Could federal data protection legislation similar to GDPR in Europe be coming to the US? It looks possible.

The American Data Privacy and Protection Act (ADPPA) emerged from the House Energy and Commerce Committee (by 53-2 vote), and versions of the bill are now working through both houses of Congress. Some obstacles stand in the way (more on that later). But this is the most significant piece of federal data protection legislation since 1974, many think it’s already overdue, and there’s clear momentum, not to mention bipartisan support. So it’s probably a matter of when and how more than if.

Let’s take a closer look at a bill that could change the digital landscape as we know it – with implications for every individual and company in America.

What Does ADPPA Do?

Fundamentally, ADPPA does two things. First, update existing data privacy and protection laws (which are quite weak), for a world awash with digital data. These laws have long lagged behind the realities of collecting, storing, and leveraging data on a massive scale. And with the passage of GDPR followed by similar legislation elsewhere, the US approach to data protection looks like an anachronism and a liability. ADPPA updates the law to the 21st century.

The second thing it does is create federal standards for data protection and privacy. Some states currently mandate data protection, but ADPPA would fill in the gaps for the states that don’t and set minimum standards for all states to follow. How state and federal laws will work together is a point of contention, as we shall see, but federal standards are nonetheless important for making data protection a national priority. ADPPA establishes those standards.

It’s a big bill, as one would expect, but the biggest changes pertain to how companies disclose their data collection practices. Instead of asking for lump permissions (eg. “accept all cookies), companies will have to disclose what type of monitoring they want to conduct and ask for individual permissions. This will make it more transparent what data companies are collecting and give individuals greater control over what companies can and can’t collect. Individuals will also have the right to access data collected over the last 24 months, the right to correct, delete, or transfer (where feasible) any data, and the right to opt-out of targeted advertising and data sharing with third parties.

The Federal Trade Commission (FTC) will enforce ADPPA violations through civil actions, but states attorney general may do the same, and individuals can also file suit. This bill, if it passes, makes data protection a requirement for every company in America. That means cyber attacks, which are already costly in more ways than one, are about to come with much larger legal consequences. ADPPA hasn’t passed yet – but everyone needs to be prepared for if and when it does.

Who Does ADPPA Apply to?

The short answer is everyone – that’s the point of federal legislation. But the law draws some distinctions that are important to highlight. Rules would apply to all data collectors (most companies) and data processors (companies that move data). Smaller companies would be exempt from certain provisions. Meanwhile, the largest data collectors (like Meta and YouTube) would face additional requirements in other cases.

Some critics have called for stricter requirements on the largest companies, noting that the ADPPA gives them broad latitude to collect and use data provided they don’t share it with third parties. Others have pointed out that data risks are the same at large and small companies, so ADPPA should forego size distinctions altogether. Who knows if or how these criticisms will affect the final form of the bill? The regulatory burden could be less or greater than we expect.

Still, no matter what the final form of the bill looks like, it will drastically raise data protection standards from where they are now and force action on the part of any company planning to keep collecting data. Unfortunately, so much about the timing and details remains up in the air.

What’s Standing in the Way of ADPPA?

The biggest obstacle is the California Consumer Privacy Act (CCPA), currently the most stringent data protection standard at the state level, and more demanding overall than what ADPPA requires. In its present form, ADPPA would supersede the California requirements, effectively lowering the bar and undercutting the (important and often impressive) working being done there.

The solution seems simple enough: change the language of the bill to make the ADPPA the minimum required standards, then let states erect stricter standards on top. But state’s rights issues inspire strange turf wars. And, as a result, the ADPPA is somewhat stuck in limbo. Some resolution is coming – even the most ardent critics of the bill acknowledge that it’s time for federal standards. But when it will arrive and what provisions look like is a guessing game.

I’m personally feeling optimistic about ADPPA passing before the mid-term elections. And even if it doesn’t, the fact that this bill enjoys such rare bipartisan support suggests that no change in the congressional makeup would prevent its passage – but perhaps I’m expecting too much from a governing body mostly known for gridlock.

#ADPPA #GDPR #Congress #DataProtection #DataPrivacy #Legislation

CISA has been taking their Industrial Control System security priority seriously with over 30 advisories released in the last couple months.

The most recent advisories cover Advantech R-SeeNet, a router monitoring application used; and Hitachi Energy APM Edge, an asset performance tracker specifically for power transformers.

These advisories cover a number of CVEs for each application and, in the case of R-SeeNet, involve the usual scumbag known as remote code execution.

ICSA-22-291-01 – R-SeeNet (Advantech)

Affected Critical Infrastructure Sectors: Critical Manufacturing, Energy, Water and Wastewater Systems

Reported by rgod, working with Trend Micro Zero Day Initiative.

Vulnerabilities:

CVE-2022-3387: “Path traversal attack. An unauthorized attacker could remotely exploit vulnerable PHP code to delete .PDF files.”

CVSS v3 score: 6.5

CVE-2022-3386: “Stack-based buffer overflow. An unauthorized attacker can use an outsized filename to overflow the stack buffer and enable remote code execution.”

CVSS v3 score: 9.8

CVE-2022-3385: “Stack-based buffer overflow. An unauthorized attacker can remotely overflow the stack buffer and enable remote code execution.”

CVSS v3 score: 9.8

Mitigation: Update R-SeeNet to Version 2.4.12 or later.

CISA also recommends minimizing network exposure for all control systems and isolating them from the Internet.

ICSA-21-336-06 – APM Edge (Hitachi Energy)

Affected Critical Infrastructure Sectors: Energy

Reported by Hitachi Energy

Vulnerabilities:

Reliance on Uncontrolled Component (CWE-1357): Because APM Edge uses a number of open-source software components, a successful exploitation could cause the product to become inaccessible.

29 total vulnerabilities are involved in this advisory, with the worst case given a CVSS v3 score of 8.2.

Mitigation: update APM Edge to v4.0.

Hitachi also recommends certain security practices and firewall configurations that can be found on the CISA advisory page (linked above) and Hitachi’s advisory that can be downloaded as a PDF from CISA’s advisory page as well.

Image by American Public Power Association

#CISA #Advisory #Industrial_Control_Systems