The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



NIST Eliminates Privacy Appendix from Cybersecurity Framework

In a January 15, 2014 update, the National Institute of Standards and Technology (“NIST”) announced that it would eliminate contentious privacy provisions in Appendix B of the Preliminary Cybersecurity Framework. The appendix was originally intended “to protect individual privacy and civil liberties” as part of the February 2012 Executive Order 13636 requiring NIST to establish a framework to manage cybersecurity risk. The proposed privacy provisions generated widespread controversy, however, because “the methodology did not reflect consensus private sector practices and therefore might limit use of the Framework.” As a result, NIST determined that the appendix “did not generate sufficient support through the comments to be included in the final Framework.”

In place of a separate privacy appendix, NIST stated that it would incorporate an alternative methodology proposed on behalf of several industry sectors.  This substitute approach eliminates references to specific privacy standards, such as Fair Information Practice Principles (FIPPs), given the current lack of consensus regarding such standards.  Instead, the Framework will provide “more narrowed and focused” guidance in the “How To Use” section that requires companies to consider privacy implications and address them as appropriate.  The high-level measures now include ensuring proper privacy training, reviewing any monitoring activities, and evaluating any privacy concerns that arise when information (such as threat data) is shared outside the company.  According to NIST, this approach will “allow organizations to better incorporate general privacy principles when implementing a cybersecurity program.”

Although eliminating the privacy appendix in favor of more general guidance was the only definitive change that NIST announced, the update also noted several other common issues raised in public comments.  These topics – which include reaching consensus on what “adoption” of the Framework entails and the use of “Framework Implementation Tiers” to assess the strength of a company’s cybersecurity program – will remain key areas of debate once the Cybersecurity Framework is released on February 13, 2014.

Although the Framework is slated for release in just a few weeks (and will be available here), NIST made clear that it is intended to be a “living document” that will need to be “update[d] and refine[d] . . . based on lessons learned through use as well as integration of new standards, guidelines, and practices that become available.”  NIST also explained that it intends to continue serving as the “convener” for such changes until the document can be transitioned to a non-government organization, but will issue a roadmap with more details soon. 


Tributes and a Call to Action – Remembering Aaron Swartz

A year ago, on January 11, 2012, 26-year-old internet activist Aaron Swartz committed suicide while facing up to 35 years in prison and up to $1 million in fines. Charges against him included violations of the Computer Fraud and Abuse Act (CFAA) as a result of “unauthorized access” for downloading millions of academic articles while on MIT’s network. On this first anniversary of his death, a reinvigorated call to action is taking place. The Electronic Frontier Foundation (EFF) has launched a “Remembering Aaron” campaign and is reactivating efforts to reform the CFAA; activists are invoking his name for an upcoming day of action against NSA surveillance, “The Day We Fight Back,” to be held on February 11; lawmakers are demanding answers about the Justice Department’s treatment of Swartz; and a host of articles and other tributes are appearing across the internet.

The EFF’s Remembering Aaron campaign includes a tribute to Swartz’s legacy and kicks off a month of action against censorship and surveillance, toward open access. The EFF is reinvigorating efforts to reform the CFAA, encouraging supporters to send a letter to their legislative representatives that criticizes the law for its “vague language” and “heavy-handed penalties,” and its disregard for demonstrating whether an act was done to further the public good. The letter calls for: “three critical fixes: first, terms of service violations must not be considered crimes. Second, if a user is allowed to access information, it should not be a crime to access that data in a new or innovative way — which means commonplace computing techniques that protect privacy or help test security cannot be illegal. And finally, penalties must be made proportionate to offenses: minor violations should be met with minor penalties.”

In addition to calls to change the CFAA, activists are also calling for a protest against laws and systems that enable government surveillance to run unchecked. Specifically, a mass movement against government surveillance is being organized by a heavy-hitting group of organizations including EFF; the organization Swartz co-founded, Demand Progress; Fight for the Future; Reddit; and Mozilla. Organized for February 11, 2014, “The Day We Fight Back Against Mass Surveillance” invokes Swartz’s legacy in its call for a day of mass protest against government surveillance: “If Aaron were alive, he’d be on the front lines, fighting against a world in which governments observe, collect, and analyze our every digital action.” In a show of support for the planned protest, on the day before the first anniversary of Swartz’s death, Anonymous defaced MIT’s SSL-enabled Cogeneration Project page, displaying a page that called viewers to “Remember the day we fight back.”

