 – Enhancing Software Supply Chain Security
- Section 5 – Establishing a Cyber Safety Review Board
- Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
- Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
- Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
- Section 9 – National Security Systems
The summaries below discuss highlights from these sections, and the full text of the Order can be found here.