Congress issued banks an implicit challenge last week when it ended the five-year controversy over how cybersecurity-threat information should be shared among companies and government agencies.
The issue had been clear: to what extent should companies protect customers' and employees' personal information as they compare notes about security incidents? Congress' answer was equally clear: not that much.
However, privacy experts still warn that the absence of consumer protections in the legislation — part of the omnibus spending bill approved last Friday on Capitol Hill — could backfire, making it easier for personally identifiable information to fall into the wrong hands while it circulates among private companies and federal authorities.
"The worst-case scenario is that this undermines data security and cybersecurity," said Robyn Greene, policy counsel at New America's Open Technology Institute. "Unless companies take upon themselves a higher burden than is required in the bill to remove personally identifiable information, a lot of PII can still be shared regardless of the fact it's totally unnecessary for increasing cybersecurity."
And that is where the challenge lies. It is up to banks and other private companies to do the right thing about data privacy: to try to protect it. It is a rare opportunity to help rebuild some of the public trust in bankers that was lost after the financial meltdown.
The Final Legislation
In the abstract, the sharing of information about threat indicators such as malware signatures could help companies react more quickly to cybercriminal attempts to break into their networks.
But where earlier versions of the cyberthreat-sharing bill had strong protections for consumer data built in, the final version of the Cybersecurity Information Sharing Act of 2015 eliminated or watered down many of those protections.
One clause stripped from the bill was a mandate to redact personal information that is not directly related to a cybersecurity event.
"They do have a requirement for companies to remove PII, but it's a dangerously weak requirement," Greene said. The standard for reviewing the data is low, she said.
"You run the risk of a cursory review that could miss some of the personally identifiable information that would have otherwise been identified and removed had that company engaged in reasonable efforts to review the data," she said. In the new bill, "there is no reasonable effort, there's no standard whatsoever. And the bill only requires the removal of data if you know at the time of sharing that it's not directly related to the threat. That creates a default position where companies can claim they don't have complete situational awareness and did not know whether or not the information was directly related to the threat. The default is to leave PII in the indicator, rather than remove it."
Also missing in the final act are provisions that would have prevented companies from directly sharing information with the National Security Agency. Privacy groups worry that the NSA and FBI could pull cybersecurity data feeds into their surveillance tools and mine them for their own purposes until they found actionable information.
That worry stems from the fact that "this program would have no judicial oversight," Greene said. "There wouldn't be that important check of Americans' civil liberties that courts usually serve in developing evidence in these situations."
The cybersecurity act no longer has restrictions on using gathered information for surveillance purposes. A requirement that the information be used only in a cybersecurity capacity was deleted. And where a prior bill had all breach data filtered through the Department of Homeland Security, the final version would allow free movement of cybersecurity data among all government agencies and storage at multiple government locations, several of which have been subject to data breaches in recent years.
Real-World Risks, Rewards
PII is coveted by malicious actors and hackers for various purposes, including identity theft and online-banking attacks. Sharing it among companies and government agencies creates more places where this information is stored and vulnerable to attack.
An example of how a consumer's personal data could be part of a threat indicator is if someone registered a website domain name that was being used to host malware.
"We might pull the information about who registered the domain, and depending on the nuances of the threat indicator, they might be an actual criminal or it may be a completely synthetic ID, which we see quite a bit of, or it might be a genuine person's information," said Sean Tierney, vice president of threat intelligence at IID, a threat intelligence platform provider. (Until November, Tierney was executive director of computer emergency response and cyberintelligence at Morgan Stanley.) "It could either be that they were involved in the suspicious activity or they may be a victim."
Most types of cyberthreat activity, such as malicious IP addresses and email addresses, do not include personally identifiable information, he said.
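The domain-registration case above is the kind of indicator where PII rides along with the threat data. The following is an added illustration, not code from the column or from any bank or vendor it quotes, of the stricter default the privacy experts describe: registrant fields are dropped before sharing unless an analyst affirmatively marks them as directly related to the threat, and the record carries a note of what was reviewed. The field names and the sample record are constructed.

```python
# Added example: minimise PII in a domain threat indicator before sharing.
# Field names and the sample record below are constructed, not real data.

# Fields that describe the threat itself; these are always kept.
INDICATOR_FIELDS = {"domain", "malware_sha256", "hosting_ip", "first_seen"}
# Registrant fields that identify a person; dropped unless explicitly retained.
PII_FIELDS = {"registrant_name", "registrant_street",
              "registrant_phone", "registrant_email"}


def minimise_indicator(record, related_pii=frozenset()):
    """Return (shared_record, removed_field_names).

    The default is the reverse of the statutory one described in the column:
    PII is removed unless the analyst lists the field in `related_pii` as
    directly related to the threat. Fields that are neither indicator nor
    known PII are dropped too, so an unexpected field never leaks by default.
    The input record is not modified.
    """
    retained_pii = set(related_pii) & PII_FIELDS
    shared, removed = {}, []
    for key, value in record.items():
        if key in INDICATOR_FIELDS or key in retained_pii:
            shared[key] = value
        else:
            removed.append(key)
    removed.sort()
    # Keep a minimisation note with the indicator so recipients can see
    # that a review happened and which PII, if any, was deliberately kept.
    shared["pii_review"] = {"removed": list(removed),
                            "retained_pii": sorted(retained_pii)}
    return shared, removed


SAMPLE = {  # constructed sample indicator with registrant data attached
    "domain": "example-malware-host.test",
    "malware_sha256": "00" * 32,
    "hosting_ip": "192.0.2.10",
    "first_seen": "2015-12-18",
    "registrant_name": "Jane Doe",
    "registrant_street": "1 Example St",
    "registrant_phone": "+1-555-0100",
    "registrant_email": "jane@example.test",
    "registrar_ticket": "T-123",  # neither indicator nor listed PII: dropped
}

if __name__ == "__main__":
    shared, removed = minimise_indicator(SAMPLE)
    print(shared)
    print("removed:", removed)
```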
The lighter requirements for removing personal data also concern Joseph Pizzo, field engineer at security company Norse Corp. "What we will see moving forward is data that is questionably protected and stored, but now it is complete with actionable data that, if it falls into the wrong hands, can cause problems with identity theft and financial loss," he said.
Pizzo also worries about the removal of the restriction on using the gathered information for surveillance.
"This allows the agencies that will gather this data to potentially target victims of security breaches and continually monitor them," he said.
What Banks Should Do
There are several things banks can do going forward, including supporting further congressional consideration of pro-customer reforms.
The Open Technology Institute is hoping Congress will take further action that will reinstate some privacy protections.
"There are immediate things Congress can do such as update the Reforming the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act to ensure that security researchers can do the work they do without fear of prosecution or civil liability," Greene said.
Meanwhile, banks should interpret the authorities they have been given under the cybersecurity act as narrowly as possible, and place a higher burden on themselves than is placed on them to respect privacy, Greene said.
The Founding Fathers were pretty clear about Americans' right to privacy when they wrote the Fourth Amendment to the Constitution: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
Regardless of apparent weaknesses in the current cybersecurity bill, banks hold a responsibility to protect the ever-shrinking level of privacy and control Americans have over their personal information. Banks need to take the time and effort to strip personally identifiable information from the data they share with each other and the government, as responsible corporate citizens and as stewards of some of their customers' most valuable information. In return, they may win back a degree of trust and goodwill that has been gradually seeping out to nonbanks and fintech companies.
Editor at Large Penny Crosman welcomes feedback on her column at firstname.lastname@example.org.