Data Protection Tips for Proposed US Cybersecurity Laws

Proposed cybersecurity legislation is making business owners nervous – with good reason. These tips will help you be prepared no matter what US Congress does.

Is Washington waging a war on security technology? In April, U.S. Senators Richard Burr  and Dianne Feinstein introduced what became a highly controversial bill that -- if it were to be promulgated into law -- would effectively outlaw strong encryption.

By the end of it was thought the bill as good as dead in the water because of strong public opposition. This is potentially an overstatement. Despite a lack of support from their Senate colleagues, Burr and Feinstein have urged "patience" to Senate-watchers where the bill is concerned.

Proposed Cybersecurity Legislation

Meanwhile, Beltway insiders have reportedly indicated that there is substantial reluctance to go to battle against the technology industry in a presidential election year. Indeed, a separate legislative measure drafted by Senators Burr and John McCain (R-Ariz.) that would have made it easier for federal law enforcement to obtain the electronic communications data of private persons without worrying about pesky court orders or other due process measures was defeated late last month -- albeit narrowly.

With the Burr-Feinstein legislation on life support for now, an alternative bill -- introduced in both houses of the legislature, by Senator Mark Warner (D-Va.) and Representative Mike McCaul (R-Tex.) respectively -- has emerged as a possible compromise: The Digital Security Commission Act of 2016 is hailed by proponents as a measure that is far less "hasty" than the heavy-handed Burr-Feinstein bill.

The McCaul-Warner legislation would merely establish a commission -- made up of 16 people from across the public and private sectors -- who would study the issue of further encryption-related legislation and issue reports. Critics are skeptical, however, of the bill's ability to establish meaningful compromise.

Meanwhile, the FBI has been pushing for more electronic search-and-seizure leeway for quite some time. FBI Director James Comey has said that his top priority is to obtain the legal power necessary to be able to collect personal electronic communications data without obtaining a court order.

With all of this political posturing, cybersecurity- and privacy-minded companies should bear these three tips in mind to proactively keep their data safe -- regardless of which way the winds blow in Washington.

Look to California's Actions on Data Privacy

Are you considering founding a new company or relocating your current operations? Recent California legislation could potentially protect your company from law enforcers who may demand you break your own encryption or reverse-engineer your own products -- if your company is located within the state, that is.

On January 1, a California state law took effect banning the sale or use of voice data collected in that state via smart televisions or smart devices that connect to televisions (such as set-top boxes, DVRs, video-game consoles) for advertising purposes. The bill further bans any voice recognition operation by smart TVs "without prominently informing ... the user" (or, during installation, the user's designee). These measures resulted from lawsuits related to the alleged collection and improper use of consumer data by Vizio smart TVs.

More pertinently, however, a separate clause in the law protects California businesses from being compelled to modify their devices to assist law enforcement or other investigators. Undoubtedly this is a move to protect Silicon Valley and other California tech companies in the wake of the recent Apple-FBI encryption scuffle after December's terror attack in San Bernardino. 

Whether that part of the law will stand up against federal preemption is another story, but the California tech sector -- and those considering a move to California -- can at least take heart in knowing that their state government legally stands behind them when it comes to law enforcement-compelled reverse engineering and encryption breaking.

Business owners may want to encourage their own state legislatures to adopt similar measures. At the very least, you will want to keep informed about your own state's legislative efforts involving cybersecurity and data protection.

Consider a Warrant Canary

Certain types of federal law enforcement subpoenas and information requests -- such as National Security Letters, FISA court orders and the like -- are usually accompanied by a gag order, preventing the recipient from confirming or denying the existence of receipt of the subpoena or request (or, for that matter, the gag order). If the FBI gets its way, the federal government will enjoy even broader powers to issue broad information requests and bar speech about them.

The theory behind a warrant canary remains legally untested as of yet, but it goes like this: Regularly discuss and update your users, your customers and the public on the fact that you have not received any such demands or requests for information that are normally accompanied by a gag order. Thus when and if you do become subject to a gag order, your silence on the issue (and takedown or edit of the corresponding notice -- the "canary" -- on your website or in other communication) will at once be compliant and inform the world-at-large with a wink and a nod that Uncle Sam has his hand over your mouth.

