FTC Announces “Stick With Security” Initiative

The FTC announced today a new “Stick With Security” Initiative, building on its prior “Start With Security” guide as “part of its ongoing efforts to help businesses ensure that they are taking reasonable steps to protect and secure consumer data.”  Stick With Security constitutes a series of blog posts published each Friday using “hypothetical examples based on lessons from closed investigations, FTC law enforcement actions, and questions from businesses.”  The new Initiative is part of Acting Chairman Ohlhausen’s pledge earlier this year to be more transparent with businesses about what the FTC considers to constitute reasonable data security practices.

The first blog post in the series focuses on “recurring themes that run through the investigations that are ultimately closed without law enforcement.”  The post notes that those companies’ practices often line up with those recommended in the Start With Security guide, that press reports do not always report the full story of an incident, that proceeding further with the investigation “wouldn’t be a good use of resources,” that the FTC may not be the “right agency” to investigate the incident, or that “the risk of the vulnerability being exploited to cause consumer injury is more theoretical than likely.”

China Seeks Public Comments on Draft Regulation on the Protection of Critical Information Infrastructure

On July 11, 2017, the Cyberspace Administration of China (CAC) released the draft Regulation on the Protection of the Critical Information Infrastructure (“Draft Regulation”) for public comment (official Chinese version available here). The comment period ends on August 10, 2017.

Aiming to add greater clarification to the Cybersecurity Law, which took effect on June 1, 2017, the Draft Regulation clarifies the scope of Critical Information Infrastructure (“CII”) and elaborates on how CII operators are supposed to protect their networks against cyber threats. The Draft Regulation also sets out additional obligations CII operators face, including allowing officials to perform cybersecurity inspections, among others.

The Draft Regulation may help reduce some of the confusion surrounding the key phrase “critical information infrastructure,” which constitutes a crucial part of China’s fast-evolving cybersecurity regulatory framework. But many important questions remain unanswered in the current draft. Companies that either operate in the sectors identified in the Draft Regulation or that supply operators in those sectors should be mindful of the requirements relating to cybersecurity, especially relating to cybersecurity reviews and procurement of network services and products, and closely monitor the regulatory developments.

Some highlights of the Draft Regulation are summarized below.

New York DFS Publishes FAQs on New Cybersecurity Regulations

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights are summarized below.

Reno at 20: The Packingham Decision and the Supreme Court on Online Speech

Twenty years ago, the Supreme Court was faced with the question of whether a federal statute that imposed a content-based restriction on online speech violated the First Amendment. That case, Reno v. American Civil Liberties Union, marked the first instance in which the Supreme Court weighed in on the role of the Internet in the marketplace of ideas, and decided affirmatively that speech on the Internet is afforded protection under the First Amendment.

Over the course of the twenty years following Reno, the Internet has changed in size, shape, and substance. In 1997, about 40 million people used the Internet and “most colleges and universities,” “many corporations,” “many communities and local libraries,” and “an increasing number of storefront ‘computer coffee shops’” provided the public access to the Internet. Today, at least 280 million Americans use the Internet, 102 million U.S. households have in-home broadband Internet access, and 225 million Americans access the Internet through their mobile device. In 1997, popular uses of the Internet included e-mail, listservs, newsgroups, chatrooms, and the “World Wide Web” (which then consisted of around 100,000 websites), but today, social media dominates, with an estimated 81 percent of Americans participating.

Despite the seismic changes to the Internet since the Reno case was decided, the Court’s views on online speech have remained largely consistent, albeit more tailored to the times. Recently, in Packingham v. North Carolina, the Court struck down a content-neutral state law that restricted sex offenders’ access to “social networking” websites, finding that it violated the First Amendment. The significance of the Packingham opinion, particularly in its partial extension of Reno, goes beyond the four corners of the Court’s holding.

ICO Rules UK Hospital-DeepMind Trial Failed to Comply with UK Data Protection Law

The UK Information Commissioner’s Office (“ICO”), which enforces data protection legislation in the UK, has ruled that the NHS Royal Free Foundation Trust (“Royal Free”), which manages a London hospital, failed to comply with the UK Data Protection Act 1998 in providing 1.6 million patient records to Google DeepMind (“DeepMind”), requiring the Royal Free to sign an undertaking committing to changes to ensure it is acting in line with the UK Data Protection Act.

On September 30, 2015, the Royal Free entered into an agreement with Google UK Limited (an affiliate of DeepMind) under which DeepMind would process approximately 1.6 million partial patient records, containing identifiable information on persons who had presented for treatment in the previous five years together with data from the Royal Free’s existing electronic records system.  On November 18, 2015, DeepMind began processing patient records for clinical safety testing of a newly-developed platform to monitor and detect acute kidney injury, formalized into a mobile app called ‘Streams’.

