Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Policy and Regulatory Positioning

Congress Funds Cybersecurity: Spending Bill Allocates over $1 Billion to Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

The final spending bill of the 113th Congress, which keeps the government doors open until September 30th of 2015, was passed by the House on December 11th, the Senate on the 13th, and signed by the President on December 16th. It is a $1.1 trillion omnibus spending bill that will direct well over $1 billion toward cybersecurity. Among other things, it will provide $675,500,000 for the National Institute of Standards and Technology (NIST) scientific and technical core programs, which includes $15,000,000 for the National Cybersecurity Center of Excellence, up to $60,700,000 for cybersecurity research and development, $4,000,000 for the National Initiative for Cybersecurity Education, and $16,500,000 for the National Strategy for Trusted Identities in Cyberspace. It also allocates funds to various other federal agencies specifically for cybersecurity, as well as to federal investigative agencies to combat cybercrime. Some of the funds are directed toward developing a more robust cybersecurity workforce, including $35 million to the General Services Administration (GSA) for construction of a “civilian cyber campus” that would house federal employees and contractors dedicated to the civilian cyber security mission. According to a GSA prospectus on the project, the goals of the ... Continue Reading

Congress Confirms NIST’s Role in Cybersecurity – and the Continuation of the Cybersecurity Framework

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Cybersecurity Enhancement Act of 2014 (CEA) was passed by the House and the Senate on December 11th, and signed by the President on the 18th. The bill formalizes the role of the National Institute for Standards and Technology (NIST) in continuing to develop the voluntary Cybersecurity Framework. Through five “titles,” the bill includes provisions to promote cybersecurity research, private/public sector collaboration on cybersecurity, education and awareness and technical standards, which includes a federal cloud computing strategy.

Title I of the CEA, entitled “Public-Private Collaboration on Cybersecurity,” amends the NIST Act to permit the Secretary of Commerce, through the Director of NIST, to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure – this would be the Cybersecurity Framework. It requires the Director of NIST to coordinate continuously with, and incorporate the industry expertise of, relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations.  It also requires the Director of NIST to consult with the heads of agencies with national security responsibilities, sector-specific agencies, state and local governments, governments ... Continue Reading

Congress Passes Cybersecurity Workforce Legislation

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Border Patrol Agent Pay Reform Act of 2014 was passed by the Senate on September 18th, by the House on December 10th, and signed by the President on December 18th. It contains provisions from the Cybersecurity Workforce Recruitment and Retention Act of 2014, which allows the Secretary of the Department of Homeland Security (DHS) to establish cybersecurity positions within DHS to better meet its cybersecurity mission. Another piece of legislation, the Cybersecurity Workforce Assessment Act (CWAA), was passed by the Senate on December 10th, by the House on December 11th, and was also signed by the President on December 18th. It requires DHS to evaluate and enhance its cybersecurity workforce. It requires the Secretary of DHS, within 180 days of the enactment of the CWAA and then annually for the next three years, to assess the cybersecurity workforce of DHS. Among other things, the assessment is to include an evaluation of the readiness and capacity of the DHS workforce to meet its cybersecurity mission.

Comprehensive workforce strategy: The CWAA requires the Secretary of DHS, within one year of its enactment, to develop a comprehensive workforce strategy ... Continue Reading

Congress Passes The Federal Information Security Modernization Act of 2014: Bringing Federal Agency Information Security into the New Millennium

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Federal Information Security Modernization Act of 2014 (FISMA) was passed by the Senate on December 8th, by the House on December 10th, and signed by the President on December 18th. It is a comprehensive bill intended to bring federal agency information security practices into the new millennium – to better respond to evolving cybersecurity threats. FISMA updates the Federal Information Security Management Act of 2002, and provides a comprehensive framework for ensuring the effectiveness of information security controls over federal information operations and assets. It recognizes the highly networked nature of current federal computing environments and the complex task of coordinating information security efforts throughout the civilian, law enforcement and national security communities. It also acknowledges that commercially developed information security products offer effective information security solutions, and that the choice of specific information security solutions from among commercially developed products should be left to individual agencies.

FISMA oversight: FISMA reestablishes the oversight authority of the Director of Office of Management and Budget (OMB) with respect to federal agency information security policies and practices. This includes the development and implementation of principles, standards and guidelines pertaining to information security within federal agencies, and coordinating the development of ... Continue Reading

Congress Passes the National Cybersecurity Protection Act: Codifies National Cybersecurity Center & Creates Federal Agency Data Breach Notification Law

Posted in Cyber and National Security, Policy and Regulatory Positioning

The National Cybersecurity Protection Act of 2014 (NCPA) was passed by the House on December 8th, by the Senate on December 10th, and signed by the President on December 18th. Senate Committee on Homeland Security and Governmental Affairs Chairman Tom Carper (D-Del.) issued the following statement regarding the NCPA: “Cybersecurity is one of the biggest national security challenges our country faces. Our laws should reflect that reality. By codifying the Department of Homeland Security’s existing cybersecurity operations center, the National Cybersecurity Protection Act of 2014 bolsters our nation’s cybersecurity while providing the department with clear authority to more effectively carry out its mission and partner with private and public entities. It is critical that the department continues to build strong relationships with businesses, state and local governments, and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur.”

