Privacy. Security. Risk. 2015 Presented by the IAPP Privacy Academy and CSA Congress
Las Vegas, NV
“Who’s on First? Regulatory Authority
for the Internet of Things,
Connected Cars and ISPs”
Breakout Session
Wednesday, September 30, 2015
11:00 AM – 12 Noon
Moderator:
◦ S. Jenell Trigg, CIPP/US, Member and Chair, Intellectual Property, New Media & Technology Practice Group, Lerman Senter PLLC
Panelists:
◦ Christopher Olsen, Partner, Wilson Sonsini Goodrich & Rosati (former Deputy Director, Bureau of Consumer Protection, Federal Trade Commission)
◦ Phillip Rosario, Deputy Chief, Enforcement Bureau,
Federal Communications Commission
◦ Catherine J.K. Sandoval, Commissioner, California Public Utility Commission
2
Regulation of Internet Service Providers
Historic and Current Role of FTC
◦ Section 5 of FTC Act – Unfair and
Deceptive Trade Practices
◦ In the Matter of GeoCities (1999)
◦ FTC v. Pricewert LLC (N.D. Cal. 2009)
◦ USA v. Google Inc. (N.D. Cal. 2012)
◦ Fair Credit Reporting Act
◦ USA v. Time Warner Cable, Inc. (S.D. NY
2013)
◦ Children’s Online Privacy Protection Act
3
Regulation of ISPs
Challenges to FTC Authority under Sec. 5
to enforce unfair data security practices
◦ FTC v. Wyndham Hotels & Resorts, LLC
et al. (D. Ariz. 2012)
Affirmed by U. S. Court of Appeals, Third Circuit
(Aug. 2015)
◦ In re LabMD, Inc., File No. 102 3099
(2013)
Appealed to U.S. District Court, N.D. Georgia (2014)
Appealed to U.S. Court of Appeals, 11th Circuit (2015)
4
Regulation of ISPs
Historic and Current Role of FCC Re:
Privacy & Data Security
◦ Title VI – Cable, Protection of
subscriber privacy, 47 U.S.C. § 551
◦ Title III – Satellite, Privacy rights of
satellite subscribers, 47 U.S.C. §
338(i)
◦ Title II – Privacy of customer
information, 47 U.S.C. § 222
◦ Title II – Service and charges, 47
U.S.C. § 201(b)
5
Regulation of ISPs
Title II – Recent Privacy Enforcement
◦ TerraCom, Inc. and YourTel America, Inc., FCC 14-173 (2014) – $10 million NAL for failure to protect proprietary information
TerraCom and YourTel Consent Decree - $3.5 Million Settlement, DA -15-776 (July 2015)
◦ AT&T Services, Inc., DA 15-399 (2015) – $25
Million civil penalty for failure to protect CPNI at
foreign call centers
6
Regulation of ISPs
Title II – Protecting and Promoting the Open
Internet, Report and Order on Remand,
Declaratory Ruling, and Order, FCC 15-24 (March
2015), effective June 12, 2015
◦ Reclassified broadband Internet access service
providers as “common carriers” from “information
service providers”
7
Regulation of ISPs
FCC Regulations – 47 C.F.R. §§ 64.2001 et seq.
◦ Forbearance of current telephonic-centric
regulations
◦ Pending rulemaking to establish ISP-specific
privacy and data security requirements
Statutory Requirements – 47 U.S.C. § 222
◦ FCC Enforcement Advisory, Open Internet
Privacy Standard, DA 15-603 (May 2015) –
enforceable core tenets
8
Regulation of ISPs
Status of litigation against FCC’s Open Internet Order
◦ Multiple petitions consolidated in D.C. Circuit, U.S. Court of Appeals – U.S. Telecom Assn et al. v. FCC & USA (2015)
◦ Stay denied, but granted expedited review
◦ Primary Issue:
Whether the FCC lawfully reclassified fixed and
mobile broadband Internet access service as a
telecommunications service
9
Regulation of ISPs
Impact of Open Internet Order on FTC
Authority Under Sec. 5
◦ Common Carrier Exemption – Prohibits
FTC from certain enforcement actions
against ISPs
Status v. Activity-based determination
FTC v. AT&T Mobility, LLC (N.D. Cal. 2015)
10
Regulation of ISPs
FTC Common Carrier Exemption as applied to newly classified ISPs and repeal
“[K]eeping the FTC in the picture is important, but I think there would be some hard thinking about how one would come up with a rational regulatory scheme to have the FTC and the FCC in this space. I think that would be more difficult. But with that being said, the FTC does work in areas where a lot of other agencies also have authority – the FDA, CFPB, I mean the list sort of goes on and on. So it’s not unusual that we or industry have to work in the area where there are more than one regulatory agency playing a role.”
