CLA’s Privacy Law Section summarizes important developments in California privacy and beyond.
FTC Announces Changes To The GLBA Safeguards Rule
By Natalie Marcell
The Federal Trade Commission issued its update to the Safeguards Rule of the Gramm-Leach-Bliley Act on October 27, 2021.
The Safeguards Rule obligates covered financial institutions to develop, implement and maintain a comprehensive information security program.
The new Safeguards Rule is much more detailed in terms of the elements required in an information security program. These amendments bring the FTC’s expectations of what cybersecurity is required under the Gramm-Leach-Bliley Act more in line with what the FTC has been requiring in enforcement actions under its Section 5 authority.
While the Safeguards Rule applies to financial institutions under the FTC’s jurisdiction, the new rule provides guidance as to what specific elements of a cybersecurity program the FTC expects of any entity collecting personal information.
Some of the new sections added to the Safeguards Rule go into effect 30 days after publication in the Federal Register while others go into effect 1 year after publication.
The following requirements go into effect 30 days after publication in the Federal Register:
- Finders are now financial institutions subject to the Safeguards Rule. The definition of “financial institution” has been expanded to include “finders,” i.e., companies that bring together buyers and sellers of a product or service for transactions the parties themselves negotiate and consummate (an activity treated as incidental to financial activity). According to the FTC’s notice, only finding services involving consumer transactions are covered; the rule will not reach finders that have only isolated interactions with consumers and receive no information from other financial institutions about those institutions’ customers. The Commission noted that it believes this excludes most advertising agencies and similar businesses, which generally do not have continuing relationships with consumers using their services for personal or household purposes.
- The definition of “security event” is not narrowed to exclude events involving encrypted customer information, even where the encryption key was not compromised.
- Risk assessment must be performed. The assessment must identify reasonably foreseeable risks and assess the sufficiency of safeguards in place. The written information security program required by the new Safeguards Rule must be based on this risk assessment.
- A written information security program is required. The written information security program must include the new elements of the Safeguards Rule including:
  - Periodic risk assessments to reexamine reasonably foreseeable risks and reassess the safeguards in place. The Commission declined to set a specific schedule for how frequently risk assessments must be performed.
  - Regular testing or monitoring of the effectiveness of key controls. At the 1-year effective date, penetration testing must be performed at least annually and vulnerability assessments at least every 6 months, as well as whenever there is an elevated risk that a new vulnerability has been introduced into the financial institution’s information systems. The Commission noted that simulated social engineering and phishing are important parts of testing the security of information systems.
  - Oversight of service providers. Due diligence is required in selecting and retaining service providers, and contracts with service providers must require them to implement and maintain appropriate safeguards.
  - The information security program must be periodically evaluated and adjusted in light of test results, material changes to operations or business arrangements, and any other circumstances that may materially affect it.
The following requirements go into effect 1 year after publication in the Federal Register:
- A “Qualified Individual” must be designated. The QI is responsible for overseeing, implementing and enforcing the information security program. The QI can be employed by the financial institution, or an affiliate, or a service provider, but there are additional requirements if using an affiliate or service provider. The QI is required under the new Safeguards Rule to report to the board of directors or equivalent governing body at least annually.
- The risk assessment must be written. Elements required for the written risk assessment include: criteria for the evaluation and categorization of identified security risks or threats; criteria for assessing the confidentiality, integrity and availability of information systems and customer information; criteria for assessing the adequacy of existing controls in the context of the risks identified; and a description of how identified risks will be mitigated or accepted and how the information security program will address those risks. As to risks that are accepted, the Commission noted that “[a] financial institution that is concerned that its decision to accept a risk will later be questioned may choose to set forth whatever context or explanation it sees fit in the written assessment.”
- The information security program must include specific safeguards of the new rule including:
  - Implementing and periodically reviewing access controls, both technical and physical, so that only authorized users can access customer information, and only the information they need to perform their duties.
  - An inventory of the data, personnel, devices, systems and facilities the institution relies on, managed according to their relative importance to the business.
  - Encryption of all customer information held or transmitted, both in transit over external networks and at rest. Where encryption is infeasible, the Qualified Individual may review and approve an effective alternative compensating control.
