FTC Comments on NTIA’s Cybersecurity Vulnerability Disclosure Template

The FTC released public comments yesterday on the National Telecommunications and Information Administration’s (NTIA) draft “Early Stage” Coordinated Vulnerability Disclosure Template released in December 2016.  The draft template was released by the NTIA Safety Working Group as part of a multistakeholder process that convened security researchers and software and system developers and owners to address security vulnerability disclosure.

The FTC’s comments highlighted the importance of coordinated vulnerability disclosure efforts, stating that “companies should communicate and coordinate with the security research community as part of a continuous process of detecting and remediating software vulnerabilities,” and cited its prior enforcement actions and Staff guidance on the subject.  The FTC encouraged transparency in vulnerability reporting by both researchers and companies, and promoted the model vulnerability disclosure policy language in the draft template as “a useful asset for companies seeking to draft a public-facing vulnerability disclosure policy that helps forge common expectations with researchers regarding vulnerability handling timelines and processes.” Continue Reading

Cross-Border Data Transfer: A China Perspective

When China’s new Cybersecurity Law takes effect on June 1, 2017, China will become another important jurisdiction to watch in the international data transfer space.

Before the new Cybersecurity  Law officially was promulgated on November 7, 2016, cross-border data transfer of data from China was largely unregulated by the government.  While many Chinese laws and regulations governed the collection, use and storage (including localization) of data, no binding laws or regulations contained generally applicable legal requirements or constraints on the transfer of data across Chinese borders. Continue Reading

Senators Seek Answers from DHS on Privacy Aspects of Trump Order, Including Privacy Shield

On February 9, 2017, six Democratic senators wrote to DHS Secretary John Kelly about their concerns over a Trump executive order that would remove Privacy Act protections for non-U.S. citizens and lawful permanent residents.

Senators Ed Markey (MA), Ron Wyden (OR), Jeff Merkley (OR), Al Franken (MN), Chris Coons (DE), and Mazie Hirono (HI) wrote that Section 14 of the order would make it easier for government agencies to share non-citizens’ personal information with Congress and the public. Continue Reading

“Cybersecurity Review” Takes Shape in China

When China’s Cybersecurity Law was enacted last November, one question (among many) that surfaced was how the government would implement the “national security review” that the law requires for certain network products and services.  The law, which takes effect this June, provides that any network products and services that might affect national security procured by operators of critical information infrastructure must clear a “national security review,” but left that term unexplained.  Last week, the nation’s leading internet regulator—the Cyberspace Administration of China (“CAC”)—stepped in to elaborate, at least in part.

On February 4, CAC issued a draft regulation outlining the contours of the “cybersecurity review” required by the new law and opened a one-month window for receiving public comments (see original Chinese here and our analysis here).  The name change (“cybersecurity” in lieu of “national security”) seems purely cosmetic; consistent with the Cybersecurity Law, the review process focuses on safeguarding China’s national security in cyberspace.  To that end, the draft regulation sheds light on some of CAC’s priorities, while raising new questions about what businesses must do to comply.

First, the regulations appear to contemplate a two-tier compliance system: Government agencies, Communist Party organs, and entities in “key sectors” would be prohibited from procuring any network products and services that have not passed the cybersecurity review, while other critical infrastructure operators would enjoy greater leeway, though any procurement that “may affect national security” is still subject to review.  Although the “key sectors” with the strictest obligations include sectors “such as” finance, telecommunications, and energy, it is unclear whether other sectors will join their ranks.  As for other sectors, the regulations do not explain how regulators will determine if certain procurement activities “may affect national security.”

Second, the agencies will focus on ensuring that products and services are “secure and controllable.”  This standard, the draft regulations explain, aims to mitigate several distinct risks—the risk that products or services will be “unlawfully controlled, interfered with, or interrupted”; the risks associated with “research and development, delivery, and technical support”; the risks that products or services will become a means to “illegally collect, store, process, or utilize users’ data”; and the risk that providers will leverage user reliance to “engage in unfair competitive practices or otherwise harm consumers.”  The “secure and controllable” standard, then, encompasses not only the more obvious goal of guarding against hacking or interference, but also a distinct and more expansive interest in protecting consumers and their data.  Additionally, to be “secure and controllable” also requires adequate protection against “possible harms to national security and the public interest,” terms that leave ample room for interpretation.

Lastly, the regulations sketch out the cybersecurity review’s core elements—“laboratory testing, on-site inspection, online monitoring, and review of background information.”  What each of these elements means in practice, however, remains to be seen.

Public comments are due by March 4.

European Commission Dismisses Privacy Shield Concerns Over Trump Executive Order

On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer frameworkContinue Reading

FTC Releases Cross-Device Tracking Report

The Federal Trade Commission yesterday released its report on cross-device tracking.  The report, which follows the Commission’s November 2015 Cross-Device Tracking Workshop, describes some of the current approaches to track consumers across multiple connected devices, discusses industry self-regulatory approaches to protect consumer privacy, and offers recommendations for how to apply longstanding FTC principles like transparency, choice, and security to cross-device tracking.  These recommendations are not binding legal rules, but provide insight on what the FTC staff consider best practices and how the FTC might interpret and apply Section 5 of the FTC Act in this space.

