Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

1/22/2016
10:00 AM

No Safe Harbor Is Coming -- CISA Made Sure Of It

It's time to take your data classification procedures more seriously. If not, that helpful information-sharing you did in the US could cost you hefty fines for privacy violations in the European Union.

What You Can Do

Just Don't Share Threat Information

Information-sharing through CISA isn't mandatory. You don't have to give your threat indicators to anyone if you don't want to. Some businesses will certainly take that route.

The initial recipients of the data shared through CISA will be the departments of Commerce, Defense, Homeland Security, Energy, Treasury, and the Office of the Director of National Intelligence, Herold notes. "These are huge agencies. So there is a great likelihood for a huge number of people to access the data that is shared from the privacy sector," she says.

Organizations concerned that data they share with the feds could be breached likely won't share it, she says. It could be a PR nightmare, even if they're not liable: "Just consider all that bad press that many tech companies have gotten when the public found out they had been sharing personal data with feds," she says.

Eliminate All Personal Information From Data You Share

If you do wish to share data, you can sanitize it of personally identifiable information before you hand it over. Even though the regulation doesn't require you to do so, it doesn't prohibit it -- not unless the Attorney General's guidelines change that.

Identity Finder's Stelzer says this is "very doable" using basic searches for PII and PHI available in current data classification technology.

The GDPR's expanding definition of personal data, however, may give those tools a serious challenge -- social security numbers and home addresses are easy enough to find, but shoe and dress sizes might be a bigger hurdle to clear.

Egnyte's Lahiri is optimistic about the innovation happening in the security industry to meet this challenge.

"[Data loss prevention] is kicking into very high gear," Lahiri says. "The new-age DLP really builds in this new kind of data recognition and classification."

New technology will not just recognize sensitive data and slide it into the right column, but will actually educate users about data privacy and security with prompts, Lahiri says.

"In a normal use case people are not wantonly doing something wrong," he says. "They just don't know."

Stelzer reminds security pros planning to share threat intel through CISA that they might get away with being lax on PII scrubbing if they only have American users in their database. "No Europeans' data, no problem," he says. But "you'd better redact the EU data before you share it."

Segregate Data To Begin With

All of this is much easier if you separate US data sets from non-US data sets as you collect them, experts say.

Regardless of what the courts ultimately decide on the DoJ vs. Microsoft case, you'll save yourself headaches in the future.
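One way to put the two recommendations above (scrub PII before sharing, and keep EU-origin data in its own bucket) into code, as an added example that is not from the article or any vendor named in it; the record fields, the regular expressions and the sample indicator records are constructed assumptions, not a CISA submission format:

```python
import re

# Constructed sample indicator records, as an organization might stage them
# before sharing. Field names are assumptions for this example only.
SAMPLE_INDICATORS = [
    {"indicator": "203.0.113.7", "type": "ipv4", "country": "US",
     "context": "Login brute force against jdoe@example.com from 203.0.113.7"},
    {"indicator": "evil.example.net", "type": "domain", "country": "DE",
     "context": "Phishing link sent to hans.mueller@example.de, SSN 123-45-6789 in lure"},
    {"indicator": "198.51.100.22", "type": "ipv4", "country": "US",
     "context": "C2 beacon; victim phone 555-867-5309 in ticket"},
]

# EU member states as of early 2016, when the article was written.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}

# Minimal PII patterns of the "easy to find" kind the article mentions
# (emails, US SSNs, US phone numbers); a real DLP engine has many more.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}


def scrub_pii(text):
    """Replace each PII match with a labelled placeholder.
    Returns (scrubbed_text, list_of_pii_types_found)."""
    found = []
    for label, pattern in PII_PATTERNS.items():
        text, count = pattern.subn(f"[{label} REDACTED]", text)
        if count:
            found.append(label)
    return text, found


def prepare_for_sharing(records):
    """Scrub free-text context on every record, then segregate by origin:
    EU-origin records are withheld for separate review instead of being
    placed in the set destined for US agencies. Returns (shareable, withheld)."""
    shareable, withheld = [], []
    for rec in records:
        context, found = scrub_pii(rec["context"])
        cleaned = {**rec, "context": context, "redacted": found}
        (withheld if rec["country"] in EU_COUNTRIES else shareable).append(cleaned)
    return shareable, withheld
```

Routing by a `country` field only works if origin was recorded at collection time, which is exactly why the article recommends segregating data sets as you collect them.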

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
geriatric, User Rank: Moderator, 1/22/2016 | 12:09:42 PM
Voluntary Today - Mandatory Tomorrow
Great article. I agree that the present solution is "just don't share". Bear in mind though, that what is voluntary today will become mandatory tomorrow.
RyanSepe, User Rank: Ninja, 1/22/2016 | 1:11:07 PM
Global Standard
Do we need a global standard to adhere to? Meaning a standard that supersedes US and EU privacy regulations. Maybe there already is one that I am unaware of.
RetiredUser, User Rank: Ninja, 1/25/2016 | 1:21:03 AM
Sensitive Data Management Application Opportunity
Sounds to me like this represents an opportunity for data management systems to step it up and formalize segregated management features. Allowing companies to easily keep data traffic appropriately diverted, secured and viewable remotely only (the idea being the data never leaves the geographic locale in the first place), new ideas can be entertained on how to change methods of acquisition, analysis, and dispersal of information. Playing with technologies like distributed computing and shared media across CDNs, programmers can experiment with a new model of data collection and sharing where laws are adhered to, but by re-defining the technical landscape it turns into a game of cat-and-mouse where authoring new laws becomes the cat trying to anticipate the mouse's next move (assuming there is a drive to keep the regulations growing tighter). "Helpful information-sharing" shouldn't be a crime, and by no means are the laws at a point where the flow of data in one form or another is completely impossible, while keeping to the legal requirements of such regulations.