The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



FCC Proposes Cyber Security Certification Program

FCC CONSIDERS NEW "CYBER SECURITY" CERTIFICATION PROGRAM FOR COMMUNICATIONS SERVICE PROVIDERS

On April 21, 2010, the Federal Communications Commission ("FCC") issued a Notice of Inquiry that kicks off a proceeding seeking comment on a "cyber security" certification program designed to encourage communication service providers (i.e., those entities providing communications services by radio, wire, cable, satellite, or lightguide for a fee to one or more unaffiliated entities) to implement a full range of cyber security best practices. The FCC is reviewing this potential program, which was recommended under the Commission’s National Broadband Plan, in an effort to counter cyber attacks and protect the communications infrastructure in the U.S. Among other things, the FCC cites a 2008 Data Breach Investigation Report that found that 87% of cyber breaches could have been avoided if reasonable security controls had been in place.

The proposed voluntary certification program would involve security assessments of service providers’ networks, to be conducted by the FCC or private sector auditors. The audit would entail a review of whether the networks comply with "stringent cyber security practices" to be developed by a public-private partnership. Those providers who successfully complete the audit would receive a special certification and then be able to market their networks as complying with these FCC network security requirements.

The inquiry is being led by the FCC’s Public Safety and Homeland Security Bureau. The FCC’s Notice of Inquiry seeks comment on a variety of topics, including:

· the costs/benefits of the program
· whether the program will really lead to an increase in security and improved cyber security practices
· whether the certification program should be open to all communication providers, or only certain types
· the composition and operating procedures of a certification authority
· whether the security criteria should be definitive or established on a case-by-case basis
· assessment standards
· form and duration of the security certification, and the renewal process
· FCC enforcement process, if any, for the program
· education process regarding cyber security for consumers, businesses, and government agencies



