The National Institute of Standards and Technology (NIST) released a preview of its plans for a standard Privacy Framework this past week.  The purpose of the Framework is to help organizations better manage privacy risks.

The Privacy Framework would break down privacy functions into five categories: identify the context of processing, protect private data, control data through data management, inform individuals about data processing, and respond to adverse breach events.

Also, organizations would be able to reference the Privacy Framework when deciding how to tailor compliance to the organization’s risk tolerance, privacy objectives, and financial resources.

NIST enters the privacy policy-making arena in a crowded field.  The NTIA has solicited comments on developing an approach to consumer privacy, Congress is considering competing legislative options for federal privacy legislation, and California is gearing up this year for the 2020 implementation of the CCPA.

But as NIST explains on its website, the NIST framework is intended to complement statutory and regulatory rules, not replace them: “the NIST framework is envisioned as an enterprise-level privacy risk management tool that can be compatible with and support organizations’ ability to operate under applicable domestic and international legal or regulatory regimes.”

Throughout the process of developing the Privacy Framework, NIST has emphasized that it will leverage its 2014 Cybersecurity Framework – both as a template and as an example of the value of standards documents.  The agency recently celebrated the five-year anniversary of the Cybersecurity Framework in February, touting the fact that the Framework has been downloaded more than half a million times.

Kelley Drye will continue to track developments at NIST on the development of a Privacy Framework.  If you have questions about the Privacy Framework or are interested in submitting comments, please contact Alysa Hutnik or Alex Schneider at Kelley Drye.

The draft National E-Commerce Policy (“Draft Policy”) released by the Government of India on February 23, 2019 for stakeholder comments has left the e-commerce sector jittery. For global market players, the protectionist construct of the Draft Policy seems to suggest a shift of India’s focus from ‘Ease of Doing Business in India’ to ‘Make in India’. If the Draft Policy is implemented in its present form, it may have a serious impact, demanding drastic changes in internal strategies, policies and cost allocations for foreign companies with an e-commerce presence in India. The Draft Policy is open for stakeholder comments up to March 9, 2019.

The Draft Policy focuses on: (i) restriction on cross-border flow of data; (ii) local presence and taxability of foreign entities having significant economic presence in India; (iii) creating a robust digital infrastructure for e-commerce, from online custom clearance to online resolution of consumer complaints; (iv) promoting exports from India with a boost to start-ups and small firms; and (v) regulatory changes to augment economic growth in e-commerce.

The key highlights of the Draft Policy are as follows:

Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness.  According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications that support “smart” cities, connected cars, mobile health apps, home appliances, and other IoT-enabled environments.

The Program was developed in collaboration with the nationwide wireless carriers, along with technology companies, security experts and test laboratories, and builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).  According to the Program Test Plan, devices eligible for certification include those that contain an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi networks.

A device submitted for certification will undergo a series of tests at a CTIA-authorized lab.  The testing will assess the device for one of three certification levels or “categories.” To obtain a Category 1 certification, the device will be reviewed for the presence of “core” IoT device security elements, including a Terms of Service and a customer-facing privacy policy, along with technical elements including password management, authentication and access controls.  A Category 2 certification includes the Category 1 elements, in addition to enhanced security features, such as an audit log, multi-factor authentication, remote deactivation, and threat monitoring. A Category 3 certification features the most comprehensive level of cybersecurity threat testing, and covers elements such as encryption of data at rest, digital signature validation, and tamper reporting, in addition to the elements under Categories 1 and 2.

The Program comes at a time of rapid growth for IoT devices.  According to the latest Ericsson Mobility Report, the global IoT market will expand to 3.5 billion cellular-connected devices in the next five years.  Much of this growth is expected to be driven by the anticipated deployment of 5G technology and enhanced mobile broadband.

The Program will begin accepting devices for certification testing in October 2018.  Details on how to participate in the Program are available on the CTIA website.

The Federal Trade Commission has filed a lawsuit in federal court claiming that a networking equipment manufacturer engaged in unfair and deceptive acts, exposing thousands of consumers to the risk of cyberattack from vulnerable wireless routers and internet cameras.

The complaint against Taiwan-based networking equipment manufacturer D-Link Corporation and its U.S. subsidiary D-Link Systems alleges that the companies failed to take reasonable steps to protect the internet routers and IP cameras from “widely known and reasonably foreseeable” vulnerabilities. According to the complaint, these risks were not purely theoretical: D-Link equipment has been compromised by attackers, including being made part of “botnets,” which are large-scale networks of computers infected by malicious software.

In particular, the complaint alleges that the company failed to take steps to address well-known and easily preventable security flaws, such as:

  • “hard-coded” login credentials integrated into D-Link camera software — such as the username “guest” and the password “guest” — that could allow unauthorized access to the cameras’ live feed;
  • a software flaw known as “command injection” that could enable remote attackers to take control of consumers’ routers by sending them unauthorized commands over the Internet;
  • the mishandling of a private key code used to sign into D-Link software, such that it was openly available on a public website for six months; and
  • leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.

Count I of the complaint alleges that D-Link’s failure to take reasonable measures to secure the products from these vulnerabilities was unfair under Section 5 of the FTC Act.  It alleges that D-Link’s practices caused, or are likely to cause, substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers.

But the FTC is not only concerned with the potential vulnerabilities of the D-Link products; in Counts II through VI, the FTC alleges that D-Link violated Section 5(a) of the FTC Act by making deceptive statements about the products’ security.  These allegedly deceptive statements include the following:

Count II:  D-Link advertised a Security Event Response Policy, implying that D-Link had taken reasonable measures to secure the products from unauthorized access;

Count III:  In promotional materials, D-Link claimed that its routers were “EASY TO SECURE” and had “ADVANCED NETWORK SECURITY,” among other claims, implying that the routers were secure from unauthorized access and control;

Count IV: In promotional materials, D-Link advertised that its cameras provided a “secure connection,” among other claims, implying that the cameras were secure from unauthorized access and control;

Count V: To begin using the routers, a graphical user interface provided security-related prompts such as “To secure your new networking device, please set and verify a password below,” implying that the routers were secure from unauthorized access and control; and

Count VI: To begin using the cameras, a graphical user interface provided security-related prompts such as “Set up an Admin ID and Password” or “enter a password” in order “to secure your camera” and featured a lock logo, implying that the cameras were secure from unauthorized access and control.

In a press release announcing the lawsuit, FTC Bureau of Consumer Protection Director Jessica Rich commented, “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

The Commission vote authorizing the staff to file the complaint was 2-1, with Commissioner Maureen K. Ohlhausen voting against the complaint. The complaint was filed in the U.S. District Court for the Northern District of California.

The complaint is just the most recent action in the FTC’s efforts to crack down on potential vulnerabilities in the Internet of Things (IoT). The FTC has also brought enforcement actions against ASUS over allegedly insecure routers and cloud services and against TRENDnet over its allegedly insecure cameras.  This case serves as yet another reminder that the FTC remains focused on cybersecurity, especially for IoT devices. All businesses that handle or have access to customer information should ensure that they have implemented reasonable security practices and confirmed the accuracy of all related marketing claims and public representations (including in public-facing policies and product dashboards) about the security of their products.