Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com
Wildman, Harrold, Allen & Dixon LLP
What Is an Identity Trust Framework?

What Is an Identity Trust Framework? Addressing the Legal and Structural Challenges
Thomas J. Smedinghoff, Wildman, Harrold, Allen & Dixon LLP, Chicago
Chair, ABA Identity Management Legal Task Force

Many Transactions Involve Trust Frameworks
- Credit card trust framework
- ACH electronic funds transfer trust framework
- Privacy (e.g., the TRUSTe trustmark)
Each is a set of specifications, rules and legal obligations that addresses a specific element or issue of importance to the transaction. Here we are addressing an identity trust framework.

The Threshold Problem
- We're not all talking about the same thing
- What does "identity trust framework" mean to you?
- Consider some examples of definitions...

Much Disagreement Re What a Trust Framework Is
- FICAM: processes and controls for determining an identity provider's compliance to OMB M Levels of Assurance
- ISO Draft: a set of requirements and enforcement mechanisms for parties exchanging identity information
- Kantara: a complete set of contracts, regulations or commitments that enable participating actors to rely on certain assertions by other actors to fulfill their information security requirements
- OIX: a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider), and vice versa
- OITF Model: a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information

Much Disagreement Re What a Trust Framework Is (continued)
NSTIC (final, 4/15/2011):
- The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.
- A Trust Framework is developed by a community whose members have similar goals and perspectives. It defines the rights and responsibilities of that community's participants in the Identity Ecosystem; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance....
- In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.

But In All Cases, the Goal Is...
- Building an identity system that actually works (e.g., the plane actually flies)
- Building an identity system that participants trust, i.e., one they are willing to participate in and rely on (e.g., we are all willing to fly on the plane; we're confident that it will get us there safely, comfortably, on time, etc.)
- For both of these goals, we need to address all of the relevant risks in an acceptable manner

All Trust Frameworks Consist of Two Parts
Technical and Operational Specifications
- Content: technical specifications, process standards, policies, procedures, performance rules and requirements, assessment criteria, etc.
- Goals: make it work; make it trustworthy
Legal Rules
- Content: existing law; contractual obligations
- Goals: regulate the Technical and Operational Specifications; make the Technical and Operational Specifications legally binding on the participants; define and govern the legal rights and responsibilities of the participants

Note How the Operational Specs and Legal Rules Relate
- The Technical and Operational Specifications are designed to "make it work" from a functional perspective
- The Legal Rules:
  - regulate the content and implementation of the Technical and Operational Specifications,
  - make the Technical and Operational Specifications enforceable, and
  - address rights and obligations of the parties
- But note that some legal rules come from existing law, while other legal rules are made up by the parties

As An Analogy, Consider a Construction Contract
- There will be many requirements and specifications: blueprints, electrical specifications, plumbing specifications, HVAC specifications
- The specifications reflect much personal choice, but are also subject to regulation by existing law
- The specs are attached to a contract whereby the builder agrees to build the building in accordance with the specifications, and the buyer agrees to pay for it
- Both parties agree to numerous rules regarding price, schedule, warranties, limits on liability, insurance, applicable law, remedies for breach by the other, etc.
- Existing law supplies legal rules not covered in the contract

ABA Proposed Definition of Identity Trust Framework
A Trust Framework is the governance structure for a specific identity system consisting of:
- the Technical and Operational Specifications that have been developed
  - to define requirements for the proper operation of the identity system (i.e., so that it works),
  - to define the roles and operational responsibilities of participants, and
  - to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and
- the Legal Rules that govern the identity system and that
  - regulate the content of the Technical and Operational Specifications,
  - make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
  - define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.

Note that...
- The Trust Framework is NOT LIMITED to the rules and requirements the participants agree upon
- A Trust Framework is a COMBINATION of the rules and requirements that the participants (or trust framework provider) write down and agree to, AND existing law
- We have to consider the impact of both; both need to work in harmony

Technical and Operational Specifications: Components Necessary to "Make it Work"
Partial listing of Technical and Operational Specifications: Privacy Standards, Credential Issuance, Authentication Requirements, Reliance Rules, Audit & Assessment, Oversight, Credential Management, Security Standards, Identity Proofing, Technical Specifications, Enrolment

Technical and Operational Specifications: Regulated by Existing Law
The same partial listing (Privacy Standards, Credential Issuance, Authentication Requirements, Reliance Rules, Audit & Assessment, Oversight, Credential Management, Security Standards, Identity Proofing, Technical Specifications, Enrolment) sits within existing law.
NOTE: The specifications must comply with any existing law, and are also supplemented by existing law.

