[Federal Register Volume 67, Number 44 (Wednesday, March 6, 2002)]
[Notices]
[Pages 10213-10215]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-5327]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Public Workshop: Consumer Information Security

AGENCY: Federal Trade Commission (FTC).

ACTION: Notice announcing public workshop and requesting public comment 
and participation.

-----------------------------------------------------------------------

SUMMARY: The FTC is planning to host a public workshop to explore 
issues relating to the security of consumers' computers and the 
personal information stored in them or in company databases.

DATES: The workshop will be held on Thursday, May 16, 2002, from 9:00 
a.m. to 5:00 p.m., and Friday, May 17, 2002, from 9:00 a.m. to 2:00 
p.m., at the Federal Trade Commission, 600 Pennsylvania Avenue, NW, 
Washington, DC 20580.
    Pre-registration: The event is open to the public and there is no 
fee for attendance. However, attendees are strongly encouraged to pre-
register, as seating will be limited. To pre-register, please e-mail 
your name and affiliation by April 29, 2002, to 
[email protected].
    Requests to participate as a panelist: As discussed below, written 
requests to participate as a panelist in the workshop must be filed on 
or before April 1, 2002. Persons filing requests to participate as a 
panelist will be notified on or before April 22, 2002, if they have 
been selected to participate.
    Written comments: Whether or not selected to participate, persons 
may submit written comments on the Questions to be Addressed at the 
workshop. Such comments must be filed on or before April 29, 2002. For 
further instructions on submitting comments and requests to 
participate, please see the ``Form and Availability of Comments'' and 
``Requests to Participate as a Panelist in the Workshop'' sections 
below. To read our policy on how we handle the information you may 
submit, please visit http://www.ftc.gov/ftc/privacy.htm.

ADDRESSES: Written comments and requests to participate as a panelist 
in the workshop should be submitted to: Secretary, Federal Trade 
Commission, Room 159, 600 Pennsylvania Avenue, NW, Washington, DC 
20580. Alternatively, they may be e-mailed to [email protected].

FOR FURTHER INFORMATION CONTACT: L. Mark Eichorn, Division of 
Advertising Practices, 202-326-3053, Ellen Finn, Division of Financial 
Practices, 202-326-3296, or Laura Berger, Division of Financial 
Practices, 202-326-2471. The above staff can be reached by mail at:
Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 
20580.

SUPPLEMENTARY INFORMATION:

Background and Workshop Goals

    The security of consumers' home computers is an issue of growing 
importance. The terms ``virus,'' ``worm,'' and ``Trojan horse'' have 
gained new meanings as ``Melissa,'' ``ILOVEYOU,'' and ``Code Red'' 
infected computers across the globe. News of hackers' ``exploits'' 
makes front page news. At the same time, more and more consumers access 
the Internet through ``always on'' DSL or cable Internet connections, 
which allow quick access to Internet content but also may be vulnerable 
to attack even when the consumer is not actively using the Internet. As 
consumers use their computers as repositories for sensitive information 
such as passwords, financial records, and health information, the 
potential destruction or disclosure of that information is cause for 
concern.
    Another aspect of consumer security is whether consumers' personal 
information held by businesses is secure. When consumers interact with 
businesses--whether to check a bank account balance, register to 
receive information, or purchase a product or service--those businesses 
become custodians of consumers' personal information. An employee 
processing a consumer's payment or a consumer checking his or her 
account balance may want access to this information, but at the same 
time businesses face the challenge of securing it from access by 
external threats such as hackers or even by unauthorized insiders. 
Should a hacker gain access to a business' customer credit card 
database, for example, that intrusion may not only have serious 
consequences for that particular business and the consumer's financial 
well-being, but may also affect consumers' confidence and willingness 
to engage in e-commerce generally.
    This workshop provides an opportunity for the Commission to explore 
information security issues that affect consumers. The questions to be 
addressed at the workshop would include:

1. The Current State of Information Security

     What are the security risks facing consumers?
     Are consumers aware of the risks?
     What are the costs to consumers of security measures and 
of security failures?
     Do consumers accurately assess security risks?
     How does consumers' security affect the network as a 
whole?

2. Security Issues Relating to Consumers' Home Information Systems

     What steps can consumers take to reduce their security 
risks?
     What information resources or security products are 
available to help consumers protect themselves?
     If consumers' lack of awareness or technical expertise 
leads to security vulnerabilities, what steps can be taken to raise 
awareness or educate consumers?
     What types of awareness and education initiatives are 
currently being pursued?
     What are the ``best practices'' being implemented by 
businesses to assist consumers in safeguarding their home information 
systems?

