FTC Seeks Comment on Petition to Modify 2009 Sears Order Concerning Online Browsing Tracking

The Federal Trade Commission (“FTC”) is soliciting public comments on a petition filed by Sears Holdings Management (“Sears”) to reopen and modify a 2009 FTC order regarding the tracking of personal information by its software apps.  The petition is notable for a number of reasons.  First, the Sears consent order was a seminal order in the development of the FTC’s privacy jurisdiction, standing for the proposition that a company cannot “bury” disclosures that consumers would not expect in long privacy notices.  Second, the concept of modifying 20-year consent orders is an important one in light of changes over time.  Third, the petition seeks to correct the unintended consequences that a consent order can have on future technologies when such an order regulates present ones.

In the 2009 FTC order, Sears settled charges that it failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.  As part of that 20-year consent order, Sears agreed to make certain disclosures and obtain consent in connection with its downloadable software app and future ones that “monitor, record, or transmit information.”  The petition argues that the 2009 FTC order should be modified to update its existing definition of “tracking application,” presently defined as:

any software program or application . . . that is capable of being installed on consumers’ computers and used . . . to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from or transmitted to the computers on which it is installed.

The petition seeks to modify this definition to exempt information about “(a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”

Top Tips and Traps for Cyber Insurance Buyers

By John G. Buchanan and Marialuisa S. Gallozzi

Although the National Cybersecurity Awareness Month of October has come to a close, it is not too late for corporate counsel and risk managers to be thinking about cyber-risk insurance — an increasingly essential tool in the enterprise risk management toolkit. But a prospective policyholder purchasing cyber insurance for the first time may be hard put to understand what coverage the insurer is selling and whether that coverage is a proper fit for its own risk profile. With little standardization among cyber policies’ wordings, confusing labels for their covered perils, and little interpretive guidance from case law to date, a cyber insurance buyer trying to evaluate a new proposed policy may hardly know where to focus first.

After pursuing coverage for historically major cyber breaches and analyzing scores of cyber insurance forms over the past 15 years, we suggest the following issues as a starting point for any cyber policy review:

National Cybersecurity Awareness Month Q&A with Yan Luo

Yan Luo advises clients on a broad array of regulatory matters in connection with cybersecurity and data protection rules in China. With previous work experience in Washington, DC and Brussels before relocating to Beijing, Yan has fostered her government and regulatory skills in all three capitals. She is able to strategically advise international companies on Chinese regulatory matters and represent Chinese companies in regulatory reviews in other markets.

Over the past two years, Yan has provided practical advice to clients on nearly all aspects of China’s Cybersecurity Law. She continues to help them navigate the complex and quickly evolving regulatory regime, including on issues arising out of personal information protection, cross border data transfers, and various cybersecurity requirements.

What provisions of China’s Cybersecurity Law have caused the greatest concern for U.S. companies? What advice do you have for these companies when it comes to compliance?

National Cybersecurity Awareness Month Q&A with Ashden Fein

Ashden Fein’s Cybersecurity practice focuses on counseling clients who are preparing for and responding to cyber-based attacks on their networks, assessing their security controls and practices for the protection of data and systems, developing and implementing cybersecurity programs, and complying with federal and state regulatory requirements. Ashden has specifically been the lead investigator and crisis manager for multiple complex cyber and data security incidents, including data security breach matters involving millions of affected consumers, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Before joining the firm, Ashden served for thirteen years in the United States Army, first as a military intelligence officer and later as a Major in the Judge Advocate General’s Corps. While on active duty, he specialized as a military prosecutor, gaining significant experience investigating and prosecuting crimes related to national security and cybersecurity. In addition, Ashden served as the Chief of the Criminal Division for a command of 17,000 soldiers and as a legal advisor for an Army Aviation organization deployed in Iraq. He currently serves as a Judge Advocate in the U.S. Army Reserve.

While in the Army, you specialized as a military prosecutor where you gained significant experience in cybersecurity. For example, you were the lead trial attorney in the prosecution of Private Chelsea Manning for the unlawful disclosure of classified information to WikiLeaks. How did your time in the Army help inform your work on cybersecurity matters in private practice?

Information Technology Industry Council Releases Artificial Intelligence Principles Calling for Industry Responsibility, Flexible and Supportive Government Policies, and Cross-Sector Collaboration

On October 24, the Information Technology Industry Council (ITI) released a set of policy principles to guide the technology industry and governments in their approach to artificial intelligence (AI). The organization—which includes Amazon, Apple, Facebook, Google, Intel, and Microsoft—intends for its guidelines to help AI meet its potential to solve important problems while minimizing any harmful consequences.

The report presents separate recommendations for members of the technology industry, government, and public-private partnerships:

  • Technology Industry: The policy principles state that the technology industry has an obligation to minimize the risks AI presents, including mitigating harmful biases that may arise from AI data. The report emphasizes the need to design safe AI systems and prevent misuse. It also places importance on high security standards to ensure the public remains willing to share sensitive data. The council highlighted its support for voluntary, consensus-based standards and best practices for AI industry members.
  • Government: To facilitate further AI innovation, the council urged governments to continue offering funding and incentives for “long-term, high-risk” research in fields such as robotics, human augmentation, and data analytics. The group also suggested that lawmakers limit regulation of AI to avoid unintentionally impeding industry growth. Noting the danger of a one-size-fits-all policy, the council requested that governments customize any laws, regulations, or taxes for the particularities of a given AI application. The ITI expressed its support for protecting intellectual property rights for AI systems by all available means, including trade agreements. In addition, the principles recognize the importance of dependable cybersecurity and privacy provisions for AI to thrive and endorse government use of broadly-accepted and deployed security standards.
  • Public-Private Partnerships: ITI member companies encouraged greater use of public-private partnerships (PPP) engaging industry, academic institutions, and governments in addressing AI’s societal impacts. The group recommends cross-sector collaboration to promote science, technology, engineering and math (STEM) education and to help workers adapt to job changes, losses, or worker displacement that may result from greater reliance on AI. The guidelines propose that PPPs work to broaden access to resources necessary for AI use and development with the goal of more fairly distributing access to opportunities created by these technologies.

