Cyber security is top of mind these days in corporate boardrooms, governments, and with consumers. Last week was exemplary with more reports of hacks and governments moving forward with measures attempting to address the growing threats.
The New York Times reported that bank hackers stole millions using malware in a scam that allegedly involved an attack on more than 100 banks and other FIs in 30 nations. This followed a series of seemingly unending reports of attacks against other organizations.
Faced with massive loss of confidence in U.S. cloud businesses, the U.S. moved to limit jurisdiction over data stored abroad. U.S. lawmakers introduced bipartisan bills seeking to limit the reach of U.S. courts over data stored in cloud services located outside the US. This move appears to attempt to reverse, in part, Microsoft’s lost legal challenge (and pending appeal loss) to U.S. warrants requiring it to produce documents stored on servers located outside the U.S.
Last week, President Obama signed an Executive Order — Promoting Private Sector Cybersecurity Information Sharing. The policy recognizes that in order to address cyber threats, private companies, nonprofit organizations, executive departments and agencies of the government, and other entities “must be able to share information related to cybersecurity risks and incidents and collaborate to respond in as close to real time as possible”. The Executive Order’s purpose, in part, is to encourage the voluntary formation of Information Sharing and Analysis Organizations (ISAOs) on the basis of sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities. ISAO membership may be drawn from the public or private sectors, or consist of a combination of public and private sector organizations.
In Canada, the Industry, Science and Technology Committee has been studying Bill S-4, the Digital Privacy Act. Bill S-4 has its problems and could be improved by amendments before it becomes law. The Bill has two important sections relevant to dealing with cyber security.
First, there is a new mandatory Federal security breach notification regime.
Second, the legislation would permit organization-to-organization disclosures in limited circumstances for the purposes of investigating a breach of an agreement or a federal or provincial law where getting the consent of the individual would compromise the investigation. Amendments to PIPEDA are required to ensure that organizations are able to collect, use, and share information related to cyber security threats to protect their own infrastructure and the personal information they hold about members of the public. Such an amendment is essential to protecting the public and is, perhaps, even more important than the new data breach notification amendments, which really build upon existing practices. The PIPEDA amendment should enable both organization-to-organization disclosures and disclosures to information sharing organizations, as contemplated by the U.S. Executive Order.