IAPP DC Summit 2015

Washington, D.C. – March 9, 2015

On March 4-6, 2015, the International Association of Privacy Professionals ("IAPP") held its annual Global Privacy Summit at the Marriott Marquis in downtown Washington, D.C., and, as usual, it was a who's who of privacy pros in attendance. eWhite House Watch had the pleasure of attending the conference as part of IAPP’s Press Corps, and is pleased to report that it was a smashing success. This year, the three-day privacy extravaganza featured topics ranging from keynote speaker Glenn Greenwald's Snowden coverage to privacy issues surrounding the Internet of Things (IoT), privacy issues for startups, cyber insurance, and the U.S. Consumer Privacy Bill of Rights proposed by Obama just a few weeks prior to the event.

Regular conference attendee (and past IAPP conference speaker) Fernando M. Pinguelo (partner and Chair of Scarinci Hollenbeck’s Cyber Security & Data Protection group) observed, “IAPP’s tradition of offering high caliber presenters with real-world experience and insight continues, and is matched only by the notable keynote speakers who add a level of urgency to the data privacy and security dialogue and the conference attendees whose active participation contributes greatly to the panel discussions and learning experience.”

eWhite House Watch also had the opportunity to sit in on a private roundtable discussion between IAPP President and CEO J. Trevor Hughes and Vice President of Research and Education Omer Tene. Referring to the year-over-year increase in consumer awareness regarding data privacy concerns, Hughes drew analogies between the digital and industrial economies. Both Hughes and Tene agreed that the media, consumer awareness, and the influence of the president were critical to getting uniform data privacy legislation on the books here in the U.S., and that, unfortunately, such a massive shift in the regulation of data privacy might only be sparked by an Exxon-Valdez-caliber breach incident.

“Aside from the informative programs available to lawyers in private practice, I find the conference also offers me the unique opportunity to meet with clients and colleagues in one location, many of whom also make it a point to attend this one in particular,” added Angelo A. Stio, III, partner in the Litigation & Dispute Resolution Department of Pepper Hamilton LLP, and a member of its Privacy, Security and Data Protection group.

This year's conference was littered with networking events, and the exhibitor floor was packed full of consulting service providers. And for the first time, a new session type called "From the Game Changers" was introduced: shorter, more informal professional-to-professional chats on practical experiences these 'Game Changers' withstood during their careers. In all, the 2015 Global Privacy Summit was a wealth of knowledge for both seasoned and aspiring privacy professionals, and lived up to the high standards of event coordination and substantive content that IAPP members have come to know and expect from the organization.

"We really like how this event brings together the entire industry, including the regulators, and allows us to share our often differing views on the latest developments in the field," reflected Michael Morgan, Of Counsel in the Cybersecurity and Data Privacy group at Jones Day. eWhiteHouse Watch’s Executive Editor stated, “we are already looking forward to next year's event.”

Net Neutrality – A Win for Liberty or Lawyers?

On February 26, 2015, the FCC ruled in favor of net neutrality by applying Title II of the Communications Act of 1934 to Internet service providers and reclassifying broadband access as a telecommunications service. Championing the new regulations, FCC Chairman Tom Wheeler said, "[t]his is no more a plan to regulate the Internet than the First Amendment is a plan to regulate free speech. They both stand for the same concept." While Mr. Wheeler views the regulations as a referee, telecom companies insist that the measures will do more harm than good, and that consumers will bear the brunt of the change.

What is net neutrality?

In short, adoption of Title II established three bright-line rules:

No Blocking: broadband providers may not block access to legal content, applications, services, or non-harmful devices.

No Throttling: broadband providers may not impair or degrade lawful Internet traffic on the basis of content, applications, services, or non-harmful devices.

No Paid Prioritization: broadband providers may not favor some lawful Internet traffic over other lawful traffic in exchange for consideration – in other words, no “fast lanes.” This rule also bans ISPs from prioritizing content and services of their affiliates.

Who is for it and who is against it?

Those who support net neutrality argue that allowing “paid prioritization” unfairly raises prices on content services and that adoption of Title II levels the playing field for all Americans. Opponents say the Title II designation will stifle innovation in broadband. A group of Internet service providers (ISPs), including AT&T, Comcast, Time Warner Cable, and Verizon, argue that the new classification permits the FCC to conduct "unprecedented government micromanagement of all aspects of the Internet economy."

What does this law mean for the consumer?

The FCC promises that broadband will continue to cost the same amount as it did before. This ruling establishes the authority to implement regulations put in place in 2010, and will grant the FCC the administrative authority to examine practices and hear complaints. This past week, at the Mobile World Conference, Mr. Wheeler seemed to argue that his plans have been mischaracterized. Wheeler dismisses the idea that adoption of Title II is heavy-handed regulation; it is instead, as Mr. Wheeler characterized it, a referee throwing up the card when someone acts in an unfair manner.

In Europe, there are proposals coming through the European Commission which would allow specialized services provided by telecom groups to be delivered at guaranteed speeds for customers, which is very different from what has been proposed in the US. Many opponents have accused the President of relaying pressure from Facebook and Google to take action on their behalf. While adoption of the regulations will begin to have an effect in early summer, the telecom companies are saying to Mr. Wheeler, “we’ll see you in court.”

http://www.mediaite.com/tv/john-oliver-explains-fccs-net-neutrality-ruling-to-confused-republicans/

President Obama Rejuvenates the Cyber Troops: Is the Private Sector on Board?