EU Article 29 Working Party Releases Extensive GDPR Guidance on Data Processing at Work

By Dan Cooper and Rosie Klement

The EU’s Article 29 Working Party (“WP29”) has issued new guidance on data processing in the employment context (available here).  Adopted on June 8, 2017, the guidance primarily takes account of the existing data protection framework under the EU Data Protection Directive (Directive 95/46/EC), but also considers the developments coming into force on May 25, 2018 under the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

The WP29 released the guidance partly as a result of the GDPR, but also due to the number of new technologies that have been adopted since previous WP29 publications relating to personal data in the workplace (see Opinion 8/2001 on the processing of personal data in the employment context and the 2002 Working Document on the surveillance of electronic communications in the workplace).  As the WP29 observes, these new technologies enable extensive systematic processing of employees’ personal data and present significant challenges to privacy and data protection.

The new guidance is not restricted to the protection of persons with an employment contract, but is more expansive in scope and intended to cover a range of individuals in an employment relationship with an organization, such as applicants and part-time workers (the term “employee” applies broadly in all such contexts).  The guidance discusses a number of distinct employment scenarios: processing operations during the recruitment and employee screening stage; processing for monitoring ICT usage in and out of the workplace; time, attendance and video monitoring; processing relating to employees’ use of vehicles; as well as the disclosure of employee data to third parties and international transfers of personal data.

South Korea Joins the APEC Cross-Border Privacy Rules Framework

South Korea has become the fifth member economy to join the Asia-Pacific Economic Cooperation’s (“APEC”) Cross-Border Privacy Rules (“CBPR”) system, a voluntary but legally enforceable code of conduct that aims to facilitate secure data transfers and e-commerce between parties to the agreement.

Established in 2011, the CBPR system aims to provide a minimum level of protection for personal information exchanged among member economies as e-commerce continues to boom. It helps mitigate privacy concerns raised by the ever-increasing flow of personal data across borders and build consumer trust by ensuring that data is processed in compliance with the CBPR’s high security standards without restricting data flows.  Countries and businesses that take part in the multilateral system agree to implement APEC’s nine privacy principles, which include, for example, preventing harm, notice, collection limitation, integrity, and accountability, in all cases involving the transfer or processing of personal information.

FTC and NHTSA Hold Workshop to Drive Discussion on Connected Cars

On June 28, 2017, the Federal Trade Commission and the National Highway Traffic Safety Administration (NHTSA) hosted a workshop to examine the consumer privacy and security issues that automated and connected motor vehicles pose.  The workshop’s Public Notice, which solicited comments from stakeholders in advance of the event, highlighted the benefits that connected cars can provide to consumers, as well as the vulnerabilities that may arise through use of the emerging technologies.  During the workshop this week, speakers and panelists, including industry representatives, consumer advocates, and government officials, considered the issues from the Notice and responded to panel questions on data use, cybersecurity, and privacy.  Their comments emphasized the complexity of developing a regulatory framework that promotes innovation while protecting consumers, and many of the participants called for more collaboration and consumer education.

Chairwoman Maureen Ohlhausen’s opening remarks jump-started the day with a call for “regulatory humility.”  In her reflections on the FTC’s role with respect to emerging connected car technologies, Chairwoman Ohlhausen said the FTC seeks “to protect consumers’ personal and sensitive information and prevent unreasonable data security practices, within a framework that allows continued innovation and growth.”  She also acknowledged that “predicting the future – including future benefits and harms – is difficult,” and that, pursuant to the FTC Act, the Commission must “understand the likely benefits and risks of connected cars” before putting in motion any new regulation.  To that end, she provided a “key piece of context for that assessment”: approximately 40,000 people died in car accidents in the U.S. during 2016.  She continued: “Connected cars promise to significantly reduce such fatalities.  We regulators must keep that benefit in mind to ensure that our approaches to connected cars do not hinder such a positive outcome.”  According to the Chairwoman, that “means we must continue to work with our sister agencies, like NHTSA, to avoid unnecessary or duplicative regulation that could slow or stop innovation, and ultimately leave consumers worse off.”

Subsequent workshop participants echoed the Chairwoman’s interest in understanding the benefits and risks of connected vehicles and minimizing regulatory overlap.  Below are some of the key issues raised during the workshop.

Data Collection, Storage, and Transmission: Participants considered the amount and types of information that connected cars use to improve consumers’ experiences and protect them.  They explained that connected cars increasingly include technologies that enable the vehicles to access information via the Internet and gather, store, and transmit data for entertainment, performance, or safety purposes.  As a result of such technologies, connected cars are expected to gather enormous amounts of data, with conservative estimates suggesting that the average connected car will generate up to 30 terabytes of data daily by 2020.  Some of that data will pertain solely to the functioning of cars, including their operations, speed, predicted path, emergency braking, or crash information.  Other information may be highly personal and sensitive, including geolocation information and biometric data.  As panelists discussed these types of information, they raised additional questions about data ownership, data sharing, encryption, anonymization of information, law enforcement access, and future uses of data.

