Privacy. Security. Risk. 2015 Presented by the IAPP Privacy Academy and CSA Congress

Las Vegas, NV

“Who’s on First? Regulatory Authority

for the Internet of Things,

Connected Cars and ISPs”

Breakout Session

Wednesday, September 30, 2015

11:00 AM – 12 Noon

Who’s on First? Regulatory Authority for the

Internet of Things, Connected Cars and ISPs

Moderator:

◦ S. Jenell Trigg, CIPP/US, Member and Chair, Intellectual Property, New Media & Technology Practice Group, Lerman Senter PLLC

Panelists:

◦ Christopher Olsen, Partner, Wilson Sonsini Goodrich & Rosati (former Deputy Director, Bureau of Consumer Protection, Federal Trade Commission)

◦ Phillip Rosario, Deputy Chief, Enforcement Bureau,

Federal Communications Commission

◦ Catherine J.K. Sandoval, Commissioner, California Public Utility Commission

2

Regulation of Internet Service Providers

Historic and Current Role of FTC

◦ Section 5 of FTC Act – Unfair and

Deceptive Trade Practices

◦ In the Matter of GeoCities (1999)

◦ FTC v. Pricewert LLC (N.D. Cal. 2009)

◦ USA v. Google Inc. (N.D. Cal. 2012)

◦ Fair Credit Reporting Act

◦ USA v. Time Warner Cable, Inc. (S.D. NY

2013)

◦ Children’s Online Privacy Protection Act

3

Regulation of ISPs

Challenges to FTC Authority under Sec. 5

to enforce unfair data security practices

◦ FTC v. Wyndham Hotels & Resorts, LLC

et al. (D. Ariz. 2012)

Affirmed by U. S. Court of Appeals, Third Circuit

(Aug. 2015)

◦ In re LabMD, Inc., File No. 102 3099

(2013)

Appealed to U.S. District Court, N.D. Georgia (2014)

Appealed to U.S. Court of Appeals, 11th Circuit (2015)

4

Regulation of ISPs

Historic and Current Role of FCC Re:

Privacy & Data Security

◦ Title VI – Cable, Protection of

subscriber privacy, 47 U.S.C. § 551

◦ Title III – Satellite, Privacy rights of

satellite subscribers, 47 U.S.C. §

338(i)

◦ Title II – Privacy of customer

information, 47 U.S.C. § 222

◦ Title II – Service and charges, 47

U.S.C. § 201(b)

5

Regulation of ISPs

Title II – Recent Privacy Enforcement

◦ TerraCom, Inc. and YourTel America, Inc., FCC

14-173 (2014) – $10 million NAL for failure to

protect proprietary information TerraCom and YourTel Consent Decree - $3.5 Million

Settlement, DA -15-776 (July 2015)

◦ AT&T Services, Inc., DA 15-399 (2015) – $25

Million civil penalty for failure to protect CPNI at

foreign call centers

6

Regulation of ISPs

Title II – Protecting and Promoting the Open

Internet, Report and Order on Remand,

Declaratory Ruling, and Order, FCC 15-24 (March

2015), effective June 12, 2015

◦ Reclassified broadband Internet access service

providers as “common carriers” from “information

service providers”

7

Regulation of ISPs

FCC Regulations – 47 C.F.R. § § 64. 2001

et seq.

◦ Forbearance of current telephonic-centric

regulations

◦ Pending rulemaking to establish ISP-specific

privacy and data security requirements

Statutory Requirements – 47 U.S.C. § 222

◦ FCC Enforcement Advisory, Open Internet

Privacy Standard, DA 15-603 (May 2015) –

enforceable core tenets

8

Regulation of ISPs

Status of litigation against FCC’s

Open Internet Order ◦ Multiple petitions consolidated in D.C.

Circuit, U. S. Court of Appeals – U. S.

