Threat Intelligence
1/22/2016
10:00 AM

No Safe Harbor Is Coming -- CISA Made Sure Of It

It's time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.

UPDATED Jan. 25 -- By passing the Cybersecurity Information Sharing Act (CISA) as part of the omnibus spending bill last month, the US legislature has encouraged American companies to share threat intelligence with the government by absolving them of some of the data privacy liability concerns that stilled their tongues in the past. Yet, the federal government can do nothing to absolve companies of their duties to European data privacy regulations.

In passing CISA--officially titled the Cybersecurity Act of 2015 when signed into law--the US made life for multi-national companies, or any business with customers overseas, more difficult.

Here's what you need to know about CISA and Safe Harbor -- and what you can do about it.

The Messy Situation & Not-Very-Safe Harbor

The United States was already at odds with the European Union (EU) over privacy. In October, the European Court of Justice (ECJ) struck down Safe Harbor, the data transfer agreement that had, for the past 15 years, allowed multinationals to store Europeans’ data in the US if the companies agree to comply with the EU's data privacy laws.

The ECJ's ruling, in a nutshell, was that American companies were incapable of complying with European laws, simply because they were American. The US government's own invasive surveillance practices and the lack of sufficient American laws protecting privacy put the personal data of all citizens (American and European alike) perpetually at risk.

CISA just adds fuel to the flame. Not only does it absolve companies of some liability for data security, but the final version was stripped of many of the proposed provisions requiring data to be scrubbed of personally identifiable information before being shared.

So, while American companies now have more legal leeway in the States, the situation in Europe is more treacherous than ever.

The threats of the EU Data Protection Directive and its upcoming replacement, the EU General Data Protection Regulation (GDPR), are real and the fines are significant. The GDPR, expected to be approved by Parliament this year and go into effect in 2018, has proposed fines of up to 4% of annual global revenue or €20 million ($21.76 million), whichever is greater.

"What we're seeing through CISA is just what the Europeans don't want," says Neil Stelzer, general counsel for data classification firm Identity Finder. "They will not want their citizens' data spread around."

This raises a few key questions:

How will the European Union react if an organization shares threat intelligence information with the US government via CISA, and that information includes some European citizens' personal data? Will they consider that a violation of the EU Data Protection Act? Will it further hinder efforts to replace Safe Harbor?

Who is liable if one of the agencies with which data was shared experiences a subsequent breach, further exposing this data?

Is there any way American companies can safely share threat intelligence data without causing themselves problems with the EU?

What We Still Need To Know

The Replacement For Safe Harbor, If There Is One

"So one underreported aspect to the Safe Harbor decision is that much of it hangs off the judgement by the ECJ that it's the United States' existing surveillance laws that are the problem, not just the companies' compliance with EU privacy law," says Danny O'Brien, international director of the Electronic Frontier Foundation.

In its judgment, the ECJ wrote that the European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."

In other words, the principles of Safe Harbor were irrelevant to the decision to strike down the agreement.

"What's important about this," O'Brien says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."

That won't stop the authorities from trying, though. European Union privacy regulators will meet in Brussels Feb. 2, and hope to decide at that time "whether and how data transfers to the United States should continue," Reuters reported. Leaders of the Information Technology Industry Council, a tech trade organization that represents Apple and Microsoft, are meeting with authorities around the continent ahead of that meeting to help grease the wheels.

Yet O'Brien says that all these best efforts may be in vain. Any new data transfer agreements they cook up could be overruled by ECJ on the same grounds.

"Anyone reading the ECJ decision knows that those protections aren't going to stand another judicial review," says O'Brien, "because it's the US laws that are the problem. And with CISA, they're getting even worse. It'll take another ECJ review to highlight this, but the US hasn't done itself any favors with US companies by pushing CISA when they already have problems with their existing powers to obtain the personal info of non-US persons from US companies."

The U.S. also didn't improve matters when it delayed action this week on the proposed Judicial Redress Act, which would allow European citizens to sue the U.S. if law enforcement agencies misused their personal data. According to Politico.com, although the measure was passed by the House in October, "lawmakers are now considering adding a provision that would tie it to negotiations" for a new data transfer agreement.

US Attorney General's Forthcoming Guidelines On CISA Information-Sharing

"This is significant: generally no one will be held liable for bad things that happen to data that is shared, or the associated individuals," says privacy consultant and trainer Rebecca Herold. "The procedures that are required for supporting CISA include a provision for providing notice if personal information is breached, but that looks to be the extent of their required actions."

"If I disclose info [via] CISA," says Stelzer, "I am shielded as long as I am sharing under the guidelines that are eventually laid out by the Attorney General."

The final version of the law does still contain text -- SEC. 104 (d)(2)(A) -- about removal of "certain personal information," but privacy advocates have criticized it for leaving too much room for interpretation. It requires that, prior to sharing, non-federal entities "review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal information of a specific individual or information that identifies a specific individual and remove such information."

The definitions of "not directly related to a cybersecurity threat" and "personal information" are what give privacy experts pause. The US Attorney General and the Department of Homeland Security have been given 60 days from the passage of the law to issue more guidelines on how precisely cyber threat indicators must be shared. The details of those rules will provide a clearer picture of what data government agencies may and may not obtain.
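The review-and-remove step the statute describes, as an added example that is not from the article or from any of the organizations quoted in it: a small Python scrubber that classifies each field of a threat indicator record before it is shared and keeps an audit trail of what was removed. The field names, the two classification sets, the sample indicator and every value in it are constructed for illustration; the statute does not define these categories, so where the line between "directly related to a cybersecurity threat" and "personal information" falls is an assumption encoded in the sets below, and each organization would have to draw it itself.

```python
"""Scrub personal information from a cyber threat indicator before sharing.

Hypothetical example: the field names, the classification sets and the
sample indicator are constructed for illustration and are not the
statute's own definitions of "personal information" or "cyber threat
indicator".
"""
import re
from typing import Any, Dict, List, Tuple

# Fields whose values are directly related to the threat. They stay in the
# shared record even when they look like personal data (a phishing sender
# address is both "personal" and the indicator itself).
THREAT_RELATED = frozenset({
    "attacker_ip", "c2_domain", "malware_sha256", "phishing_sender",
    "phishing_url", "observed_at",
})

# Fields that identify a specific individual on the sharing organization's
# own side and carry no threat value of their own.
PERSONAL = frozenset({
    "victim_email", "employee_name", "victim_workstation_ip", "mailbox_owner",
})

# Free-text fields: kept, but with e-mail addresses redacted.
FREE_TEXT = frozenset({"analyst_notes"})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
REDACTED = "[redacted-email]"


def scrub_indicator(indicator: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Return (shareable copy, audit trail of removed or redacted fields).

    Policy: threat-related fields pass through; known personal fields are
    dropped; free-text fields have e-mail addresses redacted; any field the
    classification does not know is dropped as well (default deny), so a
    new, unreviewed field can never leak by accident. The audit trail is
    the record that the review took place and what it decided.
    """
    shared: Dict[str, Any] = {}
    audit: List[str] = []
    for name, value in indicator.items():
        if name in THREAT_RELATED:
            shared[name] = value
        elif name in PERSONAL:
            audit.append(f"removed personal field {name!r}")
        elif name in FREE_TEXT:
            cleaned, hits = EMAIL_RE.subn(REDACTED, str(value))
            shared[name] = cleaned
            if hits:
                audit.append(f"redacted {hits} e-mail address(es) in {name!r}")
        else:
            audit.append(f"removed unclassified field {name!r} (default deny)")
    return shared, audit


# Constructed sample: a phishing report as an internal ticketing system might
# record it. Addresses and hosts use reserved example ranges and TLDs.
SAMPLE_INDICATOR = {
    "observed_at": "2016-01-20T09:14:00Z",
    "phishing_sender": "invoice@payments-example.invalid",
    "phishing_url": "http://payments-example.invalid/login",
    "attacker_ip": "203.0.113.45",
    "malware_sha256": "0" * 64,  # placeholder hash, not a real sample
    "victim_email": "j.doe@corp.example",
    "employee_name": "Jane Doe",
    "victim_workstation_ip": "10.20.30.40",
    "analyst_notes": "Reported by j.doe@corp.example; same lure seen from hr@corp.example.",
    "ticket_owner": "Ops Team",  # never classified, so dropped by default
}


if __name__ == "__main__":
    out, trail = scrub_indicator(SAMPLE_INDICATOR)
    for line in trail:
        print("audit:", line)
    print(out)
```

The two choices worth copying are the default-deny branch, which makes an unclassified field a review failure rather than a silent disclosure, and the returned audit list, which is what you would attach to the sharing record to show the review the statute requires actually happened.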

"They will be collecting," Stelzer says. "We just don't know how much yet."

Another question that the forthcoming guidelines may or may not answer is how they define "personal information," and how that definition differs from the Europeans'.

"Privacy is a right that is protected more strongly there [in the EU]," says Stelzer.

This has always been the case. The GDPR will take it further, expanding the definition of personal data to "encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity," according to IT Governance.

"Shoe size and dress size," says Kris Lahiri, chief security officer of file-sharing company Egnyte. "All of that is considered personal information."

"As written, only personal information that is 'not directly related to a cybersecurity threat' needs to be removed," Herold says. That doesn't sound too bad, but as she points out, "Based upon the monitoring that has occurred by the NSA in recent years, it would not be surprising to see the federal agencies subsequently claim that much/most/all personal information is necessary for investigating a threat."

The Final Ruling on DoJ's Case Vs. Microsoft

Microsoft and the US Department of Justice are still at loggerheads over a subpoena DoJ issued in 2013 for email messages that derived from a Hotmail account hosted in Ireland.

Microsoft refused to comply with DoJ's request, on the grounds that data on Irish servers is protected by Irish law, and that DoJ is overreaching its authority. DoJ argues that Microsoft is an American company, and therefore all of its data is subject to American law.

As The Guardian wrote:

The DoJ contends that emails should be treated as the business records of the company hosting them, by which definition only a search warrant would be needed in order to compel the provision of access to them no matter where they are stored. Microsoft argues the emails are the customers’ personal documents and a US warrant does not carry the authority needed to compel the company to hand it over.

"What comes out of that case is of major interest to a company like Egnyte," Lahiri says.

His business has been geographically segregating data for years -- European customers on servers in Europe, Americans on servers in America -- mostly for performance and management reasons. However, if DoJ emerges as the ultimate victor in this long legal battle, it will dash any privacy benefits of the practice. 

The case is still awaiting a ruling by the Second U.S. Circuit Court of Appeals in New York. If Microsoft doesn't get its way there, it may take the case to the Supreme Court.

On Jan. 4, Politico.com called it "the court case that could sink Safe Harbor."

Page 2: What You Can Do 

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant, 1/25/2016 | 1:21:03 AM
Sensitive Data Management Application Opportunity
Sounds to me like this represents an opportunity for data management systems to step it up and formalize segregated management features. Allowing companies to easily keep data traffic appropriately diverted, secured and viewable remotely only (the idea being the data never leaves the geographic locale in the first place), new ideas can be entertained on how to change methods of acquisition, analysis, and dispersal of information. Playing with technologies like distributed computing and shared media across CDNs, programmers can experiment with a new model of data collection and sharing where laws are adhered to, but by re-defining the technical landscape it turns into a game of cat-and-mouse where authoring new laws becomes the cat trying to anticipate the mouse's next move (assuming there is a drive to keep the regulations growing tighter). "Helpful information-sharing" shouldn't be a crime, and by no means are the laws at a point where the flow of data in one form or another is completely impossible, while keeping to the legal requirements of such regulations.

RyanSepe, 1/22/2016 | 1:11:07 PM
Global Standard
Do we need a global standard for which to adhere to? Meaning a standard that supersedes US and EU privacy regulations. Maybe there already is one that I am unaware of.
geriatric, 1/22/2016 | 12:09:42 PM
Voluntary Today - Mandatory Tomorrow
Great article. I agree that the present solution is "just don't share". Bear in mind though, that what is voluntary today will become mandatory tomorrow. 