No Safe Harbor Is Coming -- CISA Made Sure Of It
Its time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.
UPDATED Jan. 25 --
By passing the Cybersecurity Information Sharing Act (CISA) as part of the omnibus spending bill last month, the US legislature has encouraged American companies to share threat intelligence with the government by absolving them of some of the data privacy liability concerns that stilled their tongues in the past. Yet, the federal government can do nothing to absolve companies of their duties to European data privacy regulations.
In passing CISA--officially titled the Cybersecurity Act of 2015 when signed into law--the US made life for multi-national companies, or any business with customers overseas, more difficult.
Heres what you need to know about CISA and Safe Harbor -- and what you can do about it.
Figure 1:
The United States was already at odds with the European Union (EU) over privacy. In October, the European Court of Justice (ECJ) struck down Safe Harbor, the data transfer agreement that had, for the past 15 years, allowed multinationals to store Europeans’ data in the US if the companies agree to comply with the EUs data privacy laws.
The
ECJs ruling
, in a nutshell, was that American companies were incapable of complying with European laws, simply because they were American. The US governments own invasive surveillance practices and the lack of sufficient American laws protecting privacy put the personal data of all citizens (American and European alike) perpetually at risk.
CISA just adds fuel to the flame. Not only does it absolve companies of some liability for data security, but the final version was stripped of may of the proposed provisions requiring data to be scrubbed of personally identifiable information before being shared.
So, while American companies now have more legal leeway in the States, the situation in Europe is more treacherous than ever.
The threats of the EU Data Protection Directive and its upcoming replacement, the
EU General Data Protection Regulation (GDPR)
, are real and the fines are significant. The GDPR, expected to be approved by Parliament this year and go into effect in 2018, has proposed fines of up to 4% of annual global revenue or €20 million ($21.76 million), whichever is greater.
What were seeing through CISA is just what the Europeans dont want, says Neil Stelzer, general counsel for data classification firm Identity Finder. They will not want their citizens data spread around.
This raises a few key questions:
How will the European Union react if an organization shares threat intelligence information with the US government via CISA, and that information includes some European citizens personal data? Will they consider that a violation of the EU Data Protection Act? Will it further hinder efforts to replace Safe Harbor?
Who is liable if one of the agencies with which data was shared experiences a subsequent breach, further exposing this data?
Is there any way American companies can safely share threat intelligence data without causing themselves problems with the EU?
What We Still Need To Know
Figure 2:
The Replacement For Safe Harbor, If There Is One
So one undereported aspect to the Safe Harbor decision is that much of it hangs off the judgement by the ECJ that its the United States existing surveillance laws that are the problem, not just the companies compliance with EU privacy law, says Danny OBrien, international director of the Electronic Frontier Foundation.
In its judgment
, the ECJ wrote that European Commission did not state in the Safe Harbor Agreement that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments. Therefore, without there being any need to examine the content of the safe harbour principles, the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive and that it is accordingly invalid.
In other words, the principles of safe harbor were irrelevant to the decision to striking down the agreement.
Whats important about this, OBrien says, is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail.
That wont stop the authorities from trying, though. European Union privacy regulators will meet in Brussels Feb. 2, and hope to decide at that time whether and how data transfers to the United States should continue,
Reuters reported
. Leaders of the Information Technology Industry Council, a tech trade organization that represents Apple and Microsoft, are meeting with authorities around the continent ahead of that meeting to help grease the wheels.
Yet OBrien says that all these best efforts may be in vain. Any new data transfer agreements they cook up could be overruled by ECJ on the same grounds.
Anyone reading the ECJ decision knows that those protections arent going to stand another judicial review, says OBrien, because its the US laws that are the problem. And with CISA, theyre getting even worse. Itll take another ECJ review to highlight this, but the US hasnt done itself any favors with US companies by pushing CISA when they already have problems with their existing powers to obtain the personal info of non-US persons from US companies.
The U.S. also didnt improve matters when they
delayed action
this week on the proposed Judicial Redress Act, which would allow European citizens to sue the U.S. if law enforcement agencies misused their personal data. According to
Politico.com
, although the measure was passed by the House in October, lawmakers are now considering adding a provision that would tie it to negotiations for a new data transfer agreement.
US Attorney Generals Forthcoming Guidelines On CISA Information-Sharing
This is significant: generally no one will be held liable for bad things that happen to data that is shared, or the associated individuals, says privacy consultant and trainer
Rebecca Herold
. The procedures that are required for supporting CISA include a provision for providing notice if personal information is breached, but that looks to be the extent of their required actions.
If I disclose info [via] CISA, says Stelzer, I am shielded as long as I am sharing under the guidelines that are eventually laid out by the Attorney General.
