The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


New Article on Standards for Privacy in the Cloud

An interesting article from Kurt Wimmer and Meena Harris

ISO/IEC Develop First-Ever International Standard Focusing on Privacy in the Cloud

Kurt Wimmer, Co-Chair, Privacy and Data Security Group, Covington & Burling LLP
Meena Harris, Associate, Covington & Burling LLP

Those who long have been concerned about a lack of consistent principles to guide the implementation of cloud services now have access to a new tool — one that promises to provide a useful guide to categories and controls in this important and expanding area of our practice.

This past summer, the International Organization for Standardization (“ISO”) together with the International Electrotechnical Commission (“IEC”) published ISO/IEC 27018, a new voluntary code of practice for the protection of personally identifiable information (“PII”) that is processed by a cloud-service provider. Used in conjunction with and as an expansion of ISO/IEC 27002, a best-practice guide for implementing information-security management, ISO/IEC 27018 creates a common set of security categories and controls intended specifically for cloud services. As the first-ever security standard for the cloud, ISO 27018 has the following key objectives:

• Help cloud-service providers that process PII to address applicable legal obligations as well as customer expectations.
• Enable transparency so customers can choose well-governed cloud services.
• Facilitate the creation of contracts for cloud services.
• Provide cloud customers with a mechanism to ensure cloud providers’ compliance with legal and other obligations.

While ISO/IEC 27018 does not replace existing laws and regulations, it provides a global common standard, which is particularly helpful for those cloud providers that offer services to customers in different countries. Because the requirements of such laws and regulations governing the protection of PII vary significantly from country to country, and obligations as between cloud-service providers and their customers can differ according to individual contract terms, ISO/IEC 27018 addresses the special challenges faced by cloud services operating internationally.

ISO states that the new standard is “applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations.” Still, ISO notes that the new standard should be adopted only as a “starting point.” In other words, not all aspects of the standard will be appropriate for all cloud services, and additional controls not included in ISO/IEC 27018 might be necessary for particular services to develop. Likely sometime next year, ISO will release ISO/IEC 27017, which more broadly will address information-security best practices for cloud computing.

In order to achieve ISO/IEC 27018 certification, a cloud service must undergo an audit by an accredited certification body that ensures that the cloud provider:

• Helps customers comply with their obligations to allow end-users to access, correct and/or erase their personal information.
• Processes PII only in accordance with a customer’s instructions.
• Processes PII for marketing or advertising purposes only with the customer’s express consent.
• Discloses information to law-enforcement authorities only when legally bound to do so.
• Discloses the names of any sub-processors and the possible locations where personal information may be processed prior to entering into a cloud-services contract.
• Helps customers comply with their data breach notification obligations.
• Implements a policy for the return, transfer, or disposal of personal data that specifies the retention period following the termination of a contract.
• Agrees to independent information-security reviews at planned intervals or when significant changes occur.
• Enters into confidentiality agreements with staff who have access to personal data and provides them with training.

To maintain certification under ISO 27018, a cloud-services provider must undergo periodic third-party reviews.

Key cloud players in the U.S. and Europe already have announced intentions to become certified under ISO/IEC 27018.


Does Free E-mail Threaten the Attorney Client Privilege and Other Ethical Duties to the Client?

An interesting article by Chris Castle:

http://www.christiancastle.com/articles/2014/10/11/free-email-and-attorney-client-privilege-from-texas-lawyer-22-october-13-2014


Canada’s Anti-Spam Law (CASL) in force July 1

Canada’s Anti-Spam Law (CASL) enters into force on Canada Day, July 1. It was passed in 2010 as a “made-in-Canada” solution to “drive spammers out of Canada”.

Are you outside Canada? It’s important to know that this law reaches beyond Canada’s borders. CASL is already affecting businesses in the United States, Europe and elsewhere as they change their communications practices to send emails and other “commercial electronic messages” into Canada.

As we have described in our presentation Comparing CASL to CAN-SPAM, the new law applies to messages that are accessed by a computer system in Canada. That means that messages sent by a person, business or organization outside of Canada, to a person in Canada, are subject to the law.

CASL expressly provides for sharing information among the Government of Canada, the Canadian CASL enforcement agencies, and “the government of a foreign state” or international organization, for the purposes of administering CASL’s anti-spam (and other) provisions. The MOU among the Canadian CASL enforcement agencies similarly references processes to share and disseminate information received from and provided to their foreign counterpart agencies.

In a speech on June 26, the Chair of the Canadian Radio-television and Telecommunications Commission, Jean-Pierre Blais, emphasized the CRTC’s cooperation with its international counterparts to combat unlawful telemarketers, hackers and spammers that “often operate outside our borders”. The Chairman specifically named “the Federal Trade Commission in the U.S., the Office of Communication (OFCOM) in the U.K., the Authority for Consumers and Markets in the Netherlands, the Australian Communications and Media Authority and others”, and noted that the CRTC has led or participated in many international networks on unlawful telecommunications.

