Much like the concern about the type of information that can be shared with the U.S. Government under the CISA act, many companies and customers have justifiable concerns about the privacy of that information. While even the NSA can be hacked, there are several key provisions of the CISA act, and facts about the information itself, that should address these concerns and demonstrate that the value of the protections CISA provides outweighs the potential disclosure of the type of information that would be collected.
The information doesn't have to contain proprietary or corporate information: As stated in our last article, the information required to be provided is about the hack and is usually technical, such as the attack vector, domain, IP, and the defense and mitigation strategies that succeeded. So even if the information provided were released, it would be of little importance to the company, especially if the company invokes anonymity. Complaint forms on the US-CERT and Internet Cyber Crime Center (IC3) websites ask for technical data, although proprietary information can be requested, especially in the case of sensitive or classified information.
Information must be filtered for personal information: The law recognizes that any entity (private, non-federal, federal, state, local, etc.) that receives cyber threat indicator information must screen that information for personal information in accordance with Section 103.b.E.i and ii, which state that the federal government is required to develop procedures to review cyber information for personal data and to remove it from anything that is shared.
Trade Secret or Trademarked Data must be protected: While most companies would be hesitant to share the fact that trademarked or proprietary data has been stolen, there are times when disclosing such a theft would be beneficial and should be considered. If DHS is made aware of the theft, then the agency can take advantage of the government’s reach to search for the stolen data, possibly starting an investigation and giving the company evidence to be used in litigation. Without the disclosure, a company would be on its own in trying to track down the data using its own resources. These protections are outlined in Section 105.d.2 of the CISA law.
You can remain anonymous: Information provided to DHS allows the reporting entity to remain anonymous if desired. If information is shared through an ISAO, the information is already protected through the ISAO membership, and its originator cannot be divulged unless approved. The offer to remain anonymous is stated by DHS on its AIS webpage.
Shared Information Must Be Protected: In Section 104.d.1, the law also requires any entity that shares information to properly store that information and to apply security controls that prevent unauthorized access to it. This means that an ISAO that receives your information must store it in a protected manner and must ensure that all members apply security measures when storing the data. So any data submitted by a member is protected and secure.
Your data could be used by Law Enforcement in specific cases: The numerous and valuable protections under the CISA act are afforded to businesses not only for sharing cyber threat data so that they can mitigate cybercrime, but also for sharing any data a company finds indicating that one of three specific threats or offenses could occur:
- A specific threat of bodily or economic harm, or the use of a weapon of mass destruction.
- An indicator of a threat to a minor, including sexual exploitation or a threat to physical safety.
- An indicator that personal identity fraud, espionage, or theft of intellectual property would take place.
What the government is saying here is that, if a company finds evidence that the above threats are possible, it can use the ISAO to transmit that data through the approved Automatic Information Sharing (AIS) system to Federal authorities for their action. Under the law, the member can also send an email to the appropriate address reporting the discovery. However, sharing the information only between non-federal entities, and not with the Federal Government, may prevent critical CISA protections from being invoked, because the data was not shared with a Law Enforcement entity able to mitigate the threats. It is recommended that such data be shared through an ISAO, since those protections would be of great value to any business that inadvertently became involved in one of those crimes through its employees.
The type of data shared does not outweigh the protections afforded under the CISA law. As stated, there is no requirement to share data that is proprietary or personal in nature. The data required by US-CERT or IC3 is technical in nature and by law cannot contain any personal data. In order to invoke the protections under CISA, it is critical that SMBs share data with DHS, either directly or through an ISAO.
While privacy of data is of great concern to businesses, it is crucial to ensure that you are covered by the CISA act at all times. Sharing data, whether between members and other non-Federal entities or through an ISAO to DHS, ensures that these critical protections remain in place.