Codification of the National Cybersecurity and Communications Integrity Center: The NCPA codifies the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integrity Center (NCCIC). The bill directs the NCCIC to provide a number of services, ... Continue Reading

Cybersecurity Legislation Focuses on Federal Government Initiatives – Leaves Private Sector Reforms for 2015

Posted in Cyber and National Security, Policy and Regulatory Positioning

One of the few things the parties in Congress can agree upon these days is cybersecurity – at least when it comes to directing the federal government’s cyber activities.  In its final days, the 113th Congress reached agreement on several major pieces of legislation intended to improve the nation’s cybersecurity: the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Border Patrol Agent Pay Reform Act of 2014 (a bill that contains provisions from the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014), the Cybersecurity Workforce Assessment Act, and the Cybersecurity Enhancement Act of 2014. All of these were signed by the President on December 18th, and will be funded by a $1.1 trillion spending package signed by him on December 16th. In total, the bills update the federal government’s roles and responsibilities with respect to planning for and responding to cyber threats, helping them move into the 21st century with a trained workforce.  What is notably absent in this nicely wrapped package of bills, however, is any meaningful reforms for the private sector.

Subsequent posts will provide details ... Continue Reading

FCC Reaffirms Fax Ads Sent With Recipients’ Prior Permission Require Opt-Out Notice

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

But Grants Retroactive Waivers to Petitioners Who Sent Permission-Based Faxes Without Opt-Out Notices

The Federal Communications Commission has issued an Order sustaining its rule that even ads faxed with the permission of the recipient must include a notice with instructions for how to opt out of future faxes. The Order responds to a passel of petitions that argued the Telephone Consumer Protection Act’s (TCPA) “junk fax” provision and attendant opt-out requirement apply only to “unsolicited” fax advertisements, and thus do not cover faxes “solicited” by those who consent to receive the faxed ads.

However, while staunchly defending its statutory authority to adopt an opt-out notice rule for permission-based faxes, and that it was a logical outgrowth of its rulemaking notice, the FCC recognized that its order adopting the rule may have been confusing on this point. It accordingly granted retroactive waivers to petitioners with temporary relief from any past obligation to have opt-out notices on permission-based faxes. The waivers give petitioners who received them a six-month window to come into compliance with the opt-out requirement, and the FCC invited similarly situated parties to seek similar waivers, strongly suggesting that such requests must be on file within the next six months.... Continue Reading

Second Circuit Adopts FCC’s Narrow Construction of “Implied” Express Consent for Autodialed Calls to Cell Phones

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

This updates our report last summer on a Federal Communications Commission (FCC) letter brief filed at the invitation of the U.S. Court of Appeals for the Second Circuit in Nigro v. Mercantile Adjustment Bureau, which observed the FCC taking a noticeably less generous view of its then-recent declaratory rulings on whether consumer provision of a cell number is deemed consent to autodial it under the Telephone Consumer Protection Act (TCPA). We noted at that time that, “It would be a shame if, in the FCC’s view, calls in the course of ‘normal, expected and desired business communications’ are permissible only if no one objects after-the-fact.” The Second Circuit has now issued an opinion adopting the view in the FCC’s letter brief, holding that because Nigro did not provide his phone number directly to the creditor in the context of the debt incurred (in respect to which Mercantile called), the TCPA prohibited the calls.

To recap, when Nigro contacted his recently deceased mother-in-law’s electric utility to stop service, he gave them a cell number, which Mercantile later called using an automatic dialing system to collect a remaining balance on the mother-in-law’s account. Nigro sued on grounds the calls violated the ... Continue Reading

Chip-and-PIN is Coming…To the US Government

Posted in Data Protection, Policy and Regulatory Positioning

Last Friday, in the wake of numerous data breaches, President Obama signed a new Executive Order that will change how federal agencies use payment cards and allow access to certain government portals.  Those changes include the adoption of chip-and-PIN (also known as EMV) payment terminals and cards, and the implementation of multi-factor authentication on digital applications where consumers can access personal information.

The Executive Order requires the executive departments and agencies to deploy chip-and-PIN payment processing terminals at government offices “as soon as possible.”  Legacy payment processing terminals do not have to be replaced immediately but all new terminals purchased after Jan. 1, 2015 must include the necessary hardware to support the enhanced security features.  The Department of Treasury also has until the same deadline to develop a plan on how the agencies can install the associated software-components to support these security features.

