Rollback of FCC privacy requirements could have broad repercussions
- 11 April, 2017 21:30
Last week's rollback of the FCC privacy regulations was good news for ISPs and marketers and bad news for privacy advocates. But the decision could also have an impact on enterprise cybersecurity, experts say.
The repeal of the FCC privacy rules does not actually make the privacy situation worse, since the proposed rules had not yet gone into effect.
But it may inspire ISPs to expand their data collection efforts.
"What we're going to see is the extension of whatever products and services these telcos have been offering," said Fatemeh Khatibloo, analyst and privacy expert at Forrester Research. "It's just going to be happening a little more aggressively and a little bit faster. They've gotten a bit of a green light."
That has a number of implications for security teams tasked with protecting their company's customers, employees, and business partners.
The most obvious impact is that customers, increasingly concerned about online security, may pay closer attention to how the websites they visit handle the issue.
"From a business perspective, you've got to make sure you've got an encrypted website," she said. "HTTPS is going to be increasingly important, and consumers are being told to make sure they're on a secure and encrypted site."
In addition, CISOs might be called on to work with business and marketing departments on whether to take advantage of the data available to them from the ISPs and broadband providers, she said. "Is there a risk to the organization by doing so?"
Then there's the question of protecting employees when they're online.
"This has some interesting implications for the privacy of employees using the web and the data that may now be collected on them and their online activities," said Craig Spiezle, executive director and president at Online Trust Alliance. "For some, this might include the need to use VPN services."
Outsiders may gain access to data about employees' VoIP calls, location, and search history, he said.
"In an era of the U.S. government focusing on alleged wiretaps and cyber spying, we are now effectively handing this same data over to broadband providers to sell and share as they like," he said.
It's not just marketers who might want to gain access to this data.
"This information provides context around who we are, what we think, where we go and what we do," said Jeff Kukowski, CEO at SecureAuth. "The potential misuses of this information in the hands of attackers is concerning and therefore needs to be critically protected like any other identity-related information."
The ruling may also hurt the global competitiveness of US cloud service providers and may conflict with European privacy regulations.
"I think it will cause businesses to rethink where to put their data," said Forrester's Khatibloo. "It just doesn't shine a good light on the U.S. and its privacy policies."
"This has already called out some issues with GDPR and Privacy Shield," said Spiezle.
The decision may prompt other jurisdictions to step up their privacy protections.
"One likely outcome is that this will be another blow to the trust in the US privacy framework from European regulators that may make challenges or skepticism about Privacy Shield grow," said Dana Simberkoff, chief compliance and risk officer at AvePoint.
And it's not just foreign countries that could be taking a harder line on US companies. With the FCC now weakened when it comes to privacy protection, other US agencies may need to intervene.
"The FTC may have to step up by making examples of companies that act badly," she said.
And the federal government isn't the only player in the game.
"State privacy laws may step in to add to pressure on internet providers to be privacy respectful and good corporate citizens," she said.
One particularly worrisome aspect is the rollback of breach notification requirements, said Jeff Williams, CTO and cofounder at Contrast Security.
"The idea that ISPs don’t have to disclose breaches is just irresponsible," he said. "And with the cybersecurity threat higher than ever, the timing couldn’t be worse. I’ve argued for years that the best path to better cybersecurity is more visibility."
Companies make better cybersecurity decisions when they have to be transparent about their security practices and breaches, he said.
"Breach disclosure has worked and should be expanded – perhaps even establishing stronger federal rules," he said.
Meanwhile, companies can no longer rely on security provided by their ISPs, or the security at the other end of the connection from the ISPs used by their customers, employees and business partners, he said. That means that all communications everywhere should be using encrypted channels.
"I’m concerned that this is all a smokescreen to help undermine the use of encryption and allow law enforcement to gain access to internet communications," he added. "I’m hopeful that this will backfire completely and encourage increased use of VPNs."