  - Adoption of secure development practices for in-house developed applications used to transmit, access or store customer information.
  - Adoption of procedures for evaluating the security of externally developed applications used to transmit, access or store customer information.
  - Implementation of multi-factor authentication for any individual accessing any information system, including employees, customers or others, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls.
  - Development and implementation of procedures for the secure disposal of customer information, in any format, no later than 2 years after the last date the information is used in connection with providing a product or service to the customer. Exceptions apply where retention is necessary for business operations or other legitimate business purposes, is required by law or regulation, or where targeted disposal is not reasonably feasible because of the manner in which the information is maintained.
  - Periodic review of data retention policies to minimize unnecessary retention of data.
  - Adoption of change management procedures to assess the security of any changes made to the information system or network.
  - Implementation of policies and procedures to monitor and log the activity of authorized users and to detect unauthorized access to, use of, or tampering with customer information. This requirement also applies to paper records.
  - Continuous monitoring, or periodic testing and assessment. Continuous monitoring means systems that detect, on an ongoing basis, changes in the information system that may create vulnerabilities. If the institution instead opts for periodic testing, it must perform at a minimum annual penetration testing and semiannual (every 6 months) vulnerability assessments, plus additional assessments whenever there is a material change to operations or an elevated risk of new vulnerabilities. The Commission noted that it believes semiannual vulnerability assessments may not be sufficient in all cases.
  - Personnel training is required, including security awareness training updated as necessary to reflect the risks identified by the risk assessment.
  - Service providers must be assessed periodically based on the risk they present and the continued adequacy of their safeguards.
  - A written incident response plan is required, covering goals, internal processes for responding to a security event, roles and responsibilities, internal and external communications, remediation of identified weaknesses, and documentation and reporting of security events.
- Annual written report to the Board of Directors required. This must be done by the designated Qualified Individual. The report must address the overall status of the information security program, compliance with the Safeguards Rule, material matters related to the information security program, and recommendations for changes in the information security program.
The changes to the Safeguards Rule introduce some exceptions. Financial institutions that maintain customer information concerning fewer than 5,000 consumers are exempt from the requirement to have a written risk assessment (they must still conduct risk assessments), the requirement for continuous monitoring or periodic penetration testing and vulnerability assessments, the requirement for a written incident response plan, and the requirement of an annual written report to the Board of Directors by the Qualified Individual.
The revised Safeguards Rule is pending publication in the Federal Register and codification to the Code of Federal Regulations. The FTC’s proposed text of the Federal Register Notice is available here.
Additional changes to the Safeguards Rule are on the horizon as the FTC is currently seeking comment on the Commission’s plan to add a reporting requirement. The FTC’s Notice of Proposed Rulemaking is available here.
Under the proposed reporting requirement, financial institutions will be required to report to the FTC all security events where the institution has determined misuse of customer information has occurred or is reasonably likely and at least 1,000 customers have been affected or reasonably may be affected. The Commission is proposing a timing requirement of 30 days after discovery of the security event. The Commission also plans on making these security event reports public. The FTC indicates that these reports will ensure that the Commission is aware of security events that could suggest a financial institution’s security program does not comply with the Safeguard Rule’s requirements and therefore help the Commission enforce the Rule.
FTC Examines What Internet Service Providers Know About You
By Brandon M. Jasso, CIPP/US
On October 21, 2021, the Federal Trade Commission (“FTC”) issued a press release (“Press Release”) (see here) discussing the FTC staff report entitled A Look At What ISPs Know About You: Examining the Privacy Practices of Six Major Internet Service Providers (“Report”) (see Report here). The Report’s data came from an FTC order (“Order”) sent to six of the largest internet service providers (“ISP” or “ISPs”) seeking information under section 6(b) of the FTC Act (see here).
The six ISPs to which the Order was sent were: (1) AT&T Mobility LLC; (2) Cellco Partnership, doing business as Verizon Wireless; (3) Charter Communications Operating LLC; (4) Comcast Cable Communications, doing business as Xfinity; (5) T-Mobile US Inc.; and (6) Google Fiber Inc. (the “ISP Order Recipients”). The FTC’s Order sought information on how the ISPs collected, retained, and used customer information across their various systems (for more on the Order’s requests, see here).