Telecom Assn et al. v. FCC & USA (2015)

◦ Stay denied, but granted expedited review

◦ Primary Issue:

Whether the FCC lawfully reclassified fixed and

mobile broadband Internet access service as a

telecommunications service

9

Regulation of ISPs

Impact of Open Internet Order on FTC

Authority Under Sec. 5

◦ Common Carrier Exemption – Prohibits

FTC from certain enforcement actions

against ISPs

Status v. Activity-based determination

FTC v. AT&T Mobility, LLC (N.D. Cal. 2015)

10

Regulation of ISPs

FTC Common Carrier Exemption as applied

to newly classified ISPs and repeal “[K]eeping the FTC in the picture is important, but I think there

would be some hard thinking about how one would come up with

a rational regulatory scheme to have the FTC and the FCC in this

space. I think that would be more difficult. But with that being

said, the FTC does work in areas where a lot of other agencies

also have authority – the FDA, CFPB, I mean the list sort of goes

on and on. So it’s not unusual that we or industry have to work in

the area where there are more than one regulatory agency playing

a role. “

Remarks of FTC Commissioner

Maureen K. Ohlhausen, American

Enterprise Institute, April 1,

2015 11

FTC v. FCC - General Differences

FTC v. AT&T Mobility

LLC, Case No. 3:14-

cv-04785, EMC, U.S.

District Court (N.D.

Cal. Mar. 2013)

◦ Alleged deceptive and

unfair trade practices for

data throttling

AT&T Mobility, LLC,

NAL for Forfeiture &

Order, No. EB-IHD-14-

00017504, FCC 15-63

(June 2015)

◦ Violation of 2010 Open

Internet Transparency

Rules

12

Differences in enforcement process, redress v. fines

Regulation of ISPs

Impact of shifting regulatory authority on

Online Behavioral Advertising (OBA) and

Big Data ecosystem?

◦ FCC concerns regarding convergence of Big

Data over multiple platforms

“ We have to think hard about the

privacy regime for a converging world.”

Travis LeBlanc, Chief, FCC Enforcement

Bureau, Communications Daily

3/26/2015, remarks at ABA/FCBA 10th

Annual Privacy & Data

Security Symposium, March 25, 2015

13

Regulation of ISPs

Reported FCC pending enforcement

investigations since its Open Internet Order

14

Regulation of ISPs

Role of other Federal

Agencies/Branches

◦ The White House Consumer Data Privacy in a Networked

World: A Framework for Protecting Privacy

and Promoting Innovation in the Global Digital

Economy and Consumer Privacy Bill of Rights

(Feb. 2012)

◦ U.S. Congress

15

Regulation of ISPs

Role of other Federal Agencies/Branches

cont’d

◦ U. S. Dept. of Commerce, National

Telecommunications & Information

Administration (NTIA)

White House policy

Multistakeholder process for mobile apps &

facial recognition

◦ U. S. Dept. of Justice Cybercrimes "Usdepartmentofjustice". Licensed under CC BY-SA 3.0 via Wikimedia Commons -

https://commons.wikimedia.org/wiki/File:Usdepartmentofjustice.jpg#/media/File:Usdepartmentofjustice.jpg

◦ U. S. Dept. of Homeland Security Cybercrimes

16

Regulation of ISPs

Historic & Current Role of States

◦ States have little “FTC Acts” that

prohibit unfair and/or deceptive trade

practices

◦ Some states have specific privacy and

data security laws

Privacy Policy

Data Security

Data Breach Notification

◦ State laws are not necessarily pre-empted

by federal laws

17

Regulation of ISPs

◦ State Public Utility and Public Service

Commissions

National Association of Regulatory Utility

Commissioners (NARUC)

◦ Executive Branch

◦ Legislative Branch

18

Audience Polling Question

Do the benefits of IoT outweigh

your concerns regarding privacy

and data security?

◦ Yes

◦ No

◦ Unsure

19

Audience Polling Question

Do the benefits of IoT outweigh your

concerns regarding privacy and data

security?

Compare with 2015 Ponemon Survey Results: ◦ Yes – 44%

◦ No – 42%

◦ Unsure – 14%

Source: Ponemon Institute Survey, Privacy and Security in a

Connected Life: A Study of US, European and Japanese Consumers

(March 2015)

20

Regulation of Internet of Things

(IoT)

The Internet of Things ◦ Definition: “ ‘[T]hings’ such as devices or sensors –

other than computers, smartphones, or tablets – that

connect, communicate or transmit information with or

between each other through the Internet.”

