1998 CPNI Order, 13 FCC Rcd at 8198, para. 198; see also id. at Appx. B (codifying the personnel training safeguard at 47 CFR § 64.2009(b)).
AT&T Consent Decree, 30 FCC Rcd at 2808, para. 2; see also id. at 2817-18, para. 18(g); Cox Consent Decree, 30 FCC Rcd at 12303, para. 4.
See 16 CFR § 314.4(b)(1), (d).
For example, HIPAA rules require training for all members of a covered entity’s workforce on the policies and procedures relating to protected health information, with sanctions applied for members of the workforce who fail to comply with the covered entity’s privacy policies and procedures. 45 CFR § 164.530(b), (e). In addition to this training requirement, HIPAA rules also include administrative safeguards which require covered entities to “[i]mplement a security awareness and training program for all members of its workforce (including management).” 45 CFR § 164.308(a)(5)(i).
The HIPAA Privacy Rule requires training be provided to new employees “within a reasonable period of time after the person joins the covered entity’s workforce” and to affected employees “within a reasonable period of time after [any material change in the policy] becomes effective.” 45 CFR § 164.530(b)(2)(B), (C). The HIPAA Security Rule requires a security awareness and training program that includes “periodic” security updates, but does not quantify “periodic.” 45 CFR § 164.308(a)(5)(ii)(A).
See 45 CFR § 164.308(a)(2); see also 16 CFR § 314.4(a) (GLBA implementing rule that requires a covered financial institution to “[d]esignate an employee or employees to coordinate [its] information security program.”).
1998 CPNI Order, 13 FCC Rcd at 8199, para. 201; see also 47 CFR § 64.2009(e).
The right of access is a fundamental privacy principle, and is featured in a wide array of legal and conceptual frameworks concerning consumer privacy. See supra n.282; 5 U.S.C. § 552a(d); 47 U.S.C. §§ 551(d), 338(i)(5).
Authentication requirements exist in a variety of privacy contexts to protect and secure customer data from unauthorized access. For example, GLBA calls for financial institutions to “protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” 15 U.S.C. § 6801(b)(3). The HIPAA Security Rule requires a covered entity to “[i]mplement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.” 45 CFR § 164.312(d). Guidance developed to implement this requirement recommends that covered entities verify that the individual attempting to access information is who they claim to be by requiring proof of identity through any one of the following authentication measures: a password or PIN; a smart card, token, or access key; or biometric authentication (fingerprints, voice patterns, etc.). NIST HIPAA Implementation Guidance at 46.
See infra para. 198.
See generally NIST Special Publication 800-63-2, Electronic Authentication Guideline, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.
2012 FTC Privacy Report at 68; see also id. at 25; PCI Security Standards Council, Maintaining Payment Security, https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security (last visited Mar. 8, 2016) (“Payment security is paramount for every merchant, financial institution or other entity that stores, processes or transmits cardholder data.”).
The White House, National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and Privacy at 30 (2011), https://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.
See, e.g., Michael Zimmerman, Biometrics and User Authentication, SANS Institute InfoSec Reading Room (2002), http://www.sans.org/reading-room/whitepapers/authentication/biometrics-user-authentication-122; Russell Kay, Biometric Authentication, Computer World, Apr. 4, 2005, http://www.computerworld.com/article/2556908/security0/biometric-authentication.html.
See 47 CFR § 64.2010(b)-(c); 2007 CPNI Order, 22 FCC Rcd at 6936-41, paras. 13-22.
See Sakshi Jain et al., New Directions in Social Authentication, Internet Society (2015), http://www.internetsociety.org/sites/default/files/01_2_4.pdf. For example, one private sector company that sells security solutions to organizations regulated under GLBA recommends that those organizations employ a password authentication solution that “[e]nforces password policies for end-users with access to customer information,” “[e]liminates end-users’ need to share authentication information with the Help Desk or IT staff for password reset or system access,” and “[a]utomates password reset processes,” among other access recommendations. Pistol Star, Authentication Solutions – By Regulation, http://www.pistolstar.com/authentication-solutions/regulation/GLBA.html (last visited Mar. 23, 2016).
See 47 CFR § 64.2010.
For example, the Clean Water Act requires entities discharging wastewater to employ the “best available technology economically achievable” (BAT), see 33 U.S.C. § 1311(b)(2), and the Environmental Protection Agency (EPA) developed standards for assessing the BAT. EPA, Learn About Effluent Guidelines (last visited Mar. 23, 2016). The EPA also employs similar standards for other laws that it implements, such as “Reasonably Available Control Technology,” “Best Available Control Technology,” “Lowest Achievable Emission Rate,” and “Best Management Practices,” to require regulated entities to install protocols and safeguards that are available and economically justified while also allowing flexibility for practices to evolve as technology advances. See EPA, Technology Transfer Network Clean Air Technology Center - RACT/BACT/LAER Clearinghouse, http://www3.epa.gov/ttncatc1/rblc/htm/welcome.html (last visited Mar. 23, 2016); Clean Air Act, 42 U.S.C. § 7479(3); Clean Air Act, 42 U.S.C. § 7501(3); 40 CFR § 122.44(k).
Natasha Stokes, Should You Use Facebook or Google to Log In to Other Sites?, Techlicious Blog, May 29, 2014, http://www.techlicious.com/blog/should-you-use-facebook-or-google-to-log-in-to-other-sites/ (“Logging in with a main account whose credentials you easily remember saves you the trouble of going through yet another laborious account creation and memorizing dozens of passwords. . . . Linking two or more sites allows companies to collect more data, building an increasingly rounded profile about you. Allowing one account to have access to others means that if the least secure account is hacked, the rest could also be compromised.”).
See 47 CFR § 64.2010.
See 47 U.S.C. §§ 551(c)(1), 338(i)(4)(A).
See, e.g., Florian Schaub et al., A Design Space for Effective Privacy Notices, USENIX at 3 (2015), https://www.usenix.org/conference/soups2015/proceedings/presentation/schaub (“Frequent exposure to seemingly irrelevant privacy notices results in habituation, i.e., notices are dismissed without even registering their content.”).
See NSTIC FIPPs Appendix.
See, e.g., 2012 FTC Privacy Report at 15-16 (establishing a framework for protecting consumer privacy that exempts certain small businesses, due in part to a consideration of the burden the framework could impose on small businesses). As the FTC has noted, in some instances, the burdens associated with mandating disclosure of non-sensitive consumer information may outstrip the consumer benefits of allowing access to this data. See id.
See, e.g., id. at 15.
See, e.g., 2016 FTC Big Data Report.
See 47 CFR § 64.2010(a) (requiring telecommunications carriers to “properly authenticate a customer prior to disclosing CPNI based on customer-initiated telephone contact, online account access, or an in-store visit”) (emphasis added).
The FTC has held first parties responsible for third party behavior in its privacy enforcement actions. See, e.g., Twitter Consent Order, F.T.C. File No. 92-3093, at II.D.
Cf. 2012 FTC Privacy Report at 8-9.
2007 CPNI Order, 22 FCC Rcd at 6948, para. 39; see also 1999 CPNI Reconsideration Order, 14 FCC Rcd at 14496-97, paras. 168-71.
See TerraCom NAL, 29 FCC Rcd at 13326-27, paras. 5-7; AT&T Consent Decree, 30 FCC Rcd at 2812-14, paras. 7-10; Cox Consent Decree, 30 FCC Rcd at 12308, para. 8.
See, e.g., Sasha Romanosky & Alessandro Acquisti, Privacy Costs and Personal Data Protection: Economic and Legal Perspectives, 24 Berkeley Tech. L.J. 1061, 1072 (2009) (“[A]s the probability of being held liable for damages due to breaches increases, so does the amount of consumer loss internalized by the firm. This, in turn, increases the firm’s incentive to further invest in security controls, reducing the probability of a data breach, and finally, reducing the expected harm.”). See generally Alan O. Sykes, The Economics of Vicarious Liability, 93 Yale L.J. 1231 (1984).
2015 FTC Security Guide for Business at 11.
See 1999 CPNI Reconsideration Order, 14 FCC Rcd at 14496, para. 171.
See, e.g., 2015 FTC Security Guide for Business.
See generally TerraCom NAL (failure to encrypt data); 2015 FTC Security Guide for Business at 6-7.
See, e.g., 2012 FTC Privacy Report at 25-26; GMR Transcription Services Complaint; GeneLink Complaint.
The GLBA Safeguards Rule calls for covered entities to create a security plan that is “appropriate to [the company’s] size and complexity, the nature and scope of [its] activities, and the sensitivity of the customer information” it handles. 16 CFR § 314.3(a). The FTC’s more general Privacy Framework similarly allows entities to implement privacy protections that are “proportional to the nature, sensitivity, and amount of data collected as well as to the size of the business at issue.” 2012 FTC Privacy Report at 9. The FTC has extended this flexible approach to its enforcement in data security cases, saying “[w]here a company has offered assurances to consumers that it has implemented reasonable security measures, the Commission assesses the reasonableness based, among other things, on the sensitivity of the information collected, the measures the company has implemented to protect such information, and whether the company has taken action to address and prevent well-known and easily addressable security vulnerabilities.” 2012 FTC Privacy Report at 21, n. 108. See also Md. Code Ann., Com. Law § 14-3503(a).
See 47 CFR § 64.2010(a); see also 47 U.S.C. § 222(a).
