Patching Regulations Development [December, 2022]

This is our third edition of the proposed periodic update on regulatory changes in security requirements including patching and liability relating to security breaches.

We appreciate any contribution to this newsletter based on your own research or internal enterprise discussions.

The pdf version of the newsletter can be downloaded here.

EU Developments

• NIS2 Directive Adopted: The EU has officially adopted the NIS2 Directive on 10 November 2022. Member States will have 21 months from its entry into force to incorporate its provisions into their national law. The NIS2 introduces some of the most widespread cybersecurity rules to date, and lays down the first minimum cybersecurity standards, including vulnerability management. source

• Initial feedback on the CRA: The Czech presidency circulated a first draft of the Cyber Resilience Act (CRA) significantly altering its scope and free movement principles. Primarily, they argue that the scope should extend to software as a service (SaaS), military products and include a national security intervention clause. In addition, there appears to be an overarching call from Member States to clarify the definition of ‘critical products’ and the interaction of the CRA with other EU regulation. Different opinions on the proposal have also been compiled into a Briefing Report by the EU Parliamentary Research. It is clear however, from the Commission’s recent report on the EU Security Strategy, that they view the CRA as imposing a legitimate obligation to ‘ensure the availability of patches’. source1, source2 and source3

• EDPB and ENISA Sign Memorandum of Understanding: ENISA and the European Data Protection Board (EDPB) have signed a Memorandum of Understanding on Strategic Cooperation going forwards. The memorandum is intended to serve as a basis for future collaboration on achieving mutual goals, particularly in areas of privacy and security by design. Some of the proposed collaboration will include guidelines and harmonized feedback. source

• Irish DPA fines Meta 265 Million: The Irish Data Protection Authority has presented Meta with a 265 Million Euro fine, for a failure to upkeep privacy and security by design. In 2018 and 2019 Meta’s failure to implement appropriate security measures led to widespread dataset leaks. Following the Irish Data Protection Authority’s decision, the EDPB published 3 binding decisions regarding contractual obligation as a legal ground for processing, to be published next month. source1 and source2

• Polish DPA fines Virgin Mobile: The Polish DPA has fined Virgin Mobile approx. 350.000 euros following a data breach. Notable about the decision is the focus of the DPA on the failure of Virgin to timely detect vulnerabilities, as they failed to run regular tests. source

US Developments

• Personal Data Expiration Dates: Following the FTC’s Drizly case, where Drizly’s CEO was individually penalized for failing to uphold standards of data security, the FTC has now somewhat introduced the concept of ‘expiration dates’ for personal data. In essence, under the new CPRA, to be implemented on the 1st of January next year (2023), organisations will be required to present expiration dates of categories of personal data prior to collection. The circumstances of this case also present a stronger incentive to preventatively take cybersecurity and vulnerability mitigation steps, or risk full and personal liability. source1

Global Developments

• CJEU bans inaccurate personal data on the web: In an arrest made by the CJEU on 8 December 2022, the Court decided that, under the GDPR, a search engine is required to remove links that could lead to factually inaccurate information, if such is proven by the person requestion the deletion. This arrest could have very interesting implications for the long-ongoing “Fake News” debate. source1 and source2 (summary in Dutch)

• UK First to Adopt Cybersecurity Code of Conduct for Apps: The United Kingdom has introduced the first Code of Conduct for app operators and app platforms. Primarily, the Code introduces stronger requirements for app operators to inform users of their security standards, and allow for usage even if privacy settings are not ‘optimal’. Importantly, the Code explicitly requires app operators to reduce security vulnerabilities through patches, and introduces the notion of coordinated vulnerability disclosure mechanisms between the app operators and platforms, aiming to avoid public exploitation. Where the Code is voluntary, the UK DCMS will start checking for compliance in 9 months’ time. source

• Cyberveilig Nederland feedback on NLCS: The Dutch organization, Cyberveilig Nederland, has drafted a letter in response to the new Dutch Cybersecurity Strategy. Where the organisation praises the ambitious stance taken by the strategy, they do call for further specification of the action points and the private scope of the strategy. source (in Dutch)