[RDS-WHOIS2-Safeguard] Request from Safeguard SG

Alan Greenberg alan.greenberg at mcgill.ca
Wed Jun 13 14:44:30 UTC 2018


Team,

I have reviewed the Escrow agreement. I believe 
that it provides adequate specifications for 
proper storage and transmission of data 
(expressions such as "commercially reasonable 
efforts and industry standard safeguards").

One question I might want to ask is to what 
extent is stored data accessible from outside 
their facility (i.e. is it well protected by 
firewalls, or not physically connected). Not sure 
whether this is really required though. I know 
traditionally organizations such as the US CIA had 
rules that highly confidential data not be stored 
on machines with any external connection. I 
suspect the data we are referring to is not 
at that level of confidentiality and besides, 
network security has gotten somewhat better.

It also includes requirements to separate escrow 
activities from other domain-name activities, but 
the presence of such clauses implies that 
there may be the possibility of an internal 
breach, even if the data is reasonably protected from external access.

However, I see no requirement to notify ICANN or 
the Registrar/Registry in the event of a breach 
and I believe that we should recommend such a requirement.

Please comment on whether you agree with such a 
recommendation and on whether we need to talk to 
providers regarding physical connectivity.

Alan

At 11/06/2018 05:52 AM, Alice Jansen wrote:
>Dear Alan, Dear Safeguarding Registrant Data Subgroup,
>
>We have received the following information from 
>subject matter experts in response to your 
>request for information submitted on 06 June:
>
>All of the existing registrar data escrow 
>agreements, including Iron Mountain, can be 
>found here: 
>https://www.icann.org/resources/pages/registrar-data-escrow-2015-12-01-en
>
>Since data escrow is also a component in legacy 
>gTLD Registry Agreements, we also recommended 
>reviewing the base Registry Agreement (data 
>escrow shows up in multiple sections):
>https://www.icann.org/resources/pages/registries/registries-agreements-en
>
>The data escrow template for new gTLD registries 
>is published here: https://newgtlds.icann.org/en/applicants/data-escrow
>
>Thank you,
>Best regards
>Alice
>
>On 06/06/18 22:02, "RDS-WHOIS2-Safeguard on 
>behalf of Alan Greenberg" 
><rds-whois2-safeguard-bounces at icann.org on 
>behalf of alan.greenberg at mcgill.ca> wrote:
>
>     Hi Alice and Jean-Baptiste,
>
>     As per our discussion in the Leadership meeting today, the SafeGuard
>     subgroup is requesting that ICANN Org provide us with the contract
>     signed with escrow providers so that we may understand what
>     processes, constraints or rules escrow providers are subject to
>     regarding safeguarding data while under their custody and in relation
>     to any data breaches that may be discovered.
>
>     If the contracts are all substantially identical, then the standard
>     boiler-plate contract will be sufficient. If the contracts are
>     significantly tailored, then we request copies of the actual contracts
>     for Iron Mountain and one other provider. If that requires a
>     non-disclosure agreement, we are willing to sign one.
>
>     If this request is still not sufficiently clear, since time is
>     running out, perhaps you can put me directly in touch with the
>     appropriate people within ICANN Org to more fully refine it.
>
>     Alan
>
>     _______________________________________________
>     RDS-WHOIS2-Safeguard mailing list
>     RDS-WHOIS2-Safeguard at icann.org
>     https://mm.icann.org/mailman/listinfo/rds-whois2-safeguard
>
>