In addition to reinvigorating the fight against laws that are abusive and can be easily abused, the key players in Swartz’s prosecution are also coming under scrutiny: the DOJ and MIT. On Friday, January 10, a bipartisan group of eight lawmakers, Sens. John Cornyn, R-Texas; Ron Wyden, D-Ore.; Jeff Flake, R-Ariz.; and Reps. Darrell Issa, R-Calif.; James Sensenbrenner, R-Wis.; Alan Grayson, D-Fla.; Zoe Lofgren, D-Calif.; and Jared Polis, D-Colo., sent Attorney General Eric Holder a letter calling out inconsistencies between the DOJ’s and MIT’s reports and the DOJ’s lack of forthrightness and transparency. Additionally, the letter issues this demand: “In March, you testified that Mr. Swartz’s case was ‘a good use of prosecutorial discretion.’ We respectfully disagree. We hope your response to this letter is fulsome, which would help re-build confidence about the willingness of the Department to examine itself where prosecutorial conduct is concerned.” In Boston Magazine’s Losing Aaron, Bob Swartz, Aaron’s father, voices his deep disappointment in MIT and articulates specific ways in which he believes the institution was complicit in the DOJ’s draconian prosecution that contributed to Aaron’s suicide.

Additional tributes to Swartz this month include a documentary by Brian Knappenberger, The Internet’s Own Boy: The Story of Aaron Swartz, which will play at the Sundance Film Festival beginning this week. In Wired Magazine’s article, One Year Later, Web Legends Honor Aaron Swartz, author Angela Watercutter notes, “Swartz’s fight for rights online has only been brought more intensely into focus in the year since his death, largely due to NSA whistleblower Edward Snowden. To see him talk about government spying in [Knappenberger’s] documentary at a time before the Snowden leaks is especially chilling now.” Further, in Knappenberger’s forthcoming documentary, web visionaries, including founders of the World Wide Web and Creative Commons, speak of Swartz’s work and legacy:

“I think Aaron was trying to make the world work – he was trying to fix it…  he was a bit ahead of his time.” – Tim Berners-Lee.

“He was just doing what he thought was right to produce a world that was better.” – Lawrence Lessig


FTC Announces Settlement with Accretive Health over Data Security Practices

On New Year’s Eve, the Federal Trade Commission (“FTC” or “Commission”) announced that it had approved, 4-0, a settlement with Accretive Health, Inc. – a provider of medical billing and revenue services to hospitals nationwide – resolving allegations that the company failed to adequately protect sensitive consumer information, which resulted in a 2011 data breach. The settlement agreement does not impose a civil penalty, but Accretive Health is required to establish and implement a comprehensive information security program.

In the complaint, the FTC alleges that Accretive Health failed to implement reasonable and appropriate security measures and procedures to protect the personal information, which included sensitive health information, such as medical diagnostic information, billing information, and names, dates of birth, and Social Security numbers, of the patients of the company’s hospital clients. The FTC also claims that this failure led to an incident in July 2011, in which a laptop containing the sensitive information of 23,000 patients was stolen from an employee’s car. Permitting employees to transport laptops containing such sensitive personal information created unnecessary risks and exposed the company to theft, the FTC stated. Additionally, Accretive’s security procedures should have prevented employees from retaining consumers’ personal information when no longer needed and placed need-based restrictions on access to personal information.

Under the terms of the consent order, Accretive Health must establish, implement, and maintain a comprehensive information security program reasonably designed to protect consumers’ personal information. The program must: (1) designate an employee responsible and accountable for the program; (2) identify material and external risks that could result in a breach of security, and assess the adequacy of any safeguards; (3) design, implement, and regularly test and monitor the effectiveness of reasonable safeguards; (4) develop and use reasonable steps to select service providers capable of appropriately safeguarding personal information; and (5) evaluate and adjust the program in light of the required testing and monitoring. Additionally, the order requires a certified third party to evaluate the information security program initially and biannually for the next 20 years.

The complaint – the latest data security action the Commission has publicized – alleges that Accretive Health’s lack of adequate security measures constitutes an unfair practice, in violation of Section 5(a) of the FTC Act. This action serves as a reminder to companies that the FTC will continue to exercise its data security enforcement authority under the unfairness prong of Section 5, despite the challenges in court to that authority from Wyndham Worldwide and others.



Before Liftoff, Drones Must Maneuver Through Privacy Laws

Unmanned aerial vehicles, better known as drones, are expected to revolutionize the way companies deliver packages to their customers. Some also imagine these small aircraft delivering pizzas to a customer’s home or nachos to a fan at a ballgame. Researchers are even investigating the possibility of using drones to assist farmers with monitoring their crops. Before drone technology takes flight, however, it will have to maneuver through privacy laws.

