26 March 2002
Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html
-------------------------------------------------------------------------
[Federal Register: March 26, 2002 (Volume 67, Number 58)]
[Notices]
[Page 13767-13769]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr26mr02-46]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
Public Workshop: Consumer Information Security
AGENCY: Federal Trade Commission (FTC).
ACTION: Notice Announcing Public Workshop; Requesting Public Comment
and Participation; and Correcting Earlier Notice With Respect to Dates
of Public Workshop.
-----------------------------------------------------------------------
SUMMARY: The FTC is planning to host a public workshop to explore
issues relating to the security of consumers' computers and the
personal information stored in them or in company databases. This
notice provides the correct dates for the public workshop.
DATES: The workshop will be held on Monday, May 20, 2002, from 9 a.m.
to 5 p.m., and Tuesday, May 21, 2002, from 9 a.m. to 2 p.m., at the
Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC
20580.\1\
---------------------------------------------------------------------------
\1\ An earlier Federal Register notice inadvertently provided
incorrect dates for the public workshop. See 67 FR 10213 (March 6,
2002). This notice provides the correct dates for the public
workshop, and is in all other respects substantively identical to
the earlier Federal Register notice and to the notice and news
release posted on the Commission website at
http://www.ftc.gov/opa/2002/03/security.htm.
---------------------------------------------------------------------------
Pre-registration: The event is open to the public and there is no
fee for attendance. However, attendees are strongly encouraged to pre-
register, as seating will be limited. To pre-register, please email
your name and affiliation by April 29, 2002, to
securityworkshop@ftc.gov.
Requests to participate as a panelist: As discussed below, written
requests to participate as a panelist in the workshop must be filed on
or before April 1, 2002. Persons filing requests to participate as a
panelist will be notified on or before April 22, 2002, if they have
been selected to participate.
Written comments: Whether or not selected to participate, persons
may submit written comments on the Questions to be Addressed at the
workshop. Such comments must be filed on or before April 29, 2002. For
further instructions on submitting comments and requests to
participate, please see the ``Form and Availability of Comments'' and
``Requests to Participate as a Panelist in the Workshop'' sections
below. To read our policy on how we handle the information you may
submit, please visit http://www.ftc.gov/ftc/privacy.htm.
ADDRESSES: Written comments and requests to participate as a panelist
in the workshop should be submitted to: Secretary, Federal Trade
Commission, Room 159, 600 Pennsylvania Avenue, NW., Washington, DC
20580. Alternatively, they may be e-mailed to securityworkshop@ftc.gov.
FOR FURTHER INFORMATION CONTACT: L. Mark Eichorn, Division of
Advertising Practices, 202-326-3053, Ellen Finn, Division of Financial
Practices, 202-326-3296, or Laura Berger, Division of Financial
Practices, 202-326-2471. The above staff can be reached by mail at:
Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC
20580.
SUPPLEMENTARY INFORMATION:
Background and Workshop Goals
The security of consumers' home computers is an issue of growing
importance. The terms ``virus,'' ``worm,'' and ``Trojan horse'' have
gained new meanings as ``Melissa,''
``ILOVEYOU,'' and ``Code Red'' infected computers across the globe.
News of hackers' ``exploits'' makes front page news. At the same time,
more and more consumers access the Internet through ``always on'' DSL
or cable Internet connections, which allow quick access to Internet
content but also may be vulnerable to attack even when the consumer is
not actively using the Internet. As consumers use their computers as
repositories for sensitive information such as passwords, financial
records, and health information, the potential destruction or
disclosure of that information is cause for concern.
Another aspect of consumer security is whether consumers' personal
information held by businesses is secure. When consumers interact with
businesses--whether to check a bank account balance, register to
receive information, or purchase a product or service--those businesses
become custodians of consumers' personal information. An employee
processing a consumer's payment or a consumer checking his or her
account balance may want access to this information, but at the same
time businesses face the challenge of securing it from access by
external threats such as hackers or even by unauthorized insiders.
Should a hacker gain access to a business' customer credit card
database, for example, that intrusion may not only have serious
consequences for that particular business and the consumer's financial
well-being, but may also affect consumers' confidence and willingness
to engage in e-commerce generally.
This workshop provides an opportunity for the Commission to explore
information security issues that affect consumers. The questions to be
addressed at the workshop would include:
1. The Current State of Information Security
What are the security risks facing consumers?
Are consumers aware of the risks?
What are the costs to consumers of security measures and
of security failures?
Do consumers accurately assess security risks?
How does consumers' security affect the network as a
whole?
2. Security Issues Relating to Consumers' Home Information Systems
What steps can consumers take to reduce their security
risks?
What information resources or security products are
available to help consumers protect themselves?