Source: Internet of Things: Privacy & Security in a Connected World,

FTC Staff Report (Jan. 2015)

21

Regulation of IoT

State of development and technology: ◦ End of 2015 estimated 25 Billion connected devices

◦ End of 2020 estimated 50 Billion connected devices Source: Internet of Things: Privacy & Security in a Connected World, FTC Staff Report (Jan.

2015)

◦ By End of 2015, 4X more things than people will be

connected to the Internet – 3 Billion people connected to

Internet Source: http://www.mediapost.com/publications/article/254305/internet-connections-coming-25-

billion-

things4.html?utm_source=newsletter&utm_medium=email&utm_content=readmore&utm_camp

aign=8 4593

22

Regulation of IoT

The types of “Things” are very diverse: ◦ Electronic devices

◦ Household appliances

◦ Farm equipment

◦ Smart meters and thermostats

◦ Medical devices

◦ Wearables © weedezign/shutterstock.com

◦ Inventory, functionality and efficiency management tools

◦ Pet care

◦ Airline engines

◦ Connected cars, and more!

23

Privacy & Data Security Issues for

IoT

“Holy sh*t! Smart toilet hack attack!” Free app lets anyone remotely harass toilet's occupant, run up water

bill.

By Sean Gallagher - Aug 4 2013, 5:30pm EDT

Source: http://arstechnica.com/security/2013/08/holy-sht-smart-toilet-hack-

attack/

“Fiat Chrysler Recall Demonstrates New

IoT World” By Jedidiah Bracy, CIPP/E, CIPP/US - Privacy Tech | Jul 24, 2015

Source: https://iapp.org/news/a/fiat-chrysler-recall-demonstrates-new-iot-world/

24

Regulation of IoT

Current Role of FTC

◦ Sec. 5 of FTC Act – unfair and deceptive

trade practices In re TRENDnet, Inc., FTC Matter/File No. 122 3090

(2014)

◦ Industry research and guidance on

recommended practices The Internet of Things: Privacy and Security in a

Connected World, FTC Staff Report (Jan. 2015)

Careful Connections: Building Security in the Internet of

Things,

FTC (Jan. 2015)

25

Regulation of IoT

Current Role of FCC

◦ Spectrum management and wireless

equipment, Title III

◦ Privacy & Data Security

If ISPs or telecommunications services

involved, Title II, 47 U.S.C. § § 201 and 222

If cable services involved, Title VI, 47 U.S.C. §

551

If satellite services involved, Title III, 47 U.S.C.

§ 338(i)

26

Regulation of IoT

Current Role of States

◦ Legislative & Regulatory

Unfair and deceptive trade practice laws

Privacy Laws

Data Security laws

Data breach notification laws

◦ State Public Utility and Public Service

Commissions/NARUC

◦ State Insurance Commissions

◦ Executive Branch

27

Connected Cars

Mike Thompson/Detroit Free Press

28

Audience Polling Question

What company leads in

manufacturing anonymous

vehicles?

◦ Tesla

◦ Google

◦ Mercedes Benz

◦ John Deere

◦ General Motors

29

Regulation of Connected Cars Definitions:

◦ Connected Vehicle – Dynamic exchange of wireless

data allows vehicle-to-vehicle communications, and

vehicle-to-infrastructure communications, locally and

through centralized infrastructure

© Bloomua/Shutterstock.com

30

Regulation of Connected Cars

◦ Automated Vehicle – assumes a certain level of

command over vehicle performance

Level 0 – No automation

Level 1 – Function-specific automation

Level 2 – Combined-function automation

Level 3 – Limited self-driving automation

Level 4 – Full self-driving automation (i.e., autonomous)

Source: National Highway Transportation Safety

Administration (NHTSA), Preliminary Statement of Policy

Concerning Automated Vehicles (May 2013)

31

Regulation of Connected Cars

© iQoncept./Shutterstock.com

◦ Autonomous Vehicle – (AKA “robotic cars”

“self-driving car,” and “driverless car”) “a motor

vehicle that uses artificial intelligence, sensors

and global positioning system coordinates to

drive itself without the active intervention of a

human operator.”