This past week, President Obama met with tech gurus at Stanford University to discuss cybersecurity and emphasized the need to focus more efforts on combating cyber security threats. The theme of his speech was the unification of efforts by the private sector and public sector. The flexibility of the private sector combined with the wealth of data collected by the government could, the President hopes, make for an aggressive partnership capable of combating cyber threats. While the President’s remarks were very broad, a plenary session of corporate leaders spoke about two issues that might define a cyber security relationship: first, the need to reduce outdated legislation that hinders cyber protection efforts, and second, the definition of “data” that is to be shared.

During a plenary panel, led by Director of Homeland Security Jeh Johnson, corporate leaders talked about the growing need to confront the cyber threats facing their industries and the hurdles to doing so. One of the themes that each executive touched on was that outdated legislation and regulatory measures hinder the company’s ability to face modern threats. For example, Kenneth Chenault of American Express highlighted that limits on access to customers via text messaging and email hindered Amex’s ability to rapidly respond to such threats. Additionally, Mr. Chenault called for greater transparency in the way in which the government collects and shares its data with private industry, claiming that less than 1% of all threats facing Amex were sourced from government entities.

Mr. Bernard Thompson, from Kaiser Permanente, emphasized that private industry should not be willing to blindly hand over its data to the government. Healthcare data is sensitive information, and he said that the relationship between government and private industry should be clearly defined by the type of data industry is willing to share. He emphasized that he would under no circumstances be willing to share “content” with the government, but would provide information about those attempting to gain access to that content. Mr. Thompson reiterated the point that outdated legislation continues to hinder Kaiser Permanente’s ability to face growing threats.

Financial and healthcare corporations, like American Express and Kaiser Permanente respectively, have built their reputations on trust with their customers. Any talk of data sharing will need to be clearly defined. Additionally, any government-led cyber security policy will inevitably usher in a series of new regulations and, with them, regulatory cost. Corporations, unlike our sluggish bureaucracy, must make cuts where new regulatory measures need to be enforced. A certain degree of deregulation of outdated measures will be necessary to help corporations create lean cyber-fighting mechanisms.

http://www.c-span.org/video/?324360-2/publicprivate-collaboration-cybersecurity

Obama’s Cybersecurity Initiative: Substance? Or Hot Air?

Success of the President's proposed cyber legislation hinges on the willingness of corporations to share their data with the government.

But why would a company want to share data with the government? While the Sony hack was shocking to most, it’s unlikely that corporations will be willing to trust the government with their customers' most sensitive data. For one, businesses owe a duty to their customers to maintain their data in accordance with their agreements with and expectations of their customers.

Also, despite billions of dollars in funding, the federal bureaucracy has failed to meet its own federal cybersecurity standards. Using data from the General Accounting Office, George Mason University researchers found that in 2006 there were more than 5,503 cyber-breaches on federal IT systems, and in 2013, 61,213 cyber-breaches. Since 2002, the federal government has had its own legislation similar to the one proposed by the President last week, and despite $78.8 billion in funding, the number of IT security breaches has increased more than 10 times since 2006. Critics argue criminalizing cybercrime will not prevent what Americans fear: industrial espionage and overseas hackers.

Summary of President’s proposal:

1. Cyber information sharing between private sector and government, with liability protection for companies
2. Expanding RICO to include cyber-crime
3. Criminalizing the sale of botnets and the sale of banking information overseas
4. Greater restrictions on selling spyware
5. Giving courts the authority to shut down botnets engaged in distributed denial of service attacks and other criminal activity
6. Making rogue insiders punishable by the CFAA (Computer Fraud and Abuse Act)
7. Uniform national data breach notification within 30 days of an attack
8. Establishing a consumer policy bill of rights

Additionally, critics argue that the law could hinder U.S. internet users who have no intention of committing cybercrimes but who may be out of compliance with a U.S. judgment in an effort to debilitate cybercrime. What is lacking from this bill is a mechanism that actively seeks out global cyber threats; and while the new legislation may rein in domestic cybercriminals, it does nothing to relieve our increasing threat: rapidly emerging economies with no form of legal redress for victims of cybercrimes. Despite bills that promise to rein in cybercriminals, it remains incumbent on companies to strengthen their own defenses.

SOTU Watch: Obama Cybersecurity Boost

With great expectation that Cyber Policy will be a significant focus of the upcoming State of the Union address (SOTU) – more than any other of this administration’s past SOTUs – we feature our SOTU Watch series leading up to, during, and after January 20th’s main event.

Earlier this week, President Barack Obama vowed to introduce three new pieces of legislation aimed at providing online protections for consumers and students. Obama labeled the new legislation the “consumer privacy bill of rights” and promised that his proposals aim to protect consumer privacy and “ensure that private industry can keep innovating.”

President Obama is launching this program at a time when consumers and industry leaders are still coming to terms with the devastating hack of Sony Entertainment this past December, among other high-profile breaches. Ironically, on Monday the Administration witnessed another embarrassing example of the potential power of hackers when people claiming to be supporters of ISIS took control of the Pentagon’s social media accounts, scoring a propaganda move for the group.

President Obama outlined three new pieces of legislation:

A consumer privacy bill of rights, a set of rules about how technology companies can use and store sensitive information about their consumers.

A set of standards as to when a company must reveal that it has been breached and when a credit card or bank is breached; at present, states have their own rules.

A bill that would place limits on data that is collected on students using technology in the classroom.

In theory these are uncontroversial ideas, but the politics of cybersecurity in the United States is not so clear cut, especially since the Edward Snowden incident pitted privacy activists against the government security establishment. Additionally, it is unclear whether Republicans share the same definition of “cybersecurity” as the President. While Google and Yahoo lobbying budgets continue to grow, it will be interesting to see just what shape a “cybersecurity” definition will take. Nevertheless, President Obama says that he hopes that Congress will join him in making his proposed laws the law of the land.