When Experience Matters ®

E-Commerce Law Week, Issue 387

January 14, 2006

Multifactor Authentication Goes Global
The evidence is mounting -- both in the US and abroad -- that Internet banking is about to undergo a major transformation in the way that banks authenticate customers online. Indeed, it looks like the days of customers' using single-factor authentication methods (a password or a PIN, for instance) to access their online accounts are numbered. First, last October, the Federal Financial Institutions Examination Council released Guidance warning financial institutions that single-factor authentication alone is inadequate for high-risk transactions. And just recently -- on the other side of the world -- the Monetary Authority of Singapore (MAS) issued Circular No. SRD TR 02/2005 to bank CEOs informing them that as of December 2006, all institutions operating online banking services in Singapore would be expected to implement two-factor authentication when customers log into Internet banking portals. MAS further urged banks to consider requiring the repeated use of the second authentication factor for high-risk transactions or for changes to sensitive customer information during a login session.

OFAC Amends Enforcement Procedures for Banking Institutions and Requests Comments Regarding Enforcement Policies for Other Industries
The U.S. Office of Foreign Assets Control ("OFAC"), which administers and enforces economic trade sanctions, published an interim final rule on January 12 on a proposed change to enforcement procedures for banking institutions. The rule will take effect for enforcement cases commenced on or after February 13, 2006, and supersedes a rule proposed by OFAC three years ago. The rule also indicates that OFAC is considering separate enforcement procedures for other entities in both the financial and non-financial sectors, including computer and e-commerce companies, and has requested public comments regarding whether similar enforcement procedures would be appropriate. Comments on the rule must be received by March 13, 2006.

NIST Issues New Crypto Guideline For Federal Government
The National Institute of Standards and Technology ("NIST"), on December 22, updated the guidelines for the federal government's implementation and use of cryptography. The update comes in the form of Special Publication (SP) 800-21 -- the second edition of the Guideline for Implementing Cryptography in the Federal Government, which replaces the 1999 edition of the same name. Many of the references and cryptographic techniques contained in the first edition have been amended, rescinded, or superseded since its publication. The new edition is intended to provide a "structured, yet flexible set of guidelines for selecting, specifying, employing, and evaluating cryptographic protection mechanisms in Federal information systems." Although the guidelines are binding only for federal information systems (in particular, those not designated as "national security systems"), they may also be of interest to the private sector, since other standards bodies -- such as the American National Standards Institute -- have also adopted the document. And since data encryption is a relevant issue in both state data breach notification laws and the Federal Trade Commission's consideration of whether a company has an adequate security policy, companies would be well advised to consider the NIST guidelines, which represent the federal government's statement of best practices for cryptography, in implementing their own cryptographic controls.

France Requires Drivers to Protect Their Privacy, Even If They Don't Want To
American consumers are quite used to the idea of giving up a little privacy in order to gain convenience -- whether it means joining a supermarket loyalty program, providing personal information in order to gain access to a restricted website, or giving up personal data to get a product discount. In France, however, one form of such exchange just became illegal. On December 22, France's data protection authority (the "Commission Nationale de l'Informatique et des Libertes" or "CNIL") rejected a proposal from an unnamed insurance company to equip its policyholders' vehicles with Global Positioning System (GPS) devices that would have enabled the monitoring of young drivers, who are statistically more accident-prone than others on the road. The proposal, which came in the wake of the CNIL's March 2005 guidance on employee and employer rights and responsibilities with regard to GPS technology, entailed offering selected drivers reduced insurance premiums in return for their agreeing to use the GPS monitoring device. The device would have provided the company with real-time updates on driver behavior, enabling the assessment of compliance with policy restrictions such as those concerning maximum speed limits and restrictions on the use of dangerous roads. However, the CNIL rejected the proposal, stating that the planned monitoring was an unacceptable violation of personal privacy and that the company's proposal to collect and retain such information violated French standards on database management and was "disproportionate" to road safety objectives.

Binding Corporate Rules for EU Data Protection Come of Age with UK Decision
At the end of December, the United Kingdom Information Commissioner approved the "binding corporate rules" ("BCRs") of General Electric as a basis for transfer of information on GE's UK employees to GE entities outside the European Economic Area ("EEA"). This decision, which appears to be the first approval of a set of BCRs by any European Union data protection authority ("DPA"), suggests that BCRs may be coming of age as a viable data protection approach for multinational companies.

Although the UK Information Commissioner was the lead DPA considering GE's BCRs, the DPA in each EU country in which GE has operations must also approve the BCRs. The UK Information Commissioner has historically been among the most flexible EU DPAs, so it remains to be seen whether others will take similar approaches. The GE BCRs relate only to employees' personal data, so it also remains to be seen to what extent DPAs will approve BCRs for transfer of personal data related to customers and other external commercial relationships.

Questions and comments about E-Commerce Law Week are always welcome. Please send your feedback to Sally Albertazzie.