The final version of the law does still contain text -- SEC. 104 (d)(2)(A) -- about removal of certain personal information, but privacy advocates have criticized it for leaving too much room for interpretation. It requires that, prior to sharing, non-federal entities review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal in- formation of a specific individual or information that identifies a specific individual and remove such information.
The definitions of not directly related to a cybersecurity threat and personal information are what give privacy experts pause. The US Attorney General and the Department of Homeland Security have been given 60 days from the passage of the law to issue more guidelines on how precisely cyber threat indicators must be shared. The details of those rules will provide a clearer picture of what data government agencies may and may not obtain.
They will be collecting, Stelzer says. We just dont know how much yet.
Another question which may or may not be answered in the forthcoming guidelines is its definition of personal information, and how it may differ from that of the Europeans.
Privacy is a right that is protected more strongly there [in the EU], says Stelzer.
This has always been the case. The GDPR will take it further, expanding the definition of personal data to encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity,
according to IT Governance
.
Shoe size and dress size, says Kris Lahiri, chief security officer of file-sharing company Egnyte. All of that is considered personal information.
As written, only personal information that is not directly related to a cybersecurity threat needs to be removed, Herold says. That doesnt sound too bad, but as she points out, Based upon the monitoring that has occurred by the NSA in recent years, it would not be surprising to see the federal agencies subsequently claim that much/most/all personal information is necessary for investigating a threat.
The Final Ruling on DoJs Case Vs. Microsoft
Microsoft and the US Department of Justice are still at loggerheads over a subpoena DoJ issued in 2013 for email messages that derived from a Hotmail account hosted in Ireland.
Microsoft refused to comply with DoJs request, on the grounds that data on Irish servers are protected by Irish laws, and that DoJ is overreaching its authority. DoJ argues that that Microsoft is an American company, and therefore all of its data is subject to American laws.
As
The Guardian
wrote:
The DoJ contends that emails should be treated as the business records of the company hosting them, by which definition only a search warrant would be needed in order to compel the provision of access to them no matter where they are stored. Microsoft argues the emails are the customers’ personal documents and a US warrant does not carry the authority needed to compel the company to hand it over.
What comes out of that case is of major interest to a company like Egnyte, Lahiri says.
His business has been geographically segregating data for years -- European customers on servers in Europe, Americans on servers in America -- mostly for performance and management reasons. However, if DoJ emerges as the ultimate victor in this long legal battle, it will dash any privacy benefits of the practice.
The case is still awaiting a ruling by the Second U.S. Circuit Court of Appeals in New York. If Microsoft doesnt get its way there, they may raise it to the Supreme Court.
Jan. 4, Politico.com called it
the court case that could sink Safe Harbor
.
Figure 3:
Just Dont Share Threat Information
Information-sharing through CISA isnt mandatory. You dont have to give your threat indicators to anyone, if you dont want. Some businesses will certainly take that route.
The initial recipients of the data shared through CISA will be the departments of Commerce, Defense, Homeland Security, Energy, Treasury, and the Office of the Director of National Intelligence, Herold notes. These are
huge
agencies. So there is a great likelihood for a huge number of people to access the data that is shared from the privacy sector, she says.
Organizations concerned that data they share with the feds could be breached likely wont share it, she says. It could be a PR nightmare, even if theyre not liable: Just consider all that bad press that many tech companies have gotten when the public found out they had been sharing personal data with feds, she says.
Eliminate All Personal Information From Data You Share
If you do wish to share data, you can sanitize it of personally identifiable information before you hand it over. Even though the regulation doesnt require you to do so, it doesnt prohibit it -- not unless the Attorney Generals guidelines change that.
Identity Finders Stelzer says this is very doable using basic searches for PII and PHI available in current data classification technology.
The GDPRs expanding definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.
Egnytes Lahiri is optimistic about the innovation happening in the security industry to meet this challenge.
[Data loss prevention] is kicking into very high gear, Lahiri says. The new-age DLP really builds in this new kind of data recognition and classification.
New technology will not just recognize sensitive data and slide it into the right column, but will actually educate users about data privacy and security with prompts, she says.
In a normal use case people are not wantonly doing something wrong, he says. They just dont know.
Stelzer reminds security pros planning to share threat intel through CISA, that they might get away with being lax on PII scrubbing if they only have American users in their database. No Europeans data, no problem, he says. But youd better redact the EU data before you share it.
Segregate Data To Begin With
All of this is much easier if you separate US data sets from non-US data sets as you collect it, experts say.
Regardless of what the courts ultimately decide on the DoJ vs. Microsoft case, youll save yourself headaches in the future.
Tags:
No Safe Harbor Is Coming -- CISA Made Sure Of It