Covington Files Comments on Cybersecurity Incentives

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical infrastructure entities.  To facilitate these initiatives, the Executive Order instructs the Secretaries of Homeland Security, Treasury, and Commerce to recommend incentives to promote participation in the Program.

On March 28, the Department of Commerce, through the Office of the Secretary, NIST, and the National Telecommunications and Information Administration (“NTIA”), issued a Notice of Inquiry regarding “Incentives To Adopt Improved Cybersecurity Practices.”  Yesterday, representatives of Covington & Burling LLP and The Chertoff Group filed comments in response to the Notice of Inquiry.  The comments set out several principles for the Department of Commerce to consider in structuring incentives for participation in the Program.  The comments are based on the professional experience of the representatives and are not offered on behalf of any client of either firm or any other entity.

All of the comments submitted in response to the Notice of Inquiry are available on the NTIA website.

President Obama Issues Cybersecurity Executive Order

In his State of the Union message on Tuesday, President Obama announced that he had signed an Executive Order addressing the cybersecurity of critical infrastructure.  President Obama emphasized that in the face of threats to corporate secrets, the power grid, and financial institutions, among others, “We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

The Executive Order follows legislative efforts in the last Congress to pass comprehensive cybersecurity bills.  After the Cybersecurity Act of 2012 (S. 3414) failed to pass in August 2012, Deputy National Security Adviser John Brennan mentioned in an appearance at the Council on Foreign Relations that the President was considering issuing an Executive Order to implement portions of the cybersecurity legislation.  In the subsequent months, the White House sought industry input on the Order.

The Order has two main components: increasing information sharing from the government to the private sector and establishing a Cybersecurity Framework to buttress the security of critical infrastructure. 

NIST Announces Privacy Technology Grants

Recently, the National Institute of Standards and Technology (NIST) announced over $9 million in grants to five U.S. entities to develop technologies to “pilot identity solutions that increase confidence in online transactions, prevent identity theft, and provide individuals with more control over how they share their personal information.”  Funded projects will address issues including commerce, preference sharing, use of technology by seniors, health and education.  NIST, which is housed within the Department of Commerce, made the grants to support the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative designed to promote the development of secure, interoperable identity credential technologies.

NTIA Releases Notes from First Privacy Multistakeholder Meeting; Announces Next Meeting Dates

As noted in our coverage of the inaugural Privacy Multistakeholder Meeting, NTIA promised to release meeting notes and the results of informal polls taken during the meeting.  This information is now available on NTIA's website, and includes notes in document format and images of the flipcharts used during the meeting.

Additionally, NTIA has encouraged stakeholders to continue working with the list of ideas generated in the first meeting, and noted that a public, archived mailing list has been created by a group of meeting participants to facilitate this process.

Finally, NTIA has announced future meeting dates through the end of the year.  Two meetings will be held in August: one on Wednesday, August 22nd and the other on Wednesday, August 29th; both from 9:30 a.m. until 1:00 p.m. in the Auditorium of the Herbert C. Hoover Building, Department of Commerce at 14th Street and Constitution Avenue, N.W. in Washington, D.C.  No specific agenda has been set, but the NTIA encourages participants to continue to develop a code of conduct and build a process that will govern their efforts.

Additional monthly meetings have been scheduled through December 2012 as well.

Recapping the NTIA Multistakeholder Meeting

By Kristin Shaffer

Yesterday marked the inaugural Privacy Multistakeholder Meeting at the Department of Commerce, hosted by the National Telecommunications and Information Administration (“NTIA”).  The meeting brought together representatives of technology companies, advertisers, consumer groups, and other stakeholders for a discussion of mobile application transparency and the process for future discussions and meetings.  While the meeting did not bring consensus on either process or goals, it did engender considerable discussion among a large number of participants, both in person and through the online meeting tool.

Representatives from NTIA worked with an outside facilitator to solicit stakeholder views on 1) potential key elements of a mobile transparency policy and 2) methods that the group might employ to move the conversation forward in the future. The use of the facilitation process itself generated a considerable amount of debate and substantive discussions were often interrupted by questions about or objections to the process.

By the end of the day, the participants had generated a substantial list of items to consider during future meetings and had informally “voted” to express whether they felt the item needed to be addressed early in the process.  John Verdi, Director of Privacy Initiatives, stated that the list of ideas and the results of the informal poll would be released next week.  Verdi also announced that NTIA would schedule an additional meeting in August, though no specific date was announced.