Understand your risks with this legal theory, and be prepared to shell out for a lawyer if the day ever comes that you have to potentially kill your canary and face a government challenge in court. Still, the notion of the warrant canary bears consideration.(It has even picked up traction with the ACLU and the EFF.)

Use Dark Web for Good, Not Evil

While the vast majority of content on the Dark Web reportedly involves illegal, quasi-legal and/or otherwise unsavory activity, it also has legitimate purposes such as protecting whistleblowers.

In a recent "Ask Me Anything" session on Reddit, warrant-canary activist Nicholas Merrill noted that any organization can easily set up their own Dark Web version of a website, accessible via an onion browser like Tor. 

Mainstream services and websites, including Facebook and ProPublica, already have their own "hidden" Dark Web presences.(ProPublica even offers instructions on how to browse its site using Tor.)

"It would be a great thing if Reddit would set up a hidden-service version of their website," Merrill observed. Merrill also urged individual users to use hidden-service browsers for all of their web surfing activities so as to maintain their anonymity, whether or not they browse the Dark Web.

"There is nothing stopping you from accessing [a regular website like] Reddit using The Tor Project's Tor Browser and maintaining the anonymity of your IP address and geolocation," Merrill told Redditors. "In fact, it would relieve Reddit of some of the burden of protecting you if you would do so."

SecurityPlanet

 

 

« Key Trends In Machine Learning & Artificial Intelligence
The End Of Your Undivided Attention »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab

NUS-Singtel Cyber Security R&D Lab conducts research into predictive security analytics.

QA Systems

QA Systems

QA Systems provides software testing solutions for safety and business critical sectors and software safety and security standards.

Global Information Assurance Certification (GIAC)

Global Information Assurance Certification (GIAC)

GIAC provides certification in the knowledge and skills necessary for a practitioner in key areas of computer, information and software security.

Fortalice

Fortalice

Fortalice provide customizable consulting services built on proven methodology to strengthen your business cyber security defenses.

CyPhyCon

CyPhyCon

CyPhyCon is an annual event exploring threats and solutions to cyber attacks on cyber-physical systems such as industrial control systems, Internet of Things and Industrial Internet of Things.

Curricula

Curricula

Curricula's cyber security awareness training delivers short relatable security stories to your employees. We make learning cyber security simple and fun.

Privacera

Privacera

Privacera enables consistent data governance, security, and compliance across all your data services - on-premises and in the cloud - so you can maximize the value of your data.

Cipher

Cipher

Founded in 2000, Cipher is a global cybersecurity company that delivers a wide range of Managed Security Services.

Rubrik

Rubrik

Rubrik helps enterprises achieve data control to drive business resiliency, cloud mobility, and regulatory compliance.

Cyber Readiness Institute (CRI)

Cyber Readiness Institute (CRI)

At the Cyber Readiness Institute, our mission is simple: empower small and medium-sized enterprises with free tools and resources to help them become more secure and resilient.

Protexxa

Protexxa

Protexxa is a B2B SaaS cybersecurity platform that leverages Artificial Intelligence to rapidly identify, evaluate, predict, and resolve cyber issues for employees.

Schellman

Schellman

Schellman is a leading provider of attestation and compliance services.

SafeLiShare

SafeLiShare

SafeLiShare’s data security platform unifies encryption strategies for organizations with hybrid and multi-cloud infrastructures, ensuring data is secure regardless of its location.

Liquid C2

Liquid C2

Liquid C2 offers leading solutions to streamline workplace operations, secure cloud storage, rapid data recovery, and scale growth.

Kaavalan

Kaavalan

Kaavalan was founded with a mission and a vision to protect you against cyber threats in the connected world.

National Cybersecurity Agency (ANCI) - Chile

National Cybersecurity Agency (ANCI) - Chile

ANCI (Agencia Nacional de Ciberseguridad) is the National Cybersecurity Agency of Chile.