Data Protection Tips for Proposed US Cybersecurity Laws

Uploaded on 2016-08-05 in NEWS-News Analysis, FREE TO VIEW, BUSINESS-Services-Law

Proposed cybersecurity legislation is making business owners nervous – with good reason. These tips will help you be prepared no matter what US Congress does.

Is Washington waging a war on security technology? In April, U.S. Senators Richard Burr  and Dianne Feinstein introduced what became a highly controversial bill that -- if it were to be promulgated into law -- would effectively outlaw strong encryption.

By the end of it was thought the bill as good as dead in the water because of strong public opposition. This is potentially an overstatement. Despite a lack of support from their Senate colleagues, Burr and Feinstein have urged "patience" to Senate-watchers where the bill is concerned.

Proposed Cybersecurity Legislation

Meanwhile, Beltway insiders have reportedly indicated that there is substantial reluctance to go to battle against the technology industry in a presidential election year. Indeed, a separate legislative measure drafted by Senators Burr and John McCain (R-Ariz.) that would have made it easier for federal law enforcement to obtain the electronic communications data of private persons without worrying about pesky court orders or other due process measures was defeated late last month -- albeit narrowly.

With the Burr-Feinstein legislation on life support for now, an alternative bill -- introduced in both houses of the legislature, by Senator Mark Warner (D-Va.) and Representative Mike McCaul (R-Tex.) respectively -- has emerged as a possible compromise: The Digital Security Commission Act of 2016 is hailed by proponents as a measure that is far less "hasty" than the heavy-handed Burr-Feinstein bill.

The McCaul-Warner legislation would merely establish a commission -- made up of 16 people from across the public and private sectors -- who would study the issue of further encryption-related legislation and issue reports. Critics are skeptical, however, of the bill's ability to establish meaningful compromise.

Meanwhile, the FBI has been pushing for more electronic search-and-seizure leeway for quite some time. FBI Director James Comey has said that his top priority is to obtain the legal power necessary to be able to collect personal electronic communications data without obtaining a court order.

With all of this political posturing, cybersecurity- and privacy-minded companies should bear these three tips in mind to proactively keep their data safe -- regardless of which way the winds blow in Washington.

Look to California's Actions on Data Privacy

Are you considering founding a new company or relocating your current operations? Recent California legislation could potentially protect your company from law enforcers who may demand you break your own encryption or reverse-engineer your own products -- if your company is located within the state, that is.

On January 1, a California state law took effect banning the sale or use of voice data collected in that state via smart televisions or smart devices that connect to televisions (such as set-top boxes, DVRs, video-game consoles) for advertising purposes. The bill further bans any voice recognition operation by smart TVs "without prominently informing ... the user" (or, during installation, the user's designee). These measures resulted from lawsuits related to the alleged collection and improper use of consumer data by Vizio smart TVs.

More pertinently, however, a separate clause in the law protects California businesses from being compelled to modify their devices to assist law enforcement or other investigators. Undoubtedly this is a move to protect Silicon Valley and other California tech companies in the wake of the recent Apple-FBI encryption scuffle after December's terror attack in San Bernardino. 

Whether that part of the law will stand up against federal preemption is another story, but the California tech sector -- and those considering a move to California -- can at least take heart in knowing that their state government legally stands behind them when it comes to law enforcement-compelled reverse engineering and encryption breaking.

Business owners may want to encourage their own state legislatures to adopt similar measures. At the very least, you will want to keep informed about your own state's legislative efforts involving cybersecurity and data protection.

Consider a Warrant Canary

Certain types of federal law enforcement subpoenas and information requests -- such as National Security Letters, FISA court orders and the like -- are usually accompanied by a gag order, preventing the recipient from confirming or denying the existence of receipt of the subpoena or request (or, for that matter, the gag order). If the FBI gets its way, the federal government will enjoy even broader powers to issue broad information requests and bar speech about them.

The theory behind a warrant canary remains legally untested as of yet, but it goes like this: Regularly discuss and update your users, your customers and the public on the fact that you have not received any such demands or requests for information that are normally accompanied by a gag order. Thus when and if you do become subject to a gag order, your silence on the issue (and takedown or edit of the corresponding notice -- the "canary" -- on your website or in other communication) will at once be compliant and inform the world-at-large with a wink and a nod that Uncle Sam has his hand over your mouth.

Understand your risks with this legal theory, and be prepared to shell out for a lawyer if the day ever comes that you have to potentially kill your canary and face a government challenge in court. Still, the notion of the warrant canary bears consideration.(It has even picked up traction with the ACLU and the EFF.)

Use Dark Web for Good, Not Evil

While the vast majority of content on the Dark Web reportedly involves illegal, quasi-legal and/or otherwise unsavory activity, it also has legitimate purposes such as protecting whistleblowers.

In a recent "Ask Me Anything" session on Reddit, warrant-canary activist Nicholas Merrill noted that any organization can easily set up their own Dark Web version of a website, accessible via an onion browser like Tor. 

Mainstream services and websites, including Facebook and ProPublica, already have their own "hidden" Dark Web presences.(ProPublica even offers instructions on how to browse its site using Tor.)

"It would be a great thing if Reddit would set up a hidden-service version of their website," Merrill observed. Merrill also urged individual users to use hidden-service browsers for all of their web surfing activities so as to maintain their anonymity, whether or not they browse the Dark Web.

"There is nothing stopping you from accessing [a regular website like] Reddit using The Tor Project's Tor Browser and maintaining the anonymity of your IP address and geolocation," Merrill told Redditors. "In fact, it would relieve Reddit of some of the burden of protecting you if you would do so."

SecurityPlanet

 

 

« Key Trends In Machine Learning & Artificial Intelligence
The End Of Your Undivided Attention »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Micron Technology

Micron Technology

Micron is a global leader in the semiconductor industry providing memory and secure storage devices for Networks, Mobile devices and IoT applications.

MetricStream

MetricStream

MetricStream provide integrated GRC solutions across business, IT, and security functions.

Openminded (OPMD)

Openminded (OPMD)

Openminded is a French security and network services company.

2Secure

2Secure

2Secure is one of Sweden's largest private security companies. Service inlcude personal security, corporate security, information and cyber security.

IoT European Research Cluster (IERC)

IoT European Research Cluster (IERC)

IERC brings together EU-funded projects with the aim of defining a common vision for IoT technology and development research challenges.

Foresite

Foresite

Foresite is a global service provider, delivering a range of managed security and consulting solutions.

SysTools

SysTools

SysTools provides a range of services including data recovery, digital forensics, and cloud backup solutions.

TI Safe

TI Safe

TI Safe provide cybersecurity solutions for industrial networks of main critical infrastructures in Latin America.

NAVEX Global

NAVEX Global

NAVEX Global’s compliance management system consolidates your entire GRC program onto a scalable cloud-based platform.

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

DigiByte (DGB)

DigiByte (DGB)

DigiByte (DGB) is a rapidly growing global blockchain with a focus on cybersecurity for digital payments & decentralized applications.

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst

Rogers Cybersecure Catalyst helps Canadians and Canadian companies seize the opportunities and tackle the challenges of cybersecurity.

Myota

Myota

Myota intelligently equips each file to be resilient and achieve Zero Trust-grade protection. Withstand ransomware and data breach attacks. Reduce data restoration time and effort.

Softwerx

Softwerx

Softwerx is the UK’s leading Microsoft cloud security practice. We’ve been helping forward-thinking companies better secure their businesses for nearly twenty years.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

HaystackID

HaystackID

HaystackID provides industry-leading computer forensics, eDiscovery, and attorney document review experts to help with complex, data-intensive investigations and litigation.