First Annual Privacy Shield Review Will Comprehensively Assess the Framework

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield.  Continue Reading

White House Issues New Cybersecurity EO

On May 11, 2017, President Trump signed an Executive Order titled “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (the “Order”).  The long-anticipated directive was issued months after the White House originally planned to release a cybersecurity order in February.  Since then, revised drafts of the order were circulated, including a version from February 10, 2017 (the “Revised Draft”) that differed significantly from the initial draft order, but aligned with Executive Order 13636, “Improving Critical Infrastructure Security,” which was signed by President Obama on February 12, 2013.  With few exceptions, the Order signed yesterday mirrors the Revised Draft that we previously analyzed in our February 17, 2017 blog post titled “Release of Cybersecurity EO May Have Notable Impact in Communications, Energy, and Defense Industrial Base Critical Infrastructure Sectors.”  Here, we highlight key differences between the Revised Draft and the final Order.

Section 1:  Cybersecurity of Federal Networks

The first section of the Order continues to primarily address cybersecurity risk management and IT modernization within the executive branch consistent with the Revised Draft and Executive Order 13636 signed by President Obama.  The Order incorporates nearly all of the Revised Draft’s language in this section, with minor exceptions.

For instance, the Order specifies additional content for risk management reports, such as requiring each agency to include an action plan for implementing the NIST Framework for Improving Critical Infrastructure Cybersecurity.  The Order also departs from the Revised Draft by instructing the Director of the American Technology Council, a position recently established by an EO issued on May 1, 2017, instead of the Assistant to the President for Intragovernmental and Technology Initiatives to “coordinate a report to the President . . . regarding [the] modernization of Federal IT.”  Further, the modernization report must be completed within 90 days of the signing of the Order, not 150 days as initially stipulated in the Revised Draft.

Section 2:  Cybersecurity of Critical Infrastructure

Minor changes were also made to the second section of the Order, which details the executive branch’s support for critical infrastructure.  Section two of the Order now includes a paragraph titled “Resilience Against Botnets and Other Automated, Distributed Threats” that focuses specifically on the threats posed by botnets.  Pursuant to the final Order, the Department of Homeland Security (“DHS”) and Department of Commerce (“DOC”) are directed to “identify and promote action by appropriate stakeholders . . . in the internet and communications ecosystem . . . with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g. botnets).”

Moreover, the final Order arguably requires DHS and DOC to work with a much broader group of stakeholders in fulfilling this mandate.  The earlier draft order only required DHS and DOC to include stakeholders from “core communications infrastructure.”  However, the final Order requires DHS and DOC to work with stakeholders, including owners and operators, throughout the “internet and communications ecosystem.”  DHS and DOC are required to make public a preliminary report about these efforts within 240 days and submit a final report to the President within one year.

Section 3:  Cybersecurity for the Nation

The third section of the Order includes new requirements relating to international cooperation not found in the previous drafts.  The final Order also reincorporates a section from the first draft of the order focused on efforts to educate and develop a sustainable cybersecurity workforce.

With respect to international cooperation, the Order now recognizes that the U.S. is “especially dependent on a globally secure and resilient internet and must work with allies and other partners.”  To that end, the Order directs the Secretaries of States, Treasury, Defense, Commerce, and Homeland Security, in coordination with the Attorney General and Director of the Federal Bureau of Investigation, to submit a report to the President outlining their international cybersecurity priorities, “including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation” within 45 days.

To encourage the sustained growth of the domestic cybersecurity workforce, the Order also instructs the Secretaries of Commerce and Homeland Security, in consultation with other agencies, to provide a report to the President within 120 days that assesses ongoing efforts to train and educate the “cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs.”  The report must also include findings and recommendations that “support the growth and sustainment of the Nation’s cybersecurity workforce in both the public and private sectors.”

The Director of National Intelligence (DNI) and Secretary of Defense are also required to coordinate and submit their own reports relating to workforce development.  The DNI’s report will focus on “foreign workforce development practices likely to affect long-term . . . cybersecurity competitiveness” in the U.S. and must be submitted within 60 days.  The Secretary of Defense’s report will examine U.S. efforts to maintain or increase “its advantage in national security-related cyber capabilities.”

