"Intelligence-based security also requires information
sharing at scale," said Coviello.
But these changes are held back by a number of things, including
current privacy laws.
Coviello recounted a discussion he had with a CIO at a leading
European manufacturer. Laws require him to protect personally
identifiable information in his company's possession or run the
risk of stiff fines and penalties, which is fair enough, the CIO
"However, if he implements the very technologies needed to
protect that information, including visibility of traffic on his
own network, he can potentially and inadvertently break laws
designed to protect workers' privacy. So he can't win,
ridiculous but true," said Coviello.
"Where is it written that cyber criminals can steal our
identities but any industry action to protect us invites cries of
Big Brother," Coviello asked.
Privacy advocates were quick to attack Coviello. But his
willingness to go public is significant. Until now, with rare
exceptions, no mainstream businessman wanted to take the heat for
condemning privacy excesses. But it looks as though the wall of
silence is beginning to break.
RSA is no stranger to the privacy debate. Indeed, it built its
business reputation in the 1990s by leading the fight against
NSA's Clipper chip and encryption controls, which RSA saw then
as the main enemy of Internet security.
I was part of that fight, though on the other side, so I find
RSA's defection from the privacy camp deliciously symbolic.