Today, the FCC voted to adopt the Restoring Internet Freedom order, which repeals the 2015 “net neutrality” rules and reverts to the “light touch” regulatory approach the FCC previously applied to internet service providers (“ISPs”).  Most importantly, the FCC restored the classification of Broadband Internet Access Service as an “information service” under Title I of the Communications Act rather than a telecommunications service under Title II.  For data privacy and security purposes, this reclassification (more precisely, the reversal of the 2015 reclassification) restores the jurisdiction of the Federal Trade Commission to act when broadband providers engage in anticompetitive, unfair, or deceptive acts or practices affecting the security and privacy of online consumers.  The FTC had that jurisdiction before the 2015 order, but it is barred from regulating common carriers, so the Title II reclassification removed it and today’s order restores it.  Although the final order has not yet been published, today’s press release outlines that the declaratory ruling, report and order, and order will do the following:

Declaratory Ruling:

  • Restores the classification of Broadband Internet Access Service as an “information service” under Title I of the Communications Act – the classification affirmed by the Supreme Court in the 2005 Brand X case.
  • Reinstates the classification of mobile broadband internet access service as a private mobile service.
  • Finds that the regulatory uncertainty created by utility-style Title II regulations has reduced Internet service provider (ISP) investments in networks, as well as hampered innovation, particularly among small ISPs serving rural consumers.
  • Finds that public policy, in addition to legal analysis, supports the information service classification, because it is more likely to encourage broadband investment and innovation, thereby furthering the goal of closing the digital divide and benefitting the entire Internet ecosystem.
  • Restores broadband consumer protection authority to the Federal Trade Commission (FTC), enabling it to apply its extensive expertise to provide uniform online protections against unfair, deceptive, and anticompetitive practices.

Report and Order

  • Requires that ISPs disclose information about their practices to consumers, entrepreneurs, and the Commission, including any blocking, throttling, paid prioritization, or affiliate prioritization.
  • Finds that transparency, combined with market forces as well as antitrust and consumer protection laws, achieves benefits comparable to those of the 2015 “bright line” rules at lower cost.
  • Eliminates the vague and expansive Internet Conduct Standards, under which the FCC could micromanage innovative business models.

Order

  • Finds that the public interest is not served by adding to the already-voluminous record in this proceeding additional materials, including confidential materials submitted in other proceedings.

The order was approved by Chairman Pai, and Commissioners O’Rielly and Carr, with dissents from Commissioners Clyburn and Rosenworcel.  Chairman Pai and Commissioners Clyburn, O’Rielly, Carr and Rosenworcel each issued separate statements.

A link to the press release is available here.

The draft order, issued in November, is available here.

Yesterday, the Federal Trade Commission (FTC) and Federal Communications Commission (FCC) announced their intent to coordinate online consumer protection efforts following adoption of the Restoring Internet Freedom Order, and published a draft Memorandum of Understanding (MOU) that outlines which agency will handle which responsibilities.

The draft MOU outlines a number of ways in which the FCC and FTC will coordinate and collaborate, including:

  • The FCC will review informal complaints concerning the compliance of Internet service providers (ISPs) with the disclosure obligations set forth in the new transparency rule. Those obligations include publicly providing information concerning an ISP’s practices with respect to blocking, throttling, paid prioritization, and congestion management. Should an ISP fail to make the required disclosures—either in whole or in part—the FCC will take enforcement action.
  • The FTC will investigate and take enforcement action as appropriate against ISPs concerning the accuracy of those disclosures, as well as other deceptive or unfair acts or practices involving their broadband services.
  • The FCC and the FTC will broadly share legal and technical expertise, including the secure sharing of informal complaints regarding the subject matter of the Restoring Internet Freedom Order. The two agencies also will collaborate on consumer and industry outreach and education.


The FCC is expected to vote on the order at its December 14 meeting. This order would reverse the 2015 “net neutrality” order reclassifying broadband Internet access service as a Title II common carrier service.  According to the FTC’s press release, one of the impacts of that reclassification was to “strip the FTC of its authority to protect consumers and promote competition with respect to Internet service providers because the FTC does not have jurisdiction over common carrier activities.”  By reversing the 2015 order, the FCC would return jurisdiction to the FTC to police the conduct of ISPs with respect to their disclosures and privacy practices.  Once adopted, the order would require broadband Internet access service providers to disclose their network management practices, performance, and commercial terms of service.  The FTC could then police whether providers actually follow those disclosed practices under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices.

In response to the MOU, FCC Chairman Ajit Pai stated that the MOU “will be a critical benefit for online consumers because it outlines the robust process by which the FCC and FTC will safeguard the public interest. …  This approach protected a free and open Internet for many years prior to the FCC’s 2015 Title II Order and it will once again following the adoption of the Restoring Internet Freedom Order.”  Acting FTC Chairman Maureen K. Ohlhausen stated that “[t]he FTC is committed to ensuring that Internet service providers live up to the promises they make to consumers … [and that] [t]he MOU we are developing with the FCC, in addition to the decades of FTC law enforcement experience in this area, will help us carry out this important work.”

FCC Commissioner Mignon Clyburn, who opposes the proposed order, released the following statement:  “The agreement announced today between the FCC and FTC is a confusing, lackluster, reactionary afterthought: an attempt to paper over weaknesses in the Chairman’s draft proposal repealing the FCC’s 2015 net neutrality rules.  Two years ago, the FCC signed a much broader pro-consumer agreement with the FTC that already covers this issue. There is no reason to do this again other than as a smoke and mirrors PR stunt, distracting from the FCC’s planned destruction of net neutrality protections later this week.”

To view the MOU, click here.

On December 5, 2017, NIST published a revised version of the NIST Cybersecurity Framework (Draft 2 of Version 1.1) (“Framework”).  According to NIST, Version 1.1 of the Framework refines, clarifies, and enhances Version 1.0, issued in February 2014, and the newly published Draft 2 of Version 1.1 is informed by over 120 comments on the first draft, proposed on January 10, 2017, as well as comments and discussion by attendees at NIST’s workshop in May 2017.

The revisions include changes intended to: (1) clarify and revise the cybersecurity measurement language; (2) clarify the use of the Framework to manage cybersecurity within supply chains; (3) better account for authorization, authentication, and identity proofing; (4) better address coordinated vulnerability disclosure, including a new subcategory covering the vulnerability disclosure lifecycle; and (5) remove statements about federal applicability in light of intervening policies and guidance on federal use of the Framework (e.g., Executive Order 13800, OMB Memorandum M-17-25, and Draft NIST Interagency Report (NISTIR) 8170).

NIST seeks public comment on the following questions by January 19, 2018:

  • Do the revisions in Version 1.1 Draft 2 reflect the changes in the current cybersecurity ecosystem (threats, vulnerabilities, risks, practices, technological approaches), including those developments in the Roadmap items?
  • For those using Version 1.0, would the proposed changes affect their current use of the Framework? If so, how?
  • For those not currently using Version 1.0, would the proposed changes affect their decision about using the Framework? If so, how?

Feedback and comments should be directed to cyberframework@nist.gov.

To view a markup (.pdf) of the revised draft Framework, click here.

To view a clean version (.pdf) of the revised draft Framework, click here.

To view the draft roadmap (.pdf), click here.

To view the draft Framework Core (.xls), click here.

On November 15, 2017, the Trump administration released the Vulnerabilities Equities Policy and Process. This document describes the process by which U.S. agencies and departments decide whether to disclose or restrict information about vulnerabilities in information systems and technologies. The Vulnerabilities Equities Process (VEP) weighs disclosing vulnerability information to the vendor or supplier, in the expectation that the vulnerability will be fixed, against temporarily restricting that information so it can be used for national security and/or law enforcement purposes.

The Equities Review Board (ERB), consisting of individuals from numerous agencies, functions as the forum for interagency deliberation and determination concerning the VEP. The National Security Agency will function as the VEP Executive Secretariat. The VEP Executive Secretariat will oversee communications, documentation and recordkeeping for the VEP. The VEP Executive Secretariat will also publish a report of unclassified information on an annual basis.

The VEP provides steps for submitting and reviewing identified vulnerabilities:

  • When an agency determines that a vulnerability meets the threshold for entry into the VEP, it notifies the VEP Executive Secretariat and provides a recommendation to disclose or restrict the vulnerability.
  • The VEP Executive Secretariat notifies all agencies on the ERB and asks them to respond if they have a strong interest (i.e., an “equity”) in the vulnerability. Any agency with such an interest must concur or disagree with the recommendation.
  • The ERB then reaches a consensus on whether to disclose or restrict the vulnerability.

To view the VEP Charter, click here.

To view the fact sheet, click here.

The FTC is seeking public comment on a petition by Sears to reopen and modify its 2009 consent order to narrow the broad definition of “tracking application”.

Background.  In 2009, the FTC issued an order settling charges that Sears Holdings Management Corporation (“Sears”) had failed to adequately disclose the scope of consumers’ personal information it collected via a downloadable software application.  While Sears represented to consumers that the software would track their “online browsing”, the FTC alleged that the software would also monitor consumers’ other online secure sessions – including sessions on third parties’ websites — and collect information transmitted in those sessions, “such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based emails.”  The software would also track some computer activities unrelated to the Internet.  The proposed settlement called for Sears to stop collecting data from consumers who downloaded the software, and to destroy all data it had previously collected.

The 2009 Sears case is significant, among other reasons, because the FTC found a Section 5 violation notwithstanding Sears’s disclosure, because that disclosure was not sufficiently conspicuous.  Specifically, while Sears did disclose the full scope of the software’s functions, the details were buried at approximately the 75th line of a scroll box containing the privacy statement and user license agreement.  Because the description was not displayed clearly and prominently, the FTC charged that the practice was deceptive in violation of Section 5 of the FTC Act.

Petition.  On October 30, 2017, Sears petitioned the FTC to reopen its final order and narrow the broad definition of “tracking application”.   Sears states that the current definition should be updated because circumstances have changed over the past eight years, so that the definition now unnecessarily restricts Sears’s ability to compete in the mobile app marketplace. Sears states that the requested modification would enable the company to “keep step with current market practices” for retail online tracking applications.

  • Definition. Paragraph 4 of the consent order defines “tracking application” as:  “any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed.” 
  • Modification. Sears requests that the following additional language be inserted after the word “installed”: “unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”
  • Rationale. Sears states that the proposed modification is necessary to carve out commonly accepted and expected behaviors from the scope of the Order without altering the Order’s core purpose of providing notice to consumers when software applications engage in potentially invasive tracking.  Sears states that subparts (a) and (b) would exclude “activities common to all modern software applications,” while subpart (c) would exclude “information tracking that is commonly accepted by consumers and that does not present the type of risks to consumer privacy that the Order was intended to remedy.” Sears further states that the proposed modification mirrors language the FTC has used to exclude such commonly accepted practices from more recent consent orders.

Solicitation of Public Comment.  On November 8, the FTC issued a release seeking public comment on Sears’s petition to reopen and modify the 2009 order and its definition.  The FTC will decide whether to grant the petition after the 30-day public comment period expires.  Public comments may be submitted until December 8, 2017.

To view the 2009 FTC Order, click here.

To view Sears’s Petition, click here.

To view FTC’s solicitation of public comment click here.


If you’ve seen the news, you’re probably aware that Equifax announced last week that hackers had breached some of its website application software, potentially affecting the sensitive personal information of approximately 143,000,000 consumers.  If you believe you may be affected by the breach, or are wondering what to do about it, read below for: (A) a brief background of the breach and mitigating efforts, as well as: (B) 5 basic steps to take that may improve your chances of protecting yourself from identity theft as a result of the breach.

A. Background: Equifax Breach

The compromised data includes names, social security numbers, birth dates, addresses, and driver’s license numbers.  The incident may also have exposed credit card numbers for 209,000 U.S. consumers, and “dispute documents” containing identifying information for 182,000 consumers.  The company discovered the intrusion on July 29; it began in mid-May and continued through July.  More information can be found in a video statement by CEO Rick Smith.  To support consumers, Equifax has expanded its call centers and is directing consumers to a dedicated Equifax website, where they can enter their last name and the last 6 digits of their social security number to see if they are impacted; they also have the option to enroll in its “TrustedID Premier” service. Normally costing $19.95 a month, Equifax is offering this “comprehensive package of ID theft protection and credit monitoring at no cost.”

Criticisms.  Some debate currently exists about whether consumers should sign up for this product on the Equifax website, and various criticisms are being blasted on social media and elsewhere over the way in which Equifax is handling the breach:

  • Some have specifically criticized the nature of Equifax’s help, asserting that (a) consumers may give up some rights to sue the company if they sign up for its credit monitoring service, and (b) while the terms include an opt-out provision, consumers must exercise it in writing within 30 days of accepting the service, a practice the CFPB has pushed back against.
  • One Ars Technica article even criticizes the security of the Equifax website itself, which encourages you to type in your last name and the last 6 digits of your social security number to see if you’ve been impacted. According to the article, “it runs on a stock installation WordPress … that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”
  • Some criticize free credit monitoring as simply a Band-Aid, treating the symptom instead of the underlying disease.
  • Other criticisms range from Equifax’s five-week delay before announcing the breach to the sale of shares by top executives shortly after the July 29 discovery.

Response.  Contrary to some of these assertions and several social media posts, Equifax has clarified on its website that consumers signing up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of Trusted ID Premier. Equifax also subsequently clarified in its FAQs that enrolling in the free credit file monitoring and ID theft protection associated with this cybersecurity incident does not waive any rights to take legal action.

B. Now What Do I Do?

Perhaps you are concerned that your information may have been compromised.  Perhaps you even went on the Equifax website and were told that your information “may have been impacted”. As you weigh the pros and cons of enrolling in Equifax’s TrustedID Premier product, or entering your information to see whether you may have been impacted, here are some additional steps you can take to protect yourself:

  1. Check your credit reports. Through this website, you can check your credit reports once a year – for free – from each of the 3 major credit reporting agencies, Equifax, Experian, and TransUnion. Accounts or activity that you do not recognize could indicate identity theft.
  2. Consider placing a credit freeze on your files. While it may not prevent an identity thief from making charges to existing accounts, placing a credit freeze on your file could make it harder for someone to open a new account in your name. A freeze will remain in place until you request it to be removed or temporarily lifted, which can take up to 3 business days.  Note that if you plan on opening a new account, applying for a job, renting an apartment or buying insurance in the near future, you will need to either remove the freeze or lift it temporarily for a specific time or specific party (e.g., potential landlord, employer, etc.). Check with your credit reporting company for the costs and lead times associated with temporarily lifting a freeze. If you coordinate with the party, you can find out which company they are contacting, and simply lift the freeze for that company instead of all three.
  3. Alternatively, if someone has misused your information, place a fraud alert. While a credit freeze locks down your credit, a fraud alert allows creditors to access your report as long as they take steps to verify your identity.  For instance, if you provide a phone number, the business must call you to verify that you are the person making the credit request. This may prevent someone from opening new credit accounts in your name, but won’t prevent misuse of your existing accounts (i.e., bank, credit card, insurance), which you should still monitor for fraudulent transactions. You need only ask one of the three credit reporting companies to put a fraud alert on your report; it will contact the other two.  Fraud alerts are free, but require you to provide proof of your identity. They come in three kinds: (a) an initial fraud alert (90 days, renewable), (b) an extended fraud alert (7 years), and (c) an active duty military alert (one year, for service members who are deployed).
  4. Monitor your existing credit card and bank accounts closely. As stated above, credit freezes and fraud alerts help prevent the opening of new accounts using your information, but they may not prevent misuse of your existing accounts. For the next couple of months, put a note in your calendar to sit down and go through each bank and credit card statement for any charges you do not recognize.
  5. File your taxes early. Tax identity theft can occur when someone uses your Social Security number to get a tax refund or a job.  You may recall that in 2015 hackers obtained sensitive information and used it to authenticate to the IRS Get Transcript application, retrieving tax records belonging to approximately 724,000 taxpayers. More recently, the IRS announced the compromise of an online tool used to fill out FAFSA student aid applications. By filing your taxes as soon as you have the information you need, you can help prevent a scammer from filing in your name. Respond to any letters from the IRS right away.

Contact Information for the Three Credit Reporting Companies:

  1. TransUnion — 1-800-680-7289
  2. Experian — 1-888-397-3742
  3. Equifax — 1-888-766-0008

On August 7, 2017, the U.S. Securities and Exchange Commission (SEC), through its Office of Compliance Inspections and Examinations (OCIE), published a Risk Alert summarizing observations on how broker-dealers, investment advisers, and investment companies have addressed cybersecurity issues. The OCIE examined 75 financial firms registered with the SEC, focusing on the firms’ written cybersecurity policies. The OCIE observed increased cybersecurity preparedness since a similar 2014 initiative, but also noted areas of compliance and oversight that could be improved.

In particular, the OCIE observed that almost all firms that were examined maintain cyber-security related written procedures regarding protection of customer and shareholder records and information. Additionally, the examinations confirmed many of the firms are conducting cybersecurity risk assessments, penetration tests and vulnerability scans, and maintaining clearly defined cybersecurity organizational charts for workforces. However, the OCIE also observed that, in some cases, firms are administering vague or unclear cybersecurity policies, are not adequately following cybersecurity policies, or are not conducting adequate system maintenance to address system vulnerabilities. The Risk Alert concluded that, despite some improvements, cybersecurity remains one of the top compliance risks for financial firms. The OCIE noted that it will continue to monitor financial firms’ compliance in this area.

To view the Risk Alert, click here.


On August 1, 2017, the Senate introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”, which aims to bolster the security of government-acquired IoT devices.  Sponsored by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the bill would require connected devices purchased by government agencies to be patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities.

The bill would also require each executive agency head to inventory all connected devices used by the agency.  OMB and DHS would establish guidelines for the agencies based on DHS’s Continuous Diagnostics and Mitigation (CDM) program.  Specifically, the bill directs OMB to develop alternative network-level security requirements for devices with limited data processing and software functionality.  It also directs DHS to issue guidelines on the coordinated vulnerability disclosure policies that contractors providing connected devices to the U.S. Government would be required to adopt.  Finally, researchers would be exempted from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaging in good-faith research pursuant to those adopted coordinated vulnerability disclosure guidelines.

This legislation follows calls for more security standards addressing IoT devices to further safeguard information from attack. For example, the Government Accountability Office (GAO) recently recommended that the Department of Defense update its policies to address IoT risks that leave its systems vulnerable to attack.  In addition, President Trump’s executive order on cybersecurity (Executive Order 13800) called for reports with recommendations to reduce the threat of botnets and other automated distributed attacks.

In a press release, Senator Warner, co-chair of the Senate Cybersecurity Caucus (SCC), states that the bill would provide “thorough, yet flexible guidelines for Federal Government procurements of connected devices.”  In the same statement, the SCC’s other co-chair, Sen. Gardner, states the bill would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.”

To view the introduced legislation, click here.

To view the public statement, click here.

To view the fact sheet summary, click here.


An Alabama man has been sentenced to six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in “phishing,” creating fake email accounts that impersonated email providers and sending numerous women requests to change their email passwords. He was thereby able to obtain their passwords and access private information, including personal photographs, which he stored on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although unusually extensive, Maldonado’s phishing technique is a common strategy hackers use to obtain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying the information in an email, such as the company name, the actual sender address (not just the display name), and the real destination of any links embedded in the message. Personal firewalls and security software can provide additional protection if needed.
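The checks described above (does the sender address really belong to the provider, and do the links go where their text says they go) can be automated. The following Python script is an added example written for this post; it is not code from the U.S. Attorney’s release or from any tool named here. It assumes a set of domains the legitimate provider sends from (TRUSTED_DOMAINS, a placeholder) and runs over two constructed messages: a password-reset lure of the kind Maldonado sent, and a benign message for comparison. The registrable-domain helper is deliberately crude (last two labels); production code should consult the public suffix list.

```python
"""Flag common phishing tells in a raw email message (added example).

Checks: (1) the From: domain is not a known provider domain, (2) a link's
visible URL text points to a different host than its href, and (3) an href
host embeds a trusted domain name but is registered elsewhere, e.g.
mailprovider.example.attacker.test (a look-alike subdomain).
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (placeholder): the domains the legitimate provider sends from.
TRUSTED_DOMAINS = {"mailprovider.example"}

# Constructed sample lure, not a real message: a "change your password"
# request whose sender address and link both imitate the provider.
PHISH_EMAIL = """\
From: "Mail Provider Support" <support@mailprovider-secure.example>
To: victim@mailprovider.example
Subject: Action required: confirm your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you confirm it at
<a href="http://mailprovider.example.attacker.test/reset">https://mailprovider.example/reset</a>
within 24 hours.</p></body></html>
"""

# Constructed benign message from the real provider, for comparison.
BENIGN_EMAIL = """\
From: "Mail Provider" <support@mailprovider.example>
To: victim@mailprovider.example
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<html><body><p>See the <a href="https://mailprovider.example/help">help center</a>.</p></body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; a bare 'host/path' is treated as http://."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: the last two labels. Assumption: real code
    would use the public suffix list so that co.uk-style suffixes work."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return a list of findings for the message; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Check 1: the display name is attacker-controlled; only the address counts.
    _display_name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    if registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"From: domain {sender_domain!r} is not a known provider domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return findings
    extractor = _LinkExtractor()
    extractor.feed(body.get_content())

    for href, text in extractor.links:
        href_host = host_of(href)
        # Check 2: visible text that looks like a URL must match the real target.
        if "://" in text or text.startswith("www."):
            if host_of(text) != href_host:
                findings.append(f"link text shows {host_of(text)!r} but points to {href_host!r}")
        # Check 3: trusted name embedded in a host registered somewhere else.
        href_reg = registered_domain(href_host)
        if href_reg not in TRUSTED_DOMAINS:
            if any(trusted in href_host for trusted in TRUSTED_DOMAINS):
                findings.append(f"look-alike link host {href_host!r} (registered as {href_reg!r})")
            else:
                findings.append(f"link points to untrusted host {href_host!r}")
    return findings


if __name__ == "__main__":
    for finding in analyze(PHISH_EMAIL):
        print("-", finding)
```

Run against PHISH_EMAIL the script reports three findings (untrusted sender domain, link text/target mismatch, look-alike host); against BENIGN_EMAIL it reports none. The sender check only inspects the header the attacker wrote, so in practice it should be paired with SPF/DKIM/DMARC results from the receiving mail server.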

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

This month, the Federal Trade Commission (FTC) issued guidance for businesses operating websites and online services that need to comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA governs the collection of personal information from children under 13.  Importantly, whether a website is “directed to children under 13” (and thus subject to certain COPPA requirements) depends on a variety of factors, so even websites that do not target children as their primary audience may be subject to COPPA based on the site’s subject matter, visual and audio content, ads on the site that may be directed to children, and other factors.

The FTC’s guidance notes that the COPPA regulations were updated in July 2013 to reflect changes in technology, and reminds businesses that violations can result in law enforcement actions as well as civil penalties.  The compliance guidance sets out steps for (1) determining whether your business is covered by COPPA; (2) if so, what must be done to comply, including privacy policy provisions and notifying parents and obtaining their verifiable consent; (3) providing methods for parents to review or delete information and to revoke consent; and (4) implementing reasonable security procedures. Finally, the guidance provides a chart describing limited exceptions to the parental consent requirement.

  • Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
  • Step 2: Post a Privacy Policy that Complies with COPPA.
  • Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
  • Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
  • Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
  • Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
  • Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

The six COPPA compliance steps are described below. To view the FTC’s full guidance webpage, click here.

NOTE:  In addition to COPPA, it may be worth determining whether California’s similarly named (but broader) California Online Privacy Protection Act (“CalOPPA”) applies to your business and, if so, whether additional compliance measures are necessary. CalOPPA applies whenever a website or app collects “personally identifiable information” or PII (as defined in the state’s business code) from a California resident, and thus reaches the vast majority of online businesses, even those not based in California.