*          *          *

As we explained in our February 17, 2017 post analyzing the Revised Draft, the final Order reflects a continuation of the efforts by the previous administration to adopt a risk-based approach to cybersecurity, based in part on adoption by federal agencies of the NIST Framework for Improving Critical Infrastructure Cybersecurity to manage cybersecurity risk.

Parties Discuss Privacy Issues in Advance of FTC, NHTSA Workshop on Connected Cars

Automated vehicle technology is accelerating, and regulators are racing to keep up.  On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (“NHTSA”) will hold a workshop to examine the consumer privacy and security issues posed by automated and connected vehicles.  The workshop comes several months after the Department of Transportation and NHTSA promulgated a Notice of Proposed Rulemaking (“NPRM”) that would require all new passenger vehicles to be capable of vehicle-to-vehicle (“V2V”) communications by the early 2020s. Continue Reading

Ninth Circuit Will Rehear Dismissal of FTC Throttling Suit

The Ninth Circuit announced today that the full court will rehear the case in which the three-judge panel opinion had dismissed the FTC’s lawsuit against AT&T for allegedly violating Section 5 of the FTC Act due to past “throttling” practices around unlimited data plans.  According to the panel opinion, the FTC lacked jurisdiction over AT&T’s practices because of AT&T’s status as a common carrier, even though AT&T was engaging in non-common carrier activities.

The FTC had previously filed a petition for en banc review of the panel opinion, and that petition was supported by the FCC, among others.  This case  has important consequences for the scope of the FTC’s enforcement jurisdiction over non-common carrier activities of communications providers—a subject of particular relevance following FCC Chairman Pai’s recent proposal to re-classify broadband Internet access service as an “information service” under the Communications Act.

The Ninth Circuit has announced that the en banc oral argument will take place during the week of September 18, 2017, with the specific date and time to be determined later.

Working Effectively with Forensic Firms

Among the many issues that can give rise to the initial uncertainty of responding to a significant cybersecurity incident is a failure by incident response team members to understand the perspectives and priorities of other stakeholders. But this complicating factor can readily be mitigated through cross-functional education and relationship building before an incident occurs.

In the first part of a two-part article in Cybersecurity Law Report (subscription required), Steve Surdu and Jennifer Martin, members of Covington’s cybersecurity practice with extensive experience responding to cyber incidents, explain the differences in how forensic analysts and lawyers approach incident response, and how those differences, if understood, can complement one another rather than lead to tension.  Continue Reading

China Releases Final Regulation on Cybersecurity Review of Network Products and Services

Today, the Cyberspace Administration of China (“CAC”) released the final version of the Measures on the Security Review of Network Products and Services (Trial) (“the Measures”), with an effective date of June 1, 2017 (official Chinese version available here).  The issuance of the Measures marks a critical first step toward implementing China’s Cybersecurity Law (“the Law”), which was promulgated on November 7, 2016 and will take effect on June 1, 2017 (the same date as the Measures).

More specifically, the long-anticipated Measures offer guidance on how CAC is planning to conduct cybersecurity reviews of network products and services procured by entities in a range of key sectors and other operators of Critical Information Infrastructure (“CII”), if the procurement “may affect China’s national security.”

A draft form of the Measures was released in February 2017 for public comment (see Covington’s alert on the draft Measures here).  Since then, international stakeholders have been submitting comments to the CAC and changes in the final version reflect some of these comments.  The Measures, however, still lack clarity with respect to certain aspects of the review process, both in terms of substantive criteria and procedure.  Companies that may be subject to such reviews will likely need further guidance from the agencies once the Measures take effect.

This post identifies two key changes in the final version. Continue Reading

Eleventh Circuit Hands Another VPPA Loss to Video App Plaintiffs

In Perry v. Cable News Network, the Eleventh Circuit dealt another loss to putative class-action plaintiffs seeking to use the Video Privacy Protection Act (“VPPA”) as a weapon against free online video services. The court affirmed that to be a “subscriber” of a video service—someone who can sue under the VPPA—one must have a genuine commitment, relationship, or association with that service. Because the Perry plaintiff could not show that, he lost.

