Is the EU-US Privacy Shield in Jeopardy? – Breaking Down the Executive Order

By Jonathon Kirby

On January 25th, 2017, President Donald Trump signed the Executive Order titled Enhancing Public Safety in the Interior of the United States [1]. This Executive Order immediately drew the attention of technology organizations everywhere because of Section 14, which states:

Sec. 14.  Privacy Act.  Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information. [1]

This matters to organizations everywhere that conduct business globally because the Executive Order appears to be in direct conflict with existing legislative frameworks such as the EU-US Privacy Shield. Privacy Shield guarantees certain rights to EU citizens and their personal data and requires that such data be handled in specific ways [2]. Essentially, the US has, via Executive Order, deemed it necessary to process any personal data, whether of EU or US citizens, within the confines of its own federal agencies. To dispel the fears that have been swirling around this Executive Order, IAITAM feels it is necessary to identify two important distinctions:

  1. This Executive Order applies only to Federal Agencies and their ability to process data, not to private sector businesses or markets.
  2. EU citizens are minimally impacted because of the clause in Section 14 that reads “to the extent consistent with applicable law.” Law firm Squire Patton Boggs has identified that the EU Commission’s interpretation is that EU citizens may rely on the Judicial Redress Act of 2015 to exert their privacy rights and to gain access to US courts. As of February 1, 2017, the EU-US Umbrella Agreement became effective, which grants EU citizens the same benefits as the US Privacy Act via the Judicial Redress Act [2].

Now that the impact on EU citizens has been identified and addressed, it is important to understand how this Executive Order will directly influence the US and the Federal Agencies now granted the ability to process privacy data. The technology sector has historical precedent that applies to this situation and mirrors the actions taken by the US Government. These actions are strikingly similar to those of an organization that, due to data safety concerns, decides to end its vendor agreement with data processors and bring that responsibility in-house. When an organization terminates business with an outsourced vendor and performs the job function internally, several new challenges arise. To tackle these challenges it is best to begin with a broad analysis before focusing on the details:

  • Is this an optimized approach?
  • Am I at risk of an audit?
  • How is data security maintained?

It is fortunate that the technology sector has paved the road for the public sector to follow, given the public sector’s history of improper data security when data is processed internally. Between audits, wasteful federal budget spending, and breaches of personal data, the US government has shown that it is poorly equipped to process privacy data internally. In this light, the Executive Order puts at risk the personal data of every individual processed by the federal government.

IAITAM has identified areas where the US Government has failed to properly perform or optimize data security and financial responsibility within its ITAM Program [3]. These issues are widespread and include the Internal Revenue Service, the White House, the State Department, and the Veterans Administration. There were more than 60,000 cybersecurity and data integrity incidents in Fiscal Year 2013, and the situation has continued to worsen. In 2014, the US Government suffered:

  1. A social media hack within the Department of Defense / U.S. Central Command [4]
  2. A China-linked, state-sponsored cybersecurity attack on personal information within the U.S. Postal Service [5]
  3. A state-sponsored Russian intrusion into unclassified networks within the White House [6]
  4. A state-sponsored Chinese intrusion into the Department of Defense / U.S. Transportation Command [7]
  5. Inspector General reports of the Nuclear Regulatory Commission being hacked three times in three years [8]
  6. The compromise of a primary US security clearance contractor, U.S. Investigation Services [9]
  7. An unclassified email network hacked within the U.S. State Department [10]

With so many federal agencies being compromised on a regular basis, it becomes readily apparent that granting personal data processing to these federal agencies puts both the data and the people at risk. The historical precedent shows that the US Government is not currently prepared to handle the responsibilities necessary to process data as well as protect it. There needs to be a stop-gap between the processing of the data and the inability to protect it. The only way to successfully do that is to institute and enforce a mature and robust ITAM Program.

At the root of much of what ails the federal government, including bloated IT spending and related woes, is a lack of meaningful IT Asset Management (ITAM). ITAM is the bridge that links an organization’s financial, contractual, and physical IT inventory requirements with the goals and objectives of the operational IT environment.

The Federal Government’s approach to ITAM should include two components:

  • The first is a rigorous government-wide centralized ITAM program responsible for creating policies, procedures, processes, and metrics for all government agencies.
  • The second is an agency-level ITAM team, which would include the day-to-day management of all assets within that agency as set forth and required by the centralized program.

