Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/22/2016
10:00 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

No Safe Harbor Is Coming -- CISA Made Sure Of It

It's time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.

What You Can Do

Just Don't Share Threat Information

Information-sharing through CISA isn't mandatory. You don't have to give your threat indicators to anyone, if you don't want. Some businesses will certainly take that route.

The initial recipients of the data shared through CISA will be the departments of Commerce, Defense, Homeland Security, Energy, Treasury, and the Office of the Director of National Intelligence, Herold notes. "These are huge agencies. So there is a great likelihood for a huge number of people to access the data that is shared from the privacy sector," she says.

Organizations concerned that data they share with the feds could be breached likely won't share it, she says. It could be a PR nightmare, even if they're not liable: "Just consider all that bad press that many tech companies have gotten when the public found out they had been sharing personal data with feds," she says.

Eliminate All Personal Information From Data You Share

If you do wish to share data, you can sanitize it of personally identifiable information before you hand it over. Even though the regulation doesn't require you to do so, it doesn't prohibit it -- not unless the Attorney General's guidelines change that.

Identity Finder's Stelzer says this is "very doable" using basic searches for PII and PHI available in current data classification technology.

The GDPR's expanding definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.

Egnyte's Lahiri is optimistic about the innovation happening in the security industry to meet this challenge.

"[Data loss prevention] is kicking into very high gear," Lahiri says. "The new-age DLP really builds in this new kind of data recognition and classification."

New technology will not just recognize sensitive data and slide it into the right column, but will actually educate users about data privacy and security with prompts, she says.

"In a normal use case people are not wantonly doing something wrong," he says. "They just don't know."

Stelzer reminds security pros planning to share threat intel through CISA, that they might get away with being lax on PII scrubbing if they only have American users in their database. "No Europeans' data, no problem," he says.  But "you'd better redact the EU data before you share it."

Segregate Data To Begin With

All of this is much easier if you separate US data sets from non-US data sets as you collect it, experts say.

Regardless of what the courts ultimately decide on the DoJ vs. Microsoft case, you'll save yourself headaches in the future.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
1/25/2016 | 1:21:03 AM
Sensitive Data Management Application Opportunity
Sounds to me like this represents an opportunity for data management systems to step it up and formalize segregated management features.  Allowing companies to easily keep data traffic appropriately diverted, secured and viewable remotely only (the idea being the data never leaves the geographic locale in the first place), new ideas can be entertained on how to change methods of acquisition, analysis, and dispersal of information.  Playing with technologies like distributed computing and shared media across CDNs, programmers can experiment with a new model of data collection and sharing where laws are adhered to, but by re-defining the technical landscape it turns into a game of cate-and-mouse where authoring new laws becomes the cat trying to anticipate the mouse's next move (assuming there is a drive to keep the regulations growing tighter).  "Helpful information-sharing" shouldn't be a crime, and by no means are the laws at a point where the flow of data in one form or another is completely impossible, while keeping to the legal requirements of such regulations.

    
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
1/22/2016 | 1:11:07 PM
Global Standard
Do we need a global standard for which to adhere to? Meaning a standard that supersedes US and EU privacy regulations. Maybe there already is one that I am unaware of.
geriatric
50%
50%
geriatric,
User Rank: Moderator
1/22/2016 | 12:09:42 PM
Voluntary Today - Mandatory Tomorrow
Great article. I agree that the present solution is "just don't share". Bear in mind though, that what is voluntary today will become mandatory tomorrow. 
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14832
PUBLISHED: 2019-10-15
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
CVE-2017-10022
PUBLISHED: 2019-10-15
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing ...
CVE-2019-10759
PUBLISHED: 2019-10-15
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-10760
PUBLISHED: 2019-10-15
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-17397
PUBLISHED: 2019-10-15
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.