NTIA Seeks Comment on Beginning Conduct-Code Discussions

The Department of Commerce’s National Telecommunications and Information Administration (NTIA) sought public comment Wednesday on how to begin the process of developing voluntary codes of conduct governing consumer privacy, as called for in the privacy framework released by the White House last month.

That report argues that companies should follow seven basic principles — a Consumer Privacy Bill of Rights — when collecting, using, or disclosing consumers’ personal data. These principles are: individual control; transparency; respect for context; security; access and accuracy; focused collection; and accountability.

The framework calls on Congress to codify the general principles through legislation while stakeholders develop voluntary codes of conduct to implement the principles in particular sectors. The framework tasks the NTIA with setting up an open process in which all interested stakeholders — including companies, consumer advocates, and government officials — would develop conduct codes by consensus.

White House Releases "Consumer Privacy Bill of Rights"

The White House released a report today containing its “Consumer Privacy Bill of Rights,” referring to the new privacy framework as a “comprehensive blueprint to protect individual privacy rights and give users more control over how their information is handled.”  The report is entitled “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy,” and it outlines a plan for implementing the Consumer Privacy Bill of Rights that calls for the cooperation of industry, Congress, and international stakeholders.

The Consumer Privacy Bill of Rights identifies seven fundamental principles that apply to personal data, which is defined as “any data, including aggregations of data, that is linkable to a specific individual.”  Those principles are individual control, transparency, respect for context, security, access and accuracy, focused collection, and accountability.

The report asks companies to work with federal agencies such as the Department of Commerce and the Federal Trade Commission to develop enforceable codes of conduct that adhere to the new Bill of Rights.  If companies voluntarily agree to abide by such codes, the report suggested, violations of the codes could be construed as deceptive or unfair trade practices under Section 5 of the FTC Act.  Congress is called on to enact comprehensive privacy legislation that embodies the proposed principles.  The report also sets forth a plan for promoting interoperability, which includes developing a streamlined approach to regulating companies that transfer personal data across borders.

The report is the product of a comprehensive review of national privacy policy in an Internet economy.  The Commerce Department’s Internet Policy Task Force began the review in 2010.

NIST Issues Guidelines on Public Cloud Security, Privacy

The U.S. Department of Commerce’s National Institute of Standards and Technology on Tuesday released a final version of its guidelines for how organizations — particularly federal agencies — should manage security and privacy concerns when considering the use of public cloud-computing services. Public cloud services, unlike private clouds, require users to store their data on the provider’s shared equipment rather than on the organization’s own servers.

The new NIST security guidelines do not recommend any particular services, providers, or service models; instead, the guidelines highlight the steps organizations should take and the issues they should consider when evaluating any public cloud service.

White House To Roll Out "Privacy Bill of Rights"

In a speech this week at the U.S. Chamber of Commerce, White House Deputy Chief Technology Officer for Internet Policy Daniel Weitzner announced that the Administration will soon roll out a “privacy bill of rights,” which he described as a “broad, high-level statement of principles” that could be enforced by the FTC.  Weitzner emphasized that the Administration wanted to move quickly on privacy, even if that means doing so without legislation.  “We’re not going to wait for Congress,” Weitzner said.

Although Weitzner did not describe the details of the program -- which probably will be included in the Department of Commerce’s forthcoming privacy report -- he explained that the program would be “voluntary” but “enforceable.”  That likely means that it will follow the approach taken by other self-regulatory programs, such as the Digital Advertising Alliance’s Self-Regulatory Program for Online Behavioral Advertising, in which participating companies voluntarily submit to an enforcement mechanism but also publicly represent that they comply with the program.  This, proponents argue, could trigger the FTC’s existing authority to take action against “deceptive” trade practices when a company tells consumers that it complies but actually does not.

When the Administration announces its “bill of rights,” we expect that it will reflect an effort to update traditional notions of privacy to today’s diverse online economy, including broad principles that companies can implement in the particular contexts in which they operate.  We also anticipate efforts to make theoretical privacy concepts more practical and understandable to the average consumer and to empower consumers to make decisions about their own privacy.

According to a report from veteran tech policy reporter Cecelia Kang at The Washington Post, Weitzner implied in his remarks that European privacy rules are too stringent and said that the administration would work with European regulators to adopt a so-called “hybrid” approach to privacy, involving both a self-regulatory program and enforcement, which is similar to the approach that the Administration endorsed at APEC this past week.  Such a program, Weitzner said, would be both “flexible” and “pro-innovation.”

NIST Releases Draft Roadmap for the U.S. Government's Implementation of Cloud Technology

Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released for public comment a draft roadmap for implementing cloud computing technology across U.S. government agencies.  The roadmap is intended to foster adoption of cloud computing by federal agencies, reduce uncertainty surrounding cloud computing by improving the information available to policymakers, and facilitate the further development of the cloud computing model.  The deadline for comments is December 2, 2011. 

The roadmap is composed of three volumes.  Volume I establishes priorities for implementation and provides a general understanding and overview of the background, purpose, and next steps for the U.S. government’s cloud computing initiatives.  Volume II is a technical reference guide for people actively working on cloud computing initiatives, while Volume III is intended for policymakers who are implementing cloud computing solutions.  Volume I identifies ten requirements that must be satisfied in order for cloud computing initiatives to be implemented, including international interoperability, portability, and security standards; defined government regulatory requirements, technology gaps, and solutions; and defined and implemented reliability design goals.

Social Media: Legal Risks and Rewards

Your company has just launched an innovative new social media service, and you’ve received fanfare from the press, increased website traffic, and a spike in advertising revenues.  In short, the service is a complete success — until you’re served with a class action complaint seeking millions of dollars in damages and a civil investigative demand from the FTC.  What did you do wrong, and what can you do to get out of this mess?

That’s the question that I recently explored as a part of a panel at the summer meeting of the Virginia Bar Association on the benefits and risks of social media.  On the panel, we discussed the many ways that social media has influenced law and policy over the past few months and highlighted what businesses and their lawyers need to understand about privacy issues online in order to avoid litigation and regulatory enforcement. 

One of the main reasons that companies face litigation and investigations in the social media area is that they haven’t fully evaluated the information that they are collecting through social media and how that information is (or could be) used.  That is why the discussion on privacy today is coalescing around the concept of “privacy by design,” which Kashmir Hill at Forbes recently described as companies “bak[ing] privacy into their products” rather than considering privacy only reactively.  (You can read more about privacy by design here.)

FTC, Commerce Department Reiterate Support for Industry Codes of Conduct

Jon Leibowitz, chairman of the Federal Trade Commission, and Cameron Kerry, general counsel of the Department of Commerce, spoke today about the need for industry codes of conduct to address emerging privacy issues.  They were the featured speakers at an event held by the Brookings Institution on strategies to protect consumer privacy while ensuring continued innovation on the Internet.

As we previously discussed, the Commerce Department has called for baseline consumer privacy protections that would serve as the basis for codes of conduct that specify how the baseline principles apply in particular contexts.  At today’s event, Kerry provided more detail about the Department’s proposal.

House Energy & Commerce Committee Members Launching Review of Privacy Issues

As we previously discussed, the House Energy & Commerce Committee announced last month that it would be undertaking a comprehensive review of electronic privacy concerns.  That process will kick off on July 14, 2011 with a joint hearing by the Commerce, Manufacturing, and Trade Subcommittee and the Communications and Technology Subcommittee. 

Regulators from the Federal Communications Commission, the Federal Trade Commission, and the National Telecommunications and Information Administration have been invited to report on existing federal laws and practices to protect online consumer privacy.  FCC, FTC, and Commerce Department representatives also testified last week before the Senate Commerce Committee, which is similarly analyzing privacy and data security issues. 

U.S. Chamber of Commerce Hosts Event on Challenges to the Free Flow of Electronic Commercial Information

by Katie Keith

On June 16, 2011, the United States Chamber of Commerce organized a forum for business leaders addressing challenges to the free flow of electronic commercial information. Panelists included academics, government officials, and policy and privacy directors from Google, AT&T, GE, Citigroup, and IBM. The event was moderated by leaders from the Commerce Department, and Secretary of Commerce Gary Locke provided the keynote address. A full agenda can be found here.

The participants were unanimous in their recognition of the economic role of e-commerce and the need for market-oriented solutions to promote innovation and expansion. Secretary Locke pointed to the $10 trillion of business conducted online, and one speaker noted a recent OECD report which found that broadband and information and communication technology applications are very likely to exceed the economic effect of any other technology, including electricity and steam technology.

