Public consultation on the Privacy Act – Submission – CrowdStrike

This submission is available in English only.

I. Introduction

In response to the Canadian Government’s request for public consultation on the Privacy Act, CrowdStrike offers the following views.

We approach these questions from the standpoint of a leading cloud-native cybersecurity provider that defends globally distributed enterprises from globally distributed threats. CrowdStrike offers insights informed by multiple practice areas: cyber threat intelligence; proactive and incident response services and managed security services; and an AI-powered software-as-a-service cybersecurity platform and marketplace. Accordingly, this perspective is informed by CrowdStrike’s role in protecting organizations from data breaches and a variety of other cyber threats.

II. Comments

A. Incorporating personal information protection principles from international models in the Privacy Act

We agree strongly with the need for a principles-based approach to a modern Privacy Act. It is critical to focus on internationally accepted, principles-based concepts rather than prescriptive technical requirements in order to enhance privacy while fostering technologies that secure personal data. A risk-based approach, in which factors such as the sensitivity of the data in question, the impact of a breach, and the mitigation actions taken by affected individuals are weighed, reflects the realities of a world where technological innovation advances at a faster pace than law. This means that the nature of the personal information and the context of the data processing activities should be central to the applicability of requirements. Consequently, principles-based approaches to data protection enable safeguards to follow sensitive data without inhibiting technological innovation.

B. Updating rights and obligations, and introducing new ones

1. Breach Notification

Regarding the suggestion to create an obligation to notify the Privacy Commissioner and affected individuals in certain cases of data breaches, CrowdStrike believes that any mandatory data breach reporting should be predicated upon a risk- and impact-driven approach. For example, many global data breach reporting obligations, including PIPEDA’s [Footnote 1], only require breach reporting where there is a risk of harm to affected individuals. Successful data breach reporting obligations can help incentivize organizations, including government agencies, to adopt adequate technical and organizational cybersecurity practices. Considerations regarding what constitutes an adequate cybersecurity practice should take into account both the actual risks and the state of the art. [Footnote 2] This approach further incentivizes organizations to account for modern, rapidly evolving data breach risks posed by cybersecurity threats from e-crime, ‘hacktivist’, and nation state actors using tactics such as ransomware, supply chain attacks, or malware-less intrusions.

Data breaches continue to increase over time. Security and data protection capabilities must therefore be robust, and their robustness depends on (i) reliance on globally distributed infrastructure and (ii) compliance with international standards and procedures. In order to ensure the most robust cybersecurity methods remain feasible, it is imperative that organizations have a duty to utilize state-of-the-art measures to protect personal data against unauthorised access, collection, use, disclosure, copying, modification, disposal, or similar risks.

CrowdStrike commends the recognition that various categories of data should be treated differently on a case-by-case basis to protect individuals’ personal data and to spur innovation. But we caution that additional guidance and criteria for when to notify the Privacy Commissioner of a data breach may be necessary to avoid significant uncertainty for legal practitioners.

C. Allowing a greater role for “de-identified” personal information

Data protection involves confidentiality, integrity, and availability. Accordingly, the context of data processing activities may mean that it is impractical to segregate or otherwise give special treatment to de-identified, anonymized, or pseudonymized techniques. For example, in cybersecurity, raw telemetry data about computer processes, which may include identifiable information, is integral to distinguishing signals from noise, incidents from alerts, and significant data breaches from minor events. In this context and others, safeguards in the form of role-based access controls, cybersecurity protections, and contractual accountability can provide appropriate accountability mechanisms to meet data protection objectives. Moreover, marketplace competition already incentivizes the adoption of best practices related to de-identification, anonymization, and pseudonymization.

D. Introducing stronger accountability mechanisms in the Act

1. Cross-border transfers of personal information

The Consultation Paper suggests that one way to appropriately protect the personal information of Canadians sent outside of Canada is to have a written agreement that could be supported by regulation or policy.

CrowdStrike agrees that one way to adequately protect cross-border transfers of personal information is through written agreements, specifically contractual agreements. Each party to a contract is bound to those with whom it has privity of contract, and the resulting legal protections create a “Chain of Contractual Accountability.” Moreover, each party must abide by its own directly applicable legal requirements in a “Chain of Independent Obligations.” In other words, data subject rights remain protected by (i) enforceable contractual obligations between the respective parties, and (ii) direct application of law, such as the Privacy Act, to any party processing personal data within the law’s scope.

Supporting such a written agreement can be done with a strong policy on cybersecurity. Cross-border data flows are necessary for cybersecurity in the private sector, much as national security depends upon cross-border data flows in the public sector. [Footnote 3] In fact, many of the most innovative technologies for protecting personal data against data breaches leverage endpoint telemetry data, cloud-native Software-as-a-Service (SaaS) delivery, 24/7 global threat hunting, and cross-correlation of indicators of attack. Moreover, modern IT infrastructure in general almost invariably involves cross-border data transfers.

We recommend considering the importance of cybersecurity as a supplemental measure to the written agreements by looking at threats, predominantly in terms of threat actors. Malware, malicious infrastructure, and adversary tactics, techniques, and procedures (TTPs) change over time, but the groups behind malicious activities are often more durable. This means that considering threat actor motivations helps defenders understand everything from the adversaries’ incentives to the risks posed by failing to prevent them from breaching an environment. Threat actors generally fall into three categories: criminal groups, which largely seek profit; nation state entities, which pursue a variety of geopolitical ends; and ‘hacktivists,’ which have ideological motives. When crafting guidance, governments must be concerned with each, particularly during a time of unprecedented attacks from specific nation states along with the general trend of increased e-crime.

Specific threats vary across these different types of actors, but a few are especially notable. Criminal groups increasingly target public sector entities with ransomware, which disrupts victim IT environments in order to extort funds. Nation state groups have also used ransomware-like tools and TTPs to cause disruptions for other ends. Additionally, nation states have been observed to hack and leak sensitive communications for political ends, or steal intellectual property or sensitive business information to strengthen domestic commercial actors. Across all types of threat groups, adversaries are leveraging TTPs that enable them to avoid using malware, which complicates detection and prevention for entities using unsophisticated or legacy security solutions.

Further, we advocate the “1-10-60 Rule.” [Footnote 4] This concept holds that security teams should endeavor to reliably detect malicious events within one minute; investigate them within ten minutes; and isolate or remediate affected hosts or resources within one hour. In addition, organizational leaders should measure each of these performance indicators over time, and continuously improve them until the goals are met. Organizations that can defend themselves at this velocity will be well-equipped to outpace the vast majority of threat actors [Footnote 5] and prevent minor security events from becoming costly, complex, and sometimes devastating incidents.
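The paragraph above asks leaders to measure the three 1-10-60 indicators over time. The following is an added example of how such measurement can be done from incident timestamps; it is not code from CrowdStrike’s submission or products. The `Incident` field names, the four constructed incident records, and the assumption that each phase is timed from the end of the previous one (detection from first malicious activity, investigation from detection, remediation from the end of triage) are all assumptions made for this illustration.

```python
"""Measure time-to-detect, time-to-investigate and time-to-remediate per incident
and compare them against the 1-10-60 thresholds. Added example; all incident
records below are constructed, not real data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

# Goals from the 1-10-60 rule: detect in 1 minute, investigate in 10, remediate in 60.
GOALS = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "remediate": timedelta(minutes=60),
}


@dataclass(frozen=True)
class Incident:
    """Four timestamps per incident (assumed field names, not from the submission)."""
    name: str
    first_malicious_activity: datetime  # earliest adversary action, established in hindsight
    detected: datetime                  # alert raised
    triage_complete: datetime           # investigation concluded, scope understood
    contained: datetime                 # affected hosts isolated or remediated


def phase_durations(inc: Incident) -> dict[str, timedelta]:
    """Each phase is measured from the end of the previous one. This is an assumption
    about how the rule is applied; the submission only names the three thresholds."""
    return {
        "detect": inc.detected - inc.first_malicious_activity,
        "investigate": inc.triage_complete - inc.detected,
        "remediate": inc.contained - inc.triage_complete,
    }


def meets_goals(inc: Incident) -> dict[str, bool]:
    """True for every phase that finished within its 1-10-60 threshold."""
    return {phase: d <= GOALS[phase] for phase, d in phase_durations(inc).items()}


def summarize(incidents: list[Incident]) -> dict:
    """Aggregate the indicators leaders are asked to track over time: the median
    duration of each phase (seconds) and the share of incidents within each goal."""
    summary: dict = {}
    for phase in GOALS:
        secs = [phase_durations(i)[phase].total_seconds() for i in incidents]
        within = sum(meets_goals(i)[phase] for i in incidents)
        summary[phase] = {
            "median_seconds": median(secs),
            "pct_within_goal": 100.0 * within / len(incidents),
        }
    all_three = sum(all(meets_goals(i).values()) for i in incidents)
    summary["pct_meeting_all_three"] = 100.0 * all_three / len(incidents)
    return summary


def _ts(hhmmss: str) -> datetime:
    """Helper: build a timestamp on a fixed constructed date."""
    return datetime.fromisoformat(f"2020-06-01T{hhmmss}")


# Constructed sample incidents. B misses the 1-minute detection goal; C misses the
# 10-minute investigation and 60-minute remediation goals; A and D meet all three.
SAMPLE_INCIDENTS = [
    Incident("A", _ts("09:00:00"), _ts("09:00:40"), _ts("09:08:00"), _ts("09:45:00")),
    Incident("B", _ts("10:00:00"), _ts("10:03:00"), _ts("10:10:00"), _ts("10:50:00")),
    Incident("C", _ts("11:00:00"), _ts("11:00:30"), _ts("11:20:00"), _ts("12:30:00")),
    Incident("D", _ts("12:00:00"), _ts("12:00:50"), _ts("12:05:00"), _ts("12:30:00")),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.name, meets_goals(inc))
    print(summarize(SAMPLE_INCIDENTS))
```

Run on a month of real incident records, `summarize` gives the per-phase medians and goal-attainment rates that can be charted period over period; a phase whose median improves while its attainment rate stalls points to a tail of slow cases worth examining separately.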

In sum, between the Chain of Contractual Accountability, the Chain of Independent Obligations and a strong policy on cybersecurity, personal information sent outside of Canada benefits from appropriate protection.

III. Conclusion

The Consultation Paper provides a thoughtful analysis of a complex legal and policy area. The Paper demonstrates Canada’s commitment to enhancing the trust of Canadians in the federal government’s treatment and management of personal information. As Canada considers appropriate updates to the Privacy Act, we recommend continued engagement with international stakeholders. Adversaries innovate at a record pace, and it is important to empower defenders to leverage global data flows, big data analytics, and machine learning to protect against ever-evolving threats. Finally, because the underlying technologies evolve faster than law and policy, we recommend and emphasize that any proposed legislative updates focus on principles rather than prescriptive requirements and include a mechanism for periodic revisions.

IV. About CrowdStrike

CrowdStrike® Inc. (Nasdaq: CRWD), a global cybersecurity leader, is redefining security for the cloud era with an endpoint protection platform built from the ground up to stop breaches. The CrowdStrike Falcon® platform’s single lightweight-agent architecture leverages cloud-scale AI and offers real-time protection and visibility across the enterprise, preventing attacks on endpoints on or off the network. Powered by the proprietary CrowdStrike Threat Graph®, CrowdStrike Falcon correlates over 3 trillion endpoint-related events per week in real time from across the globe, fueling one of the world’s most advanced data platforms for security.

With CrowdStrike, customers benefit from better protection, better performance and immediate time-to-value delivered by the cloud-native Falcon platform.

There’s only one thing to remember about CrowdStrike: We stop breaches. Learn more: https://www.crowdstrike.com/

V. Contact

We would welcome the opportunity to discuss these matters in more detail. Privacy and public policy inquiries should be made to:

Drew Bagley CIPP/E
VP & Counsel
Privacy and Cyber Policy

Robert Sheldon
Director
Public Policy & Strategy

Email: Privacy@crowdstrike.com

©2020 CrowdStrike, Inc. All rights reserved. CrowdStrike, the falcon logo, CrowdStrike Falcon and CrowdStrike Threat Graph are trademarks owned by CrowdStrike, Inc. and registered with the United States Patent and Trademark Office, and in other countries. CrowdStrike owns other trademarks and service marks, and may use the brands of third parties to identify their products and services.