Remarks of FTC Commissioner Maureen K. Ohlhausen, American Enterprise Institute, April 1, 2015
11
FTC v. FCC - General Differences
FTC v. AT&T Mobility LLC, Case No. 3:14-cv-04785, EMC, U.S. District Court (N.D. Cal. Mar. 2013)
◦ Alleged deceptive and unfair trade practices for data throttling
AT&T Mobility, LLC, NAL for Forfeiture & Order, No. EB-IHD-14-00017504, FCC 15-63 (June 2015)
◦ Violation of 2010 Open Internet Transparency Rules
Differences in enforcement process, redress v. fines
12
Regulation of ISPs
Impact of shifting regulatory authority on
Online Behavioral Advertising (OBA) and
Big Data ecosystem?
◦ FCC concerns regarding convergence of Big
Data over multiple platforms
“We have to think hard about the privacy regime for a converging world.”
Travis LeBlanc, Chief, FCC Enforcement Bureau, Communications Daily 3/26/2015, remarks at ABA/FCBA 10th Annual Privacy & Data Security Symposium, March 25, 2015
13
Regulation of ISPs
Reported FCC pending enforcement
investigations since its Open Internet Order
14
Regulation of ISPs
Role of other Federal
Agencies/Branches
◦ The White House
Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy and Consumer Privacy Bill of Rights (Feb. 2012)
◦ U.S. Congress
15
Regulation of ISPs
Role of other Federal Agencies/Branches
cont’d
◦ U. S. Dept. of Commerce, National
Telecommunications & Information
Administration (NTIA)
White House policy
Multistakeholder process for mobile apps &
facial recognition
◦ U.S. Dept. of Justice
Cybercrimes
"Usdepartmentofjustice". Licensed under CC BY-SA 3.0 via Wikimedia Commons - https://commons.wikimedia.org/wiki/File:Usdepartmentofjustice.jpg#/media/File:Usdepartmentofjustice.jpg
◦ U.S. Dept. of Homeland Security
Cybercrimes
16
Regulation of ISPs
Historic & Current Role of States
◦ States have little “FTC Acts” that
prohibit unfair and/or deceptive trade
practices
◦ Some states have specific privacy and
data security laws
Privacy Policy
Data Security
Data Breach Notification
◦ State laws are not necessarily pre-empted
by federal laws
17
Regulation of ISPs
◦ State Public Utility and Public Service
Commissions
National Association of Regulatory Utility
Commissioners (NARUC)
◦ Executive Branch
◦ Legislative Branch
18
Audience Polling Question
Do the benefits of IoT outweigh
your concerns regarding privacy
and data security?
◦ Yes
◦ No
◦ Unsure
19
Audience Polling Question
Do the benefits of IoT outweigh your
concerns regarding privacy and data
security?
Compare with 2015 Ponemon Survey Results:
◦ Yes – 44%
◦ No – 42%
◦ Unsure – 14%
Source: Ponemon Institute Survey, Privacy and Security in a
Connected Life: A Study of US, European and Japanese Consumers
(March 2015)
20
Regulation of Internet of Things
(IoT)
The Internet of Things
◦ Definition: “‘[T]hings’ such as devices or sensors –
other than computers, smartphones, or tablets – that
connect, communicate or transmit information with or
between each other through the Internet.”