At a high level, cross-device tracking allows companies to associate multiple devices with the same person.  This may be achieved, for example, deterministically (e.g., when a user logs in to a service on multiple devices) or probabilistically (i.e., by inferring who is using a device through technological or statistical methods).  The report acknowledges that cross-device tracking has numerous consumer benefits, such as creating a seamless consumer experience, improving fraud detection and account security, and receiving more relevant ads.

Recommendations

The report’s recommendations mirror the general principles that the FTC has applied in other contexts, such as the 2009 Self-Regulatory Principles for Online Behavioral Advertising.  Applied to the cross-device tracking context, these recommendations include:

  • Transparency. All companies involved in cross-device tracking (including  advertising technology providers, website publishers, and mobile app developers) should truthfully disclose their tracking activities.  The report warns that failure to disclose cross-device tracking could implicate the FTC Act. These disclosures extend not only to stating the fact that companies are engaging in these practices, but also to making truthful claims about the categories of data collected and the scope of any opt-out mechanisms.Notably, the report states that data that is “reasonably linkable to a consumer or a consumer’s device” – including in some cases a hashed email address or username – is “personally identifiable.”  As an example, the FTC pointed out that consumer-facing companies who share plain-text or hashed email addresses or usernames for purposes of cross-device tracking should “refrain from referring to this data as anonymous or aggregate, and should be careful about making blanket statements to consumers stating that they do not share ‘personal information’ with third parties.”  (In a footnote, however, Commissioner Ohlhausen clarifies that “to the extent that an email address is hashed in a manner so that it is not reasonably linkable to a consumer or a consumer’s devices, it would not be personally identifiable information.”)
  • Choice. The FTC encourages companies to offer consumers choices with respect to cross-device tracking.  The report recognizes that there are valid reasons for an opt-out choice to apply on a device-by-device basis, rather than across the entire graph of connected devices.  If, however, an opt-out tool is limited to only certain types of tracking technologies or is otherwise limited in scope, companies should clearly and conspicuously disclose the limits of the opt out to avoid misleading consumers.  In addition, third-party tracking companies must avoid misrepresenting to app developers and website publishers the types of information they collect and use or the scope of their opt-out mechanisms.
  • Sensitive Data. The FTC recommends that companies refrain from engaging in cross-device tracking on sensitive topics without consumers’ affirmative express consent.  Such  topics include health, financial, children’s information, and precise geolocation information.
  • Security. As in other areas, the FTC Act requires that companies maintain “reasonable security.”  The FTC staff noted that cross-device tracking companies may have rich data sets that are often tied to individuals, and which may be an attractive target for malicious actors.  Accordingly, the FTC encourages companies to keep only the data necessary for their business purposes and to properly secure the data they do collect and maintain.

Self-Regulatory Efforts

The FTC also discussed self-regulatory efforts to address cross-device tracking, namely by the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI).  The staff noted that, on February 1, 2017, the DAA will begin enforcing its Cross-Device Guidance.  Under this guidance, an opt out for behavioral ads on one device not only stops behavioral advertising on that specific device but also prevents data from that opted-out device from being used for behavioral advertising on a user’s other linked devices.

In general, the staff commended the DAA’s and NAI’s self-regulatory efforts to improve transparency and choice with respect to cross-device tracking.  Staff encouraged heightened levels of protection for sensitive information, clear effective dates for the self-regulatory principles and codes, and defined scope of their application.

Although the Commissioner’s voted unanimously to issue the staff report, Commissioner Ohlhausen issued a concurring statement to emphasize that the report “does not alter the FTC’s longstanding privacy principles but simply discusses their application in the context of a new technology.”

Commerce Releases Green Paper on Approach to Supporting IoT, Seeks Public Comment

The Department of Commerce released a “green paper” earlier this month proposing steps the Department can take to advance and support the Internet of Things (“IoT”).  The report includes recommendations based on comments submitted to the Department in response to an April 2016 Request for Comment as well as feedback from a September 2016 IoT workshop.

The paper states is goal as identifying “elements of an approach” for the Department of Commerce to adopt to “foster the advancement of the Internet of Things.”  The paper recognizes the risk of “premature and excessive regulation is notable given the size of the potential economic benefits [of IoT] to U.S. producers and consumers.  At the same time, it states the Department received a “strong message” from commenters that “coordination among U.S. Government partners would be helpful,” give the “complex, interdisciplinary, cross-sector nature of IoT.”

The paper identifies four key areas of engagement:

  • Enabling Infrastructure Availability and Access: Fostering the physical and spectrum-related assets needed to support IoT growth and advancement.
  • Crafting Balanced Policy and Building Coalitions: Removing barriers and encouraging coordination and collaboration; influencing, analyzing, devising, and promoting norms and practices that will protect IoT users while encouraging growth, advancement, and applicability of IoT technologies.
  • Promoting Standards and Technology Advancement: Ensuring that the necessary technical standards are developed and in place to support global IoT interoperability and that the technical applications and devices to support IoT continue to advance.
  • Encouraging Markets: Promoting the advancement of IoT through Department usage, application, iterative enhancement, and novel usage of the technologies; and translating the economic benefits and opportunities of IoT to foreign partners.

