Pirates continue to plunder the sea lanes in some parts of the world, armed with AK47s instead of cutlasses, but a new iteration of piracy has become more common – this form well hidden from sight and employing nothing so primitive as swords or guns.
Today's cyberthieves, armed with computers linked to the internet and a variety of hacking skills, can penetrate networks anywhere in the world to abscond with corporate treasures and violate the privacy of individuals. In fact, according to a recent report from the World Economic Forum, cybersecurity ranks in the Top Five “risks to watch” for stakeholders across government and the private sector.
But, just who is responsible for protecting the privacy of individuals and organisations – particularly when data traverses national boundaries – has become a hot topic for debate.
Despite breach notification laws in 46 states, and compliance mandates such as Sarbanes-Oxley and HIPAA that order adherence to privacy restrictions, the United States lags the European Union in prescriptive requirements, experts say. Europeans, far more sensitive to the possibility of data exposure owing to their experiences under authoritarian regimes during World War II, passed the Data Protection Directive, which offers a comprehensive system throughout the EU and incorporates recommendations made 30 years ago by the Organisation for Economic Cooperation and Development (OECD), an organisation of 34 countries founded in 1961. While the United States endorsed the OECD's recommendations, it never implemented them.
“We don't have anything [in the United States] that specific,” says Hugh Thompson, program committee chairman of the RSA Conference, the security industry's largest trade event. Overall, there is a big cultural difference between how privacy is treated in the United States and how it is regarded in Europe. The laws in Europe, for example, dictate where data can be moved, says Thompson, a well-known application security expert who teaches at several universities and has co-authored four books.
The transfer of data across geographic boundaries is a challenge for multinational corporations and government entities, he says. There are laws on the books in Europe that prescribe how long data must be retained and when it must be deleted. But the requirements vary from country to country, so it is often a juggling act to adhere to them. “There's a lot of confusion.”
Patricia Titus, VP and CISO at Reston, Va.-based Unisys, agrees. Unisys – a company that designs, builds and manages systems for businesses and governments around the globe – works with a number of companies that have drafted transfer agreements with various countries to move their applications and data into the Unisys network. It is a process that is time-consuming and eats up a lot of personnel time.
Clients in each country must compile data transfer agreements that incorporate standards such as ISO 27001 or those published by NIST. The next level implements requirements from FISMA, a US federal mandate that adds another layer of data safeguards across the globe, she says.
It would be helpful for corporations if there were a global standard with bare minimums, Titus says. “It would go a long way to create a framework beginning with the United States and the EU.” There has been a lot of dialogue around such a development, but little to nothing has actually been implemented, she says.
It is also expensive to manage all the data privacy laws. “There's no Gantt chart [a type of bar chart that illustrates the start and finish dates of a project's tasks] that shows the country, the standards it upholds, and the gap between its and the United States' privacy laws,” she says.
No one seems to have a workable response. Thompson is not aware of any group, public or private, moving toward a global standard that could take the guesswork out of the process. Nations and corporations are still grappling with what data is private and what needs to be protected, he says. “It is murky when moving data across borders,” he says.
And this ambiguity is causing headaches for a lot of people and organisations. Those shopping for a cloud service provider, for example, must weigh not only which service offers the best rates but, given the rapidly evolving legal ramifications, which one can provide some measure of legal protection.
In the past, negotiating a service-level agreement with a cloud provider wasn't a big issue, says Thompson. Now, though, with new laws being implemented in various countries, the logistics become more prohibitive. For example, he says, a German customer's data may not be moved out of the country, so how is that person supposed to make a purchase with a credit card from a business across the border?
Also, he adds, some types of data not considered private in the United States may prove to be a gateway to identification. Data that is not classified as personally identifiable information (PII), and is thus exempt from data privacy restrictions, could still provide access to truly private data, say, via a password reset, says Thompson.
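The point above is easy to demonstrate in code. The following is an added example, not code from the article or from anyone quoted in it: a constructed account whose postal code, birth year and favourite team would rarely be labelled PII, a knowledge-based reset flow that accepts exactly those facts as proof of identity, and a hardened flow that relies on a random, single-use, expiring token delivered out of band. The account data, the field names and the 15-minute window are all assumptions made for the demo.

```python
"""Added example (not from the article): "non-PII" fields as a reset gateway.

Two password-reset designs side by side. weak_reset() verifies the caller
with facts an organisation might not classify as PII; token_reset() uses a
random, hashed, single-use, expiring token sent out of band instead.
All names, values and the TTL below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute reset window


def _hash(value: str) -> str:
    """Hex SHA-256; neither passwords nor reset tokens are stored in clear."""
    return hashlib.sha256(value.encode()).hexdigest()


def make_users():
    """Constructed sample account. Only the e-mail would usually be labelled
    PII, yet the other three fields are exactly what a weak reset asks for."""
    return {
        "alice@example.com": {
            "password_hash": _hash("correct horse battery staple"),
            "postal_code": "20190",
            "birth_year": "1980",
            "favourite_team": "Nationals",
            "reset": None,  # pending token, set by request_reset_token()
        }
    }


def weak_reset(users, email, postal_code, birth_year, favourite_team, new_password):
    """Knowledge-based reset: anyone who knows three 'non-private' facts
    about the victim can take over the account. Returns True on success."""
    user = users.get(email)
    if user is None:
        return False
    if (user["postal_code"], user["birth_year"], user["favourite_team"]) != (
        postal_code, birth_year, favourite_team,
    ):
        return False
    user["password_hash"] = _hash(new_password)
    return True


def request_reset_token(users, email, now=None):
    """Hardened flow, step 1: mint a random token, store only its hash and an
    expiry, and hand the plaintext to the out-of-band channel. The return
    value stands in for the e-mail; an attacker without mailbox access never
    sees it. None for unknown users (respond identically to avoid enumeration)."""
    user = users.get(email)
    if user is None:
        return None
    token = secrets.token_urlsafe(32)
    issued = now if now is not None else time.time()
    user["reset"] = {"hash": _hash(token), "expires": issued + TOKEN_TTL_SECONDS}
    return token


def token_reset(users, email, token, new_password, now=None):
    """Hardened flow, step 2: constant-time compare, expiry check, single use.
    Any attempt, right or wrong, consumes the pending token so it cannot be
    brute-forced; the legitimate user simply requests a fresh one."""
    user = users.get(email)
    if user is None or user["reset"] is None:
        return False
    pending = user["reset"]
    user["reset"] = None
    if (now if now is not None else time.time()) > pending["expires"]:
        return False
    if not hmac.compare_digest(pending["hash"], _hash(token)):
        return False
    user["password_hash"] = _hash(new_password)
    return True


def check_password(users, email, password):
    return hmac.compare_digest(users[email]["password_hash"], _hash(password))


def demo():
    """Attacker knows only public facts about Alice and cannot read her mail."""
    users = make_users()
    attacker_facts = ("20190", "1980", "Nationals")
    weak = weak_reset(users, "alice@example.com", *attacker_facts, "pwned")
    request_reset_token(users, "alice@example.com")   # real token goes to Alice
    guessed = token_reset(users, "alice@example.com", secrets.token_urlsafe(32), "pwned2")
    return {"weak_reset_succeeded": weak, "token_guess_succeeded": guessed}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak flow handing the account to someone holding only the three "non-PII" facts, while a guessed token fails against the hardened flow. The design choice worth noting is that the token flow never lets quasi-identifiers substitute for possession of the out-of-band channel, which is the gap Thompson describes: classification decides what is regulated, but not what an attacker can use.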
“There is no legal body to sort it out, to give guidance, to help make sense of what one should do with a piece of data,” he says.
Following the trail of data transfer often proves too complex, as there are nodes in too many countries, Thompson says. Determining where an illegal act occurred, or where an actual physical offense took place, is proving difficult. “We're in serious catch-up mode,” Thompson says. “And, from a digital perspective, it is getting murkier.”
But there is some measure of hope. In his position as chair of the RSA Conference, Thompson is well placed to observe what the hot topics are. And despite the buzzwords of the day being cloud and cyberwarfare, when one digs deep into the agenda, privacy is the big-ticket item, he says. Based on the proposals for sessions at the annual conference, both in the United States and in its European edition, he is seeing issues being raised around the transfer of data and its privacy implications.