Subgroup 5 – Safeguarding Registrant Data

Objective

Consistent with ICANN’s mission and Bylaws, Section 4.6(e)(ii), the review team will assess the extent to which the implementation of today’s WHOIS (the current gTLD RDS) safeguards registrant data by (a) identifying the lifecycle of registrant data, (b) determining if/how data is safeguarded in each phase of that lifecycle, (c) identifying high-priority gaps (if any) in safeguarding registrant data, and (d) recommending specific measureable steps (if any) the team believes are important to fill gaps.

Background Documents

SAC051, Report on Domain Name WHOIS Terminology (2011)
SAC054, Report on Domain Name Registration Data Model (June 2012)
RDS/WHOIS Contractual Requirements - Sections pertaining to Data Safeguards, including
- 2013 Registrar Accreditation Agreement (RAA), Section 3.6 - Data Retention Specification
- 2014 New gTLD Registry Agreement, Specification 2 - Data Escrow Requirements

Further background documents may be found on the Review Team's overall Background Materials page.

Leader/Rapporteur: Alan Greenberg

Members: Alan Greenberg, Dmitry Belyavsky, Stephanie Perrin, Volker Greimann

Mailing-list archives: http://mm.icann.org/pipermail/rds-whois2-safeguard/

Conference calls

Review Team Templates: see here

Subgroup Documents

Date	Document (Versions in Red are latest)	File
Subgroup report
08 Aug 2018	v9	DOCX
04 Aug 2018	v8	DOCX
30 Jul 2018	v7 (incl. FtoF #3 Agreements)	DOCX
19 Jun 2018	v6	DOCX
18 Jun 2018	v5	DOCX
03 Jun 2018	v4	DOCX
28 May 2018	v3	DOCX
12 Apr 2018	v2	DOCX
05 Apr 2018	v1	DOCX
Face-to-Face Mtg #2 Slides - Findings
12 Apr 2018	v2	PPTX
09 Apr 2018	v1	PPTX
Work plan (as per Alan's email)
14 Feb 2018	v1	EMAIL
Planning questions
04 Mar 2018	v2	PPTX
09 Feb 2018	v1	PPT
First Pass Document
04 Mar 2018	v4	DOCX
17 Jan 2018	v3	DOCX
29 Dec 2018	v2	DOCX
06 Dec 2017	v1	DOCX

Open Actions/Requests

*To be provided once reasonable date is determined by appropriate subject-matter expert

Item #	Source of Request	Date of Request	Action Item Request	Action Owner	Anticipated Completion Date*	Progress Notes

Completed Actions/Requests

*To be provided once reasonable date is determined by appropriate subject-matter expert

Item #	Source of Request	Date of Request	Action Item Request	Action Owner	Anticipated Completion Date*	Completed Response	Completion Date
10	#37	28 Jul 2018	Modify language to specify that level of data breach should be the subject of discussion with data security expert(s)	Alan	10 Aug 2018	DOCX	08 Aug 2018
9	FtoF #3	28 Jul 2018	Update Rec SG.1 to reflect agreements reached.	Alan	03 Aug 2018	DOCX	04 Aug 2018
8	#35	23 Jul 2018	Subgroup 5 \| Safeguarding Registrant Data - Alan to update the draft recommendation text that appears in brackets [ICANN should similarly consider whether contractual requirement are needed to require registrars, registries and escrow provides to notify registrants in the event of data breaches.] regarding breach notification to serve as the basis for discussion at the face-to-face meeting #3.	Alan
7	Email	06 Jun 2018	Contract signed with escrow providers so that we may understand what processes, constraints or rules escrow providers are subject to regarding safeguarding data while under their custody and in relation to any data breaches that may be discovered. If the contracts are all substantially identical, then the standard boiler-plate contract will be sufficient.	ICANN org		Email	11 Jun 2018
6	#27	14 May 2018	Subgroup members to send a quick status update to the review team	Subgroup		Plenary Call #28	21 May 2018
5	#26	18 Apr 2018	Alan to confirm revisions made RT agreements.	Alan		Email	03 Jun 2018
4	#26	18 Apr 2018	Stephanie to provide draft formulation to Alan	Stephanie		Report	03 Jun 2018
3	#26	18 Apr 2018	Alan to refine question number 3.	Alan		Report	06 Jun 2018
2	#26	18 Jun 2018	Questions for ICANN org : ○ What are contractual requirements to secure stored escrow data ○ What are contractual requirements to notify ICANN in the event of breach ○ How do you secure registrant data under your control?	ICANN org		Email	06 Jun 2018
1	#25	06 Apr 2018	Alan plans to share his first draft of subgroup draft report with the subgroup/RT for review in parallel by the end of the weekend.	Alan		Email	12 Apr 2018

Decisions Reached

Source of request	Date	Decision
FtoF #3	27 Jul 2018	Update findings but retain recommendation for review by data security experts. Do not include a recommendation regarding registrant notification.

Content

Space Tools