The Federal Aviation Administration (FAA) is the agency charged with developing rules, including privacy rules, for private individuals and companies to operate drones in national airspace. While the precise breadth of FAA rules is not entirely clear, a framework is beginning to develop. When the FAA recently announced test sites for drones, it also noted that test site operators must: (1) comply with existing federal and state privacy laws, (2) have publicly available privacy policies and a written plan for data use and retention, and (3) conduct a review of privacy practices that allows for public comment. When soliciting public comment on these test-site privacy rules, the FAA received a wide spectrum of feedback, ranging from suggestions that the agency must articulate precise elements of what constitutes a privacy violation, to assertions that the agency was not equipped (and therefore should not attempt) to regulate privacy at all. It appears that the FAA settled on a middle ground of requiring drones to comply with existing privacy law, which is largely regulated by individual states.

Accordingly, state privacy laws are likely to be the critical privacy hurdle to commercial drone use. It appears that only four states have thus far expressly addressed the use of private drones (as distinguished from drones used by public agencies, such as law enforcement). Idaho and Texas generally prohibit civilians from using a drone to take photographs of private property. They also restrict photography of any individual – even in public view – by such a drone. Oregon prevents drones from flying less than 400 feet above the property of a person who requests such a restriction. The fourth state, Illinois, restricts use of drones that interfere with hunting and fishing activities.

As for the other states, they may simply be getting up to speed on the technology. On the other hand, many of these states have considered or enacted laws restricting use of drones by the police. Because these laws are silent on the use of private drones, one could argue that these states intentionally chose not to regulate private drones (and accordingly, that existing laws regarding use of aircraft or other public cameras govern use of private drones).

Even where a state has passed a drone-related privacy law, it may very well be challenged on constitutional or other grounds. For instance – to the extent they prohibit photography of public areas or objects and people in plain view – the Idaho and Texas laws may raise First Amendment questions. As described in Hurley v. Irish-American, a photographer generally receives First Amendment protection when taking public photos if he or she “possessed a message to be communicated” and “an audience to receive that message, regardless of the medium in which the message is to be expressed.” Under this test, in Porat v. Lincoln Towers Community Association, a photo hobbyist taking pictures for aesthetic and recreational purposes was denied First Amendment protection. In contrast, in Pomykacz v. Borough of West Wildwood, a “citizen activist” – whose pictures were taken out of concern about an affair between a town’s mayor and a police officer – was found to have First Amendment protection. To be sure, however, the Supreme Court has acknowledged that “even in a public forum the government may impose reasonable restrictions on the time, place, or manner of protected speech, provided the restrictions are justified without reference to the content of the regulated speech, that they are narrowly tailored to serve a significant governmental interest, and that they leave open ample alternative channels for communication of the information.” For example, under this premise, some courts have upheld restrictions on public access to crime and accident scenes. All told, we may see drone users assert First Amendment protection for photographs taken of public areas.

Another future legal challenge may involve the question of who owns the airspace above private property. In United States v. Causby, the Supreme Court appeared to reject the idea of private ownership of airspace. More specifically, it held that government aircraft flying over private land do not amount to a government “taking,” or seizure of private property, unless the aircraft fly so low and so frequently that they constitute an immediate interference with enjoyment of the land. In other words, under Causby, the landowner owns only the airspace necessary to use and enjoy the land. But the Court declined to draw a specific line. At the moment, it is unclear whether Oregon’s law – restricting drones within 400 feet of a home – is consistent with this principle.

Lastly, we may see a legal challenge asserting that certain state privacy laws (such as the Idaho or Texas law, or others that disallow drone use altogether) are preempted, or trumped, by federal law. Congress’s intent to impliedly preempt state law may be inferred (1) from a pervasive scheme of federal regulation that leaves no room for the states to supplement, or (2) where Congress’s actions touch a field in which the federal interest is so dominant that the federal system will be assumed to preclude enforcement of state laws on that subject. Applied here, one could argue that Congress has entrusted the FAA with sole authority for creating a scheme for regulating the narrow field of national airspace, and drones in particular. Additionally, the argument goes, the federal government has a dominant interest in regulating national airspace, as demonstrated by the creation of the FAA and numerous other aircraft regulations. Under the preemption line of reasoning, state privacy laws may be better focused on regulating data gathered by the drone rather than the space where the drone may fly or the actions the drone may take while in that space (e.g., taking pictures).

All told, before official drone liftoff, companies employing drones will have to wait for final FAA rules on privacy. Whether these final rules will track the test site rules discussed above is not certain. Likely, the final rules will depend on the public comments received by the drone test sites. Assuming the final rules track the test site rules, companies using commercial drones should focus on compliance with the various state privacy laws. But, as noted above, we may see a constitutional challenge to these laws along the way. Stay tuned.