© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP The Emerging Legal Framework for Identity and Access Management Thomas J. Smedinghoff.

Slides:



Advertisements
Similar presentations
Module N° 4 – ICAO SSP framework
Advertisements

Appropriate Access InCommon Identity Assurance Profiles David L. Wasley Campus Architecture and Middleware Planning workshop February 2008.
Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com Wildman, Harrold, Allen & Dixon LLP What Is an Identity Trust.
® NSTIC’s Effects on Privacy The Need to Balance Identity and Privacy- Protection with Market Forces in the National Strategy for Trusted Identities in.
TFTM Interim Trust Mark/Listing Approach Paper Discussion Deck TFTM Committee IDESG Plenary Meeting January 14, IDESG TFTM Committee1.
Policy interoperability in electronic signatures Andreas Mitrakas EESSI International event, Rome, 7 April 2003.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
IDESG Goals & Work-plans for 2013 and beyond Brett McDowell IDESG Management Council Chair
Functional component terminology - thoughts C. Tilton.
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Unlawful Internet Gambling Enforcement Act Final Rule Joseph Baressi June 3, 2009.
Cross Sector Digital Identity Initiative March 12, 2014 Hearing on the National Strategy for Trusted Identities in Cyberspace (NSTIC) Cross Sector Digital.
Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com © 2009 Wildman, Harrold, Allen & Dixon LLP. Identification and.
Consumers Online: Privacy, Security and Identity Professor Margaret Jackson and Marita Shelly Presentation to the RMIT Financial Literacy, Banking & Identity.
Security Controls – What Works
COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.
Building Trusted Transactions Identity Authentication & Attribute Exchange In Public and Private Federations OASIS Conference September 2010 Joni Brennan,
Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com Wildman, Harrold, Allen & Dixon LLP Identity Management: The.
Identity Management What is it? Why? Responsibilities? Bill Weems Academic Computing University of Texas Health Science Center at Houston.
By Garland Land NAPHSIS Consultant. Importance of Birth Certificates Needed for: Social Security Card School Enrollment Driver’s License Passport.
National Smartcard Project Work Package 8 – Security Issues Report.
1st MODINIS workshop Identity management in eGovernment Frank Robben General manager Crossroads Bank for Social Security Strategic advisor Federal Public.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Teresa Macklin Information Security Officer 27 May, 2009 Campus-wide Information Security Activities.
Functional Model Workstream 1: Functional Element Development.
NSTIC ID Ecosystem A Conceptual Model v03 Andrew Hughes October October IDESG Version 1.
Ray Collins27th September 2005LGfL Project – workshop report1 LGfL Project Report Proof of Principle of the Shibboleth Authentication & Authorisation Infrastructure.
Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.
HIT Policy Committee Nationwide Health Information Network Governance Workgroup Recommendations Accepted by the HITPC on 12/13/10 Nationwide Health Information.
Trusted Federated Identity and Access Management to provide the Cornerstone for Cyber Defense.
TFTM Interim Trust Mark/Listing Approach Paper Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach Discussion Deck TFTM Committee.
Presented by: Jay Maxwell CIO, AAMVA The Driver’s License: Finally, National Standards Presented by: Jay Maxwell CIO, AAMVA.
