Today, the Information Sharing and Analysis Organization (ISAO) Standards Organization published “SP 4000: Protecting Consumer Privacy in Cybersecurity Information Sharing.” The publication is a set of best practices that organizations of all kinds should follow to protect consumer privacy when they share cybersecurity information.
The practices reflect the collaborative effort of civil society, industry, and the government to ensure that organizations appropriately consider consumer privacy when they engage in cybersecurity information sharing, including as authorized by the Cybersecurity Information Sharing Act of 2015 (CISA).
The following can be attributed to Megan Stifel, Cybersecurity Policy Director at Public Knowledge:
“Broad adoption of the practices published today will support consumer privacy and cybersecurity information sharing. The growing wave of cybersecurity threats makes these information sharing guidelines more important, and more practical, than ever to protecting consumer data. Cybersecurity remains an evolving challenge for all companies and organizations, and sharing cybersecurity information is one effective tool we can use to help manage the risks posed through expanding interconnection. But with these opportunities comes the responsibility to appropriately manage these growing connections, including information about them and the consumers and organizations that use them. We believe these practices mark a vital step toward achieving this goal of protecting consumer data.
“The practices published by the Standards Organization outline a concise set of actions organizations, large or small, for profit or not, manufacturing or service-based, should undertake to help address consumer privacy in connection with cybersecurity information. They are relevant to organizations regardless of their participation in ISAOs and Information Sharing and Analysis Centers. Much information sharing continues to occur in small circles of trust, where the exchange of personally identifiable information is rare. Nevertheless, we believe that the legal authorizations codified by CISA, together with the growing number of non-federal organizations that collect, maintain, and share information for cybersecurity purposes, raise the possibility that consumers’ personal information may be shared.
“We urge all organizations to consult this list as they develop their cybersecurity capabilities and recommend that they request the same of entities with whom they do business or otherwise engage through the internet. Finally, we call on organizations to be open and transparent about their adoption of these practices.”
You may view the paper here.
Members of the media may contact Communications Director Shiva Stella with inquiries, interview requests, or to join the Public Knowledge press list at shiva@publicknowledge.org or 405-249-9435.