Data Protection Tips for Proposed US Cybersecurity Laws

Proposed cybersecurity legislation is making business owners nervous – with good reason. These tips will help you be prepared no matter what US Congress does.

Is Washington waging a war on security technology? In April, U.S. Senators Richard Burr  and Dianne Feinstein introduced what became a highly controversial bill that -- if it were to be promulgated into law -- would effectively outlaw strong encryption.

By the end of it was thought the bill as good as dead in the water because of strong public opposition. This is potentially an overstatement. Despite a lack of support from their Senate colleagues, Burr and Feinstein have urged "patience" to Senate-watchers where the bill is concerned.

Proposed Cybersecurity Legislation

Meanwhile, Beltway insiders have reportedly indicated that there is substantial reluctance to go to battle against the technology industry in a presidential election year. Indeed, a separate legislative measure drafted by Senators Burr and John McCain (R-Ariz.) that would have made it easier for federal law enforcement to obtain the electronic communications data of private persons without worrying about pesky court orders or other due process measures was defeated late last month -- albeit narrowly.

With the Burr-Feinstein legislation on life support for now, an alternative bill -- introduced in both houses of the legislature, by Senator Mark Warner (D-Va.) and Representative Mike McCaul (R-Tex.) respectively -- has emerged as a possible compromise: The Digital Security Commission Act of 2016 is hailed by proponents as a measure that is far less "hasty" than the heavy-handed Burr-Feinstein bill.

The McCaul-Warner legislation would merely establish a commission -- made up of 16 people from across the public and private sectors -- who would study the issue of further encryption-related legislation and issue reports. Critics are skeptical, however, of the bill's ability to establish meaningful compromise.

Meanwhile, the FBI has been pushing for more electronic search-and-seizure leeway for quite some time. FBI Director James Comey has said that his top priority is to obtain the legal power necessary to be able to collect personal electronic communications data without obtaining a court order.

With all of this political posturing, cybersecurity- and privacy-minded companies should bear these three tips in mind to proactively keep their data safe -- regardless of which way the winds blow in Washington.

Look to California's Actions on Data Privacy

Are you considering founding a new company or relocating your current operations? Recent California legislation could potentially protect your company from law enforcers who may demand you break your own encryption or reverse-engineer your own products -- if your company is located within the state, that is.

On January 1, a California state law took effect banning the sale or use of voice data collected in that state via smart televisions or smart devices that connect to televisions (such as set-top boxes, DVRs, video-game consoles) for advertising purposes. The bill further bans any voice recognition operation by smart TVs "without prominently informing ... the user" (or, during installation, the user's designee). These measures resulted from lawsuits related to the alleged collection and improper use of consumer data by Vizio smart TVs.

More pertinently, however, a separate clause in the law protects California businesses from being compelled to modify their devices to assist law enforcement or other investigators. Undoubtedly this is a move to protect Silicon Valley and other California tech companies in the wake of the recent Apple-FBI encryption scuffle after December's terror attack in San Bernardino. 

Whether that part of the law will stand up against federal preemption is another story, but the California tech sector -- and those considering a move to California -- can at least take heart in knowing that their state government legally stands behind them when it comes to law enforcement-compelled reverse engineering and encryption breaking.

Business owners may want to encourage their own state legislatures to adopt similar measures. At the very least, you will want to keep informed about your own state's legislative efforts involving cybersecurity and data protection.

Consider a Warrant Canary

Certain types of federal law enforcement subpoenas and information requests -- such as National Security Letters, FISA court orders and the like -- are usually accompanied by a gag order, preventing the recipient from confirming or denying the existence of receipt of the subpoena or request (or, for that matter, the gag order). If the FBI gets its way, the federal government will enjoy even broader powers to issue broad information requests and bar speech about them.

The theory behind a warrant canary remains legally untested as of yet, but it goes like this: Regularly discuss and update your users, your customers and the public on the fact that you have not received any such demands or requests for information that are normally accompanied by a gag order. Thus when and if you do become subject to a gag order, your silence on the issue (and takedown or edit of the corresponding notice -- the "canary" -- on your website or in other communication) will at once be compliant and inform the world-at-large with a wink and a nod that Uncle Sam has his hand over your mouth.