The VPPA creates a cause of action for video service providers that disclose their consumers’ personally identifiable information alongside their viewing information. The typical Internet example is a paid video service that gives an advertiser a paying subscriber’s email address and viewing history.

To sue under the VPPA, a person must be a “consumer.” The VPPA defines that term as meaning a renter, purchaser, or subscriber of goods or services from a video service provider. “Subscriber” has raised the question of whether someone who downloads and uses a free app can be a “consumer” who can sue under the VPPA. At least in the Eleventh Circuit, Ellis v. Cartoon Network, Inc. answered that question: something more than mere use is needed. Instead, Ellis held that a proper VPPA plaintiff needs “some type of commitment, relationship, or association (financial or otherwise)” between the plaintiff and the video service provider.

In Perry, the district court relied on Ellis to dismiss plaintiff Perry’s suit without leave to amend because he was merely a user of CNN’s free app. Perry argued he could state a VPPA claim because he subscribed to CNN’s television channel through his cable package. This cable subscription let Perry access exclusive content via the CNN app. Perry said this made him a CNN app subscriber. He also said he paid CNN indirectly through his cable subscription. Perry appealed to the Eleventh Circuit on those theories. Continue Reading

FCC Chairman Pai Proposes New Regulatory Framework for Broadband ISPs, Seeks Comment on Net Neutrality Rules

In a widely anticipated step, FCC Chairman Ajit Pai has released a draft Notice of Proposed Rulemaking (“NPRM”) on the legal framework that governs broadband providers and related net neutrality questions.

Most notably from a privacy perspective, the draft NPRM proposes to find that broadband Internet access service is an “information service” under the Communications Act, reversing the 2015 “telecommunications service” classification that had brought broadband providers under the statutory privacy requirements of Title II of that Act.

The draft NPRM states that the 2015 reclassification “stripped FTC authority over Internet service providers,” in light of the common carrier exemption in Section 5 of the FTC Act.  By reversing the FCC’s prior finding that broadband is a common carrier service, the draft NPRM proposes to “return jurisdiction over Internet service providers’ privacy practices to the FTC, with its decades of experience and expertise in this area.” Continue Reading

Federal Trade Commission Plans to Clarify its Data Security Standard

The Federal Trade Commission (FTC) has announced that it is launching a new initiative to improve data security guidance and transparency as part of a broader plan to implement process reform initiatives.  In an interview with Politico Pro (subscription required) last week, the new acting director of the FTC’s Bureau of Consumer Protection, Thomas Pahl, discussed the FTC’s goal of supplementing existing data security recommendations with best practices and concepts drawn from recently closed investigations.

Under the FTC’s current standard, companies are advised to employ “reasonable” data security measures based on, among other things, the nature of their business and the sensitivity of the information involved.  Pahl noted that companies would benefit from up-to-date information that describes the types of safeguards that the FTC considers “reasonable.”  To that end, the FTC is analyzing previously closed investigations and comparing findings to cases that triggered enforcement actions so it can share best practices.

It is unclear whether the FTC will release improved data security guidance separately or as an add-on to its existing “Start with Security: A Guide for Business” publication.  Pahl also indicated that additional and clearer guidance would likely encourage interested companies to comply with data security standards, but that the FTC will continue to bring enforcement actions where appropriate.

Advocacy Groups Urge FCC to End Data Retention Mandate

On April 24th, the Electronic Privacy Information Center (“EPIC”) and a coalition of 37 other civil society groups sent a letter urging the Federal Communications Commission (“FCC”) to act on an August 2015 petition to repeal the FCC’s data retention mandate under 47 C.F.R. §42.6 (“Retention of Telephone Toll Records”).

The mandate requires communications carriers that “offer[] or bill[] toll telephone service” to retain the following customer billing records for a period of 18 months: (1) the “name, address, and telephone number of the caller,” (2) the “telephone number called,” and (3) the “date, time, and length of the call.”  Carriers are required to retain such information regardless of whether they are billing their own toll service customers or billing customers for another carrier. Continue Reading