Some privacy & security bits and bytes to start your week:
FCC to Hold Public Workshop on Broadband Consumer Privacy Tomorrow
Over the last several months, the Federal Communications Commission has taken on a significantly expanded role on consumer privacy protection issues. Between the FCC’s expanded notion of the type of personal information subject to its authority under Section 222 of the Communications Act that surfaced in the TerraCom and YourTel cases last year and its recent reclassification of broadband Internet access service as a Title II telecommunications service – which was accompanied by a determination that the privacy requirements in Section 222 applicable to telephony could be extended to broadband service – the FCC is showing every intention of expanding its reach over privacy issues.
In the order reclassifying broadband service, the FCC recognized that the currently effective privacy rules are not a good match for broadband Internet access service, as those were written with telephone service in mind. For example, those rules include provisions for the use and disclosure of Customer Proprietary Network Information (CPNI) in connection with voice mail and caller I.D. Therefore, while the FCC applied the statutory privacy requirements of Section 222 to broadband service providers, it forbore from applying its rules implementing that statute pending further proceedings.
The FCC kicks off those further proceedings tomorrow with a public workshop on Broadband Consumer Privacy. The workshop will include discussions of what subscriber information is collected by broadband Internet access service providers and how that information is used. There will also be a panel discussion of how Section 222 applies to broadband services. Speakers include FCC Chairman Tom Wheeler and other members of the FCC, as well as representatives from local governments, academia, public interest groups, and broadband service providers. The Commission will also provide audio and video coverage of the discussion on the FCC’s Web page at www.fcc.gov/live.
RSA Conference 2015
It is clear that “security” is a big industry: over 30,000 attendees with more than 9 acres of exhibitor space at last week’s RSA Conference 2015 in San Francisco. BankInfoSecurity has published a “visual journal” here. I must say, I need to hang out with these guys next year. They are masters of the swag bag. CSO Online also has posted an interesting summary of the week here.
From the legal side, Smeeta Ramarathnam, the chief of staff to SEC Commissioner Luis Aguilar, told a Thursday morning panel that the Securities and Exchange Commission (SEC) is about to enter a “time of great change” as it pertains to regulation for disclosing cyber security incidents.
In the discussion, called “Full Disclosure: What Companies Should Tell Investors about Cyber Incidents,” Ramarathnam, along with Jonas Kron, director of shareholder advocacy with Trillium Asset Management, discussed the growing concerns and sense of responsibility boards of directors face in the wake of high-profile breaches, which will indelibly engage investors’ attention.
“Hardly a day goes by without another breach being reported,” Ramarathnam said, explaining that the SEC is tasked with formally overseeing security incidents or issues that would impact the integrity of market systems, customer data protection and disclosure of material information.
While the SEC’s Division of Corporation Finance published guidance in 2011 to make companies aware of the agency’s views on what needs to be reported as far as material information disclosure related to cyber incidents, Ramarathnam noted that the guidance provided context for current SEC rules, but no new regulatory obligations for organizations. Although she did say she expects “much more to come in way of requirements from the SEC” in reporting and disclosure of cybersecurity risks and incidents, by the end of the panel, she had walked that statement back a bit.