Legal Rules To Govern Legal Rights of the Parties
Existing law as supplemented and/or modified by contract.
Partial listing of Legal Rules: Warranties, Dispute Resolution, Measure of Damages, Enforcement Mechanisms, Termination Rights, Liability for Losses

The Legal Rules Are a Combination of...
- Public Law (statutes, regulations, common law):
  - existing IdM-specific law, if any
  - existing generally applicable law: privacy law, warranty law, tort law (negligence), e-transaction law, defamation law, etc.
- Supplanted / revised by Private Law, created via:
  - contractual agreements among the parties
  - standards adopted by the parties
  - self-asserted undertakings

Identity Trust Framework: Putting It All Together
The contract ("I Agree" to...) is the enforcement element that binds participants to both parts, each of which sits within existing law:
- Technical and Operational Specifications: Privacy Standards, Credential Issuance, Authentication Requirements, Reliance Rules, Audit & Assessment, Oversight, Credential Management, Security Standards, Identity Proofing, Technical Specifications, Enrolment
- Legal Rules: Warranties, Dispute Resolution, Measure of Damages, Enforcement Mechanisms, Termination Rights, Liability for Losses

Common Legal Problems to Be Addressed By a Trust Framework
- Legal Uncertainty: (i) lack of legal rules and (ii) lack of clarity re applicable legal rules
- Liability Risk / Liability Allocation: uncertainty over potential liability is a key issue!
- Legal Compliance: e.g., privacy law requirements, security law requirements, etc.
- Legal Barriers: some laws may adversely impact identity systems; can they be altered by agreement?
- Contract Enforceability: how can we bind all participants (and affected non-parties) in an enforceable Trust Framework?
- Cross-Jurisdiction Issues: regulatory law in one jurisdiction may differ from another

Status of Industry Work to Date (1): Limited to Operational Specifications
Technical and Operational Specifications: much work being done by many groups and governments
- Groups: Kantara Initiative, Open Identity Foundation, EURIM, STORK, OIX, WS-Federation, etc.
- Governmental: Australia, Belgium, Finland, EU, Germany, India, Scotland, Sweden, U.S., etc.
- Intergovernmental: ITU, OECD, etc.
Legal Rules: largely unaddressed!
- Some private (closed) identity systems such as IdenTrust, SAFE-BioPharma, CertiPath, etc.
- Some groups, such as OIX and the American Bar Association Identity Management Legal Task Force

Status of Industry Work to Date (2): Most Existing Docs Are Just Components
Most existing work focuses only on a subset of the Technical and Operational Specifications, and thus is only a component of an Identity Trust Framework, such as:
- NIST SP , Electronic Authentication Guideline
- Kantara Privacy Framework (being developed??)
- FICAM Security Assertion Markup Language (SAML) 2.0 Profile
- NASPO National Identity Proofing and Verification Standards
- Entity Authentication Assurance Framework, ISO/IEC 29115:2010 (draft)
- Kantara Identity Assurance Framework: Assurance Assessment
- FIPS 201, Personal Identity Verification
Examples of complete Trust Frameworks might include SAFE-BioPharma, CertiPath, and IdenTrust.

A Few Thoughts on Addressing Liability Via a Trust Framework

Three-Part Concern
- Risk of loss: risk of incurring one's own losses (that cannot be shifted to someone else)
- Risk of liability: risk of being held responsible for losses of others
- Risk of non-compliance: risk of fines or other penalties for regulatory non-compliance

Basic Rule re Liability
- When a party suffers a loss or damage, that party must bear its own losses UNLESS there is a basis for shifting the loss from the person that suffered it to someone else
- Approaches often used to shift responsibility for losses:
  - Fault-based approaches: an intentional act or omission of a third party caused the loss; a negligent act or omission of a third party caused the loss
  - Strict liability approaches: the third party did not cause the loss, but is still held responsible for the loss based on policy reasons

The Default Rule Is the Key Starting Point
- Sources of approaches often used to shift responsibility for losses: existing law; contract
- We need to know the rule under existing law, and then we can determine whether/how to modify it by contract
- But we can't address the issue unless we know the source of the duty, e.g., warranty, antitrust, tort, contract, duty to authenticate, etc.

Consider an Example...
Assume an Identity Assertion is inaccurate and a Relying Party and/or Subject suffers a loss.
- If negligence law applies: liability depends on fault of the IdP, relative to the standard that applies (by law); depends on the nature of the loss, the jurisdiction involved, etc.
- If warranty law applies: liability does NOT depend on fault of the IdP; depends on the nature of the warranty that applies (by contract or law)
- If both apply???

Some Potential Liability Models
- Warranty model: focus on stated or implied guarantees
- Tort model: focus on standards of conduct; negligence
- DMV model: no IdP liability; other roles bear all risk
- Credit card model: no Subject liability; others bear the risk
- Contractual model: negotiated risk allocation (in theory)
- Strict liability: regardless of fault
- Liability caps model
- EV SSL model: restricts the ability of the IdP to limit its liability
But recognize that a liability model is unlikely to be a one-size-fits-all approach, and liability is a zero-sum game.

The Overall Trust Framework Goal
Develop an acceptable Trust Framework that:
- Provides enforceable rules for a workable and trustworthy identity ecosystem that are binding on all participants
- Adequately protects the rights of the parties
- Fairly allocates risk and responsibilities among the parties
- Provides legal certainty and predictability to the participants
- Complies with / works in conjunction with existing law
- Works cross-border (state or country)

The Next Steps
- Agree on a general Trust Framework definition
- Identify the topics to be addressed for the Technical and Operational Specifications and Legal Rules

Further Information
Thomas J. Smedinghoff
Wildman, Harrold, Allen & Dixon LLP
225 West Wacker Drive
Chicago, Illinois