The Press Release stated that “[m]any internet service providers (ISPs) collect and share far more data about their customers than many consumers may expect—including access to all of their Internet traffic and real-time location data—while failing to offer consumers meaningful choices about how this data can be used.” Furthermore, the Press Release pointed out that ISPs have evolved into technology giants that now offer a host of services including “voice, content, smart devices, advertising, and analytics.” By combining the information gained from these various services, ISPs are able to collect far more information about their customers, which gives rise to troubling practices.
The Report also pointed out that the privacy protections offered by the ISPs raise concerns, as even those that claim not to sell data “allow it to be used, transferred, and monetized by others and hide disclosures about such practices in the fine print of their privacy policies.” Additionally, many of the ISPs claim to give customers the right to access their data and choices about how it is used. However, access is made extremely difficult, and customers are often nudged to share more information, which can be retained for extended periods under “business purpose” claims that vary from ISP to ISP.
The Report’s introduction discusses how the COVID-19 pandemic has changed the way businesses, governments, schools, and communities operate, and how consumers have become more dependent on ISPs to communicate and access services. For example, video conferencing subscriptions grew substantially, and online shopping and e-commerce grew “44% from the previous year, or over $263 billion.” It further notes that as the internet becomes more intertwined in our lives, it is important to consider how data is being aggregated and the privacy of the consumers whose data is being aggregated, “especially for minority and low-income communities.”
The introduction again identifies the ISP Order Recipients (see above), and also notes that the Order was sent to three advertising companies that do business with the ISP Order Recipients: AT&T’s AppNexus Inc. (rebranded as Xandr), and Verizon’s Verizon Online LLC and Oath Americas Inc. (rebranded as Verizon Media) (collectively, the ISP Order Recipients and the advertising companies are referred to as the “Order Recipients”). Lastly, a copy of the Order is attached to the Report as Appendix A.
- Legal Framework Applicable to ISP Privacy
The legal framework section discusses how ISPs’ various services are treated differently under “applicable regulatory frameworks.” As the Report explains, “[t]he Communications Act of 1934, as amended by the Telecommunications Act of 1996, distinguishes between so-called ‘information services’ and ‘telecommunications services,’ and if an entity is a telecommunications service it comes under the jurisdiction of the Federal Communications Commission. An entity is treated as a common carrier, and subject to Title II of the Communications Act, when providing telecommunications services but not when providing information services.” The difference is not always easy to spot, and whether an ISP’s service is an “information service” or a Title II “telecommunications service” has privacy implications on two fronts.
First, Title II imposes a duty on telecommunications services to protect customer proprietary network information (“CPNI”) and places restrictions on the use and sharing of CPNI, which provides greater protection for customers. Second, “the FTC Act exempts ‘common carrier activities subject to the Acts to regulate commerce’ from the FTC’s jurisdiction. Therefore, if a service is classified as a common carrier service under Title II of the Communications Act, the FTC loses its jurisdiction over the service.”
In 2015, the FCC classified Broadband Internet Access Service (“BIAS”), a core service of the ISPs subject to the Order, as a telecommunications service. In 2017, Congress used the Congressional Review Act to nullify the broadband privacy rules the FCC had adopted under that classification, and the FCC then reclassified BIAS as an information service in its Restoring Internet Freedom Order (adopted in December 2017). This change returned BIAS to the FTC’s jurisdiction, and the FTC enforces several laws that directly affect ISPs. Specifically, the FTC has authority to act under section 5 of the FTC Act against unfair or deceptive practices, under the Children’s Online Privacy Protection Act, and under the Fair Credit Reporting Act.
ISPs remain subject to the FCC’s jurisdiction for other services they provide, creating a dual layer of oversight; the FCC and FTC work closely together to enforce these laws and protect consumers. Lastly, there are state and local laws that address privacy, and many states also have their own consumer protection acts that address unfair and deceptive practices.