Companies should also take note that a violation of CASL might also result in the CRTC exercising its so-called “name and shame” power, by posting the name of the offender and the violation on its online compliance and enforcement list. The CRTC has for years published notices of violation with respect to its “Do Not Call List”, and is expected to take a similar approach for CASL notices of violation as well.

The CRTC recently published a Compliance and Enforcement Bulletin on its Unsolicited Telecommunications Rules and on CASL, available here. The CRTC recommends implementing a corporate compliance program as part of a due diligence defence:

Commission staff may take into consideration the existence and implementation of an effective corporate compliance program if the business presents the program as part of a due diligence defence in response to an alleged violation of the Rules or CASL. Although the pre-existence of a corporate compliance program may not be sufficient as a complete defence to allegations of violations under the Rules or CASL, a credible and effective documented program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law.


Google Spain Decision – July 2 Discussion

On Wednesday, July 2, PRIS and the Media and Technology committees will host a dial-in to discuss the recent Google Spain “right to be forgotten” case. Please join an expert EU-based panel to learn more about this landmark case and its implications for internet platforms going forward.

When: July 2 at noon ET.

Who: Mark Stephens, UK media law barrister; Professor Judith Rauhofer, privacy scholar; Professor Steve Peers, EU law scholar.

Link to Register: http://www.americanbar.org/content/dam/aba/marketing/20140702_at140702.authcheckdam.pdf

Please feel free to direct any questions – before, during, or after the call – to Gail Slater at lgslater@comcast.net. Thanks.


Senate ‘Malvertising’ Hearing

The Permanent Subcommittee of the Senate Committee on Homeland Security & Governmental Affairs held a hearing last week on the findings of its ‘Online Advertising and Hidden Hazards to Consumer Security and Data Privacy’ report.

In his introductory remarks, Senator John McCain (R-AZ) noted that online advertising is now more profitable than broadcast television advertising. Indeed, online advertising revenue was $42.8 billion in 2013, almost $3 billion more than television advertising.

At the same time, ‘malvertising’ increased over 200% in 2013 to over 209,000 incidents generating over 12.4 billion malicious ad impressions (Testimony of Craig D. Spiezle, Executive Director & Founder of the Online Trust Alliance).

Online advertisements may be used as a vehicle to install malicious software on users’ computers. The software then steals personal information or attacks other computers, most of the time without the user even knowing that his computer has been infected.

Online advertisements are therefore a serious security threat for consumers, yet most consumers are not aware of this issue. During the question session, Mr. Spiezle noted that the issue has been kept quiet for several years. Senator McCaskill (D-MI) reminded panelists that online advertising is the backbone of the Internet economy, yet consumers have not been sufficiently informed that their data is what fuels this economy. Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection at the FTC, stated that the FTC informs consumers about online privacy on its OnGuard Online site.

Who is Responsible?

What should be the responsibility of online advertising companies such as Google and Yahoo!? Senator McCain believes that they “have a responsibility to help protect consumers from the potentially harmful effects of the advertisements they deliver.” However, they do not directly control the advertisements, and as many as five or six companies can be involved in the process of publishing an ad, which makes it quite difficult to determine which company is responsible for having let the malware be installed.

Also, Senator McCain noted that “commercial actors have limited incentives to develop and institute security measures for fear of becoming the liable party if something goes wrong.” However, the representatives of Google and Yahoo! emphasized that their companies have an incentive to fight malvertising in order to retain their customers’ trust.

Senator McCain asked Alex Stamos, Chief Information Security Officer at Yahoo!, if the site was responsible for malware, to which Mr. Stamos answered that Yahoo! takes responsibility for its users’ safety. Pushing further, Senator McCain then asked Mr. Stamos if Yahoo! would reimburse a user whose bank account had been depleted through malware encountered on a Yahoo! site, but Mr. Stamos did not believe that Yahoo! had such a responsibility.

Possible Solutions

George F. Salem, Senior Product Manager at Google, testified that his company has a two-pronged approach to fighting malware: preventing users from even visiting sites infested with malware and disabling ads which carry malware. He also noted that consumers should be careful about downloads, always use the latest version of their browser and also install up-to-date antivirus software, a view shared by Ms. Mithal.

Senator McCain also noted that “another problem in the current online advertising industry is the lack of meaningful standards for security” and expressed frustration that Google and Yahoo!, similar as the two companies are and facing the same problems, do not share the same best-practice standards or implement them in the same way.

Senator McCain asked Ms. Mithal what the solutions to malvertising could be. She answered that increasing consumer education, having more robust industry self-regulation and also more enforcement would be key. Indeed, the FTC has already brought some enforcement actions against companies involved in online advertising for deceptive practices. Ms. Mithal stressed that there should be enforcement against the purveyor of malware but also against third parties that let the purveyor through.

What’s Next?

Several online advertising companies, including Google and Yahoo, announced a new initiative called Trust in Ads that has as its goal the protection of consumers from malicious online advertisements and deceptive practices.