Business leaders, however, report that foreign governments increasingly restrict the free flow of information with implications for the economy, business community, and consumers. The number of countries with such restrictions has increased tenfold since 2002 and can have a pronounced economic impact. For example, a conservative estimate of the impact of an Internet shutdown in Egypt reflected direct losses of $90 million.

Commerce Department Requests Comments on Proposed Cybersecurity Codes of Conduct

The Commerce Department is calling for the creation of nationally recognized, voluntary codes of conduct to help strengthen cybersecurity protections for online businesses.  The Department issued its recommendations in a green paper on “Cybersecurity, Innovation and the Internet Economy,” which was released on June 8, 2011.  As noted in today’s Federal Register, the Department will be accepting comments on the green paper until August 1, 2011. 

As we discussed last month, one element of the White House’s recent legislative proposal for cybersecurity focuses on core critical infrastructure operators such as the electricity grid, the financial sector, the water system, and transportation networks.  The Commerce Department’s report complements the legislative proposal by concentrating on another sector of the economy – what the report calls the Internet and Information Innovation Sector (“I3S”).  The I3S encompasses businesses that create or utilize the Internet or networking services and have a large potential economic impact, including electronic retailers, social networking sites, cloud computing firms, and online transactional service providers.

Privacy Bills Begin Dropping in Congress; More to Follow

As expected, this year is shaping up to be a busy year on privacy.  As we noted in an earlier post, many Congressional members on both sides of the aisle are focusing on privacy issues.  We still expect Senator Kerry to introduce comprehensive privacy legislation in the next few weeks and we understand Senator Pryor is working on legislation focused on children's privacy before possibly turning back to a "do-not-track" bill.  In the meantime, Senator Leahy, who has long engaged on privacy issues, has created a new Privacy and Technology Subcommittee to be chaired by Al Franken; Congresswoman Jackie Speier introduced her expected do-not-track legislation; Congressman Bobby Rush reintroduced his comprehensive privacy bill; and Congressman Cliff Stearns has discussed introducing the draft privacy legislation that he co-authored with Congressman Rick Boucher last year.

Gerry Waldron has previously written on this blog about some of the challenges that privacy legislation will face in the 112th Congress, but it is notable that so many members of Congress are focusing on privacy issues this early in the 112th Congress.  This level of Congressional engagement makes clear that consumer privacy legislation will be a key issue this Congress for consumers and businesses that care about privacy, especially in light of recent Federal Trade Commission and Department of Commerce privacy efforts.  Neither agency has endorsed new legislation, but the Commerce Department is seeking comment on the question and the FTC has suggested that, if self-regulatory efforts fail, legislation may be necessary to implement Do Not Track.

Department of Commerce Proposed Privacy Framework: Context Matters

It is no surprise that the 97 comments filed in response to the Department of Commerce’s Green Paper on “Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework” take a range of positions on issues such as the need for federal privacy legislation, the relevance of the Fair Information Practice Principles (FIPPs), the efficacy of Privacy Impact Assessments (PIAs), and the value of voluntary codes of conduct.  But there is a prevalent theme echoed in several of the comments:  individuals' privacy expectations depend on context.  Privacy notices should be clearer and shorter but there is not likely a one-size-fits-all approach to the structure or content of such notices.  Individuals should be given greater control over the use of their data but the level of control should depend on the type of data at issue, the type of use involved and the relationship between the individuals and the entities that use their data.  

This recognition that context matters has led to the sector-specific and practice-specific privacy laws in the US, which include laws governing kids' privacy, email marketing, telemarketing, financial privacy, cable privacy, and health privacy.  It certainly is possible to draft comprehensive baseline federal privacy legislation.  But any such legislation will need to appreciate that not all of the rules can or should apply in the same way all of the time.  Just like data security rules (which are tailored to the risks at issue), privacy rules around issues such as transparency, individual control, and access will need to be tailored to account for individuals' different expectations in different circumstances.

Commenters appear to agree that both government and industry have a role to play in developing a meaningful privacy framework that protects individuals' varied privacy interests and allows for innovation to flourish.  The debate centers around how to balance these important interests.  But there seems to be a growing consensus that any privacy framework -- whether codified or not -- will need to recognize the importance of context.