- Background Information About the Order Recipients
Again, the Order was sent to the Order Recipients, comprising six ISPs and three ISP advertising affiliates, which represented “a broad swath of the internet services offered in this country, including fixed residential internet and mobile internet providers” and a total of “approximately $130.4 billion in revenue from mobile internet and $54.8 billion dollars in revenue from fixed residential internet, annually.”
The study’s ISPs show how providers have evolved from “conduits that route internet traffic to vertically-integrated platforms” that provide internet, voice and cable access, create content, and serve ads across various devices. Collectively, the ISPs serve hundreds of millions of subscribers across residential broadband and mobile internet. For example, “Comcast is the nation’s largest fixed residential ISP with approximately 30.7 million subscribers,” while Verizon is the “nation’s largest mobile internet provider” with 94 million subscribers.
- Information Obtained From Our Study
It is worth noting that this section of the Report is the most information intensive and a thorough reading of the actual Report is encouraged.
The focus of this section is how the ISPs collect and use information across their services: “(1) core ISP services to consumers (internet, voice, video), (2) other services to consumers (e.g., IoT, content), (3) advertising, and (4) other services to businesses.”
Core Services. The discussion around core services points out that ISPs collect personal information directly from customers when they engage the ISPs for service, but also passively collect information such as device specifications, service usage information, browsing information, and location data. Furthermore, this information can be shared as needed to provide services, and including for legal purposes, fraud detection, security purposes, and research and development.
Other Services Offered to Consumers. ISPs also offer a variety of other services which allow them to collect personal information. ISPs’ additional services include, but are not limited to, tv and video streaming services, email services, content production, connected wearable devices, and search engines. Due to the multiple services offered, ISPs can collect additional information that they would not normally have access to such as home type and security, health information, vehicle information, and viewership for TV and video to name a few. The result is some ISPs can combine myriads of information across different platforms to directly identify consumers.
Advertising Services. ISPs, like traditional advertising companies, actively seek out information about consumers for advertising purposes. They gain information in three primary ways: (1) from consumers directly; (2) by buying consumer information from third-party data brokers; and (3) from property managers (based on who has moved into or within a service area). This allows ISPs to market their own services to new customers, market additional services to existing customers, advertise third-party products and services, and even provide information unrelated to advertising to third-party businesses.
Of concern is the fact that the aggregated information can be used to place individuals in demographic segments built on sensitive identifiers such as “viewership-gay,” “pro-choice,” “African American,” “Assimilation or Origin Score,” “Jewish,” and “Asian Achievers,” to name a few. Some information ISPs obtain from third parties comes with contractual limits on its use (for example, data obtained to check creditworthiness). Even with those limitations, however, the Report found substantial use of personal information for advertising purposes beyond the scope of any such contractual restrictions.
Privacy Practices. First, several ISPs promise they will not sell your information, but fail to give detailed information about how personal information can be “used, transferred, or monetized outside of selling it, often burying such disclosures in the fine print of their privacy policies,” essentially giving ISPs the right to use personal information for any purpose, such as sharing it with affiliates and ISP parent companies. Second, ISPs tend to say customers have a choice in how their data will be used, but often make it difficult for consumers to exercise that choice. For example, ISPs can put in place complicated methods for exercising these rights, such as spreading privacy choices across different dashboard areas or requiring manual opt-outs for each individual device. Given the difficulty in opting out, it is no wonder that less than 2% of total subscribers use opt-out features.
Third, consumers tend not to have meaningful access to their information: the data provided in response to access requests can be either very detailed or extremely limited, with no consistency across ISPs. Some ISPs will provide highly detailed information, including the demographic categories assigned to the customer, while others provide much less. Fourth, ISPs can retain data for extended periods; one ISP reserves the ability to retain data for as long as it has a business reason, giving it ultimate discretion. Retention frameworks vary greatly from ISP to ISP.
The Report pointed out the following primary observations:
- ISPs and their affiliates collect and retain a substantial amount of personal information about their consumers from the products and services they offer.
- The integration of ISP services with other services has created a wealth of data that these ISPs have access to, which provide detailed information about consumers.
- Most consumers are not aware that ISPs gather, use, combine, and retain data in the ways that they do, which creates privacy concerns. For example, an ISP that also provides email services will have access to sensitive personal information that a consumer may wish to keep private. Although courts have acknowledged a reasonable expectation of privacy in those communications, concerns remain.
