U.S. Needs GDPR-Like Privacy Laws: Cyber Expert

Dan Gunderman

“America is under (cyber) attack.” Those are the introductory words from “Task Force 7 Radio” host George Rettas on his Feb. 19 program. The information security executive outlined last week’s Senate Intelligence Committee hearings and spoke with Chilean-American corporate lawyer and security expert Adriana Sanford.

Rettas discussed the cautionary words from the Director of National Intelligence, Dan Coats, who told the Senate Intelligence Committee that the cyber security posture in the U.S. with regard to emerging technologies is concerning and a threat to the nation.

Senate Hearing

Coats warned the committee that the U.S. is under constant attack by Russia. Commenting on that, Rettas said, “Russia wants to create societal chaos among citizens in the U.S.” Their aim, the host believes, is to “distract us from what our true enemies are” because they “despise our liberty and freedoms we have” and want to “bring down America as the world’s sole superpower.”

Rettas also outlined Admiral Michael Rogers’ briefing – where he said that in order to reach peak cyber performance, intelligence agencies need information from the private sector.

Rettas, a former Secret Service agent, pointed to the agency’s retention problem as a part of this issue. He said there are plenty of former Secret Service agents embedded in the private sector, who can be called upon for crucial intelligence.

The remaining segments of his show featured Sanford, an author, professor and Georgetown-educated corporate lawyer. Sanford, who’s an international TV commentator and privacy/cyber security scholar, also teaches at Loyola Marymount University.

See Related: 'Cyber Touches Everything': Innovation In The Cyber Domain

Aadhaar Identity Program

She began her time on “TF7 Radio” by discussing the Aadhaar Identity Program (biometrics) in India, in which 92% of India’s population partakes to streamline government services and transactions.

Although the system was meant to facilitate welfare payments and provide medical services, in 2016 the World Bank’s World Development Report called the system helpful for disadvantaged groups. It’s now widely accepted in the nation – for opening accounts, authenticating loans, filing taxes, etc. The system, Sanford said, handles 100 million authentications per day.

Sanford also pointed to a critical ruling in the nation’s Supreme Court in August 2017, in which the bench declared that there was an unprecedented need to protect data and regulate how information is stored, processed and used. She said the ruling could have wide-ranging implications for the rest of the world. Specifically, it could affect companies who outsource to India.

Aadhaar Identity Program

September 2017: People applying to get the Aadhaar Card. (Photo: Marco Saroldi/Shutterstock.com)

Sanford added that large corporations like Microsoft and Google could struggle with the new measures – including the General Data Protection Regulation (GDPR) – as they are subject to a number of regulations worldwide which could prohibit their current practices. That could put them “between a rock and a hard place,” the cyber expert stated.

“Unless we all sit down and come up with a uniform set of rules, it’ll affect us,” she said. “(This could be) our executives, our counsels, our companies, our in-house counsel, (etc.).”

Sanford said that as the Aadhaar system rolls out even further, additional countries are looking to emulate its effectiveness. She said countries like Russia, Morocco, Tanzania, Bangladesh and others may be “interested” in the system. Elsewhere, in France, the nation is looking at collecting a database of passports and identification cards for 60 million citizens.

She pointed to the United States’ lack of regulation and control of data brokers and miners. “Maybe the U.S. will adopt a different framework for privacy,” she said. “Maybe we’ll be the ones to change.”

EU As Leading Regulator?

In policy emerging just before the GDPR out of the EU, the agreed-upon Privacy Shield meant that the U.S. agreed to judicial redress for EU citizens if the U.S. violates the right to privacy. The EU, she said, has stronger rights than the U.S.

“I, as an American, would like to have a stronger right to privacy as well,” Sanford added.

The scholar and cyber expert suggested that EU frameworks have been used as benchmarks for reform in the past. It could be similar with data privacy. She pointed to various measures such as Know Your Customer in banking systems, the Gatekeeper Initiative and others which have been adopted on a wider scale and originated within the EU.

Sanford said that with regard to corruption and internet reform, the EU has consistently stepped up.

“There is a new landscape, a deeper level of scrutiny going on with increased compliance and broader accountability,” the “TF7 Radio” guest said.

See Related: 'Space Race': The Growth Of Cyber Security And Its Young Talent

1990s Directive

On whether security can truly be risk- and value-centric, Sanford said that the answer requires a look back at signature legislation from the 1990s. The European Data Protection Directive, which first came to light when the internet emerged, began as an effort to eliminate the patchwork system in place in different countries. Although the directive was not binding, it provided safeguards and guidelines for EU member countries. Sanford said the measure “worked really well.”

Yet, because the directive was filled with guidelines, countries tweaked them in different ways. Compliance groups had to check laws and notify all authorities in nations where business was present. In the era of the hack attack, a new issue has emerged. This was exacerbated in 2013 by Edward Snowden, who suggested that privacy was not important to certain nations, Sanford reiterated.

Sweeping Reform

European regulators knew it was time to make a stand, since the directive was no longer sufficient due to advancements. The latest comprehensive measure, the GDPR, is now a “one-stop shop,” Sanford said. Companies working in Germany, France and Italy will no longer have to notify all authorities. A hack would be disclosed to a data protection authority. The measure, she said, is also binding, as the directive before it was not.

The broader new regulation will affect anyone who works with EU citizens, Sanford said. This even affects small or midsize banks which may not even know they have a European presence. Hefty fines could be leveled on anyone not in compliance.

“In the U.S., we’re not discussing (GDPR) as much as we should,” the guest added. “It’s a concern, because even in school systems, universities are not diving into this as much as they need to.” Because large, multinational organizations must hire a data protection officer, more members of the workforce must be trained for that capacity.

Another new GDPR component includes short-term notice for breaches. Any hacked organization handling EU citizen data must notify the data protection authority within 72 hours. Sanford predicts we will see plenty of GDPR-heavy stories in the news as it rolls out in May.

“All companies have to handle this issue,” Sanford said. She pointed to Privacy by Design on any product or app – meaning privacy must be considered at the design stage, and Privacy by Default, meaning firewalls, settings, etc. must be at the highest level to protect privacy.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Task Force 7 Radio