Photo of Ari Moskowitz

Ari Moskowitz an Associate in the Communications Practice, is based in the firm’s Washington, DC office. As a Certified Information Privacy Professional (CIPP), he provides guidance on compliance with privacy regulations including the Children’s Online Privacy Protection Act, cross-border data protection regulations, and data breach notification laws. Ari also advises telecommunications and technology clients on matters before the FCC, the Copyright Office, and state regulatory commissions.

 

 

As we previewed last week, the Federal Communications Commission (FCC) has adopted new privacy rules that govern Internet service providers’ (ISPs) handling of broadband customer information.  Though the Wireline Competition Bureau stated that it expects it will be at least several days before the final Order is released to the public, the FCC released a fact sheet describing the rules as adopted.

These rules are the culmination of a process that began in 2015 with the reclassification of Broadband Internet Access Service (BIAS) as a common carrier telecommunications service regulated under Title II of the Communications Act.  As a consequence of reclassification, the obligations established under the privacy framework adopted by the Federal Trade Commission (FTC) no longer applied to ISPs due to the common carrier exception in Section 5 of the FTC Act.  Accordingly, the FCC determined that the privacy protections governing telephone customer proprietary network information (CPNI) set forth in Section 222 of the Communications Act would now apply to ISPs’ provision of BIAS.

On April 1, 2016, the Commission released a Notice of Proposed Rulemaking setting forth proposed privacy and data security rules that would govern ISPs’ provision of BIAS.  The rules originally proposed by the FCC would have subjected ISPs to significantly greater constraints on their ability to use customer data for advertising, marketing, and offering customized services and features than the FTC’s privacy framework, which continues to apply to websites, apps, and all other entities in the Internet ecosystem other than ISPs.  For example, while the FTC framework applies differing choice mechanisms (i.e., opt-in, opt-out, or implied consent) depending on the sensitivity of the data being collected and the context of its use, the FCC initially proposed to apply a default opt-in regime to virtually all data – rejecting any distinctions based on data sensitivity.

In response to comments from the FTC and others in the proceeding, the final rules adopted by the FCC align more closely with the FTC framework, though some important differences remain.  Continue reading for key elements of the proposed rules. Continue Reading What You Need to Know about the New Broadband Privacy Regulations

As we reported last month, the FCC was preparing a proposed rulemaking (NPRM) to establish privacy and data security requirements for broadband internet access service (BIAS) providers.  The FCC has now released that proposal with comments and reply comments due May 27th and June 27th respectively.

The brief background to this proposal is that in 2015, the FCC adopted net neutrality rules in Open Internet Order, which reclassified BIAS as a common carrier telecommunications service subject to regulation under Title II of the Communications Act.  The Commission determined that, as a consequence of reclassification, Section 222 of the Communications Act, which is part of Title II, would now apply to BIAS providers. Section 222 regulates a telecommunications carrier’s use and disclosure of Customer Proprietary Network Information (“CPNI”) – which includes information related to the quantity, location, and amount of use of a telecommunications service.  The FCC concluded in its Open Internet Order that the rules implementing Section 222 were telephone-centric and ill-suited to BIAS, and so chose to forbear from applying those rules to ISPs.  With this latest release, the FCC is proposing a new set of rules implementing Section 222 that would apply to BIAS providers. Continue Reading FCC Broadband Privacy and Security Proposed Rulemaking Underway

As we wrote previously, the federal government released several guidance documents last month implementing The Cybersecurity Information Sharing Act (CISA).  Among these was the Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under CISA published by the Department of Homeland Security and Department of Justice.  This document provides guidance on the circumstances in which personal information of a specific individual may – or may not – need to be shared in order to adequately describe a cyber threat indicator (CTI).   In addition, the release identifies certain categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat, and provides guidance on sharing CTIs with the government in a manner covered by the Act’s liability protections. Continue Reading CISA Guidelines (Part 3): Guidance to Assist Non-Federal Entities

 

FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS).  The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.

In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act that govern how call detail and call record information are used and protected by providers of telecommunications services also would apply to BIAS providers.  The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers.  Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process.  Print Continue Reading FCC Announces Broadband Privacy Proposal

cookiesVerizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent.  Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads.  In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer.  For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt-out of the insertion of UIDH into their Internet traffic.

Continue Reading Verizon Settles Supercookie Probe with FCC

Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA).  Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines.  This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.

FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies.  This guidance applies them to federal agency collection of cyber threat indicators as described below.  In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism. Continue Reading CISA Guidelines: Privacy and Civil Liberties Interim Guidelines for Federal Agencies

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • • Establishment a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
  • • Annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
  • • Obtain the certification of an independent certified assessor before implementing any “significant change” to its data security practices that the change would not cause it to fall out of compliance;
  • • Provide all assessments to FTC;
  • • Keep records relied on to prepare each annual assessment for three years; and
  • • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.

