No Safe Harbor Is Coming -- CISA Made Sure Of It

It's time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.

What You Can Do

Just Don't Share Threat Information

Information-sharing through CISA isn't mandatory. You don't have to give your threat indicators to anyone, if you don't want. Some businesses will certainly take that route.

The initial recipients of the data shared through CISA will be the departments of Commerce, Defense, Homeland Security, Energy, Treasury, and the Office of the Director of National Intelligence, Herold notes. "These are huge agencies. So there is a great likelihood for a huge number of people to access the data that is shared from the privacy sector," she says.

Organizations concerned that data they share with the feds could be breached likely won't share it, she says. It could be a PR nightmare, even if they're not liable: "Just consider all that bad press that many tech companies have gotten when the public found out they had been sharing personal data with feds," she says.

Eliminate All Personal Information From Data You Share

If you do wish to share data, you can sanitize it of personally identifiable information before you hand it over. Even though the regulation doesn't require you to do so, it doesn't prohibit it -- not unless the Attorney General's guidelines change that.

Identity Finder's Stelzer says this is "very doable" using basic searches for PII and PHI available in current data classification technology.

The GDPR's expanding definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.

Egnyte's Lahiri is optimistic about the innovation happening in the security industry to meet this challenge.

"[Data loss prevention] is kicking into very high gear," Lahiri says. "The new-age DLP really builds in this new kind of data recognition and classification."

New technology will not just recognize sensitive data and slide it into the right column, but will actually educate users about data privacy and security with prompts, she says.

"In a normal use case people are not wantonly doing something wrong," he says. "They just don't know."

Stelzer reminds security pros planning to share threat intel through CISA that they might get away with being lax on PII scrubbing if they only have American users in their database. "No Europeans' data, no problem," he says. But "you'd better redact the EU data before you share it."

Segregate Data To Begin With

All of this is much easier if you separate US data sets from non-US data sets as you collect them, experts say.

Regardless of what the courts ultimately decide on the DoJ vs. Microsoft case, you'll save yourself headaches in the future.
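The two practical steps above, scrubbing PII from threat data before sharing and segregating US from non-US records at collection time, can be wired into a single pre-share pipeline. The following Python is an added example written for this article; it is not code from the article, from Identity Finder, Egnyte or any other vendor quoted here. The record schema (fields such as `victim_country`, `victim_email`, `notes`), the sample records and the small set of PII regexes are all constructed assumptions for illustration; a real classifier would carry a much wider pattern set, as the article's point about shoe and dress sizes suggests.

```python
import re
from typing import Dict, List, Tuple

# Regexes for PII that commonly leaks into free-text incident notes.
# Constructed for this example; deliberately a small set.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # (?<!\d) instead of \b so a leading "(" still anchors the match.
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}

# Fields that identify a person directly and are never needed to describe a threat.
DIRECT_PII_FIELDS = {"victim_name", "victim_email", "victim_phone"}

# Fields that describe attacker infrastructure; these are the point of sharing.
INDICATOR_FIELDS = {"id", "sha256", "c2_domain", "malware_family", "first_seen"}

# Constructed sample records; every value here is invented.
SAMPLE_RECORDS = [
    {"id": "ioc-1", "sha256": "a" * 64, "c2_domain": "update-check.example",
     "malware_family": "FakeLoader", "victim_country": "US",
     "victim_email": "jdoe@corp.example",
     "notes": "Phish sent to jdoe@corp.example; payroll SSN 123-45-6789 found in lure."},
    {"id": "ioc-2", "sha256": "b" * 64, "c2_domain": "cdn-static.example",
     "malware_family": "FakeLoader", "victim_country": "DE",
     "victim_email": "m.mueller@firma.example",
     "notes": "Callback to +49 phone (030) 555-0199 listed in dropped config."},
]


def redact_text(text: str) -> Tuple[str, List[str]]:
    """Replace every PII match in free text with a labelled placeholder.

    Returns the redacted text and the list of PII types that were found.
    """
    found: List[str] = []
    for name, pattern in PII_PATTERNS.items():
        if pattern.search(text):
            found.append(name)
            text = pattern.sub(f"[REDACTED-{name.upper()}]", text)
    return text, found


def sanitize_record(rec: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a copy of `rec` that is safe to share, plus what was removed.

    Direct-identifier fields are dropped outright, indicator fields are kept
    verbatim, and everything else is treated as free text and pattern-redacted.
    """
    removed: List[str] = []
    clean: Dict[str, str] = {}
    for field, value in rec.items():
        if field in DIRECT_PII_FIELDS:
            removed.append(field)
            continue
        if field in INDICATOR_FIELDS or field == "victim_country":
            # Country is needed for routing and does not identify a person on its own.
            clean[field] = value
            continue
        text, found = redact_text(value)
        clean[field] = text
        removed.extend(found)
    return clean, removed


def segregate(records: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Split records into US-only and non-US buckets by data-subject country."""
    buckets: Dict[str, List[Dict[str, str]]] = {"us": [], "non_us": []}
    for rec in records:
        key = "us" if rec.get("victim_country") == "US" else "non_us"
        buckets[key].append(rec)
    return buckets


def prepare_for_sharing(records: List[Dict[str, str]]):
    """Segregate first, then sanitize each bucket independently.

    Result: bucket name -> list of (clean record, list of removed PII types),
    so the non-US bucket can be held back or reviewed separately.
    """
    return {
        name: [sanitize_record(r) for r in recs]
        for name, recs in segregate(records).items()
    }


if __name__ == "__main__":
    for bucket, items in prepare_for_sharing(SAMPLE_RECORDS).items():
        for clean, removed in items:
            print(bucket, clean["id"], "removed:", removed)
            print("   ", clean["notes"])
```

Segregating before sanitizing matters: the non-US bucket can be routed to a stricter review (or simply never shared) without the redaction logic having to understand GDPR's wider notion of personal data, while the US bucket still gets the baseline scrub. The `removed` list per record is the audit trail a privacy team will want when asked what left the building.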