A DESCRIPTION OF CONCEPTS AND PLANS MAY 14, 2014 A. HUGHES FOR TFTM The Identity Ecosystem DISCUSSION DRAFT 1.
Elements of Trust Framework for Cyber Identity & Access Services CYBER TRUST FRAMEWORK Service Agreement Trust Framework Provider Identity Providers Credential.
© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.
Identity Ecosystem Framework and Charter Gap Analysis.
HIT Policy Committee NHIN Workgroup Recommendations Phase 2 David Lansky, Chair Pacific Business Group on Health Danny Weitzner, Co-Chair Department of.
1 Information Sharing Environment (ISE) Privacy Guidelines Jane Horvath Chief Privacy and Civil Liberties Officer.
Identity in the Virtual World: Creating Virtual Certainty David L. Wasley Information Resources & Communications UC Office of the President.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
Higher Education PKI Summit Meeting August 8, 2001 The ABA PAG Rodney J. Petersen, J.D. Director, Policy and Planning Office of Information Technology.
The privacy risks and rewards of distributed identity Conference Presentation (8 September 2003) Surveillance and Privacy 2003, University of New South.
Cloud Computing, Policy Management and Standardization Europe Identity Conference 2011 John Sabo, Director Global Government Relations, CA Technologies.
“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.
Scalable Trust Community Framework STCF (01/07/2013)
HIT Policy Committee NHIN Workgroup HIE Trust Framework: HIE Trust Framework: Essential Components for Trust April 21, 2010 David Lansky, Chair Farzad.
Information Management in Retail: A Legal Perspective Chris Hill Barlow Lyde & Gilbert LLP 17 September 2009.
NSTIC and the Identity Ecosystem Jim Sheire Senior Advisor NSTIC National Program Office, NIST 14 November 2012.
Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
Data Security & Privacy: Fundamental Risk Mitigation Tactics 360° of IT Compliance Anthony Perkins, Shareholder Business Law Practice Group Data Security.
Overview of ONC Report to Congress on Health Information Blocking Presented to the Health IT Policy Committee, Task Force on Clinical, Technical, Organizational,
HIT Policy Committee Meeting Nationwide Health Information Network Governance June 25, 2010 Mary Jo Deering, PhD ONC, Office of Policy and Planning NHIN.
Attribute Delivery - Level of Assurance Jack Suess, VP of IT
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
Connecting for Health Common Framework: the Model Contract for Health Information Exchange Gerry Hinkley com July 18, 2006 Davis Wright.
Dino Tsibouris & Mehmet Munur Privacy and Information Security Laws and Updates.
PROTECTING THE INTERESTS OF CONSUMERS OF FINANCIAL SERVICES Role of Supervisory Authorities Keynote Address to the FinCoNet Open Meeting 22 April 2016.
Data protection—training materials [Name and details of speaker]
Wildman Harrold | 225 West Wacker Drive | Chicago, IL | (312) | wildman.com © 2010 Wildman, Harrold, Allen & Dixon LLP. Building an Online.
COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,
The Federal E-Authentication Initiative David Temoshok Director, Identity Policy GSA Office of Governmentwide Policy February 12, 2004 The E-Authentication.
Higher Education’s Role in the Identity Ecosystem
Model Contract for Health
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
Appropriate Access InCommon Identity Assurance Profiles
Reiniger LLC.
Colorado “Protections For Consumer Data Privacy” Law
Presentation transcript:

© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP The Emerging Legal Framework for Identity and Access Management Thomas J. Smedinghoff Edwards Wildman Palmer LLP Chair: ABA Identity Management Legal Task Force May 9, 2012

© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP ABA Legal Task Force Overview

3 American Bar Association Identity Management Legal Task Force - 1 ♦ It’s an open project: ♦ Participants include lawyers, non-lawyers, IdM technology experts, businesspersons, and other interested persons ♦ From businesses, associations, universities, and government agencies ♦ From U.S., Canada, EU, Australia, etc. ♦ ABA Task Force Website (and sign up for listserv) at – ♦

4 American Bar Association Identity Management Legal Task Force - 2 ♦ Goals ♦ Identify and analyze the legal issues that arise in connection with the development, implementation and use of federated identity management systems; ♦ Identify and evaluate models for an appropriate legal framework; ♦ Develop sample terms and contracts that can be used by parties ♦ Draft Report (three parts) ♦ IdM fundamentals and terminology ♦ Legal regulation of, and barriers to, identity management ♦ Structuring a legal framework for an identity system Draft Report available at –

© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP Identity Management Basics

6 Two Key Questions We’re Trying to Address For Online Transactions ♦ “Who are you?” (Identification) ♦ Assigning attributes to individuals (or companies, or devices) ♦ Name, address, age, status (e.g., student or faculty), company, authority, credit rating, gender, model number, serial number, etc. ♦ A one-time (offline or online) process called “identity proofing” ♦ Issuing a credential ♦ Drivers license, passport, ATM card, UserID, digital certificate, smart card, etc. ♦ Typically a one-time event ♦ “How can you prove it?” (Authentication) ♦ Verifying that the person online is the person previously identified ♦ Correlate a person to a credential (drivers license, UserID, etc.) via an authenticator (e.g., picture, password, etc.)

7 Three Key “Roles” ♦ Subject (a/k/a user, principal, or customer) ♦ The person (entity, or device) that is identified ♦ The subject of assertions/claims about his/her identity ♦ Identity Provider (a/k/a credential service provider, CA) ♦ Responsible for identity proofing of Subject and issuing a Credential ♦ Producer of assertions/claims about a Subject’s identity to a Relying Party via a Credential ♦ Relying Party (a/k/a service provider, vendor) ♦ Consumer of identity assertions/claims ♦ Relies on assertion to make authorization decision

8 The Basics of an Identity Transaction 1. A Relying Party wants to know “something” about the identity of a Subject, such as – ♦ basic identifying information (e.g., name, account number, etc.) ♦ status or role (e.g., employment, student, membership) ♦ qualifications (e.g., credit rating, authority) ♦ age or nationality, etc. 2. An Identity Provider has previously issued a digital “Credential” to make an “assertion” or “claim” about the identity of the Subject (or issues one upon request) 3. The Credential is communicated to the Relying Party and authenticated 4. The Relying Party relies on the assertion/claim from the Identity Provider and does business with the Subject

9 Traditional Two-Party Approach Employer or Bank Employee or Customer Data Subject Identity Provider & Relying Party (User ID and Password)

10 The Developing Three-Party Approach: Federated Identity Management Identity Provider Relying Party Subject (Bank A) (ATM Card) (Bank B) (Verification) Relying Party (Bank C) (Bank D) ATM Example

11 U.S. National Strategy For Trusted Identities in Cyberspace (NSTIC) ♦ Issued by White House on April 15, 2011: ♦ Vision: Identity systems that -- ♦ Are “secure, efficient, easy to-use, and interoperable” ♦ Promote “confidence, privacy, choice, and innovation” ♦ Key NSTIC goals ♦ Develop a comprehensive Identity Ecosystem Framework ♦ “the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that govern the Identity Ecosystem” ♦ Private sector to lead the effort to build & implement ♦ Federal government to provide support

© 2012 Edwards Wildman Palmer LLP & Edwards Wildman Palmer UK LLP Building the Legal Framework

13 All Online Identity Systems Require Rules ♦ Business & Technical Rules ♦ Content ♦ Business and Technical specifications, process standards, policies, operational procedures, performance rules and requirements, assessment criteria, etc. ♦ Purpose ♦ Make it work – from a functional perspective ♦ Make it trustworthy – willingness to participate ♦ Legal Rules (Contractual) ♦ Content ♦ Contractual obligations, including agreement to follow Business & Technical Rules ♦ Purpose ♦ Define and govern the legal rights and responsibilities of the participants ♦ Address liability and risk allocation ♦ Provide mechanism for enforcement of rights / Address dispute resolution ♦ Make it trustworthy – willingness to participate

14 Those Rules Go By Various Names ♦ Trust Framework – NSTIC / Kantara / OIX ♦ Operating Policies - SAFE-BioPharma ♦ Federation Operating Policies and Practices - InCommon ♦ Operating Rules – FIXs / CAHQ (health info exchange) ♦ Operating Rules and System Documentation - IdenTrust ♦ Common Operating Rules - CertiPath ♦ Guidelines – CA/Browser Forum ♦ Operating Regulations - Visa (credit) ♦ Operating Rules – NACHA (electronic payments) ♦ Operating Procedures – Bolero (e-bills of lading)