National Cybersecurity Awareness Month Q&A with Kristof Van Quathem

Kristof Van Quathem, special counsel in Covington’s Brussels office, advises clients on data protection, data security, and cybercrime matters. He has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies, ranging from compliance advice on the adopted laws, regulations, and guidelines, to the representation of clients in non-contentious and contentious matters before data protection authorities.

Kristof assists many international companies in their preparation for the EU General Data Protection Regulation (“GDPR”). This includes strategic advice on governance and data management, as well as hands-on assistance with writing policies, procedures, and agreements.

What are some of the major cybersecurity components of the GDPR and the NIS Directive? What tips can you provide to U.S. companies when preparing for these changes?

Advisory Committee to the Congressional Internet Caucus Discusses Vulnerability Disclosures

Last week, the Advisory Committee to the Congressional Internet Caucus hosted “Hacking: What Color Is Your Hat? Vulnerability Disclosures and the Law,” a discussion on the importance of vulnerability disclosures to protect information systems and the nation’s cyber security defenses, and how private and public actors can safely encourage vulnerability reporting.  Technology and security companies were represented on the panel by Franck Journoud, Oracle’s Senior Director of Cybersecurity and Technology Policy, Katie Moussouris, CEO, Luta Security, and Harley Geiger, Rapid7’s Director of Public Policy. The Department of Justice (“DOJ”) was represented by Leonard Bailey, Special Counsel for National Security, Computer Crime and Intellectual Property Section (“CCIPS”).

The discussion centered around (1) the DOJ’s recently promulgated voluntary framework for handling vulnerability disclosures, (2) the challenges of reporting on and disclosing vulnerabilities and current industry best practices, and (3) potential legislative solutions to this issue.

China Revises Proposals on Regulation of Commercial Encryption

In the past three weeks, China’s State Council and the State Cryptography Administration (“SCA”) issued two documents that reveal a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for the draft Encryption Law to establish a uniform encryption regime. This development and its practical implications will be important to multinationals that manufacture, distribute, or use commercial encryption products in China.

On September 29, 2017, the State Council released the Decision on Removing a Batch of Administrative Approval Requirements (the “State Council Decision”) (official Chinese version available here), which removed some approval requirements for the manufacturing, sale, and use of commercial encryption products. On October 12, 2017, the SCA further released a notice (“Notice”) to instruct local Bureaus of Cryptography Administration (“BCA”) on the plan to implement the State Council Decision.  (The official Chinese version can be found here.)

The State Council Decision and the Notice reveal a major change in the regulatory regime governing commercial encryption products in China, potentially paving the way for an Encryption Law that would establish a uniform encryption regime. (Our previous alert describing the draft Encryption Law can be found here.)

EU Commission Concludes Privacy Shield “Adequate” in first Annual Review

The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied by a Staff Working Document, Infographic, and Q&A).  The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies in the United States.  With its conclusion, the Commission also makes a number of recommendations to further improve the Privacy Shield framework.  The Report follows a joint press statement by the U.S. Secretary of Commerce and EU Commissioner Jourová on September 21, 2017, closing the review and reaffirming that the “United States and the European Union share an interest in the [Privacy Shield] Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

Background

The EU-U.S. Privacy Shield is a framework that enables the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the U.S.  The Privacy Shield framework was unveiled by the EU and United States on July 12, 2016 and became operational on August 1, 2016.  To date, over 2,400 companies (including more than 100 EU-based companies) have certified, with 400 applications under review.

The Privacy Shield provides an annual review and evaluation procedure intended to regularly verify that the findings of the Commission’s adequacy decision are still factually and legally justified.  Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce and the European Commission, with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  In preparation for the Review, the Commission also sought feedback from a number of trade associations, NGOs, and certified companies.  (See our earlier posts on the purpose of the first annual review here and here.)

Deputy Attorney General Rod Rosenstein Warns Against Warrant-Proof Encryption

In a speech delivered at the United States Naval Academy on October 10, Deputy Attorney General Rod Rosenstein waded into the public debate between data privacy and law enforcement interests.  As part of a discussion moderated by former Covington cybersecurity attorney Jeff Kosseff, Rosenstein’s remarks addressed cyber issues facing law enforcement, with a particular focus on the advent of “warrant-proof” encryption.  In his view, warrant-proof encrypted data and devices are those that law enforcement cannot intercept or unlock, even with a court order.

Noting that “[p]rivate sector entities are crucial partners” in the fight against cyber threats, Rosenstein expressed concerns about the role played by tech companies in advancing warrant-proof encryption.  While recognizing the need to balance important privacy interests against law enforcement priorities, Rosenstein argued that “[w]arrant-proof encryption defeats the constitutional balance by elevating privacy above public safety.”  He emphasized the threat posed to public safety when technology developers deprive law enforcement of “crucial investigative tools.”  Rosenstein advocated for “responsible encryption,” recognizing that this approach would not be one-size-fits-all and that solutions would likely look different depending on the company and technology at issue.