New legislation may be ahead. Senator McCain asked Ms. Mithal if the FTC would need additional tools to protect consumers’ online privacy, and Ms. Mithal mentioned that the FTC has advocated in the past to be given the authority to fine companies that do not maintain reasonable security practices. In her written testimony, Ms. Mithal wrote that the FTC “continues to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law.”


Snapchat Settles FTC Charges That Promises of Disappearing Messages Were False

“Before u send any photo, msg or video, consider how u would feel if it reached a broader audience than you intend”, the FTC tweeted today after announcing a settlement with Snapchat, a popular messaging app that promised its users that their messages disappeared once expired. Users are able to take photos, record videos, add text and drawings, known as snaps, and send them to a controlled list of recipients. Users also set a time limit for how long recipients can view their snaps (up to 10 seconds), and Snapchat claimed that after the time limit expired, the snaps would “disappear”. However, the Commission alleged the snaps can be saved in several ways, such as using a third-party app or taking screenshots of snaps, without detection.

The FTC also alleged that Snapchat misled consumers about how much personal information was collected and the security measures in place to protect such information through its Find Friends feature. For example, the app transmitted users’ location information and collected data like address book contacts, despite stating that it did not collect such information. Further, the Commission charged that Snapchat’s failure to secure this feature resulted in a security breach that allowed hackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

According to the New York Times, in response to the announcement the company stated “While we were focused on building, some things didn’t get the attention they could have,” and added: “Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications. And we continue to invest heavily in security and countermeasures to prevent abuse.”

The settlement prohibits Snapchat from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. Snapchat is also required to implement and maintain a comprehensive privacy program for the next 20 years. The Commission stated that the settlement with Snapchat is part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.


Windows XP End of Life Poses Risks to the Significant Percentage of Companies Still Tied to the Platform

On April 8, Microsoft officially ended all support and ceased providing updates for its Windows XP operating system. This “end of life” (EOL) announcement is not uncommon with software platforms, where continued support of aging software (XP is over 12 1/2 years old) becomes too expensive or too impractical, and the user is thus encouraged to upgrade to a newer version of that software. This all makes sense on the surface. As we’ve seen time and time again, software, especially large, complex pieces of software like operating systems, tends not to age well. Due to the sheer complexity of systems like XP, retrofitting patches to fix errors and vulnerabilities can be quite difficult, and may even lead to unintended consequences (i.e., more bugs). Thus, over time, software companies may urge their customers to migrate to the (relatively) clean slate provided by upgraded versions of their software.

The XP EOL announcement came as no surprise. Microsoft has been urging customers to start planning for upgrades since it terminated all retail sales of the operating system in 2008. But according to recent statistics provided by Net Applications, nearly 28% of Internet users are still running some version of Windows XP. Even worse, this number does not include those computers running XP that aren’t used for web browsing, e.g., servers, point-of-sale (POS) systems, medical systems, industrial systems, security systems, and ATMs. This number includes large organizations such as banks and governments which, due mainly to their size and conservative technology adoption policies, take more time to migrate away from software platforms, especially those that provide core services, such as operating systems. This has led to multi-million dollar agreements between these organizations and Microsoft in order to provide continued support for the short term.

But what about those companies and organizations who don’t necessarily have the wherewithal to negotiate individual support contracts with Microsoft? In addition, these smaller companies too often don’t have the depth of IT support required to keep up with these updates, and some organizations may not even be aware they’re still running XP within their network. For these companies, the fact that Microsoft will no longer be providing public patches for future vulnerabilities could prove to be a serious problem.

The first example of this problem showed up this week. On Monday, a new “zero-day” vulnerability in Microsoft’s Internet Explorer (IE) web browser was announced. This vulnerability is quite serious, as it could allow for remote code execution on a user’s computer, and had already been detected as an attack being used in the wild. Technology news sources were referring to this bug as the first sign of the “XPocalypse,” where users and organizations still running the unsupported platform would be left to the wolves, so to speak.

Yesterday, Microsoft took the unusual step of issuing a patch for this IE vulnerability for all of its platforms, including the “unsupported” Windows XP. While this step may have averted disaster for XP users, at least for the time being, many technology experts are warning that providing retroactive support for EOL platforms will not solve the larger problem of a significant number of users running aging, vulnerable software. This should concern not only the companies still running XP, but the entire Internet ecosystem, since compromised computer systems are often repurposed as platforms for further attacks.

It’s still too early to tell whether any of the dire predictions presented by the so-called XPocalypse will come to pass. Some cynics have pointed out that we are not likely to see a sudden surge of attacks on XP, since XP has been quite vulnerable to attack for some time, even when it was supported. Either way, companies would do well to make software security a priority, from the C-Suite on down. Companies are coming to realize that many (or most) of them are actually in the software business, as so much of their operation depends on the software that sits behind the scenes. There may come a time that the FTC views the unsupported use of XP as failing to take reasonable security measures. Adopting a wait-and-see approach to software security is bound to make a potentially bad situation even worse.