FEDERAL TRADE COMMISSION Public Workshop: Consumer Information Security AGENCY: Federal Trade Commission (FTC). ACTION: Notice Announcing Public Workshop and Requesting Public Comment and Participation. SUMMARY: The FTC is planning to host a public workshop to explore issues relating to the security of consumers' computers and the personal information stored in them or in company databases. DATES: The workshop will be held on Monday, May 20, 2002, from 9:00 a.m. to 5:00 p.m., and Tuesday, May 21, 2002, from 9:00 a.m. to 2:00 p.m., at the Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. Pre-registration: The event is open to the public and there is no fee for attendance. However, attendees are strongly encouraged to pre-register, as seating will be limited. To pre-register, please email your name and affiliation by April 29, 2002, to securityworkshop@ftc.gov. Requests to participate as a panelist: As discussed below, written requests to participate as a panelist in the workshop must be filed on or before April 1, 2002. Persons filing requests to participate as a panelist will be notified on or before April 22, 2002, if they have been selected to participate. Written comments: Whether or not selected to participate, persons may submit written comments on the Questions to be Addressed at the workshop. Such comments must be filed on or before April 29, 2002. For further instructions on submitting comments and requests to participate, please see the "Form and Availability of Comments" and "Requests to Participate as a Panelist in the Workshop" sections below. To read our policy on how we handle the information you may submit, please visit http://www.ftc.gov/ftc/privacy.htm. ADDRESSES: Written comments and requests to participate as a panelist in the workshop should be submitted to: Secretary, Federal Trade Commission, Room 159, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. Alternatively, they may be emailed to securityworkshop@ftc.gov. FOR FURTHER INFORMATION CONTACT: L. Mark Eichorn, Division of Advertising Practices, 202-326-3053, Ellen Finn, Division of Financial Practices, 202-326-3296, or Laura Berger, Division of Financial Practices, 202-326-2471. The above staff can be reached by mail at: Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. SUPPLEMENTARY INFORMATION: Background and Workshop Goals The security of consumers' home computers is an issue of growing importance. The terms "virus," "worm," and "Trojan horse" have gained new meanings as "Melissa," "ILOVEYOU," and "Code Red" infected computers across the globe. News of hackers' "exploits" make front page news. At the same time, more and more consumers access the Internet through "always on" DSL or cable Internet connections, which allow quick access to Internet content but also may be vulnerable to attack even when the consumer is not actively using the Internet. As consumers use their computers as repositories for sensitive information such as passwords, financial records, and health information, the potential destruction or disclosure of that information is cause for concern. Another aspect of consumer security is whether consumers' personal information held by businesses is secure. When consumers interact with businesses - whether to check a bank account balance, register to receive information, or purchase a product or service - those businesses become custodians of consumers' personal information. An employee processing a consumer's payment or a consumer checking his or her account balance may want access to this information, but at the same time businesses face the challenge of securing it from access by external threats such as hackers or even by unauthorized insiders. Should a hacker gain access to a business' customer credit card database, for example, that intrusion may not only have serious consequences for that particular business and the consumer's financial well-being, but may also affect consumers' confidence and willingness to engage in e-commerce generally. This workshop provides an opportunity for the Commission to explore information security issues that affect consumers. The questions to be addressed at the workshop would include: 1. The Current State of Information Security
2. Security Issues Relating to Consumers' Home Information Systems
3. Security Issues for Businesses that Maintain Consumers' Personal Information
4. Emerging Business Models, Technologies, and Best Practices
5. Revising the OECD Security Guidelines Commissioner Orson Swindle is leading the U.S. delegation to the Organization for Economic Cooperation and Development ("OECD") Experts Group reviewing the OECD Guidelines for the Security of Information Systems. These voluntary guidelines contain principles which provide a framework for participants to think about information and network security practices, policies, and procedures. The guidelines discuss cultivating a "culture of security" and contain nine policy principles for the security of information systems and networks, as well as principles relating to the life cycle of information systems and networks. The guidelines specifically address: raising awareness of security risks; responsibility for the security of information systems; designing security into system architecture; and risk management, assessment, and monitoring. Because the principles provide a helpful framework for thinking about security issues, the Commission plans to present a panel discussion on the Security Guidelines. Form and Availability of Comments The FTC requests that interested parties submit written comments on the above questions to facilitate greater understanding of the issues. Of particular interest are any studies, surveys, research, and empirical data. Comments should indicate the number(s) of the specific question(s) being answered, provide responses to questions in numerical order, and use a separate page for each question answered. Comments should be captioned "Consumer Information Security Workshop -- Comment, P024512," and must be filed on or before April 29, 2002. Parties sending written comments should submit an original and two copies of each document. To enable prompt review and public access, paper submissions should include a version on diskette in PDF, ASCII, WordPerfect, or Microsoft Word format. Diskettes should be labeled with the name of the party, and the name and version of the word processing program used to create the document. Alternatively, comments may be emailed to securityworkshop@ftc.gov. Written comments will be available for public inspection in accordance with the Freedom of Information Act, 5 U.S.C. 552, and FTC regulations, 16 CFR part 4.9, Monday through Friday between the hours of 8:30 a.m. and 5:00 p.m. at the Public Reference Room 130, Federal Trade Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. This notice and, to the extent technologically possible, all comments will also be posted on the FTC website at www.ftc.gov/securityworkshop. Registration Information The workshop will be open to the public and there is no fee for attendance. As discussed above, pre-registration is strongly encouraged, as seating will be limited. To pre-register, please email your name and affiliation to securityworkshop@ftc.gov by April 29, 2002. A detailed agenda and additional information on the workshop will be posted on the FTC's website at www.ftc.gov/securityworkshop before May 20, 2002. Requests to Participate as a Panelist in the Workshop Those parties who wish to participate as panelists in the workshop must notify the FTC in writing of their interest in participating on or before April 1, 2002, either by mail to the Secretary of the FTC or by email to securityworkshop@ftc.gov. Requests to participate as a panelist should be captioned "Consumer Information Security Workshop - Request to Participate, P024512." Parties are asked to include in their requests a statement setting forth their expertise in or knowledge of the issues on which the workshop will focus and their contact information, including a telephone number, facsimile number, and email address (if available), to enable the FTC to notify them if they are selected. An original and two copies of each document should be submitted. Panelists will be notified on or before April 22, 2002 whether they have been selected. Using the following criteria, FTC staff will select a limited number of panelists to participate in the workshop. The number of parties selected will not be so large as to inhibit effective discussion among them. 1. The party has expertise in or knowledge of the issues that are the focus of the workshop. 2. The party's participation would promote a balance of interests being represented at the workshop. 3. The party has been designated by one or more interested parties (who timely file requests to participate) as a party who shares group interests with the designator(s). In addition, there will be time during the workshop for those not serving as panelists to ask questions. By direction of the Commission. Donald S. Clark |