- ISPs engage in cross-device tracking that would surprise most consumers as the methods used are not obvious.
- “[T]here is a trend in the ISP industry to use location information for advertising purposes and sell this data to third parties.”
- “[T]he use by several of the ISPs in our study of race and ethnicity data (or proxies for such data such as location data) for advertising purposes and the sale of such data to unrelated businesses raises concerns, particularly around the practices of ‘digital redlining,’ which “could reverse any progress on civil rights issues if a business is able to discriminate in its advertising buys based on . . . a person’s color or religion, or based on a proxy that effectively discriminates against certain races or religions.”
- ISPs’ claims regarding consumer choice are often illusory. Choices are often not offered clearly and push consumers to share more information through what are commonly referred to as “dark patterns” (see here for more information on dark patterns). Examples include interfaces with a grayed-out choice (see Report, Figure 7), interfaces that do not let consumers reject sharing (see Report, Figure 8), hard-to-access choices (see Report, Figure 9), and unclear toggle settings (see Report, Figure 10).
- Lastly, ISPs can be as privacy intrusive as traditional advertising platforms, as they have access to unencrypted internet traffic, are able to verify a particular subscriber’s identity, can track across sites and geographic locations, and can track across products.
The Report concludes with the fact that current practices can lead to significant harm for consumers, particularly when consumers are classified by demographic characteristics, such as race, ethnicity, gender, or sexuality. Furthermore, it points out that current practices mirror those across other industries and consumers often do not have real choices with regards to their data.
The EU Cloud Code can Demonstrate GDPR Compliance
By Andrew Scott, CIPP/US/E & CIPM
Cloud computing has become a business standard in processing data. Accordingly, Cloud Service Providers (CSPs) are essential business partners (i.e., Agents, Data Processors, vendors, or Entrusted Parties). But how does one evaluate whether a CSP is compliant with a particular global privacy framework?
Assessing the internal practices of the CSPs to ensure those practices align with an organization’s contractual and regulatory obligations under these frameworks can be even more challenging. The lack of transparency around these internal practices often leave many customers in the dark.
To assess a CSP’s practices, customers may take a variety of steps, including the following:
Using paper assessments, following internal standard information gathering templates, using Data Processing Agreements, reviewing vendor contracts, requiring on-site rights to audit, evaluating third-party audit reports, seeking penetration testing, and subjecting third parties to privacy and security assessments through SaaS-based tools.
This list could continue ad infinitum without any assurance that a CSP’s practices are compliant with the desired framework.
Enter the EU’s Cloud Code of Conduct (CCC). In May 2021, the CCC became the first transnational Code of Conduct that can demonstrate General Data Protection Regulation (GDPR) compliance. By becoming a member of the CCC, CSPs can concretize the legal requirements for Article 28 (Processor) of the GDPR, including all of the relevant and related Articles of the GDPR that will allow for practical implementation within the cloud services market.
The CCC would allow a CSP to “demonstrate sufficient guarantees” for data protection compliance. (Art. 28.5). Practically speaking, a CSP could show its customers that it had implemented appropriate technical and organizational measures in such a manner that complies with the GDPR. Demonstrating this type of compliance reflects unparalleled transparency and engenders trust for customers and sub-processors to analyze whether an organization’s cloud services are appropriate for their use.
Cloud Service Providers
Most cloud-based software likely could be part of the CCC. Naturally, all aspects of Article 28 cloud services are covered, including software (SaaS), platform (PaaS), and infrastructure (IaaS). But the definition of a CSP that may seek membership might be broader than most think. For example, companies that provide services on the internet and build those services on top of an IaaS (e.g., Amazon Web Services or Microsoft) might themselves be CSPs. Of note, the CCC applies only to “business-to-business” (B2B) CSPs acting as Data Processors, regardless of size.
Codes of Conduct
Codes of Conduct (CoC) can give practical guidance for an entire industry sector, especially where the GDPR has not been very precise; a CoC can help establish compliance with a law. (Art. 40). This can be very valuable for small and medium-sized enterprises (SMEs) that are looking to engender trust with their consumers or business-partners. Codes are established through collaboration with different stakeholders, including political entities, private associations, and regulators.