15 1. Business & Technical Rules: (Components Necessary to “Make it Work”) Partial listing of Business & Technical Rules NOTE: Must comply with any existing law; Also may be supplemented by existing law Existing Law Privacy Standards Credential Issuance Authentication Requirements Reliance Rules Audit & Assessment Oversight Credential Management Security Standards Identity Proofing Technical Specifications Enrolment Rules

16 2. Legal Rules (To Govern Legal Rights of the Parties) Existing Law as Supplemented and/or Modified by Private Legal Rules Existing Law Warranties Dispute Resolution Measure of Damages Enforcement Mechanisms Termination Rights Liability for Losses Partial listing of Legal Rules

17 Putting It All Together to Form Enforceable “Operating Rules” Contract(s): “I Agree” to... Existing Law Warranties Dispute Resolution Measure of Damages Enforcement Mechanisms Termination Rights Liability for Losses Existing Law Privacy Standards Credential Issuance Authentication Requirements Reliance Rules Audit & Assessment Oversight Credential Management Security Standards Identity Proofing Technical Specifications Enrolment Rules Business and Technical Rules Legal Rules (Contractual) Enforcement Element

18 Operating Rules Are Governed By Existing Laws Laws & Regulations* (in all relevant jurisdictions) Operating Rules** Privacy Standards Credentia l Issuance Authenticatio n Requirements Reliance Rules Audit & Assessment Oversight Credential Managemen t Security Standards Identity Proofing Technical Specification s Business Processe s Warranties Dispute Resolution Measure of Damages Enforcement Mechanisms Termination Rights Liability for Losses Legal Rules (contractual) Business & Technical Rules Contract: “I Agree” to...” EU Data Protection Directive Crypto regulations Tort law Law of negligent misrepresentation Privacy law Data security law Warranty law Consumer protection law Contract lawPKI laws EU E-Signatures Directive Rules of evidence Data retention law * Written by governments; applies to all identity systems ** Written by private parties; a/k/a “trust framework;” applies to a specific identity system Authentication law E-transaction law IdM laws

19 All Identity Systems Use Private Operating Rules that Operate Within a Public Legal System Laws & Regulations* (in all relevant jurisdictions) EU Data Protection Directive Crypto regulations Tort law Law of negligent misrepresentation Privacy law Data security law Warranty law Consumer protection law Contract lawPKI lawsEU E-Signatures Directive Rules of evidence Data retention law * Written by governments; applies to all identity systems ** Written by private parties; a/k/a “trust framework;” applies to a specific identity system Authentication law E-transaction law IdM law Certipath Operating Rules** SAFE-BioPharma Operating Rules** InCommon Operating Rules ** Identity System X Operating Rules** Identity System Y Operating Rules** Identity System Z Operating Rules** Facebook Connect Operating Rules** Breach Notification law

20 Key Legal Issues - Privacy ♦ Must comply with existing privacy law ♦ In all relevant jurisdictions ♦ And such laws may be inconsistent ♦ Can add additional privacy requirements ♦ To enhance trust of individual subjects ♦ But increases cost for other participants ♦ NSTIC views protecting privacy as key issue to incentivize participation by Subjects ♦ Proposes that identity systems be based on - ♦ Fair Information Practice Principles ♦ A “user-centric” approach to data protection ♦ Privacy will be major focus of NSTIC Ecosystem Framework

21 Key Legal Issues - Liability ♦ Major concern for all participants – e.g., what is... ♦ Subject liability for failing to protect password or key? ♦ Identity Provider liability for incorrect identification? ♦ Relying Party liability for relying on false identity information? ♦ Existing public law is often ambiguous or unacceptable ♦ Solution is to allocate liability by contract, to the extent possible – i.e., to make up the liability rules ♦ Consider credit card system example ♦ Requires binding everyone to the contract ♦ BUT NOTE: Liability is a zero-sum game ♦ NSTIC recognizes liability is a primary barrier ♦ Proposes contractual allocation; recognizes legislation may be needed

