Re: PII

iluom · ‎03-03-2020

Hi all,

some ambiguity around PII

We have developed a web app to help us find missing or wrong detection like False Negative, False positives and URL classifications. Users are asked not to submit any personal data, but there are free text fields where they could potentially write whatever they want, including personal data. Users can also submit any kind of files, and again while they are asked not to send personal data, the files could contain anything.

I know this counts as PII and we do place necessary measures and controls. This data is being stored in a cloud DB

My worry about violation of any regulations/laws/standards. Does it????

Please throw your thoughts and suggestion.

Thank you.

Chandra Mouli, CISSP, CCSP, CSSLP

Caute_cautim · ‎03-03-2020

@iluom Who owns the original data? Who is the Data Controller? Who is the sub processor?

Is there transparency as to how, what and where you are processing the collected data?

Is the Cloud DB on premise? A private Cloud instance, Public Cloud or Hybrid?

Regards

Caute_cautim

dcontesti · ‎03-03-2020

@iluom wrote:
Hi all,

some ambiguity around PII

We have developed a web app to help us find missing or wrong detection like False Negative, False positives and URL classifications. Users are asked not to submit any personal data, but there are free text fields where they could potentially write whatever they want, including personal data. Users can also submit any kind of files, and again while they are asked not to send personal data, the files could contain anything.
I know this counts as PII and we do place necessary measures and controls. This data is being stored in a cloud DB
My worry about violation of any regulations/laws/standards. Does it????

Please throw your thoughts and suggestion.

Thank you.

@iluom

Additional to @Caute_cautim it is going to depend on where you live (too many privacy laws to list) but they can affect this app.

d

rslade · ‎03-03-2020

> iluom (Contributor I) posted a new topic in Tech Talk on 03-03-2020 10:30 AM in

> some ambiguity around PII

Ya think?

Just try to get anyone to define "privacy."

OK, this story goes back almost four decades. Was trying to do a systems analysis
for a church. With all the other major issues that they had to address, they got
totally deadlocked on the existence (just the existence, mind you, not even
mandating that it be populated) of a "birthdate" field in the member database.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
If you want the present to be different from the past, study the
past. - Baruch Spinoza
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

iluom · ‎03-04-2020

@Caute_cautim

I understand the operators who process the data are playing the role of data controller or Data processor.

In my case the data which is being stored might be comprised of PII and sensitive data though there is a Denial of any connection with or knowledge of , i mean DISCLAIMER is given in the web app for not providing any PII data. Users can push their PII from the App ignoring the disclaimer.

So, my basic and fundamental question is are we responsible to any legal obligations for the data breach though there is a DISCLAIMER ?

For your questions:

Who owns the original data?
The organization who is collecting the data owns the data (but it has no intention to collect personal data or sensitive data.. only opinions required)

Who is the Data Controller?
The organization who is owning the data (again no intention to collect the PII data)

Is there transparency as to how, what and where you are processing the collected data?
Yes, no PII required , its very clearly mentioned in the Web App to provide info to identify FP, FN .Third Party API will process the data

Is the Cloud DB on premise? A private Cloud instance, Public Cloud or Hybrid?
The Data get stored in a DB in public AWS cloud provider before it is passed on to a third party API for processing

The third party is given the task of processing data but not personal data.

The Data controller is responsible for ensuring that the relevant requirements for the protection and compliance with requirements for PII .

So, if the DISCLAIMER avoid all legal obligation in case of breach... we don't need to put controls and measures to protect the sensitive data if submitted by the customer accidentally or by virtue of ignorance or negligence. I see there is a overhead of protecting the data which is not a requirement of the business.

will it work??

Thanks

Chandra Mouli, CISSP, CCSP, CSSLP

iluom · ‎03-04-2020

Yes , its a Global web page

Chandra Mouli, CISSP, CCSP, CSSLP

Caute_cautim · ‎03-04-2020

@iluom I think you have some work to do, regardless of putting in a disclaimer. People will be people as they say. I would personally go through the requirements and necessary controls for meeting GDPR as a minimum, in order to protect your organisation.

Things are changing so, fast, you would also have to review your Privacy policies at least annually, to keep up with the rate of change going on at the present time.

Regards

Caute_cautim

iluom · ‎03-04-2020

@Caute_cautim

Perfect. I do agree with you. I just want to know just in case as per the general rule will it work?

Chandra Mouli, CISSP, CCSP, CSSLP

Shannon · ‎03-07-2020

@iluom, as others have said, you should consider regulations that apply to the system / service you provide, and not bank on a disclaimer.

A hypothetical example:

We provide a service which requires user info that doesn't include PII. We have a disclaimer on the site, citing that we won't be responsible for PII compromise, having asked customers / users not to enter it. Also, the regulatory authority mandates that we secure all services / systems with MFA, DLP, HTTPS, etc.

Now, should any user's PII get compromised, he won't file a case against us, but take this to the government authority here. (That's how things work in Saudi Arabia) The government won't rule it out just because of the disclaimer, they will instead audit our system / service to ensure that we have met all their requirements --- if we aren't compliant with these in any way, we may have to bear the costs which may factor in the loss of user PII.

My example is based on how things happen in Saudi Arabia. Its best to cover all gaps on your side, ensuring that you don't depend on deterrent controls alone. If you aren't sure about the scope, get an opinion from legal personnel, a Data Protection Officer, etc, and then present a case to your management.

To sum it up, ask yourself the following:

Is your definition of PII very clear to users, and specify what types of data are classified as PII?
Is your system / service compliant with ALL requirements by regulatory authorities in your area?
Does your disclaimer fully remove liability from you --- irrespective of how the PII is obtained?
Is the 3rd party you deal with given any clear definition of PII?
Is your organization willing to accept the risks of users' PII getting compromised?

(Like @Caute_cautim said, there's are a lot of things to be considered)

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz