Legal Issues Related to Protecting Critical Infrastructure and Access to Privacy Data

I was provided the below information that I am just now getting to review as part of the requirement documents. It appears there are a lot of legal issues covering the below bullet points, all of which will apply to transmission of personal, private, and financial information as it applies to transactional value systems.

  - Regulation
     - What national laws regulate the collection and use of personal data?
     - To whom do the laws apply?
     - What data is regulated?
     - What acts are regulated?
     - What is the jurisdictional scope of the rules?
     - What are the main exemptions?
     - Is notification or registration required before processing data?
  - Main data protection rules and principles
     - What are the main obligations imposed on data controllers to ensure data is processed properly?
     - Is the consent of data subjects required before processing personal data?
     - If consent is not given, on what other grounds (if any) can processing be justified?
     - Do special rules apply for certain types of personal data, such as sensitive data?
  - Rights of individuals
     - What information should be provided to data subjects at the point of collection of the personal data?
     - What other specific rights are granted to data subjects?
     - Do data subjects have a right to request the deletion of their data?
  - Security requirements
     - What security requirements are imposed in relation to personal data?
     - Is there a requirement to notify personal data security breaches to data subjects or the national regulator?
  - Processing by third parties
     - What additional requirements apply where a third party processes the data on behalf of the data controller?
  - Electronic communications
     - Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?
  - International transfer of data
     - What rules regulate the transfer of data outside your jurisdiction?
     - Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?
     - Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?
     - Does the relevant national regulator need to approve the data transfer agreement?
  - Enforcement and sanctions
     - What are the enforcement powers of the national regulator?
     - What are the sanctions and remedies for non-compliance with data protection laws?


Legal Issues Related to Protecting Critical Infrastructure and Access to Privacy Data

  - Protection of the data itself through encryption
  - Controlled access to data with strong authentication and authorization systems
  - Detection of data at risk, to prevent data leakage
  - Comprehensive management of data throughout its lifecycle, from its creation through archive
  - Confidentiality: using encryption of information to protect sensitive or critical information, either stored or transmitted
  - Integrity/authenticity: using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information
  - Based on a risk assessment, identify the required levels of protection, including the type, strength, and quality of the encryption algorithm.
  - Use encryption to protect sensitive information that is transported by mobile or removable media, devices, or across communication lines.
  - Establish key management policies, including methods to deal with the protection of cryptographic keys and the recovery of encrypted information if keys are lost, compromised, or damaged. Also establish a policy that addresses the long-term protection and recovery of archived data.
  - Protection of various data elements against disclosure to 3rd parties when those 3rd parties are involved in some of the data processing.

We do have a couple of use cases that brush on this topic, in particular "Privacy Protection", but it doesn't cover any bullet points when it comes to the actual changing legal and regulatory landscape.

I will have a call with the American Bar Association Privacy and Security Working Group, and likely a call with the Securities and Exchange Commission, to see if they have generic requirements for these bullet points. If possible, consumer protections as well, but I don't have connections within Consumer Protections.

Erik Anderson
Bloomberg R&D & Co-chair W3C Web Payments IG/SG

Received on Monday, 18 May 2015 14:07:21 UTC