Balancing Security and Privacy Following the CISA Ruling
Posted January 15, 2016
By: Reed Taussig, president and CEO, ThreatMetrix
Amid a flurry of controversy, the Cybersecurity Information Sharing Act (CISA) passed in the U.S. Senate in late October by a 74-21 vote. If signed into law by President Obama, the bill will enable businesses to share cyber threat data with the government in an effort to prevent and mitigate cyberattacks. What has angered many, however, is that the bill shields businesses from liability when they voluntarily disclose consumer information to government or industry partners in the name of that sharing.
Threat intelligence sharing is necessary for national security, but it has limits. Businesses must ensure that, in using CISA to boost security through information sharing, they do not infringe on the privacy of individuals. Collecting and sharing more personal information than is needed to identify a threat would do lasting damage to privacy.
Here are three ways businesses can share threat information and protect against cybercrime without compromising privacy.
Anonymized shared intelligence
Safeguarding consumer data against both insider and outsider theft is the first step businesses can take to bolster security and maintain privacy. Other methods, including anonymized shared intelligence (threat indicators shared in a form that does not identify the individual), behavior-based identity proofing and context-based authentication, make it easier to strike a balance between the two. With these tactics in place, businesses can reassure privacy-conscious consumers while still giving government agencies the indicators they need to stop cybercriminals in their tracks.
Keeping information collection to a minimum
Most of the information that makes up a user's digital identity should never be collected or shared in the first place. A bank app may reasonably require a user's thumbprint and password to verify a financial transaction, but that level of assurance, and the data behind it, is not needed to hail a ride through a service such as Uber. Given the wealth of personal information stored on users' mobile devices and in individual mobile apps, industry-wide authentication guidelines are needed so that each app asks for no more than its risk warrants, protecting both security and privacy for consumers.
Securing customer and corporate identities
Aside from implementing new strategies to balance security and privacy, businesses should also be conscious of what happens to identity data after it is stolen. "Data in use" here means customer or corporate identities that are reused following a data breach without the individual's knowledge (not the more common meaning of data being actively processed, as distinct from data at rest or in transit). According to the Identity Theft Resource Center, more than 139 million personal records had been compromised by midway through 2015. Through device identification, malware detection and anonymized trust federation, businesses can screen a transaction for signs that the identity behind it is being used without its owner's consent before any personally identifiable information is processed.
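As an added illustration of what "anonymized shared intelligence" and "anonymized trust federation" can mean in practice (this is example code written for this page, not ThreatMetrix's product or any method the article describes), the Python below pseudonymises identifiers with a keyed hash (HMAC-SHA256) before they are shared, keeps only the fields a partner needs to match a later event, and contrasts a keyed pseudonym with a plain hash, which an outsider can reverse simply by guessing common identifiers. The federation key, the field names and the fraud events are assumptions constructed for the example.

```python
import hashlib
import hmac

# Assumption for this example: members of the sharing federation hold a secret
# key that is NOT handed to the party consuming the indicators (a government
# agency or partner). Illustrative value only; rotate real keys.
FEDERATION_KEY = b"example-federation-key-rotate-me"


def normalize(identifier: str) -> str:
    """Canonicalise an identifier so the same user yields the same pseudonym everywhere."""
    return identifier.strip().lower()


def pseudonymize(identifier: str, key: bytes = FEDERATION_KEY) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier."""
    return hmac.new(key, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, used only to show why hashing alone is not anonymisation."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def build_shared_indicators(events):
    """Turn local fraud events into a list that can be shared without raw PII.

    events: dicts with keys 'email', 'device_id', 'ip', 'threat' (assumed schema).
    Only the pseudonyms and the threat label survive: data minimisation means the
    e-mail address and IP address never leave the contributing business.
    """
    return [
        {
            "email_pseudonym": pseudonymize(ev["email"]),
            "device_pseudonym": pseudonymize(ev["device_id"]),
            "threat": ev["threat"],
        }
        for ev in events
    ]


def match_local_event(event, shared_indicators):
    """Check a new local event against the shared list using only pseudonyms.

    Returns the sorted set of threat labels whose e-mail or device pseudonym matches.
    """
    email_p = pseudonymize(event["email"])
    device_p = pseudonymize(event["device_id"])
    hits = {
        ind["threat"]
        for ind in shared_indicators
        if ind["email_pseudonym"] == email_p or ind["device_pseudonym"] == device_p
    }
    return sorted(hits)


def dictionary_attack(target_hash, candidates, hash_fn):
    """Try to reverse a hash by guessing candidate identifiers.

    Succeeds against an unkeyed hash of a low-entropy identifier such as an
    e-mail address; fails against a keyed pseudonym when the key is unknown.
    """
    for candidate in candidates:
        if hash_fn(candidate) == target_hash:
            return candidate
    return None


# Constructed sample data for the example, not real incidents.
LOCAL_FRAUD_EVENTS = [
    {"email": "Alice@Example.com", "device_id": "dev-1111",
     "ip": "203.0.113.5", "threat": "account_takeover"},
    {"email": "mallory@example.net", "device_id": "dev-2222",
     "ip": "198.51.100.7", "threat": "card_testing"},
]

SHARED = build_shared_indicators(LOCAL_FRAUD_EVENTS)

# A guess list an outsider might hold; constructed for the example.
CANDIDATE_EMAILS = ["bob@example.com", "alice@example.com", "carol@example.org"]


def demo():
    # A partner sees the same device behind a different e-mail: matched on device.
    new_event = {"email": "alice.new@example.com", "device_id": "dev-1111"}
    hits = match_local_event(new_event, SHARED)
    # An outsider with only the list and a guess list recovers the plain hash's
    # input but not the keyed pseudonym's.
    leaked_unkeyed = dictionary_attack(
        unkeyed_hash("alice@example.com"), CANDIDATE_EMAILS, unkeyed_hash)
    leaked_keyed = dictionary_attack(
        SHARED[0]["email_pseudonym"], CANDIDATE_EMAILS, unkeyed_hash)
    return hits, leaked_unkeyed, leaked_keyed


if __name__ == "__main__":
    print(demo())
```

The privacy of this scheme rests entirely on who holds the key: if every recipient of the indicators also holds it, a keyed pseudonym is no harder for an insider to reverse than a plain hash, so in a real federation the key stays with the contributing members (or a trusted matching hub) and is rotated, and the shared record carries nothing beyond the pseudonyms and the threat label.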
Although CISA recently passed in the Senate, debate surrounding the bill will rage on. Supporters of CISA will argue that information sharing prevents cybercriminals from carrying out attacks, while opponents will claim that it erodes privacy. Regardless of your stance on the issue, one thing remains clear: cyber threats have grown more sophisticated than ever before. No business or individual is strong enough to stand alone against increasingly severe cybercrime.
By bringing together businesses and government agencies, information sharing remains one of the most effective ways to protect against such threats. Because businesses themselves decide how much consumer information is shared with the government, it is up to them to ensure privacy is not sacrificed for the sake of security.