The spirit of a CoC is inherently collaborative. The CCC has created a cloud services ecosystem that can respond quickly to a fast-paced environment. The collaboration allows different players to take voluntary commitments to find pragmatic solutions that benefit the entire sector, not just their own organizations.
Monitoring of a CoC may be carried out by an accredited body that has an appropriate level of expertise in relation to the subject-matter of the particular code. The accreditation is provided by the competent supervisory authority. (Art. 41).
Here, the Belgian Data Protection Authority has accredited SCOPE Europe (SCOPE) as the CCC’s independent monitoring body. While SCOPE is a third-party organization, it is still subject to the oversight of the Belgian DPA. The organization’s responsibilities include scrutinizing cloud services that sign up to the CCC and monitoring services that are certified in the code.
Also, SCOPE ensures compliance from members by one of the following: an initial assessment, annual, recurring assessments, ad-hoc assessments, or whenever SCOPE considers those assessments reasonable. Once SCOPE declares a CSP adherent to the CCC, that organization will then be listed in the Public Register of Adherent Cloud Services.
Levels of Compliance
The CCC offers CSPs three levels of compliance, offering something for all CSP market players. The first level involves the applicant submitting to SCOPE an internal review of its partial conformity along with supporting evidence (an external audit of security elements is not necessary). The second level allows for CSPs to submit additional evidence of partial compliance from independent third parties (demonstrating an ISO or a NIST framework will suffice). The third level demonstrates full compliance with the code as evidenced from third-party certificates and audits (a representative from SCOPE provides an audit).
In deciding what level of compliance is best, a CSP will likely have to ask itself how strongly it wants to prove certain things to its clients. For example, pitching the third level of compliance to CSPs that have only a basic understanding of the GDPR would likely serve little purpose; however, the formalization offered by the monitoring body provided in third level of compliance may seem necessary for those larger market players that have a higher risk and more sensitive data to protect.
The CCC provides an opportunity to demonstrate the benefits of co-regulation. Co-regulation allows for collaboration between public authorities, industry, and regulatory authorities in promoting and implementing data protection standards. This regulatory model generates trust and reliability in the CCC: customers have independent assurance that a member CSP’s practices are monitored against the code, rather than having to verify those practices on their own.
From an innovative standpoint, the co-regulation model allows industries to proactively bring future design proposals to DPAs for approval rather than having to be served by DPAs with post-hoc remediation and fines for non-compliant controls and procedures. If the CCC succeeds, it will establish an important blueprint for the data privacy and security industry, demonstrating how to quickly address the needs of such a changing environment.
Third Party Transfer Initiative
With a Privacy Shield 2.0 deal yet to be struck, the long time it takes to approve adequacy decisions, and the heavy lift placed on SMEs wanting to execute the new SCCs, there is still both inefficiency and uncertainty in transferring personal data outside of the EU to third countries.
Currently, the CCC is not a mechanism to transfer personal data to a third country; however, the CCC’s Third Country Transfer Initiative is currently developing an “on-top Module” to the CCC, creating a dedicated safeguard for third country data transfers pursuant to Article 46. The model is not yet complete, but it has been established that the initiative will be monitored by SCOPE and membership will be available to all CCC members.
There are many benefits to the CCC. For example, the CCC can reduce an organization’s resources spent related to the onboarding of new customers. Also, the CCC must be positively taken into account in the determination of a fine. Additionally, the CCC can demonstrate to customers an Article 28.5 “sufficient guarantee,” which is helpful and attractive to SMEs seeking data processors. And, as previously mentioned, the CCC is laying the groundwork for a new third country transfer mechanism.
The CCC solidifies a commitment to GDPR compliance. The new code’s transparency fosters an environment of trust while also setting a default level of compliance for CSPs in the European cloud computing market. The co-regulatory compliance and enforcement model allows innovation and compliance to develop concurrently. Finally, the CCC signals to other frameworks the potential to foster interoperability, unity, and alignment with the GDPR. To watch the CCC’s development, you can also follow it on Twitter.