3. Security Issues for Businesses That Maintain Consumers' Personal 
Information

     What practical challenges do businesses face in securing 
their computer systems, and specifically consumers' personal 
information that is stored on them?
     What are the costs to businesses of security measures and 
of security failures?
     What measures can businesses, especially smaller 
businesses, take to secure their computer systems and the consumer 
information stored on them?
     What information resources are available to help these 
businesses?
     What are the ``best practices'' being implemented by 
businesses to address these issues?

4. Emerging Business Models, Technologies, and Best Practices

     What are the existing business models for security, and 
are they sustainable over the long term?
     What technologies, business models, or initiatives are 
emerging in the marketplace to address the security of consumers' 
information?

5. Revising the OECD Security Guidelines

    Commissioner Orson Swindle is leading the U.S. delegation to the 
Organization for Economic Cooperation and Development (``OECD'') 
Experts Group reviewing the OECD Guidelines for the Security of 
Information Systems. These voluntary guidelines contain principles 
which provide a framework for participants to think about information 
and network security practices, policies, and procedures. The 
guidelines discuss cultivating a ``culture of security'' and contain 
nine policy principles for the security of information systems and 
networks, as well as principles relating to the life cycle of 
information systems and networks. The guidelines specifically address: 
raising awareness of security risks; responsibility for the security of 
information systems; designing security into system architecture; and 
risk management, assessment, and monitoring. Because the principles 
provide a helpful framework for thinking about security issues, the 
Commission plans to present a panel discussion on the Security 
Guidelines.

Form and Availability of Comments

    The FTC requests that interested parties submit written comments on 
the above questions to facilitate greater understanding of the issues. 
Of particular interest are any studies, surveys, research, and 
empirical data. Comments should indicate the number(s) of the specific 
question(s) being answered, provide responses to questions in numerical 
order, and use a separate page for each question answered. Comments 
should be captioned ``Consumer Information Security Workshop--Comment, 
P024512,'' and must be filed on or before April 29, 2002.
    Parties sending written comments should submit an original and two 
copies of each document. To enable prompt review and public access, 
paper submissions should include a version on diskette in PDF, ASCII, 
WordPerfect, or Microsoft Word format. Diskettes should be labeled with 
the name of the party, and the name and version of the word processing 
program used to create the document. Alternatively, comments may be e-
mailed to [email protected].
    Written comments will be available for public inspection in 
accordance with the Freedom of Information Act, 5 U.S.C. 552, and FTC 
regulations, 16 CFR 4.9, Monday through Friday between the hours of 
8:30 a.m. and 5:00 p.m. at the Public Reference Room 130, Federal Trade 
Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580. This 
notice and, to the extent technologically possible, all comments will 
also be posted on the FTC Web site at www.ftc.gov/securityworkshop.

Registration Information

    The workshop will be open to the public and there is no fee for 
attendance. As discussed above, pre-registration is strongly 
encouraged, as seating will be limited. To pre-register, please e-mail 
your name and affiliation 
to [email protected] by April 29, 2002. A detailed agenda and 
additional information on the workshop will be posted on the FTC's Web 
site at www.ftc.gov/securityworkshop before May 16, 2002.

Requests to Participate as a Panelist in the Workshop

    Those parties who wish to participate as panelists in the workshop 
must notify the FTC in writing of their interest in participating on or 
before April 1, 2002, either by mail to the Secretary of the FTC or by 
e-mail to [email protected]. Requests to participate as a 
panelist should be captioned ``Consumer Information Security Workshop--
Request to Participate, P024512.'' Parties are asked to include in 
their requests a statement setting forth their expertise in or 
knowledge of the issues on which the workshop will focus and their 
contact information, including a telephone number, facsimile number, 
and e-mail address (if available), to enable the FTC to notify them if 
they are selected. An original and two copies of each document should 
be submitted. Panelists will be notified on or before April 22, 2002 
whether they have been selected.
    Using the following criteria, FTC staff will select a limited 
number of panelists to participate in the workshop. The number of 
parties selected will not be so large as to inhibit effective 
discussion among them.
    1. The party has expertise in or knowledge of the issues that are 
the focus of the workshop.
    2. The party's participation would promote a balance of interests 
being represented at the workshop.
    3. The party has been designated by one or more interested parties 
(who timely file requests to participate) as a party who shares group 
interests with the designator(s).
    In addition, there will be time during the workshop for those not 
serving as panelists to ask questions.

    By Direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 02-5327 Filed 3-5-02; 8:45 am]