Understand your risks with this legal theory, and be prepared to shell out for a lawyer if the day ever comes that you have to potentially kill your canary and face a government challenge in court. Still, the notion of the warrant canary bears consideration.(It has even picked up traction with the ACLU and the EFF.)

Use Dark Web for Good, Not Evil

While the vast majority of content on the Dark Web reportedly involves illegal, quasi-legal and/or otherwise unsavory activity, it also has legitimate purposes such as protecting whistleblowers.

In a recent "Ask Me Anything" session on Reddit, warrant-canary activist Nicholas Merrill noted that any organization can easily set up their own Dark Web version of a website, accessible via an onion browser like Tor. 

Mainstream services and websites, including Facebook and ProPublica, already have their own "hidden" Dark Web presences.(ProPublica even offers instructions on how to browse its site using Tor.)

"It would be a great thing if Reddit would set up a hidden-service version of their website," Merrill observed. Merrill also urged individual users to use hidden-service browsers for all of their web surfing activities so as to maintain their anonymity, whether or not they browse the Dark Web.

"There is nothing stopping you from accessing [a regular website like] Reddit using The Tor Project's Tor Browser and maintaining the anonymity of your IP address and geolocation," Merrill told Redditors. "In fact, it would relieve Reddit of some of the burden of protecting you if you would do so."

SecurityPlanet

 

 

« Key Trends In Machine Learning & Artificial Intelligence
The End Of Your Undivided Attention »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cato Networks

Cato Networks

Cato connects your branch locations, physical and cloud datacenters, and mobile users into a secure and optimized global network in the cloud.

Jetico

Jetico

Jetico provides pure & simple data protection software for all sensitive information throughout the lifecycle. Solutions include data encryption and secure data erasure.

ODVA

ODVA

ODVA is a global trade and standards development organization whose members comprise the world’s leading industrial automation companies.

Secure Soft

Secure Soft

Secure Soft are experts in Computer and Information Security with a presence in Peru, Colombia and Ecuador.

Mitre

Mitre

At Mitre we work across government to tackle challenges to the safety, stability, and well-being of our nation. Areas of expertise include Cybersecurity.

Bureau Veritas

Bureau Veritas

Bureau Veritas are a world leader in Testing, Inspection and Certification. We provide certification and training services in areas including cybersecurity and data protection.

Crosser

Crosser

The Crosser Platform enables real-time processing of streaming or batch data for Industrial IoT, Data Transformation, Analytics, Automation and Integration.

Option3

Option3

Option3 (formerly Option3Ventures - O3V) primarily seek control investments in the growing cybersecurity mid-market, seeking to build champions with the scale to bring cutting-edge products to market.

Echosec Systems

Echosec Systems

Echosec Systems is a data discovery company delivering social media and dark web threat intelligence. Our web based security software delivers critical information for situational awareness.

Ridge Global

Ridge Global

Ridge Global works with C-suite executives and corporate directors to build more resilient organizations through innovative preparedness, protection, response and education capabilities.

IN4 Group

IN4 Group

IN4 Group is a skills, innovation and start-up services provider that specialises in supporting businesses with the training, communities, networks and advice they need to scale.

TwoThreeFour

TwoThreeFour

ThreeTwoFour provide tailored cyber security solutions, delivered by highly-skilled, experienced consultants who respond to the real needs of you and your business.

SideChannel

SideChannel

At SideChannel, we match companies with an expert virtual CISO (vCISO), so your organization can assess cyber risk and ensure cybersecurity compliance.

SeeMetrics

SeeMetrics

SeeMetrics is an automated cybersecurity performance management platform that integrates security data and business objectives into a simple interface.

Omega Systems

Omega Systems

Omega Systems is a leading managed service provider (MSP) and managed security service provider (MSSP) to mid-market organizations.

Multipoint Group

Multipoint Group

Multipoint is an information security and protection solutions company operating in the South EMEA region through value-added distribution channels.