The Federal Communication Commission’s long-awaited – and much debated – privacy rules for Internet Service Providers have now been adopted. The agency approved the rules by a 3-2 vote along political party lines last Thursday. Several of the FCC requirements are particularly notable for being more restrictive than the Federal Trade Commission’s standards for consumer online privacy. In this post we provide an overview of some of the new FCC rules and highlight key areas where the FCC’s requirements diverge from the FTC’s framework.
Close followers of the cases FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD know that the litigation has prompted increased Congressional oversight of the Federal Trade Commission’s data security enforcement practices. Prior to Wyndham and LabMD, Congressional debates on the FTC’s data security practices centered on whether the Commission should have additional tools to address these issues, including traditional rulemaking authority to create new data security rules, civil penalty authority to fine violators, or authority over the activities of non-profit entities. To the extent Congress questioned the FTC’s enforcement decisions in this pre- Wyndham and LabMD era, those inquires typically focused on the length of time of FTC settlement agreements, while relatively little attention was paid to how the Commission provided notice of its data security standards or how the Commission chose its enforcement targets. Wyndham and LabMD fundamentally shifted this debate.
On October 13, the Federal Trade Commission held a workshop on drone privacy and cybersecurity as part of its Fall Technology Series. Close watchers of the drone privacy debate would recognize the arguments presented at the FTC workshop as reminiscent of the comprehensive and productive debate over drone privacy played out before the National Telecommunications and Information Administration earlier this year. The NTIA process concluded with the release of Best Practices for drone privacy supported by a diverse group of industry members and civil society representatives. Although the FTC’s workshop was in many ways a reprise of the NTIA multi-stakeholder debate, the workshop was notable insofar as the public gained new insights into FTC staff views on drone privacy and cybersecurity.
On August 29, 2016, the Federal Aviation Administration’s long-awaited small unmanned aircraft systems rule went into effect, for the first time broadly authorizing commercial drone operations. This is a positive step, as drones have great safety and efficiency benefits for the public. Nevertheless, the American public remains concerned about drone privacy issues.
The U.S. Department of Education and Department of Justice recently weighed in on the obligations of school districts, colleges, and universities to provide civil rights protections for transgender students. On May 13, 2016, the Departments issued a Dear Colleague Letter that summarizes the responsibilities of school districts, colleges, and universities that receive federal financial assistance under the Departments’ interpretation of federal law, including Title IX of the Education Amendments of 1972 and the Family Education Rights and Privacy Act. Here, we focus on the DCL’s guidance pertinent to compliance with FERPA.
Energy-sector cybersecurity and privacy is generating significant attention of late. Last month, the Federal Energy Regulatory Commission issued a final rule creating new standards for the cybersecurity of the electric grid. FERC followed this issuance with a report on electrical grid recovery and restoration planning that makes a number of recommendations for improved cyber-incident response and recovery plans.
In parallel, the U.S. Congress is working on a variety of measures to combat perceived cybersecurity and privacy threats related to the powergrid. The failure of the powergrid in Ukraine due to security breaches; reports of ISIS and other foreign threats attempting to hack the U.S. grid; and news reports about the sensitivity of data on home energy usage have added a sense of urgency to this work.
Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. The spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce.
After a prolonged debate and months-long consideration of amendments, the Senate has passed S. 754, which includes the Cybersecurity Information Sharing Act (“CISA”) of 2015, by a vote of 74-21. CISA has the support of the White House and many industry stakeholders, but some of the most well-recognized privacy advocacy organizations oppose it. The House of Representatives must now decide whether to pass CISA or work with the Senate on compromise legislation that incorporates the House cybersecurity information sharing bills, H.R. 1560 and H.R. 1731. It remains to be seen what form the final cybersecurity information sharing bill will take, but the Senate’s overwhelming vote for CISA suggests that the chances for overall passage are stronger than ever.
On Monday, August 3, the National Telecommunications and Information Administration kicked off the multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. As we previously reported, the NTIA action follows the White House’s February 15, 2015, Presidential Memorandum directing NTIA to lead private sector groups toward the creation of commercial UAS standards and the NTIA’s request for comments on privacy, transparency, and accountability issues related to the use of UAS.
On March 16, the U.S. Commerce Department’s Internet Policy Task Force published a Request for Public Comment for input on the key cybersecurity issues affecting the digital ecosystem and digital economic growth. The IPTF aims to coordinate and facilitate consensus-based multistakeholder processes to generate collective guidance and identify best practices. Through this effort, the IPTF seeks to broaden the focus of federal cybersecurity efforts beyond securing critical infrastructure. A number of key cybersecurity challenges have been identified in the Request for Public Comment, and the IPTF is inviting commenters to highlight other topic areas that the IPTF should consider including as part of this process.
On March 4, the U.S. Commerce Department’s National Telecommunications and Information Administration announced it is seeking comments on how to structure a new multistakeholder process to develop best practices for commercial and private unmanned aircraft systems use. NTIA also announced that it will likely hold its first multistakeholder meeting within 90 days.
On February 15, the White House issued a Presidential Memorandum on safeguarding privacy, civil rights, and civil liberties in the domestic use of Unmanned Aircraft Systems. The memorandum launches a multi-stakeholder process to establish voluntary baseline privacy standards for commercial use of UAS and establishes principles that will govern the federal government’s use of UAS.
The Federal Trade Commission yesterday released its staff report on the Internet of Things. The report summarizes the FTC’s November 2013 workshop, “The Internet of Things: Privacy and Security in a Connected World,” and provides FTC staff recommendations in this area. Notably, the report also describes best practices for data security and data minimization, and reaffirms the FTC’s commitment to notice and choice principles. We provide below an overview of the staff’s recommendations and the concurring and dissenting views of Commissioners Ohlhausen and Wright.
Tonight, the President’s State of the Union address covered, as he put it, “the tasks that lie ahead.” Among the policy initiatives that he proposed, he “urge[d]…Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” What he was referring to is a set of cybersecurity and info sharing initiatives and privacy and data security proposals that the White House started rolling out last week. The President also alluded to a report to be released next month that will address the Administration’s actions to curtail domestic surveillance programs. We provide here excerpts of the President’s address that discuss cybersecurity, data security, and privacy.
Today, the President spoke at the Federal Trade Commission on the importance of preventing identity theft and improving consumer and student privacy. Today’s speech has been billed as a first look at a broader White House policy initiative on cybersecurity, identity theft, and privacy that will continue this week and will be included in the President’s State of the Union address to Congress on January 20th. Tomorrow, the President will highlight the work of the Department of Homeland Security and the importance of public-private collaboration on cyber threats and is expected to release policy proposals over the coming weeks.
Six months after release of the Framework for Improving Critical Infrastructure Cybersecurity, on August 21 the National Institute of Standards and Technology put forward a draft Request For Information to learn more about experiences with and effectiveness of the Framework. Through the RFI process, NIST seeks to better understand how organizations in all critical infrastructure sectors are approaching and making specific use of the Framework. Responses to the RFI are expected to shape the agenda for NIST’s 6th Cybersecurity Framework Workshop, its first following the Framework’s release.
On January 1, 2014, California Assembly Bill 370 will go into effect, requiring operators of websites and other online services, including mobile applications, to provide new disclosures in their website privacy policies about online tracking.