22 Many Ways to Write the Liability Rules ♦ Warranty model – focus on stated or implied guarantees ♦ Tort model – focus on standards of conduct; negligence ♦ DMV model – no IdP liability; other roles bear all risk ♦ Credit card model – no Subject liability; others bear risk ♦ Contractual model – negotiated risk allocation ♦ Strict liability – regardless of fault ♦ Liability caps model ♦ Restrictions on ability of IdP to limit its liability ♦ But recognize that if you don’t write them -- ♦ You are subject to the uncertainties of existing law ♦ In multiple jurisdictions

23 Other Common Legal Problems For Contract-Based Operating Rules ♦ The enforceability problem ♦ How to bind all participants in an enforceable contractual framework? ♦ What about non-participants? ♦ The uncertainty problem ♦ Lack of clarity re the rules under existing law ♦ The cross-border problem ♦ Addressing the problem of differing legal regimes ♦ The non-waivable statute problem ♦ Some laws regulate Identity management systems ♦ Can’t be changed by contract (e.g., consumer)

24 Building the Legal Framework Under NSTIC Start with Layer 1 – Existing Laws and Regulations Laws & Regulations* (in all relevant jurisdictions) EU Data Protection Directive Crypto regulations Tort law Law of negligent misrepresentation Privacy law Data security law Warranty law Consumer protection law Contract lawPKI laws EU E-Signatures Directive Rules of evidence Data retention law * Written by governments; applies to all identity systems Authentication law E-transaction law IdM law Breach Notification law

25 Add Layer 2 -- the NSTIC Rules - a Voluntary Identity Ecosystem Framework Laws & Regulations* (in all relevant jurisdictions) EU Data Protection Directive Crypto regulations Tort law Law of negligent misrepresentation Privacy law Data security law Warranty law Consumer protection law Contract lawPKI laws EU E-Signatures Directive Rules of evidence Data retention law * Written by governments; applies to all identity systems; compliance is mandatory *** Written by NSTIC Steering Group; compliance is voluntary Authentication law E-transaction law IdM law Identity Ecosystem Framework – NSTIC*** (The overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem) -To be written by NSTIC Steering Group -Not Law (but must comply with law) -Voluntarily adopted by identity systems -Adherence accredited - Trustmark Breach Notification law

26 Add Layer 3 – Individual System Operating Rules (May or May Not Conform to NSTIC Ecosystem Framework) Laws & Regulations* (in all relevant jurisdictions) EU Data Protection Directive Crypto regulations Tort law Law of negligent misrepresentation Privacy law Data security law Warranty law Consumer protection law Contract lawPKI laws EU E-Signatures Directive Rules of evidence Data retention law * Written by governments; applies to all identity systems ** Written by private parties; a/k/a “trust framework;” applies to a specific identity system Authentication law E-transaction law IdM law Identity Ecosystem Framework – NSTIC Identity System 4 Operating Rules** Identity System X Operating Rules** Identity System Y Operating Rules** Identity System 99 Operating Rules** Identity System K Operating Rules** Identity System D Operating Rules** Breach Notification law

27 The Overall Goals ♦ Develop acceptable operating rules that – ♦ Provide enforceable rules for a workable and trustworthy identity system that are binding on all participants ♦ Adequately protect the rights of all parties ♦ Fairly allocate risk and responsibilities among the parties ♦ Provide legal certainty and predictability to the participants ♦ Comply with / work in conjunction with existing law ♦ Works cross-border (state or country)

28 Further Information Thomas J. Smedinghoff Edwards Wildman Palmer LLP 225 West Wacker Drive Chicago, Illinois American Bar Association Identity Management Legal Task Force

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.