More importantly, by Jan. 1, 2015, all Direct Express prepaid debit cards used to pay government benefits will include the embedded chip.  The Office of Management and Budget is also charged with developing plans to replace the cards issued by other federal agencies with payment cards that include the enhanced security features.  In a speech to the ... Continue Reading

Eleventh Circuit Reverses Refusal to Honor FCC’s TCPA Debt Collection Declaratory Ruling, Fosters Uniformity on TCPA’s Autodialing Exception

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The U.S. Court of Appeals for the Eleventh Circuit has brought a bit of legal balance back to automated debt collection calls, and reminded lower courts that when it comes to claims under the Telephone Consumer Protection Act (TCPA), they must honor the validity of FCC rulings.

The Eleventh Circuit’s decision implicates a 2008 declaratory ruling by the FCC regarding automated debt collection calls under the TCPA.  The TCPA and FCC rules implementing it prohibit autodialed and/or prerecorded calls to cell phones, unless there is prior express consent from the call recipient.  The FCC’s Debt Collection Declaratory Ruling from early 2008 held that prior express consent exists where a consumer gives a company his/her cell phone number as part of a transaction, and the company later autodials/prerecorded-calls or texts the consumer in connection with a debt arising from that transaction.

In Mais v. Gulf Coast Collection Bureau, Mais alleged that defendants placed autodialed and/or prerecorded calls to his cellphone without consent, in violation of the TCPA.  The calls followed from Mais’ emergency room treatment, during which his wife completed hospital admission documents and provided her husband’s cellphone number and other information.  Defendants maintained before the U.S. District Court for ... Continue Reading

In Flight Catalog: Senator Rockefeller Opens Inquiry Into Consumer Data Practices by Airlines

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Last week, Senator Jay Rockefeller (D-W.Va.) sent a letter to the top ten revenue generating passenger airlines in the United States, opening an inquiry into their practices related to charging additional fees for optional services and the collection of consumer data. With respect to consumer data, Sen. Rockefeller’s letter calls for greater transparency from airlines about how they collect, use, and disclose the personal information of consumers, citing concerns by consumer advocates that “airline policies can contain substantial caveats” and that “it is difficult for consumers to learn what information airlines and others in the travel sector are collecting, keeping, and sharing about them.” To assist the Senate Committee on Commerce, Science, & Transportation (“Committee”) in evaluating these concerns, Sen. Rockefeller has asked the airlines to provide the following information:

Do you retain personal information that your company obtains from consumers when they shop for airfares or from other sources? If yes:

a.  State the period of time your company retains such information and what specific data points you retain;

b.  State any specific sources for personal information or other such information your company obtains directly from consumers;

c.  Describe the privacy and security protections your company provides for personal ... Continue Reading

Consumer Privacy Legislation? All Sides Weigh In But Remain Far Apart in the Big Debate Over Big Data

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Recent comments filed by various stakeholders in response to the U.S. Commerce Department’s National Telecommunications and Information Administration’s (NTIA) Request for Public Comment (RFC) on “Big Data and Consumer Privacy in the Internet Economy,” evidence a wide rift between consumer groups and most business interests regarding the need for additional consumer privacy law in the era of Big Data. NTIA issued its RFC back in June, in response to a recommendation in the May 1 White House report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “Big Data Report”), which addressed how big data is transforming the lives of Americans.

In the Big Data Report, the White House recommended (among other things) that:

[t]he Department of Commerce should promptly seek public comment on how the Consumer Privacy Bill of Rights (“CPBR”) could support the innovations of big data while at the same time responding to its risks, and how a responsible use framework . . . could be embraced within the framework established by the [CPBR]. Following the comment process, the Department of Commerce should work on draft legislative text for consideration by stakeholders and submission by the President to Congress.

The Consumer Privacy Bill of Rights and Big ... Continue Reading

FTC Undertakes Periodic Rule Review of Telemarketing Sales Rule

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The Federal Trade Commission (FTC) has published in the Federal Register a Request for Comments on all aspects of its Telemarketing Sales Rule (TSR) as part of a routine review of the effectiveness, costs and benefits of its rules. Though the Request for Comments targets several TSR issues in particular (discussed below), it views the review as assessing generally whether the Rule is serving a “useful purpose,” and whether it can be improved to reflect changes in the marketplace since it was previously amended in 2003, 2008 and 2010. Comments are due October 14, 2014.

