Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

8/11/2020
02:00 PM
Sam Curry
Sam Curry
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

EU-US Privacy Shield Dissolution: What Happens Next?

In a world that isn't private by design, security and liability implications for US-based cloud companies are huge.

When the European Court of Justice (ECJ) last month struck down the EU's Privacy Shield regulation, it came as a big surprise for many of us in the world of cloud services, with potentially huge implications. Privacy Shield is the latest mechanism for allowing US companies to operate on, move, and otherwise use privacy data from European citizens and legal entities. It was the successor to Safe Harbor, which likewise suffered a similar fate in 2015, but so far hasn't generated the same degree of concern or public notice.

This is all in spite of five years in the interim where privacy and the importance of exchanging data in the digital world has become even more polarizing. So far, the security industry has not collectively, by and large, had a privacy-by-design philosophy in how to build applications and use and interact with data.

In a world that isn't private by design, the implications from a liability perspective are big. Customers of US-based cloud service providers are now potentially liable for all the things that happen with that data, with no shield at all. This means that lawyers are recalculating liability, discussions are reaching C-suites about implications, and auditors are sharpening their pencils. It's a small jump from these theoretical implications to fines and possible class-action lawsuits and torts.

Today, with more people working from home and commensurately using more online services and applications, the potential for liability is even higher. The stakes are bigger, yet the concern and outcry have yet to be realized by most security people, let alone business people. The fallback will be returning to the less well-known Standard Contract Clauses (SCCs) that provide legal terms that must exist contractually for European entities to do business and exchange privacy-related data with US companies. However, SCCs are not a mechanism in the sense that Safe Harbor and Privacy Shield were: They require certain qualities in technical capability like being able to have policies about classes of data, what they require, and how they can and can't be used. They also require business processes that verifiably state the intended use of data, deny the ability for forward use for other purposes, and provide clear services that elevate and respect EU citizens and their right to be accurately represented or even forgotten.

In the US, the tendency has been to legislate more access and special privilege for visibility into data. Perhaps this is because the US is concerned about security and safety and is a single, central government for over 300 million citizens. Contrast that with 27 nations and associates equal in the eyes of the European systems that require trust to move forward politically and economically and where privacy policy has emerged in a fundamentally different direction. The result is a different expectation on the role of government in the privacy of citizens. The battleground is now data sovereignty, and the stakes are high as the world suffers in COVID-induced global economic recession.

For those that see it and get ahead of it, the answer has to be privacy by design. In most cases, that means that heavy lifting and architectural changes have to be considered and undertaken. Companies that have large datasets have to build out features and consider the notion of data autonomy in which users receive a degree of respect and autonomy in determining what happens to privacy data related to them. This isn't easy by any stretch, but whatever follows Privacy Shield as an umbrella is a temporary reprieve.

The short-sighted perspective would be to return to the status quo of 2014 or 2019, but the smarter perspective will be to use the window of time that a new mechanism affords to address the gap in technological capability to support putting users first. Ownership of user data is a privilege, not a right, and getting this right is the surest way to avoid future liability.

More generally, it's a wake-up call to business models that treat users as the product rather than as customers. The philosophy in Europe that is likely to become the pattern of the future in the ongoing privacy and security debates says that if data is the new oil, then it should not be taken from the landowners. Privacy rights may still be emergent globally, but leaning in as champions of privacy is a great business opportunity for companies if they identify it now, and it's much better than being summoned to court for taking the opposite stance. It's time for a dialog with legal and with the business, to start the liability recalculation, and to become private by design not just in technology but in business practices.

Related Content:

Sam Curry is CSO at Cybereason. He is a security visionary and thought leader, has published broadly and has been interviewed hundreds of times on security trends, threats and the impact of "cyber" on us all. He is a Visiting Fellow with the National Security Institute. ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14180
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Service Desk Server and Data Center allow remote attackers authenticated as a non-administrator user to view Project Request-Types and Descriptions, via an Information Disclosure vulnerability in the editform request-type-fields resource. The affected versions are...
CVE-2020-14177
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to impact the application's availability via a Regex-based Denial of Service (DoS) vulnerability in JQL version searching. The affected versions are before version 7.13.16; from version 7.14.0 before 8.5.7; from versio...
CVE-2020-14179
PUBLISHED: 2020-09-21
Affected versions of Atlassian Jira Server and Data Center allow remote, unauthenticated attackers to view custom field names and custom SLA names via an Information Disclosure vulnerability in the /secure/QueryComponent!Default.jspa endpoint. The affected versions are before version 8.5.8, and from...
CVE-2020-25789
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
CVE-2020-25790
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because "admins are considered trustworthy"; however, the behavior "contradicts our secu...