Source: Nev. Rev. Stat. §§ 482A.025, .030 (2014)

32

Regulation of Connected Cars

State of Development and Technology:

◦ Connected cars –

Telematics (e.g., navigational & concierge services);

vehicle-to-vehicle communications (e.g., accident

avoidance) and vehicle-to-infrastructure communications

(e.g. ,traffic lights)

Transportation Network Sharing connections via mobile

applications to book reservations, provide navigational

services, track and profile consumers for operational and

advertising/marketing purposes

33

Regulation of Connected Cars

◦ Automated cars –

Major auto manufacturers announced plans to begin

offering semi-automated driving systems over the next

18 months.

Source: http://recode.net/2015/06/23/ford-joins-rivals-in-

ramping-up-self-driving-car-tech/

34

Regulation of Connected Cars

“Google didn’t lead the self-driving vehicle

revolution. John Deere did.” By Andrea Peterson June 22, 2015, The Washington Post

Source: https://www.washingtonpost.com/blogs/the-switch/wp/2015/06/22/google-didnt-lead-the-

self-driving-vehicle-revolution-john-deere-did/

Fully Autonomous Vehicles – Level 4

John Deere is the leading operator and manufacturer

of autonomous vehicles, and has manufactured

automated and autonomous mowers, tractors and

other farm equipment since 2000

35

Regulation of Connected Cars

State of development and technology

cont’d:

◦ Fully Autonomous Cars – Level 4

Google’s second-generation prototype introduced in

2014 – no steering wheel, no accelerator or brakes, and

no means for occupant to assume control of vehicle

except to input destination

36

Regulation of Connected Cars

37

“Google announced today that its panda-shaped self-driving cars are

now puttering around the streets of Mountain View, California. Quartz

first reported in March that Google was likely to start trialling its cars this

year.” Source: http://qz.com/437788/googles-self-driving-cars-are-now-on-the-streets-of-california/

Google’s self-driving cars are now on the streets of

California

Written by Mike Murphy June 25, 2015

Privacy and Data Security Issues for

Connected Cars

“Connected Cars are Here. The Good News Is That

Privacy Is Being Taken Seriously”

By Joshua Harris - Privacy Perspectives | Feb 3, 2014

Source: https://iapp.org/news/a/connected-cars-are-here-the-good-news-is-that-privacy-is-

being-taken-serio/

“Fiat Chrysler will recall vehicles over hacking worries”

By David Shepardson, Detroit News Washington Bureau 3:53 p.m. EDT July 24, 2015

Source: http://www.detroitnews.com/story/business/autos/2015/07/24/us-pushing-guard-

vehicle-cyberhacking/30613567/

“Hacks on the highway - Automakers rush to add

wireless features, leaving our cars open to hackers”

Story by Craig Timberg, The Washington Post, July 22, 2015

Source: http://www.washingtonpost.com/sf/business/2015/07/22/hacks-on-the-highway/

38

Privacy and Data Security Issues

cont’d.

Primary Problem? “Manufacturers have belatedly begun trying to retrofit

protections into their onboard computers. But experts say

it is notoriously difficult to build security into systems that

were not designed for it from the beginning — a problem

that long has bedeviled the larger online world as it has

evolved from a network run by a few dozen computer

scientists to a vast system open to billions of people

worldwide.”

“Hacks on the highway - Automakers rush to add wireless features, leaving our cars

open to hackers” Story by Craig Timberg, The Washington Post, July 22, 2015

39

Regulation of Connected Cars

Source: Autonomous car humor. Second original cartoon for Automotive IT News by Garth Gerhart:

http://www.automotiveitnews.org/articles/169450/driverless-car-humor-original-cartoon/

40

Regulation of Connected Cars

Historic and Current Role of States:

◦ Dept. of Motor Vehicles - Authority to regulate

own roads and highway systems and testing of

automated/autonomous vehicles

California

Florida

Michigan

Nevada

District of Columbia

◦ State Insurance Commissions

41

Regulation of Connected Cars

◦ Legislative & Regulatory:

Unfair and deceptive trade practice laws

Privacy Laws

Data Security laws

Data breach notification laws

◦ Executive Branch

◦ State Public Utility and Public Service

Commissions

42

Regulation of Connected Cars

Current Role of FTC:

◦ Sec. 5, FTC Act

◦ FTC - The “Sharing” Economy Workshop (June

2015)

Issues Facing Platforms, Participants, and Regulators

Current Role of FCC:

◦ Spectrum management and wireless equipment

Title III

◦ Privacy & Data Security

If ISP or telecommunications services, Title II

43

Regulation of Connected Cars

Role of other Federal Agencies:

◦ U.S. Dept. of Transportation/NHTSA

Responsible for setting Federal Motor Safety Standards

Broad authority to regulate use and design

New rules require new vehicles sold in U.S. to include

Event Data Recorder (“EDR”), functional equivalent to

airplane black box

Potential central database of all computer data

aggregated and communicated about the vehicle

and/or its drivers over time

44

Regulation of Connected Cars

DOT/NHTSA Cont’d: ◦ ANPRM on V2V Communications, NHTSA-2014-0022 and

accompanying report, ‘‘Vehicle-to-Vehicle Communications:

Readiness of V2V Technology for Application,” Report No.

DOT HS 812014 (2014)

FTC Filed formal comments (Oct. 20, 2014):

“The Commission supports NHTSA’s commitment to

the principle that any regulation of V2V technologies

should ‘both protect[] individual privacy and

promote[] this important safety technology’ and be

rooted in the framework of the Fair Information

Practice Principles.” Source: https://www.ftc.gov/system/files/documents/advocacy_documents/federal-trade-

commission-comment-national-highway-traffic-safety-administration-regarding-

nhtsa/141020nhtsa-2014-0022.pdf (footnotes omitted)

45

Regulation of Connected Cars

Role of Automotive Industry

◦ Association of Global Automakers and the

Alliance of Automobile Manufacturers, Inc.

“Consumer Privacy Protection Principles for

Vehicle Technologies and Services” (2014) Source: https://www.globalautomakers.org/topic/privacy

46

Predictions and Best Practices

Increased Legislative Oversight (Federal,

State, Local and International)

Evolving Statutes and Regulations

Increased Consumer Education and

Awareness

Advancements in Technology

Privacy and Data Security by Design

47

Additional Resources FTC:

◦ FTC Business Education - Privacy and Security: https://www.ftc.gov/tips-

advice/business-center/privacy-and-security

◦ The Sharing Economy Workshop: https://www.ftc.gov/news-

events/events-calendar/2015/06/sharing-economy-issues-facing-

platforms-participants-regulators

◦ Cases and Proceedings: https://www.ftc.gov/enforcement/cases-

proceedings

FCC:

◦ Enforcement Bureau: http://transition.fcc.gov/eb/

◦ Protecting Proprietary Information Including CPNI:

http://transition.fcc.gov/eb/PI/

U.S. Dept. of Transportation/National Highway Traffic Safety

Administration

◦ V2V Communications website: http://www.safercar.gov/v2v/index.html

California Public Utility Commission: http://www.cpuc.ca.gov/puc/

48

Additional Resources Cont’d.

Allseen Alliance: https://allseenalliance.org/announcement/allseen-

alliance-deepens-it-infrastructure-and-cloud-computing-expertise-iot

Open Interconnect Consortium, Inc.: http://openinterconnect.org/oic-

news-releases/open-interconnect-consortium-announces-new-members-and-

standards-milestone/

Google: http://www.google.com/selfdrivingcar/

49

Thank You & Good Luck!

Christopher Olsen, Partner, Wilson Sonsini Goodrich &

Rosati – COlsen@wsgr.com

Phillip Rosario, Deputy Chief, Enforcement Bureau, Federal

Communications Commission – Phillip.Rosario@fcc.gov

Catherine J.K. Sandoval, Commissioner, California Public

Utility Commission – CatherineJ.K.Sandoval@cpuc.ca.gov

S. Jenell Trigg, CIPP/US, Member, Chair, Intellectual

Property, New Media & Technology Practice Group, Lerman

Senter – STrigg@lermansenter.com

50