No Safe Harbor Is Coming -- CISA Made Sure Of ItIt's time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.
UPDATED Jan. 25 -- By passing the Cybersecurity Information Sharing Act (CISA) as part of the omnibus spending bill last month, the US legislature has encouraged American companies to share threat intelligence with the government by absolving them of some of the data privacy liability concerns that stilled their tongues in the past. Yet, the federal government can do nothing to absolve companies of their duties to European data privacy regulations.
In passing CISA--officially titled the Cybersecurity Act of 2015 when signed into law--the US made life for multi-national companies, or any business with customers overseas, more difficult.
Here's what you need to know about CISA and Safe Harbor -- and what you can do about it.
The Messy Situation & Not-Very-Safe Harbor
The United States was already at odds with the European Union (EU) over privacy. In October, the European Court of Justice (ECJ) struck down Safe Harbor, the data transfer agreement that had, for the past 15 years, allowed multinationals to store Europeans’ data in the US if the companies agree to comply with the EU's data privacy laws.
The ECJ's ruling, in a nutshell, was that American companies were incapable of complying with European laws, simply because they were American. The US government's own invasive surveillance practices and the lack of sufficient American laws protecting privacy put the personal data of all citizens (American and European alike) perpetually at risk.
CISA just adds fuel to the flame. Not only does it absolve companies of some liability for data security, but the final version was stripped of may of the proposed provisions requiring data to be scrubbed of personally identifiable information before being shared.
So, while American companies now have more legal leeway in the States, the situation in Europe is more treacherous than ever.
The threats of the EU Data Protection Directive and its upcoming replacement, the EU General Data Protection Regulation (GDPR), are real and the fines are significant. The GDPR, expected to be approved by Parliament this year and go into effect in 2018, has proposed fines of up to 4% of annual global revenue or €20 million ($21.76 million), whichever is greater.
"What we're seeing through CISA is just what the Europeans don't want," says Neil Stelzer, general counsel for data classification firm Identity Finder. "They will not want their citizens' data spread around."
This raises a few key questions:
How will the European Union react if an organization shares threat intelligence information with the US government via CISA, and that information includes some European citizens' personal data? Will they consider that a violation of the EU Data Protection Act? Will it further hinder efforts to replace Safe Harbor?
Who is liable if one of the agencies with which data was shared experiences a subsequent breach, further exposing this data?
Is there any way American companies can safely share threat intelligence data without causing themselves problems with the EU?
What We Still Need To Know
The Replacement For Safe Harbor, If There Is One
"So one undereported aspect to the Safe Harbor decision is that much of it hangs off the judgement by the ECJ that it's the United States' existing surveillance laws that are the problem, not just the companies' compliance with EU privacy law," says Danny O'Brien, international director of the Electronic Frontier Foundation.
In its judgment, the ECJ wrote that European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."
In other words, the principles of safe harbor were irrelevant to the decision to striking down the agreement.
"What's important about this," O'Brien says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."
That won't stop the authorities from trying, though. European Union privacy regulators will meet in Brussels Feb. 2, and hope to decide at that time "whether and how data transfers to the United States should continue," Reuters reported. Leaders of the Information Technology Industry Council, a tech trade organization that represents Apple and Microsoft, are meeting with authorities around the continent ahead of that meeting to help grease the wheels.
Yet O'Brien says that all these best efforts may be in vain. Any new data transfer agreements they cook up could be overruled by ECJ on the same grounds.
"Anyone reading the ECJ decision knows that those protections aren't going to stand another judicial review," says O'Brien, "because it's the US laws that are the problem. And with CISA, they're getting even worse. It'll take another ECJ review to highlight this, but the US hasn't done itself any favors with US companies by pushing CISA when they already have problems with their existing powers to obtain the personal info of non-US persons from US companies."
The U.S. also didn't improve matters when they delayed action this week on the proposed Judicial Redress Act, which would allow European citizens to sue the U.S. if law enforcement agencies misused their personal data. According to Politico.com, although the measure was passed by the House in October, "lawmakers are now considering adding a provision that would tie it to negotiations" for a new data transfer agreement.
US Attorney General's Forthcoming Guidelines On CISA Information-Sharing
"This is significant: generally no one will be held liable for bad things that happen to data that is shared, or the associated individuals," says privacy consultant and trainer Rebecca Herold. "The procedures that are required for supporting CISA include a provision for providing notice if personal information is breached, but that looks to be the extent of their required actions."
"If I disclose info [via] CISA," says Stelzer, "I am shielded as long as I am sharing under the guidelines that are eventually laid out by the Attorney General."
The final version of the law does still contain text -- SEC. 104 (d)(2)(A) -- about removal of "certain personal information," but privacy advocates have criticized it for leaving too much room for interpretation. It requires that, prior to sharing, non-federal entities "review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal in- formation of a specific individual or information that identifies a specific individual and remove such information."
The definitions of "not directly related to a cybersecurity threat" and "personal information" are what give privacy experts pause. The US Attorney General and the Department of Homeland Security have been given 60 days from the passage of the law to issue more guidelines on how precisely cyber threat indicators must be shared. The details of those rules will provide a clearer picture of what data government agencies may and may not obtain.
"They will be collecting," Stelzer says. "We just don't know how much yet."
Another question which may or may not be answered in the forthcoming guidelines is its definition of "personal information," and how it may differ from that of the Europeans.'
"Privacy is a right that is protected more strongly there [in the EU]," says Stelzer.
This has always been the case. The GDPR will take it further, expanding the definition of personal data to "encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity," according to IT Governance.
"Shoe size and dress size," says Kris Lahiri, chief security officer of file-sharing company Egnyte. "All of that is considered personal information."
"As written, only personal information that is 'not directly related to a cybersecurity threat' needs to be removed," Herold says. That doesn't sound too bad, but as she points out, "Based upon the monitoring that has occurred by the NSA in recent years, it would not be surprising to see the federal agencies subsequently claim that much/most/all personal information is necessary for investigating a threat."
The Final Ruling on DoJ's Case Vs. Microsoft
Microsoft and the US Department of Justice are still at loggerheads over a subpoena DoJ issued in 2013 for email messages that derived from a Hotmail account hosted in Ireland.
Microsoft refused to comply with DoJ's request, on the grounds that data on Irish servers are protected by Irish laws, and that DoJ is overreaching its authority. DoJ argues that that Microsoft is an American company, and therefore all of its data is subject to American laws.
As The Guardian wrote:
The DoJ contends that emails should be treated as the business records of the company hosting them, by which definition only a search warrant would be needed in order to compel the provision of access to them no matter where they are stored. Microsoft argues the emails are the customers’ personal documents and a US warrant does not carry the authority needed to compel the company to hand it over.
"What comes out of that case is of major interest to a company like Egnyte," Lahiri says.
His business has been geographically segregating data for years -- European customers on servers in Europe, Americans on servers in America -- mostly for performance and management reasons. However, if DoJ emerges as the ultimate victor in this long legal battle, it will dash any privacy benefits of the practice.
The case is still awaiting a ruling by the Second U.S. Circuit Court of Appeals in New York. If Microsoft doesn't get its way there, they may raise it to the Supreme Court.
Jan. 4, Politico.com called it "the court case that could sink Safe Harbor."
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
1 of 2