Today at the ABA: Expanding the FTC’s Role through Financial Reform

The big question being debated at this morning’s session on financial reform legislation and the proposed Consumer Financial Protection Agency/Bureau: how will the legislation impact the FTC’s authority, both in terms of rulemaking and imposition of civil penalties?
In December 2009, the House passed the “Wall Street Reform and Consumer Protection Act of 2009” (HR 4173). An important provision in the bill would strip the FTC of its powers to regulate consumer financial protection, while also expanding the agency’s powers in two key ways: first, by giving the FTC “APA” rulemaking authority for areas that fall within the FTC’s jurisdiction, and second, by giving the agency greater latitude to assess civil penalties for unfair and deceptive practices.
These amendments will surely impact FTC enforcement of online advertising, marketing, privacy, and data security. For instance, violations under the FTC’s expanded authority could trigger civil penalties even in the absence of an FTC order. Civil penalties would be assessed in antitrust cases brought by the FTC that include a consumer protection claim.
In addition, the HR 4173 language that expands the FTC’s authority would impose liability on companies that “substantially assist” in an unlawful act, even if the company does not have direct knowledge of or responsibility for the violation. This provision will probably raise some serious concerns for companies currently enjoying a safe harbor under the Communications Decency Act.
Today, FTC rulemaking jurisdiction comes in two flavors: “APA” rulemaking under certain laws as prescribed by Congress (e.g., the Children’s Online Privacy Protection Act), and general rulemaking authority under the 1975 Magnuson-Moss Act. Under the latter, the FTC can only regulate “prevalent” unfair and deceptive acts, and must justify that regulation with “substantial evidence.” The key difference between these two types of rulemaking occurs during judicial review; a court can overturn an FTC regulation under Magnuson-Moss if the rule lacks a substantial evidentiary record to support it. In contrast, FTC regulations enacted under the APA rulemaking scheme, such as those implementing COPPA, can only be overturned if the agency was “arbitrary or capricious” in enacting the rule – a much higher standard. As former FTC Chairman Muris explained in his presentation at the panel, Magnuson-Moss gives the FTC authority to act only when a problem occurs often enough to justify a rule, or when a problem has a common cause in a sufficient number of cases.
Current FTC Chairman Jon Leibowitz, supported by President Obama and the Administration, has strongly advocated for an expansion in the FTC’s authority, stating that it is “critical” for the FTC to carry out its mission of protecting consumers. In particular, Leibowitz has argued that the procedural requirements of Magnuson-Moss – such as the requirement that a practice be prevalent before the agency can act – make FTC rulemaking more burdensome than at most other federal agencies. Although the relevant amendments expanding the FTC’s power are missing from the Senate version of the legislation, it is widely expected that these differences will be worked out in conference. Financial reform legislation appears to be on a fast track – earlier today, a Senate panel approved the bill, and both Republicans and Democrats have indicated that passage is likely.
The CFPA would be a new independent federal agency – the composition of which would vary depending on whether you are looking at the House Bill (5 members and a Director for two years) or Senate Bill (5 members). Its enactment would strip the FTC and other federal banking agencies of their federal consumer protection powers under a number of laws, including the Electronic Funds Transfer Act, the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Secure and Fair Enforcement for Mortgage Licensing Act, the Truth in Lending Act and the Truth in Savings Act. In short, any product or service that results from or is related to engaging in a financial activity and that is to be used by a consumer “primarily for personal, family or household purposes” will come under the new agency’s purview.
At today’s session, we saw differing viewpoints from both Tim Muris, former FTC Chairman, and Julie Brill, incoming FTC Commissioner, on this current push to expand the FTC’s authority under financial reform legislation.
Former Chairman Muris views the FTC’s current role as important, and he sees FTC rulemaking as relevant in certain areas – e.g., the do-not-call rules. He is concerned about the current proposals to expand the FTC’s authority because the agency often lacks industry-specific knowledge and expertise (I see this most recently in the area of privacy, as the FTC is currently gleaning this knowledge through its Exploring Privacy roundtable series). Muris also thinks the agency’s rulemaking authority under Magnuson-Moss is more than sufficient, as it imposes an obligation on the agency to be clear about its proposed theories while focusing its evidence on key questions. He cites the agency’s recent business opportunity rulemaking as an example of an instance where the FTC initially proposed a broad rule that would have disproportionately impacted both fraudulent and legitimate businesses. The FTC eventually narrowed its proposed business opportunity rule after the public comment process.
On civil penalties, Muris thinks these are important only when a company violates an FTC order or rule. He sees blanket civil penalty authority as a mistake that may have unintended consequences – such as a penalty on a firm’s stock price. He’s also concerned that the standard of review laid out in the financial reform legislation will return the FTC’s definition of unfairness to its pre-1994 definition, i.e., the Sperry-Hutchinson or “cigarette rule,” which defines an unfair practice as one that is injurious to consumers, violates established public policy, or is unethical or unscrupulous. As many know, Congress amended the FTC Act in 1994 to specify that an unfair act or practice is one that causes or is likely to cause substantial injury to consumers that is not reasonably avoidable and is not outweighed by countervailing benefits to consumers or competition.
Providing a counterpoint to Muris’ remarks, FTC Commissioner Julie Brill, speaking “on behalf of herself,” is generally in favor of expanding the FTC’s authority. She sees the FTC as both a law enforcement and regulatory agency. She views civil penalties as just “one of the arrows” in the FTC’s quiver – not to be used in every instance, but as appropriate. As a law enforcer, she does not see the FTC’s request to have civil penalty authority as unusual – since most state AGs already have this type of authority. To view such penalties as “automatic” is particularly misleading to her, since the FTC would only be able to obtain such penalties after judicial review in court. Brill also sees the FTC as a regulatory agency and notes that APA rulemaking is enjoyed by most other federal agencies. In addition, she points out that APA rulemaking under the proposed amendments would also be subject to review by a judge in court. Brill also views civil penalties as helpful in quantifying equitable remedies to compensate consumers for their injury – e.g. disgorgement or restitution for data breach violations.
Taking a broader view of the situation, Brill sees an expansion of the FTC’s authority as a way to make the agency’s enforcement efforts more effective – which benefits both consumers and competition in the long run. She also feels that consumers want an agency that has the right enforcement tools – not an “emasculated” FTC – and finds it surprising that the issue is even being debated, given the events of the financial meltdown and the current economic recession.
On the subject of FTC regulation, Brill is strongly in favor of an update, noting that rulemaking under Magnuson-Moss can often take up to 8 – 10 years. She recalls comments she made on the hearing aid rule as an Assistant AG in Vermont in 1992 – rules that have yet to be issued, nearly 20 years later. Her statements suggest that expanded rulemaking authority might give companies in dynamic industries – such as technology – FTC regulation that actually keeps pace with innovation.
The question, of course, is whether such FTC regulation would also stifle innovation preemptively. Companies have started to take note of the recent push to expand the FTC’s power, and it is likely that the topic will continue to be debated fiercely in the coming weeks as financial reform legislation comes to a vote. Some have even expressed concerns that such an expansion of the FTC’s rulemaking authority could impact funding and investment in technology and Internet companies by both Wall Street and Silicon Valley VCs. For more, take a look at this transcript of the Progress & Freedom Foundation’s recent forum entitled “Supersizing the FTC.”



New Jersey Supreme Court Decides Computer Use Policy is Not Enough to Defeat Protection for Employee-Attorney E-mails Exchanged on Company Computers

Last week, in what appears to be the first instance in which a state supreme court has addressed the issue, the Supreme Court of New Jersey unanimously ruled that the attorney-client privilege applies to e-mail communications between an employee and her personal attorney even when she e-mails her attorney with a personal, password-protected Yahoo e-mail account accessed through a company-provided laptop. This decision should be read carefully when conducting forensic investigations or reviews into company IT systems.
