UPDATED Jan. 25 -- By passing the Cybersecurity Information Sharing Act (CISA) as part of the omnibus spending bill last month, the US legislature has encouraged American companies to share threat intelligence with the government by absolving them of some of the data privacy liability concerns that stilled their tongues in the past. Yet, the federal government can do nothing to absolve companies of their duties to European data privacy regulations.
In passing CISA--officially titled the Cybersecurity Act of 2015 when signed into law--the US made life for multi-national companies, or any business with customers overseas, more difficult.
Here's what you need to know about CISA and Safe Harbor -- and what you can do about it.
The Messy Situation & Not-Very-Safe Harbor
The United States was already at odds with the European Union (EU) over privacy. In October, the European Court of Justice (ECJ) struck down Safe Harbor, the data transfer agreement that had, for the past 15 years, allowed multinationals to store Europeans’ data in the US if the companies agree to comply with the EU's data privacy laws.
The ECJ's ruling, in a nutshell, was that American companies were incapable of complying with European laws, simply because they were American. The US government's own invasive surveillance practices and the lack of sufficient American laws protecting privacy put the personal data of all citizens (American and European alike) perpetually at risk.
CISA just adds fuel to the flame. Not only does it absolve companies of some liability for data security, but the final version was stripped of may of the proposed provisions requiring data to be scrubbed of personally identifiable information before being shared.
So, while American companies now have more legal leeway in the States, the situation in Europe is more treacherous than ever.
The threats of the EU Data Protection Directive and its upcoming replacement, the EU General Data Protection Regulation (GDPR), are real and the fines are significant. The GDPR, expected to be approved by Parliament this year and go into effect in 2018, has proposed fines of up to 4% of annual global revenue or €20 million ($21.76 million), whichever is greater.
"What we're seeing through CISA is just what the Europeans don't want," says Neil Stelzer, general counsel for data classification firm Identity Finder. "They will not want their citizens' data spread around."
This raises a few key questions:
How will the European Union react if an organization shares threat intelligence information with the US government via CISA, and that information includes some European citizens' personal data? Will they consider that a violation of the EU Data Protection Act? Will it further hinder efforts to replace Safe Harbor?
Who is liable if one of the agencies with which data was shared experiences a subsequent breach, further exposing this data?
Is there any way American companies can safely share threat intelligence data without causing themselves problems with the EU?
What We Still Need To Know
The Replacement For Safe Harbor, If There Is One
"So one undereported aspect to the Safe Harbor decision is that much of it hangs off the judgement by the ECJ that it's the United States' existing surveillance laws that are the problem, not just the companies' compliance with EU privacy law," says Danny O'Brien, international director of the Electronic Frontier Foundation.
In its judgment, the ECJ wrote that European Commission did not state in the Safe Harbor Agreement "that the United States in fact ‘ensures’ an adequate level of protection, by reason of its domestic law or its international commitments." Therefore, "without there being any need to examine the content of the safe harbour principles," the ECJ concluded that the agreement failed to comply with the requirements laid down by the EU Data Protection Directive "and that it is accordingly invalid."
In other words, the principles of safe harbor were irrelevant to the decision to striking down the agreement.
"What's important about this," O'Brien says, "is that without US legal reform, the Safe Harbor -- and all the other proposals to move personal data from the US to the EU -- fail."
That won't stop the authorities from trying, though. European Union privacy regulators will meet in Brussels Feb. 2, and hope to decide at that time "whether and how data transfers to the United States should continue," Reuters reported. Leaders of the Information Technology Industry Council, a tech trade organization that represents Apple and Microsoft, are meeting with authorities around the continent ahead of that meeting to help grease the wheels.
Yet O'Brien says that all these best efforts may be in vain. Any new data transfer agreements they cook up could be overruled by ECJ on the same grounds.
"Anyone reading the ECJ decision knows that those protections aren't going to stand another judicial review," says O'Brien, "because it's the US laws that are the problem. And with CISA, they're getting even worse. It'll take another ECJ review to highlight this, but the US hasn't done itself any favors with US companies by pushing CISA when they already have problems with their existing powers to obtain the personal info of non-US persons from US companies."
The U.S. also didn't improve matters when they delayed action this week on the proposed Judicial Redress Act, which would allow European citizens to sue the U.S. if law enforcement agencies misused their personal data. According to Politico.com, although the measure was passed by the House in October, "lawmakers are now considering adding a provision that would tie it to negotiations" for a new data transfer agreement.
US Attorney General's Forthcoming Guidelines On CISA Information-Sharing
"This is significant: generally no one will be held liable for bad things that happen to data that is shared, or the associated individuals," says privacy consultant and trainer Rebecca Herold. "The procedures that are required for supporting CISA include a provision for providing notice if personal information is breached, but that looks to be the extent of their required actions."