It also outlines a number of next steps in specific IoT areas.  For privacy, it states the Department will work to “address the need to protect consumer privacy in the IoT environment and continue to support baseline privacy legislation, as well as an engineering approach to privacy.”

For IoT cybersecurity, the Department will proactively support and promote cybersecurity policy for the IoT environment, promote the use of strong encryption as a key tool for addressing IoT cybersecurity concerns, and collaborate with industry to educate consumers about limiting risk.

In connection with the paper, the Department also issued a Request for Comment on the approach and engagement strategies it contains.  Comments are due by February 27.  In particular, the Department seeks input on whether there are important IoT issues not addressed in the paper, whether the paper takes an appropriate approach to advancing IoT, and any suggestions by commenters for next steps for the agency in fostering IoT advancement.

In addition, the Department also recently announced that the National Telecommunications & Information Administration (“NTIA”) will convene a virtual meeting in its multistakeholder process on January 31.  That meeting is to focus on IoT security upgradeability and patching.

The Securities and Exchange Commission and Financial Industry Regulatory Authority Release Examination Priorities for 2017

The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) and the Financial Industry Regulatory Authority, Inc. (“FINRA”) (a private self-regulatory organization overseen by OCIE), recently released their 2017 examination priorities.  It is no surprise to find cybersecurity listed as an examination priority again this year.

OCIE and FINRA have repeatedly recognized cybersecurity as an examination priority.  OCIE first identified cybersecurity as an examination issue in 2014 and FINRA first mentioned data security and online defense as an issue in 2008.  Today, U.S. financial institutions regularly face increasingly sophisticated cyberattacks that seek to access or acquire customer data illegally, disrupt operations and increase reputational risk.  In light of these threats, OCIE and FINRA have further developed and refined their cybersecurity examination priorities to better identify and mitigate cyber risks for market participants.  Details follow below.

SEC’s 2017 Examination Priorities

The SEC, through OCIE, publishes annual examination priorities to identify issues that present a risk to investors or capital markets.  For 2017, OCIE again listed cybersecurity as a market-wide risk and examination priority.  OCIE promises to “continue [its] initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.”

OCIE’s Examination Priorities for 2017 are available here.

FINRA’s 2017 Regulatory and Examination Priorities

In its latest Examination Priorities guidance, FINRA identified cybersecurity threats as “one of the most significant risks” that firms face in 2017.  Recognizing that cyber threats are dynamic and evolving, and that “there is no one-size-fits-all approach to cybersecurity,” FINRA stated that it would “tailor [its] assessment of cybersecurity programs to each firm” based on certain factors, such as its business model, size and risk profile.

FINRA also said it will focus on firms’ data loss prevention and vendor relationship management policies.  In assessing data loss prevention, FINRA plans to examine firms’ data storage policies, data flow, and the tools used to monitor and protect data.  With respect to examining management of vendor relationships, FINRA would review policies, consider whether vendors have access to sensitive firm data, and assess any controls put in place to protect firm data from insider threats.  FINRA also underscored two common vulnerabilities in cybersecurity controls that it has observed:  (i) password protections, encryption, network and system maintenance and physical security at branch offices tend to be weaker than at a firm’s headquarters; and (ii) some firms may not be complying with all or parts of Securities Exchange Act Rule 17a-4(f), which requires firms to preserve records securely, in a non-rewriteable, non-erasable format (the secure format is commonly called a “write once read many” or “WORM” format).

FINRA’s 2017 Annual Regulatory and Examination Priorities Letter is available here.

Switzerland and US Announce New Commercial Data Transfer Framework

On January 12, 2017, the U.S. Federal Trade Commission announced the adoption of a Swiss-U.S. Privacy Shield, to replace the existing Swiss-U.S. Safe Harbor Agreement.  Companies have a three month grace period to switch from the old to the new regime.

The Swiss version of the Privacy Shield had to be negotiated following the invalidation of the EU-U.S. Safe Harbor Agreement by the EU Court of Justice.  While this invalidation did not directly affect the Swiss version of the Safe Harbor Agreement, it was clear that Switzerland could not continue to rely on it.  The Swiss Data Protection Authority (“DPA”) considered that the Agreement no longer provided adequate protection, severely limiting its use going forward.  The new Privacy Shield, however, has been welcomed by the Swiss DPA as an appropriate mechanism to transfer personal data to the U.S.

Extension of Time for Comments on the Federal ANPR on Cyber Risk Management Standards

For those considering submitting comments on the federal advance notice of proposed rulemaking (ANPR) on enhanced cyber risk management standards, you’ve been granted an extension.  The agencies involved—the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation—announced that they will extend the comment period by one month, from the original deadline of today, January 17, to February 17, 2017.  Details here‎.

LexBlog