Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later. The hotel chain paid a penalty to the State of New York for its handling of that incident. The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy
Christopher Harvie is a Member in the Washington, DC office. Chris focuses chiefly on legal, policy, and legislative issues affecting cable and telecommunications companies. He has represented clients in proceedings before the Federal Communications Commission, Congress, federal and state courts, and state and local regulatory bodies. Chris assists clients on a broad range of cable television legal and policy matters, including cable franchising and regulation, privacy, programming agreements, content licensing and copyright, rate regulation, set-top box issues, inside wiring, and broadband network policy.
As we previewed last week, the Federal Communications Commission (FCC) has adopted new privacy rules that govern Internet service providers’ (ISPs) handling of broadband customer information. Though the Wireline Competition Bureau stated that it expects it will be at least several days before the final Order is released to the public, the FCC released a fact sheet describing the rules as adopted.
These rules are the culmination of a process that began in 2015 with the reclassification of Broadband Internet Access Service (BIAS) as a common carrier telecommunications service regulated under Title II of the Communications Act. As a consequence of reclassification, the obligations established under the privacy framework adopted by the Federal Trade Commission (FTC) no longer applied to ISPs due to the common carrier exception in Section 5 of the FTC Act. Accordingly, the FCC determined that the privacy protections governing telephone customer proprietary network information (CPNI) set forth in Section 222 of the Communications Act would now apply to ISPs’ provision of BIAS.
On April 1, 2016, the Commission released a Notice of Proposed Rulemaking setting forth proposed privacy and data security rules that would govern ISPs’ provision of BIAS. The rules originally proposed by the FCC would have subjected ISPs to significantly greater constraints on their ability to use customer data for advertising, marketing, and offering customized services and features than the FTC’s privacy framework, which continues to apply to websites, apps, and all other entities in the Internet ecosystem other than ISPs. For example, while the FTC framework applies differing choice mechanisms (i.e., opt-in, opt-out, or implied consent) depending on the sensitivity of the data being collected and the context of its use, the FCC initially proposed to apply a default opt-in regime to virtually all data – rejecting any distinctions based on data sensitivity.
In response to comments from the FTC and others in the proceeding, the final rules adopted by the FCC align more closely with the FTC framework, though some important differences remain. Continue reading for key elements of the proposed rules. Continue Reading What You Need to Know about the New Broadband Privacy Regulations
As we wrote previously, the federal government released several guidance documents last month implementing the Cybersecurity Information Sharing Act (CISA). Among these was the Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under CISA published by the Department of Homeland Security and Department of Justice. This document provides guidance on the circumstances in which personal information of a specific individual may – or may not – need to be shared in order to adequately describe a cyber threat indicator (CTI). In addition, the release identifies certain categories of information likely to be considered individually identifiable information unrelated to a cybersecurity threat, and provides guidance on sharing CTIs with the government in a manner covered by the Act’s liability protections. Continue Reading CISA Guidelines (Part 3): Guidance to Assist Non-Federal Entities
FCC Chairman Tom Wheeler has announced that a proposed rulemaking is being circulated among the Commissioners that would establish privacy and data security requirements applicable to providers of broadband Internet access service (BIAS). The Notice of Proposed Rulemaking (NPRM) itself will not be released to the public until the end of March when it is scheduled for a vote, but Chairman Wheeler released a summary of his proposal on Thursday.
In adopting the Open Internet Order, which reclassified BIAS as a telecommunications service subject to Title II of the Communications Act, the FCC determined that the privacy provisions of Section 222 of the Communications Act that govern how call detail and call record information are used and protected by providers of telecommunications services also would apply to BIAS providers. The Commission concluded, however, that its rules implementing the privacy provisions of that Title were ill-suited for broadband privacy, and opted to forbear from applying those rules to BIAS providers. Instead, the Commission stated that it would establish a new privacy framework applicable to BIAS providers, and last week’s announcement represents the start of that process. Continue Reading FCC Announces Broadband Privacy Proposal
Verizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent. Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads. In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer. For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt out of the insertion of UIDH into their Internet traffic.
Last week, we discussed the Federal government’s first steps toward implementing the Cybersecurity Information Sharing Act (CISA). Among the guidance documents released by the Department of Homeland Security and the Department of Justice were the Privacy and Civil Liberties Interim Guidelines. This guidance is designed to apply Fair Information Practice Principles (FIPPs) to Federal agency receipt, use and dissemination of cyber threat indicators consistent with CISA’s goal of protecting networks from cybersecurity threats.
FIPPs form the core of many federal and state privacy laws as well as the basis for privacy best practices across numerous industries and government agencies. This guidance applies them to federal agency collection of cyber threat indicators as described below. In practice, the government intends that application of some FIPPs to cyber threat indicators shared via the Department of Homeland Security’s Automated Indicator Sharing (AIS) tool, which we referenced here, will be effectuated via capabilities embedded within the AIS mechanism. Continue Reading CISA Guidelines: Privacy and Civil Liberties Interim Guidelines for Federal Agencies
This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning here.
As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information. Continue Reading Cyber Threat Information Sharing Guidelines Released by DHS
Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas. The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.
Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information both between the government and the private sector and between private companies themselves. Continue Reading Happy New Year – Cybersecurity Information Sharing Act