Source: Internet of Things: Privacy & Security in a Connected World,
FTC Staff Report (Jan. 2015)
21
Regulation of IoT
State of development and technology:
◦ End of 2015 estimated 25 Billion connected devices
◦ End of 2020 estimated 50 Billion connected devices
Source: Internet of Things: Privacy & Security in a Connected World, FTC Staff Report (Jan. 2015)
◦ By End of 2015, 4X more things than people will be connected to the Internet – 3 Billion people connected to Internet
Source: http://www.mediapost.com/publications/article/254305/internet-connections-coming-25-billion-things4.html?utm_source=newsletter&utm_medium=email&utm_content=readmore&utm_campaign=8 4593
22
Regulation of IoT
The types of “Things” are very diverse:
◦ Electronic devices
◦ Household appliances
◦ Farm equipment
◦ Smart meters and thermostats
◦ Medical devices
◦ Wearables
◦ Inventory, functionality and efficiency management tools
◦ Pet care
◦ Airline engines
◦ Connected cars, and more!
© weedezign/shutterstock.com
23
Privacy & Data Security Issues for
IoT
“Holy sh*t! Smart toilet hack attack!”
Free app lets anyone remotely harass toilet's occupant, run up water bill.
By Sean Gallagher - Aug 4 2013, 5:30pm EDT
Source: http://arstechnica.com/security/2013/08/holy-sht-smart-toilet-hack-attack/
“Fiat Chrysler Recall Demonstrates New IoT World”
By Jedidiah Bracy, CIPP/E, CIPP/US - Privacy Tech | Jul 24, 2015
Source: https://iapp.org/news/a/fiat-chrysler-recall-demonstrates-new-iot-world/
24
Regulation of IoT
Current Role of FTC
◦ Sec. 5 of FTC Act – unfair and deceptive trade practices
In re TRENDnet, Inc., FTC Matter/File No. 122 3090 (2014)
◦ Industry research and guidance on recommended practices
The Internet of Things: Privacy and Security in a Connected World, FTC Staff Report (Jan. 2015)
Careful Connections: Building Security in the Internet of Things, FTC (Jan. 2015)
25
Regulation of IoT
Current Role of FCC
◦ Spectrum management and wireless
equipment, Title III
◦ Privacy & Data Security
If ISPs or telecommunications services involved, Title II, 47 U.S.C. §§ 201 and 222
If cable services involved, Title VI, 47 U.S.C. §
551
If satellite services involved, Title III, 47 U.S.C.
§ 338(i)
26
Regulation of IoT
Current Role of States
◦ Legislative & Regulatory
Unfair and deceptive trade practice laws
Privacy Laws
Data Security laws
Data breach notification laws
◦ State Public Utility and Public Service
Commissions/NARUC
◦ State Insurance Commissions
◦ Executive Branch
27
Connected Cars
Mike Thompson/Detroit Free Press
28
Audience Polling Question
What company leads in manufacturing autonomous vehicles?
◦ Tesla
◦ Mercedes Benz
◦ John Deere
◦ General Motors
29
Regulation of Connected Cars
Definitions:
◦ Connected Vehicle – Dynamic exchange of wireless
data allows vehicle-to-vehicle communications, and
vehicle-to-infrastructure communications, locally and
through centralized infrastructure
© Bloomua/Shutterstock.com
30
Regulation of Connected Cars
◦ Automated Vehicle – assumes a certain level of
command over vehicle performance
Level 0 – No automation
Level 1 – Function-specific automation
Level 2 – Combined-function automation
Level 3 – Limited self-driving automation
Level 4 – Full self-driving automation (i.e., autonomous)
Source: National Highway Transportation Safety
Administration (NHTSA), Preliminary Statement of Policy
Concerning Automated Vehicles (May 2013)
31
Regulation of Connected Cars
© iQoncept./Shutterstock.com
◦ Autonomous Vehicle – (AKA “robotic cars,”
“self-driving car,” and “driverless car”) “a motor
vehicle that uses artificial intelligence, sensors
and global positioning system coordinates to
drive itself without the active intervention of a
human operator.”
