US CLOUD Act Drives Adoption of Cloud Encryption

By Rich Campagna, Chief Marketing Officer, Bitglass

The US Clarifying Lawful Overseas Use of Data (CLOUD) Act was quietly enacted into law on March 23, 2018. I say quietly due to the controversial nature of how it was passed: tucked into the back of a 2,300-page Federal spending bill on the eve of Congress’ vote. While debate rages on about both the way the bill was passed and the wide latitude the Act gives to the President and the State Department, the fact remains that it has been signed into law, and organizations need to start planning how to respond. For many, both in the US and abroad, that planning has drawn increased interest in Cloud Access Security Brokers (CASBs), and specifically in cloud encryption.

The CLOUD Act is meant to expedite law enforcement access to online/cloud data, specifically when that data is stored abroad. CLOUD is an update to the Electronic Communications Privacy Act (ECPA), which was passed in 1986, long before cloud was even a twinkle in any entrepreneur’s eyes. Under ECPA, the only way for the US and a foreign government to exchange such data was under a Mutual Legal-Assistance Treaty (MLAT), which must be passed by a 2/3 vote of the Senate.

(Enough Four or Five Letter Acronyms (FFLAs) in this post for you yet?)

Cloud(y) with a chance of encryption

Under the CLOUD Act, US Law Enforcement Agencies, at any level, can require tech companies to turn over user data, whether that data is stored in the US or abroad. CLOUD also allows the President and/or State Department to enter into law enforcement data sharing agreements with ANY foreign government without approval from Congress.

The CLOUD Act eliminates the need for the foreign entity to show probable cause or obtain a search warrant to request access to this information. While a cloud service provider (CSP) can deny this access, forcing the requester back to the much more time-consuming MLAT process, enterprises have no assurance that it will do so, putting the onus on the enterprise to take additional security measures to control access to their data.

The fix? Cloud encryption, typically implemented via CASB solutions.

Choosing a cloud encryption solution

Cloud encryption allows an organization to leverage cloud applications, while at the same time encrypting sensitive data with keys that the enterprise controls. Such a scheme combines the mobility, productivity and agility advantages of using the cloud, with the security of a private data center.

Not only does encryption help mitigate concerns over rogue CSP admins or hacking attacks by malicious outsiders, but in the event that a CSP turns over data as part of a now-lawful request by a US or foreign government agency, that data is useless to the third party without the cooperation of the enterprise, which holds the keys.

What to look for in an encryption solution?

1) Preservation of cloud app functionality

2) Full-strength, peer-reviewed encryption algorithms

3) Full enterprise control over encryption keys

California’s CCPA Brings EU Data Privacy to the US

By Rich Campagna, Chief Marketing Officer, Bitglass

Over the summer a new data privacy law, the California Consumer Privacy Act of 2018 (CCPA), was passed. Assembly Bill 375 is scheduled to go into effect on Jan 1, 2020, which means there will likely be a lot of change before we see the final, enforced version of the bill.

The net for now?

The US’s most stringent data privacy law, CCPA, looks a lot like GDPR, and will likely have impact far beyond the State of California. It also means that companies in all industries are now what we used to refer to as “regulated.” That means more focus on data protection tools like data leakage prevention, cloud access security brokers (CASB), encryption, and more.

CCPA: The US’s most stringent data privacy law

According to the Bill, the following will be covered by the CCPA:

  • Grants consumers the right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
  • Requires businesses to make disclosures about the information and the purposes for which it is used.
  • Grants consumers the right to request deletion of personal information and would require the business to delete upon receipt of a verified request, as specified.
  • Grants consumers the right to request that a business that sells the consumer’s personal information, or discloses it for a business purpose, disclose the categories of information that it collects, the categories of information sold or disclosed, and the identity of the third parties to which the information was sold or disclosed.
  • Requires businesses to provide this information in response to a verifiable consumer request.
  • Authorizes consumers to opt out of the sale of personal information by a business and would prohibit the business from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • Authorizes businesses to offer financial incentives for collection of personal information.
  • Prohibits businesses from selling the personal information of a consumer under 16 years of age, unless affirmatively authorized, as specified, to be referred to as the right to “opt in.”

The first half of the list reads very much like the corresponding provisions in the EU GDPR. The second half includes some interesting new twists.

GDPR … with a twist

The prohibition on discriminating against consumers that exercise their right to privacy, unless “the difference is reasonably related to value provided by the consumer’s data,” is a departure from GDPR regulations. That said, this clause seems far too vague to make it through to 2020 in its current form and will likely be heavily debated by lawmakers and lobbyists alike over the next 18 months.

Additionally, the authorization to offer financial incentives for collection of personal information is a notable addition, and it will be interesting to see how businesses make use of it. How does “free 2-day shipping if we can sell your personal data to a third party” sound?

The cost of non-compliance? “Not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.” To put that into context, last year’s Equifax breach of 145.5 million records would have amounted to a fine somewhere between $34 billion and $255 billion. Yikes!

All told, the scope of CCPA’s protections looks very similar to EU GDPR. For organizations that have applied GDPR globally, that’ll make the path to CCPA compliance much easier. And keep in mind that, like the GDPR, CCPA applies to any business handling California resident data, so even if you don’t have a physical presence in California, doing business in CA is enough to make you subject to the law.

Now what other states (and countries) do with their own privacy laws is a totally different story. It’s wishful thinking to think that others will follow California and the EU without changes of their own. The result will be either amazingly complicated enforcement, or the restriction of services in markets that aren’t nearly as large as California and the EU. If Congress were to step up and enact a national data privacy law it could go a long way towards simplifying this grim future picture. Bueller?

Australia’s First OAIC Breach Forecasts Grim GDPR Outcome

By Rich Campagna, Chief Marketing Officer, Bitglass

The first breach under the Office of the Australian Information Commissioner’s (OAIC) Privacy Amendment Bill was made public on March 16. While this breach means bad press for the offending party, shipping company Svitzer Australia, more frightening is the grim outcome it forecasts for organizations subject to GDPR regulations, which go into effect on May 25, 2018.

In the Svitzer case, 60,000 emails containing sensitive personal information on more than 400 employees were “auto-forwarded” to external accounts, a not uncommon way for employees to “get access” to their work emails from outside of the office. While the details of why these auto-forwarding rules were set up, and whether the intent was malicious or benign, are unclear, in many cases the objective is to avoid IT management of the user’s device while still gaining access to sensitive data.

Another common scheme to bypass unwanted IT controls is to share one’s cloud file-sharing drive with a personal email account. Both of these challenges are easily solved with Cloud Access Security Brokers (CASBs), which can secure employee devices without taking management control (helping to avoid auto-forwarding outcomes) and control the flow of data into and out of cloud apps (including external sharing control).
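The two exfiltration paths described above (mailbox auto-forward rules and drive shares to personal accounts) are simple to spot in an audit export once you know the domains the enterprise owns. The check below is an added illustration, not Bitglass or Svitzer code; the record layout, the `example.com` org domain and the sample events are constructed assumptions.

```python
"""Flag mailbox forward rules and drive shares whose target lies outside the
enterprise's own domains. Added example; record shape and domains are assumed."""
from typing import Dict, List

ORG_DOMAINS = {"example.com"}  # assumed: domains the enterprise controls

# Constructed sample records in the shape a mail/cloud audit export might take.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "mail_rule", "user": "alice@example.com",
     "action": "forward", "target": "alice.home@webmail.example"},
    {"type": "mail_rule", "user": "bob@example.com",
     "action": "forward", "target": "payroll@example.com"},
    {"type": "drive_share", "user": "carol@example.com",
     "action": "share", "target": "carol.personal@freemail.example"},
    {"type": "drive_share", "user": "dave@example.com",
     "action": "share", "target": "dave@example.com"},
    {"type": "mail_rule", "user": "erin@example.com",
     "action": "move", "target": "Archive"},
]


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one the enterprise owns."""
    if "@" not in address:
        return False  # folder names and other non-addresses are internal
    domain = address.rsplit("@", 1)[1].lower()
    return domain not in {d.lower() for d in org_domains}


def find_exfil_paths(events, org_domains=ORG_DOMAINS):
    """Return the events that route mail or files to an external account."""
    flagged = []
    for ev in events:
        if ev["type"] == "mail_rule" and ev["action"] != "forward":
            continue  # move/delete rules keep data inside the mailbox
        if ev["type"] == "drive_share" and ev["action"] != "share":
            continue
        if is_external(ev["target"], org_domains):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in find_exfil_paths(SAMPLE_EVENTS):
        print(f"{ev['type']}: {ev['user']} -> {ev['target']}")
```

Forwarding to another mailbox in the same tenant and sharing a drive with oneself are left alone; only the two records pointing at outside domains are flagged.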

The outcome in this case is bad press for Svitzer, causing loss of goodwill and perhaps some customers. It could have been worse, however. Under the Australian scheme, when OAIC is notified of the breach, which Svitzer has apparently done, the breach is made public but there are no direct financial penalties. If Svitzer hadn’t notified, they would have been subject to fines of “up to $1.8 million.” Penalties initially start with public apologies and compensation payments to the victims, with repeated non-notification ratcheting up fines to a maximum of $1.8 million.

What does all of this have to do with GDPR? Simple. With the upcoming GDPR enforcement deadline, some organizations are scrambling to reach compliance, while others are taking a wait-and-see approach. Once we pass the deadline, there WILL be companies with similarly simple issues that have a breach. The difference is in the penalties with GDPR. Rather than starting with simple fixes such as apologies and victim compensation, GDPR comes with severe penalties of up to €20 million or 4% of annual revenue, whichever is greater. Depending on the size and health of the organization, penalties like this could be terminal.

My prediction? We’ll quickly see the first examples, like Svitzer, and before the end of 2018, we’ll see the first bankruptcy as a result of GDPR fines and loss of business.