A group of cybersecurity firms just threw a wrench in the privacy debate: according to their filing with the National Technology and Information Administration (NTIA), companies occasionally need to compromise customers’ personal data and privacy in order to protect themselves from cyber threats.
The filing raises the old debate over privacy versus security, and it is by no means an easy question — many cybersecurity degrees and programs include classes on “Cybersecurity and Ethics” which raise this very issue.
In their filing, the Cybersecurity Coalition explains that in order to learn more about cyberattacks and prevent them from happening again or to other companies, the affected company will share data and “large-scale information” about the threat or attack.
“This is consistent with consensus best practices for comprehensive security programs, such as the NIST Cybersecurity Framework,” the coalition wrote in the filing.
But as a result of the data-sharing to mitigate cyber threats and attacks, companies may compromise their users’ or customers’ personal, private information.
“By necessity, some of this data can be linked to individuals or specific devices, thereby potentially falling under common definitions of ‘personal information,’” the coalition wrote. “For example, phishing, a highly prevalent and effective attack vector used to steal sensitive data, is based on spoofed emails and identities. To detect and avoid suspected phishing attempts, cybersecurity service providers may process such personal information including the email address, purported identity, and the IP address associated with the origination of the phishing email.”
This can create some friction over future privacy legislation. Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that he teaches a class on cybersecurity and ethics at MIT, and every year he asks his students which is more important: privacy or security.
His students are always “splattered” across the scale, he said.
“This is one of those things where people can have very legitimately different views,” he said. “Some people believe privacy is paramount, some people believe security is paramount. In most battles between privacy and security, privacy prevails.”
Some privacy law drafts, like proposals by the Center for Democracy and Technology and by Sen. Brian Schatz (D-Hawaii), would require companies to notify consumers of a data breach within 72 hours of a breach, even if not all consumers were affected. According to the Cybersecurity Coalition, this could be problematic from a cybersecurity perspective.
“If you’re a company and your computer is broken into, you don’t want to report it because 1) no one wants to do business with a company that’s been broken into, 2) more cybercriminals may try to break in,” Madnick said. “In this case privacy and cybersecurity are the same, because if I don’t tell someone I was broken into, more cybercriminals won’t try to break in. So this whole issue of privacy and security is an entangled web. If we don’t tell people we were broken into, we can do the research to make sure other people aren’t broken into.”
Sometimes, Madnick said, law enforcement will advise a high-profile company or federal agency not to disclose the attack or breach to avoid encouraging more cyberattacks and so they can track down the criminals more quickly.
For example, the Federal Communications Commission (FCC) did not publicly disclose an alleged cyberattack from May 2017 at the request of the Office of the Inspector General until the investigation of the incident concluded.
Still, refraining from disclosing an attack or breach looks bad from a privacy perspective and often results in a loss of trust from consumers. The FCC suffered severe backlash over the decision and the subsequent OIG report casting doubt over whether a cyberattack actually occurred.
Similarly, when Target suffered a data breach resulting in the compromise of millions of shoppers’ financial information, the retail giant did not immediately disclose the incident, ultimately resulting in bad press, a Secret Service investigation, hundreds of layoffs and financial loss for the company.
But that doesn’t mean companies should always report attacks and breaches right away. Last fall, the Democratic National Committee (DNC) rushed to cry “cyberattack” only to find out it was a cybersecurity test.
“If you talk too soon, you can embarrass yourself,” Madnick said. “It’s really a set of knotty problems.”
Because the balance between maintaining users’ and customers’ privacy and keeping with good cybersecurity practices is so precarious, it may complicate future privacy legislation, especially provisions requiring agencies, companies or municipalities to immediately notify users of a data breach.
According to the Cybersecurity Coalition, lawmakers should develop future privacy legislation through a “risk-based approach” instead of the rights-based approach advocated by consumer privacy groups.
“[We] support the development of reasonable, risk-based, fairly applied federal privacy regulations where robust security principles are included as a necessary and integrated part of the solution,” the coalition wrote.