Source: Nev. Rev. Stat. §§ 482A.025, .030 (2014)
32
Regulation of Connected Cars
State of Development and Technology:
◦ Connected cars –
Telematics (e.g., navigational & concierge services);
vehicle-to-vehicle communications (e.g., accident
avoidance) and vehicle-to-infrastructure communications
(e.g., traffic lights)
Transportation Network Sharing connections via mobile
applications to book reservations, provide navigational
services, track and profile consumers for operational and
advertising/marketing purposes
33
Regulation of Connected Cars
◦ Automated cars –
Major auto manufacturers announced plans to begin
offering semi-automated driving systems over the next
18 months.
Source: http://recode.net/2015/06/23/ford-joins-rivals-in-
ramping-up-self-driving-car-tech/
34
Regulation of Connected Cars
“Google didn’t lead the self-driving vehicle revolution. John Deere did.”
By Andrea Peterson June 22, 2015, The Washington Post
Source: https://www.washingtonpost.com/blogs/the-switch/wp/2015/06/22/google-didnt-lead-the-self-driving-vehicle-revolution-john-deere-did/
Fully Autonomous Vehicles – Level 4
John Deere is the leading operator and manufacturer
of autonomous vehicles, and has manufactured
automated and autonomous mowers, tractors and
other farm equipment since 2000
35
Regulation of Connected Cars
State of development and technology
cont’d:
◦ Fully Autonomous Cars – Level 4
Google’s second-generation prototype introduced in
2014 – no steering wheel, no accelerator or brakes, and
no means for occupant to assume control of vehicle
except to input destination
36
Regulation of Connected Cars
Google’s self-driving cars are now on the streets of California
Written by Mike Murphy June 25, 2015
“Google announced today that its panda-shaped self-driving cars are now puttering around the streets of Mountain View, California. Quartz first reported in March that Google was likely to start trialling its cars this year.”
Source: http://qz.com/437788/googles-self-driving-cars-are-now-on-the-streets-of-california/
37
Privacy and Data Security Issues for
Connected Cars
“Connected Cars are Here. The Good News Is That Privacy Is Being Taken Seriously”
By Joshua Harris - Privacy Perspectives | Feb 3, 2014
Source: https://iapp.org/news/a/connected-cars-are-here-the-good-news-is-that-privacy-is-being-taken-serio/
“Fiat Chrysler will recall vehicles over hacking worries”
By David Shepardson, Detroit News Washington Bureau 3:53 p.m. EDT July 24, 2015
Source: http://www.detroitnews.com/story/business/autos/2015/07/24/us-pushing-guard-vehicle-cyberhacking/30613567/
“Hacks on the highway - Automakers rush to add wireless features, leaving our cars open to hackers”
Story by Craig Timberg, The Washington Post, July 22, 2015
Source: http://www.washingtonpost.com/sf/business/2015/07/22/hacks-on-the-highway/
38
Privacy and Data Security Issues
cont’d.
Primary Problem?
“Manufacturers have belatedly begun trying to retrofit
protections into their onboard computers. But experts say
it is notoriously difficult to build security into systems that
were not designed for it from the beginning — a problem
that long has bedeviled the larger online world as it has
evolved from a network run by a few dozen computer
scientists to a vast system open to billions of people
worldwide.”