Some privacy & security bits and bytes to start your week:

FCC to Hold Public Workshop on Broadband Consumer Privacy Tomorrow

Over the last several months, the Federal Communications Commission has taken on a significantly expanded role on consumer privacy protection issues. Between the FCC’s expanded notion of the type of personal information subject to its authority under Section 222 of the Communications Act that surfaced in the TerraCom and YourTel cases last year and its recent reclassification of broadband Internet access service as a Title II telecommunications service – which was accompanied by a determination that the privacy requirements in Section 222 applicable to telephony could be extended to broadband service – the FCC is showing every intention of expanding its reach over privacy issues..

In the order reclassifying broadband service, the FCC recognized that the currently effective privacy rules are not a good match for broadband Internet access service, as those were written with telephone service in mind. For example, those rules include provisions for the use and disclosure of Customer Proprietary Network Information (CPNI) in connection with voice mail and caller I.D. Therefore, while the FCC applied the statutory privacy requirements of Section 222 to broadband service providers, it forbore from applying its rules implementing that statute pending further proceedings.

The FCC kicks off those further proceedings tomorrow with a public workshop on Broadband Consumer Privacy.  The workshop will include discussions of what subscriber information is collected by broadband Internet access service providers and how that information is used. There will also be a panel discussion of how the Section 222 applies to broadband services. Speakers include FCC Chairman Tom Wheeler and other members of the FCC, as well as representatives from local governments, academia, public interest groups, and broadband service providers.   The Commission will also provide audio and video coverage of the discussion on the FCC’s Web page at www.fcc.gov/livePrivacyMonday_Image

RSA Conference 2015

It is clear that “security” is a big industry:  there were more than 30,000 attendees with more than 9 acres of exhibitor space at last week’s record-breaking RSA Conference 2015 in San Francisco.   BankInfoSecurity has published a “visual journal” here.   I must say, I need to hang out with these guys next year.  They are masters of the swag bag.   CSO Online also has posted an interesting summary of the week here.

From the legal side, Smeeta Ramarathnam, the chief of staff to SEC Commissioner Luis Aguilar, told a Thursday morning panel hat the Securities and Exchange Commission (SEC) is about to “enter a “time of great change” as it pertains to regulation for disclosing cyber security incidents.

The discussion, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility board of directors face in the wake of high-profile breaches, which will indelibly engage investors’ attentions.

“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information.

While the SEC’s Division of Corporation Finance published guidance in 2011 to make companies aware of the agency’s views on what needs to be reported as far as material information disclosure related to cyber incidents, Ramarathnam noted that the guidance provided context for current SEC rules, but no new regulatory obligations for organizations.  Although she did say she expects “much more to come in way of requirements from the SEC” in reporting and disclosure of cybersecurity risks and incidents, by the end of the panel, she had walked that statement back a bit.

REMINDER – Wednesday Webinar – April 29

Don’t miss the next in our 2015 Privacy Webinar series coming up this Wednesday.   Mintz Levin’s Sue Foster will be discussing Compliance with EU Data Protection for US Companies.   Register here.

 

As cyber week continues in Washington, Federal Communications Commission Chairman Tom Wheeler traveled to the west coast to speak about cybersecurity at the RSA Conference in San Francisco.  Wheeler noted that the FCC has several charges to protect against cyber-attacks and similar threats, including the agency’s responsibility to protect the safety of communications networks generally, as well as its responsibility to protect the privacy of consumer data collected by communications providers.

Wheeler centered his remarks on information sharing and accountability by the private sector.  He suggested that the communications industry’s approach to 911 calls – a combination of industry best practices and rules requiring that network outages be reported to the government – could serve as a model for cybersecurity information sharing.  Cyber-attacks should be subject to similar reporting requirements.

He praised the work of the National Institute of Standards and Technology for its Critical Infrastructure Framework, and the FCC’s cybersecurity advisory committee, the Communications Security, Reliability and Interoperability Council (“CSRIC”) for its recommendations, released last month, to assist and encourage communications providers with implementing NIST’s voluntary framework.  He focused specifically on one of CSRIC’s accountability proposals – that members of the communications sector periodically meet with the FCC to discuss their companies’ cyber-risk management efforts.  He acknowledged that the FCC’s goal is not to micromanage implementation of the NIST framework by communications companies, but instead to learn whether the framework and companies’ efforts are actually working to mitigate risk.  He stated that the meetings will not be framed as depositions and sensitive information shared would be protected from public disclosure, but that many of the details regarding the meetings still need to be worked out.  The FCC is seeking comment on this and the other CSRIC recommendations until June 26, 2015.

And, back in Washington, the House of Representatives passed the Protecting Cyber Networks Act on a 307-116 vote over the concerns of civil liberties groups.  Read more:

Wired 

PC World

New York Times