At a glance.
- NIST seeks public comment on CSF 2.0.
- Privacy groups oppose India’s Digital Personal Data Protection bill.
- Chinese government proposes restrictions on facial recognition tech.
- Cross-border compliance.
NIST seeks public comment on CSF 2.0.
The US National Institute of Standards and Technology (NIST) has been working to update its Cybersecurity Framework (CSF), and yesterday the first draft of the CSF 2.0 was released, NextGov reports. Perhaps the biggest change is that a sixth pillar, “Govern,” has been added to the document’s five initial functions of “Identify,” “Protect,” “Detect,” “Respond,” and “Recover.” Other changes include more clarity about assessing improvements in a system’s cybersecurity, and more emphasis on integrating other guidance documents like the Artificial Intelligence Risk Management Framework and the Secure Software Development Framework.
Cherilyn Pascoe, the framework’s lead developer, said in a press release, “With this update, we are trying to reflect current usage of the Cybersecurity Framework, and to anticipate future usage as well. The CSF was developed for critical infrastructure like the banking and energy industries, but it has proved useful everywhere from schools and small businesses to local and foreign governments. We want to make sure that it is a tool that’s useful to all sectors, not just those designated as critical.” Comments are open to the public until November 4th.
Privacy groups oppose India’s Digital Personal Data Protection bill.
Lawmakers in India’s lower house are expected to approve the new Digital Personal Data Protection (DPDP) bill, despite concerns from the government's opposition party, the India Bloc, and privacy rights advocates. As Dark Reading explains, the purpose of the DPDP is to give individuals more control over their data, and violators of the new law could face penalties of $30 million. However, there are concerns that the bill gives fiduciaries too much power over data principals, making it difficult for regulators to detect and investigate possible violations.
DPDP also gives the central government the power to select the members of the Personal Data Protection Board, meaning it won’t be a truly independent body. Privacy advocates are particularly concerned about a mandate that grants the government the power to access and remove digital content, potentially allowing for monitoring and censorship. Privacy and policy attorney Raktima Roy said, “Not only is there rightful dissent over this by judges, opposition members, and civil society in every iteration of the bill that has carried this exemption so far, it is also commercially unsound because it might make it hard to obtain an adequacy decision from any country that needs to see strong data protection laws in place in India before permitting data transfers here.”
Ani Chaudhuri, CEO of Dasera, sees the Digital Personal Data Protection Bill as likely to have mixed effects. "In today's hyper-connected world," Chaudhuri writes, "data is businesses', governments', and individuals' lifeblood. The Digital Personal Data Protection Bill, 2023, tabled by the Indian Parliament, promises to reshape India's digital ecosystem fundamentally. However, some provisions raise eyebrows, and some sigh relief. As the CEO of a leading data security and governance firm, here's my perspective:
"1. Applicability and Scope: The Bill's clarity on what constitutes digital and non-digital data is commendable. This distinction is pertinent in our digital transformation era, where data can easily traverse between these forms. However, the territorial applicability might leave room for data misuse if foreign entities do not offer goods or services but still process Indian data.
"2. Consent: The Bill strengthens the individual's position as the custodian of their data. The stipulation around explicit affirmative action for consent is a commendable step forward. However, the reliance on "consent managers" might introduce new business complexities.
"3. Grounds of Processing: The shift from 'deemed consent' to 'legitimate uses' presents challenges and opportunities. While it offers clarity, it significantly burdens businesses to rethink their data collection and processing strategies.
"4. Data Fiduciaries: The onus on data fiduciaries to ensure compliance even when they outsource the processing is a welcome move. This will ensure a chain of responsibility and enforce better data practices.
"5. Cross-border Transfers: A 'negative list' approach, while seemingly liberal, might lead to complications if the principles on which countries are barred aren't transparently laid out.
"6. Blocking Power: A potentially controversial move. Any power to block public access must be exercised with utmost caution, ensuring it does not stifle freedom of expression or business continuity.
"7. Exemptions: A double-edged sword. While exemptions might be necessary for state functionality, they shouldn't become a backdoor to bypass the very essence of the bill.
"8. Penalties: Reducing the maximum penalty suggests a softer stance on non-compliance. Whether this is conducive to robust data protection or simply a concession to businesses is up for debate.
"Overall, the 2023 Bill is a thoughtful attempt to balance protecting individual rights and fostering business growth. However, the concerns around compliance costs, especially for startups, are genuine. Going without 'deemed consent' will undoubtedly introduce more rigidity into the system. While data protection is of utmost importance, we must ensure that we do not inadvertently stifle innovation and business growth.
"Although lacking specific timelines, the phased approach to implementation gives businesses a window to adapt. However, startups may bear the brunt, given the high compliance costs. The bill in its current form appears to swing the pendulum more towards protection and less towards ease of doing business.
"While the Bill addresses several data protection concerns, it remains to be seen how its implementation will affect the digital landscape in India. What's imperative is a continuous dialogue between stakeholders to ensure the Bill serves its purpose without stifling the Indian digital ecosystem."
Chinese government proposes restrictions on facial recognition tech.
After years of pervasive use of facial recognition technology in both the public and private sectors, Beijing is looking to better regulate how and when the tech is employed. The Cyberspace Administration of China (CAC) yesterday released proposed measures to "regulate the application of face recognition technology, protect the rights and interests of personal information and other personal and property rights, and maintain social order and public safety." As TechCrunch explains, the proposals give individuals the power to opt out of facial recognition in certain situations, stating that the tech should be limited to “specific purposes and full necessity” that would require individual approval or written consent (or that of a parent, in the case of minors). The rules also call for clear signage when facial recognition tech is used in public spaces, and places like hotels and airports will not be allowed to coerce people into allowing facial scans by implying they are necessary for “business operations” or “service enhancements.”
The Register (with heavy irony) notes that the measure says, “No organization or individual shall use face recognition technology to analyze personal race, ethnicity, religion, sensitive personal information such as beliefs, health status, social class, etc.” This rule is especially interesting given that face scans are allegedly regularly used to surveil Uyghurs in order to oppress the Turkic ethnic group. The measure, however, does not state whether the Chinese Communist Party is included in this definition of "organization."
Cross-border compliance.
A study by Addigy suggests that 42% of global organizations aren't ready for cross-border compliance with data regulations. Regulatory regimes can be notoriously difficult to negotiate, and when several different jurisdictions are involved, the challenges increase exponentially. Pedro Fortuna, CTO and Co-founder of Jscrambler, commented on the challenges and how to approach them:
"The survey by Addigy highlights a concerning statistic: 42% of global organizations are unprepared to meet cross-border compliance regulations. This suggests a significant gap in understanding and implementing regulatory requirements that apply across different jurisdictions.
"It’s important for businesses to recognize the importance of cross-border compliance, especially considering the increasingly interconnected global economy. Besides the legal and regulatory consequences of non-compliance, companies that are not compliant with regulations and standards such as GDPR or PCI DSS are also exposed to several data security risks like data breaches. Also, the lack of compliance can eventually damage a company’s reputation and customer trust.
"To avoid legal, financial, and reputational risks, businesses must invest in strategies and resources that enable them to navigate regulatory requirements effectively, ensuring that their activities are safe in multiple countries.
"Security standards like PCI DSS 4.0 will only become mandatory in 2025, but responsible businesses should not wait until then to enhance their security practices and start protecting their customers today. This might involve evaluating existing procedures, systems, and data management practices to pinpoint any gaps in compliance. Leveraging technological solutions, remaining updated on regulatory modifications and seeking expert guidance is also crucial to guarantee that business operations are aligned with the legal expectations of each regulation and country in which they operate."