Concurrently, legislation should be enacted to protect and manage our greatest resource (technology) at the federal level, state level, and in critical infrastructure in the private sector. This legislation should address the areas of procurement, disposal, inventory management to the component level of IT Assets (such as hard drives), data security, and other mandated policies which would mitigate the risk to the United States and the critical infrastructure that is not owned by the government but is enabled and regulated by legislation.

A focus on ITAM at the federal level will decrease:

  • IT security threats by understanding what you have, how it is being used, where it is located, who is using it, and when it is being used.
  • Unnecessary IT spending by eliminating unused or underused products, maintenance, storage, and potentially hundreds of other areas from procurement to disposal.
  • Gross underutilization of existing IT assets by understanding what we actually have and what is actually needed.
  • Software license compliance violations by not only ensuring proper licensing but also eliminating rogue purchases.
  • Missing and/or lost equipment by knowing what you own, so that you can identify the danger quickly and efficiently should a piece of technology go missing or be lost.
  • Unauthorized user access by ensuring the standards are in place and backed by policy on who and when access is needed.
  • Data lost by tracking the components of assets containing information.
  • Unauthorized software programs installed and purchased outside of normal procurement process by ensuring a policy and standard is in place to eliminate rogue acquisition and installations.
  • Project mismanagement by establishing a set of standards that all projects must follow.
  • Contract inconsistencies by establishing a set of standards that all contracts and negotiations must follow.

A focus on ITAM at the federal level will increase:

  • Infrastructure security by providing the knowledge and understanding of what you have, how it is being used, where it is located, who is using it, and when it is being used within your environment.
  • IT accountability by providing measurements to understand what is owned and how it is used.
  • IT asset value by ensuring assets are used to their full potential and overspending is mitigated.
  • IT compliance by ensuring the procedures are in place to adhere to legislation and requirements.
  • Usable, reliable, real-time information for proactive IT business decision-making by enacting a reporting structure that monitors performance of assets.
  • Effectiveness in process adoption and automated management by defining procedures and processes that are repeatable and measurable.
  • ITAM awareness and ownership by establishing a communication and education key process area which promotes ITAM awareness.
  • Visibility of the IT asset environment to support IT Service Management through the association between the service and the asset.
  • Software patch management accuracy by providing the knowledge and understanding of what you have and where it lies in the lifecycle process.

[1] Trump, Donald J. “Executive Order: Enhancing Public Safety in the Interior of the United States.” The White House. The United States Government, 25 Jan. 2017. Web. 31 Jan. 2017.

[2] Ramos, Gretchen, and Zerina Curevac. “A White House Executive Order May Affect Validity of Privacy Shield.” Global IP & Privacy Law Blog. Squire Patton Boggs, 27 Jan. 2017. Web. 02 Feb. 2017.

[3] IAITAM. “IT Government Insecurity Report.” IAITAM. IAITAM, 01 Feb. 2015. Web. 2 Feb. 2017.

[4] Zetter, Kim. “Central Command’s Twitter Account Hacked…As Obama Speaks on Cybersecurity.” Wired. Conde Nast, 12 Jan. 2015. Web. 02 Feb. 2017.

[5] Nakashima, Ellen. “China Suspected of Breaching U.S. Postal Service Computer Networks.” The Washington Post. WP Company, 10 Nov. 2014. Web. 02 Feb. 2017.

[6] Nakashima, Ellen. “Hackers Breach Some White House Computers.” The Washington Post. WP Company, 28 Oct. 2014. Web. 02 Feb. 2017.

[7] Congress, 113th. “SASC Investigation Finds Chinese Intrusions into Key Defense Contractors | United States Committee on Armed Services.” Press Release | Press | United States Committee on Armed Services. United States Government, 17 Sept. 2014. Web. 02 Feb. 2017.

[8] Rogers, James. “Hackers Attack Nuclear Regulatory Commission 3 times in 3 Years.” Fox News. FOX News Network, 20 Aug. 2014. Web. 02 Feb. 2017.

[9] Finkle, Jim, and Mark Hosenball. “U.S. Undercover Investigators among Those Exposed in Data Breach.” Reuters. Thomson Reuters, 22 Aug. 2014. Web. 02 Feb. 2017.

[10] Chiacu, Doina, and Arshad Mohammad. “State Department’s Unclassified Email Systems Hacked.” Reuters. Thomson Reuters, 17 Nov. 2014. Web. 02 Feb. 2017.