“Hacks on the highway - Automakers rush to add wireless features, leaving our cars
open to hackers” Story by Craig Timberg, The Washington Post, July 22, 2015
39
Regulation of Connected Cars
Source: Autonomous car humor. Second original cartoon for Automotive IT News by Garth Gerhart:
http://www.automotiveitnews.org/articles/169450/driverless-car-humor-original-cartoon/
40
Regulation of Connected Cars
Historic and Current Role of States:
◦ Dept. of Motor Vehicles - Authority to regulate
own roads and highway systems and testing of
automated/autonomous vehicles
California
Florida
Michigan
Nevada
District of Columbia
◦ State Insurance Commissions
41
Regulation of Connected Cars
◦ Legislative & Regulatory:
Unfair and deceptive trade practice laws
Privacy Laws
Data Security laws
Data breach notification laws
◦ Executive Branch
◦ State Public Utility and Public Service
Commissions
42
Regulation of Connected Cars
Current Role of FTC:
◦ Sec. 5, FTC Act
◦ FTC - The “Sharing” Economy Workshop (June
2015)
Issues Facing Platforms, Participants, and Regulators
Current Role of FCC:
◦ Spectrum management and wireless equipment
Title III
◦ Privacy & Data Security
If ISP or telecommunications services, Title II
43
Regulation of Connected Cars
Role of other Federal Agencies:
◦ U.S. Dept. of Transportation/NHTSA
Responsible for setting Federal Motor Safety Standards
Broad authority to regulate use and design
New rules require new vehicles sold in U.S. to include
Event Data Recorder (“EDR”), functional equivalent to
airplane black box
Potential central database of all computer data
aggregated and communicated about the vehicle
and/or its drivers over time
44
Regulation of Connected Cars
DOT/NHTSA Cont’d:
◦ ANPRM on V2V Communications, NHTSA-2014-0022 and accompanying report, “Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application,” Report No. DOT HS 812014 (2014)
FTC filed formal comments (Oct. 20, 2014):
“The Commission supports NHTSA’s commitment to the principle that any regulation of V2V technologies should ‘both protect[] individual privacy and promote[] this important safety technology’ and be rooted in the framework of the Fair Information Practice Principles.”
Source: https://www.ftc.gov/system/files/documents/advocacy_documents/federal-trade-commission-comment-national-highway-traffic-safety-administration-regarding-nhtsa/141020nhtsa-2014-0022.pdf (footnotes omitted)
45
Regulation of Connected Cars
Role of Automotive Industry
◦ Association of Global Automakers and the
Alliance of Automobile Manufacturers, Inc.
“Consumer Privacy Protection Principles for Vehicle Technologies and Services” (2014)
Source: https://www.globalautomakers.org/topic/privacy
46
Predictions and Best Practices
Increased Legislative Oversight (Federal,
State, Local and International)
Evolving Statutes and Regulations
Increased Consumer Education and
Awareness
Advancements in Technology
Privacy and Data Security by Design
47
Additional Resources
FTC:
◦ FTC Business Education - Privacy and Security: https://www.ftc.gov/tips-advice/business-center/privacy-and-security
◦ The Sharing Economy Workshop: https://www.ftc.gov/news-events/events-calendar/2015/06/sharing-economy-issues-facing-platforms-participants-regulators
◦ Cases and Proceedings: https://www.ftc.gov/enforcement/cases-proceedings
FCC:
◦ Enforcement Bureau: http://transition.fcc.gov/eb/
◦ Protecting Proprietary Information Including CPNI:
http://transition.fcc.gov/eb/PI/
U.S. Dept. of Transportation/National Highway Traffic Safety
Administration
◦ V2V Communications website: http://www.safercar.gov/v2v/index.html
California Public Utility Commission: http://www.cpuc.ca.gov/puc/
48
Additional Resources Cont’d.
Allseen Alliance: https://allseenalliance.org/announcement/allseen-alliance-deepens-it-infrastructure-and-cloud-computing-expertise-iot
Open Interconnect Consortium, Inc.: http://openinterconnect.org/oic-news-releases/open-interconnect-consortium-announces-new-members-and-standards-milestone/
Google: http://www.google.com/selfdrivingcar/
49
Thank You & Good Luck!
Christopher Olsen, Partner, Wilson Sonsini Goodrich &
Rosati – [email protected]
Phillip Rosario, Deputy Chief, Enforcement Bureau, Federal
Communications Commission – [email protected]
Catherine J.K. Sandoval, Commissioner, California Public
Utility Commission – [email protected]
S. Jenell Trigg, CIPP/US, Member, Chair, Intellectual
Property, New Media & Technology Practice Group, Lerman
Senter – [email protected]
50