Cybersecurity: The workshop addressed the potential risks to the security of data that connected cars collect.  While speaking on this topic, participants considered how Internet-connected vehicles may face the same security vulnerabilities as other connected computing platforms and to what extent incident response programs may need to differ in the automated-vehicle space.  They furthermore raised concerns over the potential for a “large scale attack” in the industry in the near future and questioned how companies can develop a tiered approach to addressing vulnerabilities, given such risks.  In addition to considering the procedural challenges of addressing cybersecurity threats, panelists emphasized the complex web of actors beyond car makers who would be involved in any incident and response, including suppliers, repair facilities, and telecommunications companies.  They also discussed the idea that having more data could be critical to improving cars, even though data minimization is an important information practice principle.  This observation underscores the challenge of determining how existing self-regulatory and government frameworks for cybersecurity can adapt to cover connected cars.

Privacy Issues: Participants additionally addressed privacy issues as they relate to connected cars.  They explored how consumer notice and choice, as well as usage limitations, operate in the automobile context, and they considered the role of federal agencies, as well as industry and local government actors, in protecting consumer privacy and data security in connected cars.  Of note, panelists once again considered the uniqueness of the connected-car industry, especially as it relates to a consumer’s ability to opt-out of some forms of data collection and sharing.  Moreover, participants emphasized the different privacy practices that may need to be in place for owners of vehicles in contrast to what needs to be in place for their passengers and other users.  As the panels concluded, the discussion again turned to the question of how to best regulate.  Participants considered the benefits of a self-regulatory regime and a federal framework, as well as an approach that relies on tort or local law to regulate new privacy issues as they emerge.

The FTC’s workshop examined issues that legislators and other regulators are simultaneously considering as they speed up their efforts to address the connected car industry.  The event also emphasized the need for more consumer education, and greater collaboration among government, industry, and other stakeholders.  As part of those efforts, participants directed audience members to review the Consumer Privacy Protection Principles from the Alliance of Automobile Manufacturers and the Association of Global Automakers, the work of the Auto Information Sharing and Analysis Center (ISAC), and the FTC’s Business Center.

FTC Launches Review of Its Email Marketing Rule

Today the FTC announced that it is undertaking a review of its CAN-SPAM Rule, which sets out the requirements for sending commercial e-mail messages.  Among other things, the CAN-SPAM Rule requires that senders of commercial e-mails provide recipients a mechanism to opt out of receiving commercial e-mails, honor opt-out requests within 10 business days, and include specific disclosures in the body of the commercial messages.

The review is part of the FTC’s standard process of reviewing its rules and industry guides on a 10-year schedule to ensure that they remain relevant and are not unduly burdensome.  The goal of these reviews typically is to determine whether rule modifications are needed to address public concerns or changed conditions, or to reduce undue regulatory burden.

Consistent with these goals, the FTC specifically is asking for comments on the following topics:

  • The economic impact and benefits of the CAN-SPAM Rule;
  • Possible conflict between the CAN-SPAM Rule and state, local, or other federal laws or regulations (note that the CAN-SPAM statute preempts state commercial e-mail laws, except to the extent they prohibit “falsity or deception”); and
  • The effect any technological, economic, or other industry changes have had on the CAN-SPAM Rule.

Unlike some other FTC rules and guides that are grounded in the FTC’s general authority to prohibit unfair and deceptive practices under Section 5 of the FTC Act, the CAN-SPAM Rule implements requirements contained in the CAN-SPAM statute.  Consequently, while there are certain aspects of the CAN-SPAM Rule that the FTC can modify, the statutory requirements cannot be changed without congressional amendment.

Written comments are due on August 31, 2017.

FTC Staff Publish COPPA Guidance for Businesses

The FTC staff published today a “Six-Step Compliance Plan” for businesses to comply with the Children’s Online Privacy Protection Act (COPPA).

The guidance, which provides a useful framework for businesses, states explicitly that COPPA applies to connected toys and other devices that collect personal information from children over the Internet.  The FTC’s 2013 revisions to the COPPA Rule greatly expanded the scope of the COPPA Rule by broadening the definition of “personal information” in two ways.  First, the definition now includes persistent identifiers, such as device IDs and IP addresses.  Second, the definition now covers audio, video, and image files of children.  Internet-connected toys and devices often collect persistent identifiers and voice or video information in order to function.  (Importantly, there are a number of other elements that must be met for COPPA to apply, and various exceptions that permit the collection of some types of information.)

The guidance does not, however, break new ground on COPPA’s substantive requirements.  For example, the two new parental consent methods that the guidance references — requiring a parent to answer a series of “knowledge-based” challenge questions and using facial recognition technology to compare the parent’s selfie and driver’s license — were approved by the FTC in 2013 and 2015, respectively.

As a result, the guidance misses an opportunity to address, for example, best practices to de-identify voice data or to confirm that other verifiable parental consent methods (such as a parent’s informed purchase of a connected toy) should be sufficient under COPPA.