2012 FTC Privacy Report at 71.
National Institute of Standards and Technology, Special Publication 800-60 Rev. 1 (Volume 1, Volume 2), Guide for Mapping Types of Information and Information Systems to Security Categories, http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol1-Rev1.pdf and http://csrc.nist.gov/publications/nistpubs/800-60-rev1/SP800-60_Vol2-Rev1.pdf.
NSTIC FIPPs Appendix. Similarly, the Administration’s 2012 privacy blueprint states that “[c]onsumers have a right to reasonable limits on the personal data that companies collect and retain.” 2012 White House Privacy Blueprint at 1.
See 47 U.S.C. §§ 551(b), 338(i)(3).
See 2016 FTC Big Data Report at 1.
See 47 U.S.C. § 222(a).
Privacy-by-design refers to the principle that meaningful privacy protections, “including data security, reasonable collection limits, sound retention and disposal practices, and data accuracy,” should be incorporated “at every stage of the development of [an organization’s] products and services.” 2012 FTC Privacy Report at vii.
See Ira S. Rubinstein, Big Data: A Pretty Good Privacy Solution, Future of Privacy Forum (2013), http://www.futureofprivacy.org/wp-content/uploads/TECH-Rubinstein-Big-Data-A-Pretty-Good-Privacy-Solution.pdf.
NSTIC FIPPs Appendix (“Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).”).
2012 FTC Privacy Report at 44.
See 2012 FTC Privacy Report at 27-28; see also 2016 FTC Big Data Report at 1-2; Dibya Sarkar, Data Minimization May Work Against Finding New Discoveries, Issues, Say CES Panelists, Communications Daily, Jan. 8, 2016, at 15-17.
See 15 U.S.C. § 1681w.
See 16 CFR § 682.3(a); see also Federal Trade Commission, Disposal of Consumer Report Information and Records, 69 Fed. Reg. 68690 (Nov. 24, 2004).
See 16 CFR § 682.3(b).
See, e.g., Ark. Code Ann. § 4-110-104(a); Kan. Stat. Ann. § 50-7a03; N.J. Stat. Ann. § 56:8-162.
See 47 CFR § 64.2011; National Conference of State Legislatures, Security Breach Notification Laws (Jan. 4, 2016), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx; Press Release, FTC, FTC Testifies on Proposed Data Security Legislation Before House Energy and Commerce Committee’s Commerce, Manufacturing and Trade Subcommittee (Mar. 18, 2015), https://www.ftc.gov/news-events/press-releases/2015/03/ftc-testifies-proposed-data-security-legislation-house-energy.
See 2007 CPNI Order, 22 FCC Rcd at 6943, para. 27 (“Notifying law enforcement of CPNI breaches is consistent with the goal of protecting CPNI [because] [l]aw enforcement can investigate the breach, which could result in legal action against the perpetrators, thus ensuring that they do not continue to breach CPNI . . . [and] this should enable law enforcement to advise industry, the Commission, and perhaps Congress regarding additional measures that might prevent future breaches.”).
See, e.g., Alaska Stat. § 45.48.010(c); Ariz. Rev. Stat. § 44-7501(G); Conn. Gen. Stat. § 36a-701b(b)(1).
See, e.g., Vt. Stat. Ann. tit. 09 § 2435(d)(1); Md. Code Ann., Com. Law § 14-3504(c).
See Rules and Regulations Implementing the Truth in Caller ID Act of 2009, Report and Order, 26 FCC Rcd 9114, 9122, para. 22 (2011) (agreeing that the term “‘harm’ is a broad concept that encompasses financial, physical, and emotional harm”).
See, e.g., Conn. Gen. Stat. § 36a-701b(b)(1); Fla. Stat. § 501.171(4)(c).
For example, Arizona requires “substantial economic loss” or the reasonable likelihood of this loss. Ariz. Rev. Stat. § 44-7501(L)(1). Kentucky, on the other hand, requires that the entity reasonably believe that the acquisition will cause or has caused “identity theft or fraud.” Ky. Rev. Stat. § 365.732(1)(a).
47 CFR § 64.2011(b)(1). There is an exception where “the carrier believes that there is an extraordinarily urgent need to notify any class of affected customers . . . in order to avoid immediate and irreparable harm.” 47 CFR § 64.2011(b)(2).
See 47 CFR § 64.2011(b)(3).
See 2007 CPNI Order, 22 FCC Rcd at 6943-44, paras. 26-29.
See 47 CFR § 64.2011(b)(2).
See, e.g., Fla. Stat. § 501.171(6) (“as expeditiously as practicable”); Va. Code Ann. § 18.2-186.6(D) (“without unreasonable delay”); D.C. Code § 28-3852(b) (“in the most expedient time possible”); Wyo. Stat. Ann. § 40-12-502(g) (“as soon as practicable”).
See, e.g., Fla. Stat. § 501.171(4)(e).
See, e.g., W. Va. Code § 46A-2A-102(d); Haw. Rev. Stat. § 487N-2(d).