Subgroup 5 – Safeguarding Registrant Data

Objective

Consistent with ICANN’s mission and Bylaws, Section 4.6(e)(ii), the review team will assess the extent to which the implementation of today’s WHOIS (the current gTLD RDS) safeguards registrant data by (a) identifying the lifecycle of registrant data, (b) determining if/how data is safeguarded in each phase of that lifecycle, (c) identifying high-priority gaps (if any) in safeguarding registrant data, and (d) recommending specific measureable steps (if any) the team believes are important to fill gaps.

Background Documents

SAC051, Report on Domain Name WHOIS Terminology (2011)
SAC054, Report on Domain Name Registration Data Model (June 2012)
RDS/WHOIS Contractual Requirements - Sections pertaining to Data Safeguards, including
- 2013 Registrar Accreditation Agreement (RAA), Section 3.6 - Data Retention Specification
- 2014 New gTLD Registry Agreement, Specification 2 - Data Escrow Requirements

Further background documents may be found on the Review Team's overall Background Materials page.

Leader/Rapporteur: Alan Greenberg

Members: Alan Greenberg, Dmitry Belyavsky, Stephanie Perrin, Volker Greimann

Mailing-list archives: http://mm.icann.org/pipermail/rds-whois2-safeguard/

Conference calls

Review Team Templates: see here

Subgroup Documents

Date	Document (Versions in Red are latest)	File
Subgroup report
03 Jun 2018	v4	DOCX
28 May 2018	v3	DOCX
12 Apr 2018	v2	DOCX
05 Apr 2018	v1	DOCX
Face-to-Face Mtg #2 Slides - Findings
12 Apr 2018	v2	PPTX
09 Apr 2018	v1	PPTX
Work plan (as per Alan's email)
14 Feb 2018	v1	EMAIL
Planning questions
04 Mar 2018	v2	PPTX
09 Feb 2018	v1	PPT
First Pass Document
04 Mar 2018	v4	DOCX
17 Jan 2018	v3	DOCX
29 Dec 2018	v2	DOCX
06 Dec 2017	v1	DOCX

Open Actions/Requests

*To be provided once reasonable date is determined by appropriate subject-matter expert

Item #	Source of Request	Date of Request	Action Item Request	Action Owner	Anticipated Completion Date*	Progress Notes
7	Email	06 Jun 2018	Contract signed with escrow providers so that we may understand what processes, constraints or rules escrow providers are subject to regarding safeguarding data while under their custody and in relation to any data breaches that may be discovered. If the contracts are all substantially identical, then the standard boiler-plate contract will be sufficient. If the contracts are significantly tailored, the we request copies of the actual contracts for Iron Mountain and one other provider. If that requires a non-disclosure agreement, we are willing to sign one.	ICANN org	TBD

Completed Actions/Requests

*To be provided once reasonable date is determined by appropriate subject-matter expert

Item #	Source of Request	Date of Request	Action Item Request	Action Owner	Anticipated Completion Date*	Completed Response	Completion Date
6	#27	14 May 2018	Subgroup members to send a quick status update to the review team	CLOSED	CLOSED
5	#26	18 Apr 2018	Alan to confirm revisions made RT agreements.	CLOSED	CLOSED
4	#26	18 Apr 2018	Stephanie to provide draft formulation to Alan	CLOSED	CLOSED
3	#26	18 Apr 2018	Alan to refine question number 3.	CLOSED	CLOSED
2	#26	18 Jun 2018	Questions for ICANN org : ○ What are contractual requirements to secure stored escrow data ○ What are contractual requirements to notify ICANN in the event of breach ○ How do you secure registrant data under your control?	CLOSED	CLOSED
1	#25	06 Apr 2018	Alan plans to share his first draft of subgroup draft report with the subgroup/RT for review in parallel by the end of the weekend.	Alan		Email	12 Apr 2018

Decisions Reached

Date	Decision

Content

Space Tools