If consumers' lack of awareness or technical expertise
leads to security vulnerabilities, what steps can be taken to raise
awareness or educate consumers?
What types of awareness and education initiatives are
currently being pursued?
What are the ``best practices'' being implemented by
businesses to assist consumers in safeguarding their home information
system?
3. Security Issues for Businesses that Maintain Consumers' Personal
Information
What practical challenges do businesses face in securing
their computer systems, and specifically consumers' personal
information that is stored on them?
What are the costs to businesses of security measures and
of security failures?
What measures can businesses, especially smaller
businesses, take to secure their computer systems and the consumer
information stored on them?
What information resources are available to help these
businesses?
What are the ``best practices'' being implemented by
businesses to address these issues?
4. Emerging Business Models, Technologies, and Best Practices
What are the existing business models for security, and
are they sustainable over the long term?
What technologies, business models, or initiatives are
emerging in the marketplace to address the security of consumers'
information?
5. Revising the OECD Security Guidelines
Commissioner Orson Swindle is leading the U.S. delegation to the
Organization for Economic Cooperation and Development (``OECD'')
Experts Group reviewing the OECD Guidelines for the Security of
Information Systems. These voluntary guidelines contain principles
which provide a framework for participants to think about information
and network security practices, policies, and procedures. The
guidelines discuss cultivating a ``culture of security'' and contain
nine policy principles for the security of information systems and
networks, as well as principles relating to the life cycle of
information systems and networks. The guidelines specifically address:
raising awareness of security risks; responsibility for the security of
information systems; designing security into system architecture; and
risk management, assessment, and monitoring. Because the principles
provide a helpful framework for thinking about security issues, the
Commission plans to present a panel discussion on the Security
Guidelines.
Form and Availability of Comments
The FTC requests that interested parties submit written comments on
the above questions to facilitate greater understanding of the issues.
Of particular interest are any studies, surveys, research, and
empirical data. Comments should indicate the number(s) of the specific
question(s) being answered, provide responses to questions in numerical
order, and use a separate page for each question answered. Comments
should be captioned ``Consumer Information Security Workshop--Comment,
P024512,'' and must be filed on or before April 29, 2002.
Parties sending written comments should submit an original and two
copies of each document. To enable prompt review and public access,
paper submissions should include a version on diskette in PDF, ASCII,
WordPerfect, or Microsoft Word format. Diskettes should be labeled with
the name of the party, and the name and version of the word processing
program used to create the document. Alternatively, comments may be
mailed to securityworkshop@ftc.gov.
Written comments will be available for public inspection in
accordance with the Freedom of Information Act, 5 U.S.C. 552, and FTC
regulations, 16 CFR part 4.9, Monday through Friday between the hours
of 8:30 a.m. and 5:00 p.m. at the Public Reference Room 130, Federal
Trade Commission, 600 Pennsylvania Avenue, NW., Washington, DC 20580.
This notice and, to the extent technologically possible, all comments will
also be posted on the FTC website at www.ftc.gov/securityworkshop.
Registration Information
The workshop will be open to the public and there is no fee for
attendance. As discussed above, pre-registration is strongly
encouraged, as seating will be limited. To pre-register, please email
your name and affiliation to securityworkshop@ftc.gov by April 29,
2002. A detailed agenda and additional information on the workshop will
be posted on the FTC's website at www.ftc.gov/securityworkshop before
May 20, 2002.
Requests To Participate as a Panelist in the Workshop
Those parties who wish to participate as panelists in the workshop
must notify
the FTC in writing of their interest in participating on or before
April 1, 2002, either by mail to the Secretary of the FTC or by e-mail
to securityworkshop@ftc.gov. Requests to participate as a panelist
should be captioned ``Consumer Information Security Workshop--Request
to Participate, P024512.'' Parties are asked to include in their
requests a statement setting forth their expertise in or knowledge of
the issues on which the workshop will focus and their contact
information, including a telephone number, facsimile number, and email
address (if available), to enable the FTC to notify them if they are
selected. An original and two copies of each document should be
submitted. Panelists will be notified on or before April 22, 2002
whether they have been selected.
Using the following criteria, FTC staff will select a limited
number of panelists to participate in the workshop. The number of
parties selected will not be so large as to inhibit effective
discussion among them.
1. The party has expertise in or knowledge of the issues that are
the focus of the workshop.
2. The party's participation would promote a balance of interests
being represented at the workshop.
3. The party has been designated by one or more interested parties
(who timely file requests to participate) as a party who shares group
interests with the designator(s).
In addition, there will be time during the workshop for those not
serving as panelists to ask questions.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 02-7172 Filed 3-25-02; 8:45 am]
BILLING CODE 6750-01-M