"If I disclose info [via] CISA," says Stelzer, "I am shielded as long as I am sharing under the guidelines that are eventually laid out by the Attorney General."
The final version of the law does still contain text -- SEC. 104 (d)(2)(A) -- about removal of "certain personal information," but privacy advocates have criticized it for leaving too much room for interpretation. It requires that, prior to sharing, non-federal entities "review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that the non-Federal entity knows at the time of sharing to be personal in- formation of a specific individual or information that identifies a specific individual and remove such information."
The definitions of "not directly related to a cybersecurity threat" and "personal information" are what give privacy experts pause. The US Attorney General and the Department of Homeland Security have been given 60 days from the passage of the law to issue more guidelines on how precisely cyber threat indicators must be shared. The details of those rules will provide a clearer picture of what data government agencies may and may not obtain.
"They will be collecting," Stelzer says. "We just don't know how much yet."
Another question which may or may not be answered in the forthcoming guidelines is its definition of "personal information," and how it may differ from that of the Europeans.'
"Privacy is a right that is protected more strongly there [in the EU]," says Stelzer.
This has always been the case. The GDPR will take it further, expanding the definition of personal data to "encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity," according to IT Governance.
"Shoe size and dress size," says Kris Lahiri, chief security officer of file-sharing company Egnyte. "All of that is considered personal information."
"As written, only personal information that is 'not directly related to a cybersecurity threat' needs to be removed," Herold says. That doesn't sound too bad, but as she points out, "Based upon the monitoring that has occurred by the NSA in recent years, it would not be surprising to see the federal agencies subsequently claim that much/most/all personal information is necessary for investigating a threat."
The Final Ruling on DoJ's Case Vs. Microsoft
Microsoft and the US Department of Justice are still at loggerheads over a subpoena DoJ issued in 2013 for email messages that derived from a Hotmail account hosted in Ireland.
Microsoft refused to comply with DoJ's request, on the grounds that data on Irish servers are protected by Irish laws, and that DoJ is overreaching its authority. DoJ argues that that Microsoft is an American company, and therefore all of its data is subject to American laws.
As The Guardian wrote:
The DoJ contends that emails should be treated as the business records of the company hosting them, by which definition only a search warrant would be needed in order to compel the provision of access to them no matter where they are stored. Microsoft argues the emails are the customers’ personal documents and a US warrant does not carry the authority needed to compel the company to hand it over.
"What comes out of that case is of major interest to a company like Egnyte," Lahiri says.
His business has been geographically segregating data for years -- European customers on servers in Europe, Americans on servers in America -- mostly for performance and management reasons. However, if DoJ emerges as the ultimate victor in this long legal battle, it will dash any privacy benefits of the practice.
The case is still awaiting a ruling by the Second U.S. Circuit Court of Appeals in New York. If Microsoft doesn't get its way there, they may raise it to the Supreme Court.
Jan. 4, Politico.com called it "the court case that could sink Safe Harbor."
What You Can Do
Just Don't Share Threat Information
Information-sharing through CISA isn't mandatory. You don't have to give your threat indicators to anyone, if you don't want. Some businesses will certainly take that route.
The initial recipients of the data shared through CISA will be the departments of Commerce, Defense, Homeland Security, Energy, Treasury, and the Office of the Director of National Intelligence, Herold notes. "These are huge agencies. So there is a great likelihood for a huge number of people to access the data that is shared from the privacy sector," she says.
Organizations concerned that data they share with the feds could be breached likely won't share it, she says. It could be a PR nightmare, even if they're not liable: "Just consider all that bad press that many tech companies have gotten when the public found out they had been sharing personal data with feds," she says.
Eliminate All Personal Information From Data You Share
If you do wish to share data, you can sanitize it of personally identifiable information before you hand it over. Even though the regulation doesn't require you to do so, it doesn't prohibit it -- not unless the Attorney General's guidelines change that.
Identity Finder's Stelzer says this is "very doable" using basic searches for PII and PHI available in current data classification technology.
The GDPR's expanding definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.
Egnyte's Lahiri is optimistic about the innovation happening in the security industry to meet this challenge.
"[Data loss prevention] is kicking into very high gear," Lahiri says. "The new-age DLP really builds in this new kind of data recognition and classification."
New technology will not just recognize sensitive data and slide it into the right column, but will actually educate users about data privacy and security with prompts, she says.
"In a normal use case people are not wantonly doing something wrong," he says. "They just don't know."
Stelzer reminds security pros planning to share threat intel through CISA, that they might get away with being lax on PII scrubbing if they only have American users in their database. "No Europeans' data, no problem," he says. But "you'd better redact the EU data before you share it."
Segregate Data To Begin With
All of this is much easier if you separate US data sets from non-US data sets as you collect it, experts say.
Regardless of what the courts ultimately decide on the DoJ vs. Microsoft case, you'll save yourself headaches in the future.