
Threat Intelligence

1/22/2016 10:00 AM
No Safe Harbor Is Coming -- CISA Made Sure Of It

It's time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.

What You Can Do

Just Don't Share Threat Information

Information-sharing through CISA isn't mandatory. You don't have to give your threat indicators to anyone if you don't want to. Some businesses will certainly take that route.

The initial recipients of the data shared through CISA will be the departments of Commerce, Defense, Homeland Security, Energy, Treasury, and the Office of the Director of National Intelligence, Herold notes. "These are huge agencies. So there is a great likelihood for a huge number of people to access the data that is shared from the privacy sector," she says.

Organizations concerned that data they share with the feds could be breached likely won't share it, she says. It could be a PR nightmare, even if they're not liable: "Just consider all that bad press that many tech companies have gotten when the public found out they had been sharing personal data with feds," she says.

Eliminate All Personal Information From Data You Share

If you do wish to share data, you can sanitize it of personally identifiable information before you hand it over. Even though the regulation doesn't require you to do so, it doesn't prohibit it -- not unless the Attorney General's guidelines change that.

Identity Finder's Stelzer says this is "very doable" using basic searches for PII and PHI available in current data classification technology.

The GDPR's expanding definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.

Egnyte's Lahiri is optimistic about the innovation happening in the security industry to meet this challenge.

"[Data loss prevention] is kicking into very high gear," Lahiri says. "The new-age DLP really builds in this new kind of data recognition and classification."

New technology will not just recognize sensitive data and slide it into the right column, but will actually educate users about data privacy and security with prompts, he says.

"In a normal use case people are not wantonly doing something wrong," he says. "They just don't know."

Stelzer reminds security pros planning to share threat intel through CISA that they might get away with being lax on PII scrubbing if they only have American users in their database. "No Europeans' data, no problem," he says. But "you'd better redact the EU data before you share it."

Segregate Data To Begin With

All of this is much easier if you separate US data sets from non-US data sets as you collect it, experts say.

Regardless of what the courts ultimately decide on the DoJ vs. Microsoft case, you'll save yourself headaches in the future.
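The two steps above, scrubbing PII from free-text fields before sharing and keeping US and non-US collections apart from the start, are illustrated here in an added Python example. It is not code from the article or from any of the vendors quoted. The record layout, the "region" field marking the jurisdiction a record was collected under, and the sample records are all constructed for this example, and the regular expressions cover only the "easy" classes the article names (social security numbers, addresses) plus e-mail addresses.

```python
import re

# Constructed sample indicator records, as an organization might hold them
# before deciding what to hand to a sharing partner. The "region" field,
# recording the jurisdiction each record was collected under, is an assumed
# convention for this example; the contact details are fictitious.
SAMPLE_RECORDS = [
    {"indicator": "203.0.113.7", "type": "ipv4", "region": "US",
     "context": "Brute-force login attempts against jdoe@example.com"},
    {"indicator": "198.51.100.23", "type": "ipv4", "region": "EU",
     "context": "Phishing mail sent to anna.schmidt@example.de, "
                "SSN 123-45-6789 quoted in the lure"},
    {"indicator": "malware.example.net", "type": "domain", "region": "EU",
     "context": "Lure letter addressed to 14 Baker Street, "
                "C2 beacon from 192.0.2.44"},
]

# The "easy" PII classes the article names (social security numbers, home
# addresses) plus e-mail addresses. These are deliberately simple searches;
# the broader GDPR categories need real classification tooling.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "address": re.compile(
        r"\b\d{1,5} (?:[A-Z][a-z]+ )+(?:Street|St|Avenue|Ave|Road|Rd|Lane|Ln)\b"),
}


def redact_pii(text):
    """Replace each PII match with a typed placeholder.

    Returns the redacted text and a per-class count of what was removed,
    so the redaction can be audited without logging the PII itself.
    """
    counts = {}
    for name, pattern in PII_PATTERNS.items():
        text, counts[name] = pattern.subn(f"[{name.upper()}]", text)
    return text, counts


def segregate_by_region(records):
    """Bucket records by collection jurisdiction (the article's 'segregate
    data to begin with' step). Records with no region land in 'UNKNOWN'."""
    buckets = {}
    for rec in records:
        buckets.setdefault(rec.get("region", "UNKNOWN"), []).append(rec)
    return buckets


def prepare_for_sharing(records, redact_regions=None, fields=("context",)):
    """Return (shareable_copies, audit_log).

    redact_regions=None scrubs every record, the conservative default.
    A set such as {"EU"} scrubs only records collected in those regions,
    matching the 'redact the EU data before you share it' advice.
    Records with an unknown region are always scrubbed.
    The indicator itself is never touched; only free-text fields are.
    """
    shareable, audit = [], []
    for rec in records:
        region = rec.get("region", "UNKNOWN")
        scrub = (redact_regions is None or region in redact_regions
                 or region == "UNKNOWN")
        out = dict(rec)  # never mutate the internal copy
        if scrub:
            for field in fields:
                if field in out:
                    out[field], counts = redact_pii(out[field])
                    if any(counts.values()):
                        audit.append((out["indicator"], region, counts))
        shareable.append(out)
    return shareable, audit


if __name__ == "__main__":
    for region, recs in segregate_by_region(SAMPLE_RECORDS).items():
        print(f"{region}: {len(recs)} record(s)")
    shared, audit = prepare_for_sharing(SAMPLE_RECORDS, redact_regions={"EU"})
    for rec in shared:
        print(f"[{rec['region']}] {rec['indicator']}: {rec['context']}")
    for indicator, region, counts in audit:
        removed = {k: v for k, v in counts.items() if v}
        print(f"scrubbed {removed} from {region} record {indicator}")
```

The audit log records how many items of each class were removed from which record, never the removed values, so it can be retained as evidence of the scrub without itself becoming a store of personal data. Records whose jurisdiction was never tagged are always scrubbed, which is the safe default when segregation was not done at collection time. As the article notes, pattern searches like these will not find the wider categories the GDPR counts as personal data; that is the gap the newer classification tooling is meant to close.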

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Christian Bryant, User Rank: Ninja, 1/25/2016 | 1:21:03 AM
Sensitive Data Management Application Opportunity
Sounds to me like this represents an opportunity for data management systems to step it up and formalize segregated management features. Allowing companies to easily keep data traffic appropriately diverted, secured and viewable remotely only (the idea being the data never leaves the geographic locale in the first place), new ideas can be entertained on how to change methods of acquisition, analysis, and dispersal of information. Playing with technologies like distributed computing and shared media across CDNs, programmers can experiment with a new model of data collection and sharing where laws are adhered to, but by re-defining the technical landscape it turns into a game of cat-and-mouse where authoring new laws becomes the cat trying to anticipate the mouse's next move (assuming there is a drive to keep the regulations growing tighter). "Helpful information-sharing" shouldn't be a crime, and by no means are the laws at a point where the flow of data in one form or another is completely impossible, while keeping to the legal requirements of such regulations.

RyanSepe, User Rank: Ninja, 1/22/2016 | 1:11:07 PM
Global Standard
Do we need a global standard to adhere to? Meaning a standard that supersedes US and EU privacy regulations. Maybe there already is one that I am unaware of.
geriatric, User Rank: Moderator, 1/22/2016 | 12:09:42 PM
Voluntary Today - Mandatory Tomorrow
Great article. I agree that the present solution is "just don't share". Bear in mind though, that what is voluntary today will become mandatory tomorrow.