The Request for Comments does not itself propose specific changes to the TSR but rather invites input on several specific topics, as well as on any issues relevant to the TSR that commenters wish to address. Notably, the advent of the National Do-Not-Call Registry culminating in 2003 started as precisely this kind of “routine” review of the TSR. Here, the FTC specifically seeks comment on issues surrounding:

• Whether there is a need to expand the TSR’s recordkeeping requirements;

• The use of pre-acquired account information, i.e., that which a customer has previously provided to a seller or telemarketer to subsequently charge his or her ... Continue Reading

Pass or Fail? Sens. Markey and Hatch Introduce “Protecting Student Privacy Act” Seeking to Amend FERPA, Increase Protection of Student PII Shared with Private Companies

Posted in Data Protection, Policy and Regulatory Positioning

On July 30, 2014, Sen. Edward J. Markey, D-Mass., made good on his earlier promise to beef up the Family Educational Rights and Privacy Act of 1974 (FERPA) to provide heightened protections for student educational records shared with private companies.

Together with Sen. Orrin Hatch, R-Utah, Markey introduced the “Protecting Student Privacy Act” (S.2690), which would amend FERPA and require schools and school districts to implement various data security protections to safeguard the personally identifiable information (PII) contained in students’ education records, and ties receipt of federal education funding to compliance with the Act’s heightened security standards.

Among the bill’s provisions, the Protecting Student Privacy Act:

  • Requires schools and school districts to protect students’ personally identifiable information (PII) contained in education records maintained by the institution;
  • Prohibits schools and school districts from using, releasing, or providing access to student PII in education records for advertising or marketing services or products;
  • Provides parents with a right to access their children’s PII and challenge, correct, or delete any inaccurate data in the education records held by private companies;
  • Mandates that outside parties such as private companies with whom students’ PII is shared have comprehensive information security policies and procedures in place to ... Continue Reading

“Getting to Know You, Getting to Know All About You…” FTC Data Brokers Report Calls for More Industry Transparency, Regulation in How Data Brokers Use Consumers’ Personal Information

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

“You may not know them, but data brokers know you,” Federal Trade Commission (FTC) Chairwoman Edith Ramirez said when she announced the release of the Commission’s newest report on the data broker industry. And in the FTC’s opinion, Congress and the data brokerage industry need to take concerted action to bring transparency to the industry, protect consumers’ personally identifiable information (PII), and prevent abuse and discrimination. But will the FTC’s recommendations have any real effect? In light of recent statements about “actual” vs. “potential” harm and the expanding scope of the Agency’s Section 5 enforcement authority, the answer is a definite “maybe.”

On May 27, 2014, the FTC released “Data Brokers: A Call for Transparency and Accountability,” a report that marks the conclusion of the FTC’s two-year study into data broker industry practices. Coming on the heels of the White House’s own Big Data Report the FTC’s Data Brokers Report highlights that “[i]n today’s economy, Big Data is big business” with numerous positive effects for both companies and consumers. And data brokers specifically play an important role in driving our economy through increased targeted marketing, identity verification and fraud detection.

But the Data Brokers Report also rang ... Continue Reading

FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA–But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, prerecorded-call and text cell phones. We noted that in one ruling, the FCC in some respects revived a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief they have prior express consent to do so. Now another case extends the Osorio analysis to potentially up the ante again.... Continue Reading

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming…

Has Congress really given the FTC Authority?
As we all know by now, the court rejected Wyndham’s arguments that the FTC’s Section 5 authority does not permit the Commission to create data-security standards for the private sector and enforce them under the “unfairness” prong of section 5. However, Judge Salas’ opinion lacks both an appreciation of the history of the FTC’s unfairness authority and any real analysis of whether this was an issue of ... Continue Reading

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Not the Final Word
As noted in our April 9, 2014 post, it is important to keep in mind what this decision is not. It was not reached by a federal appeals court panel, but by a single federal district court judge, and it only denied a motion to dismiss the FTC’s complaint. The scope of the FTC’s authority under Section 5 may well be challenged in other district courts, and it is at least possible that Wyndham might ask the district court here to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power (and in any event, the holding ... Continue Reading

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stating that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

With the April 7, 2014 decision of Judge Esther Salas of the District Court of New Jersey in FTC v. Wyndham Worldwide Corp., that elephant has left its hiding place, and has exploded the mousehole in the process. Most notably, Judge Salas held that the FTC’s authority under the “unfairness” prong of Section 5 of the statute, includes the power to prosecute stand-alone cases where a company is alleged generally to have “fail[ed] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”

In reaching its decision, the Court provided little additional guidance for companies as to what “reasonable” data security means, and—by rejecting defendant’s “fair notice” argument—would not require the FTC to promulgate rules and regulations in advance of enforcement actions, preferring ... Continue Reading

Updated Location Privacy Protection Act Introduced

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning, Surveillance

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Under the proposed legislation, companies collecting geolocation data from more than 1,000 devices in ... Continue Reading

Google “Street View” case may be headed for SCOTUS Review

Posted in Communications/Media, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014... Continue Reading.

Caution: Your Company’s Biggest Privacy Threat is…the FTC

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.... Continue Reading

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ... Continue Reading

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent NIST’s perspective on threats and cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to ... Continue Reading