KrakenIO Data Handling Policy
KrakenIO is committed to handling data responsibly in our cybersecurity efforts. This policy guides how we collect threat intelligence and manage exposed data, ensuring we follow laws like the CFAA and SHIELD Act while acting ethically to support stronger digital security for our clients and community.
Scope
This policy applies to all employees, contractors, and third parties involved in KrakenIO's data-handling activities, emphasizing adherence to legal standards and ethical practices.
Objectives
- To conduct data-handling activities for legitimate cybersecurity purposes.
- To adhere to the SHIELD Act, U.S. federal guidelines, and ethical considerations in all data-handling practices.
Principles of Data Handling
- Legitimate Use: Data handling, including intelligence gathering and data recovery, is conducted solely for legitimate cybersecurity purposes without intent to commit federal criminal violations.
- Compliance with Laws: KrakenIO commits to the SHIELD Act for protecting data such as leaked credentials, to the CFAA and ECPA for preventing unauthorized access, and to the FTC Act alongside New York's GBL Section 349 for representing our work honestly, for example when using public data for OSRA demos. DOJ guidance supports the lawful use of threat intelligence to assist clients without causing harm.
- Ethical Considerations: KrakenIO ensures ethical practices by securing data while it is in use, restricting its use to the protection of clients, and erasing it as soon as that purpose ends, so that it cannot be accessed or requested afterwards, upholding trust and privacy in cybersecurity.
Handling Breach Data and Cyber Threat Intelligence
Reflecting the guidance from the U.S. Department of Justice, KrakenIO adopts the following principles in our cybersecurity practices:
- Legitimate Cybersecurity Activities: "If a practitioner does not intend to use information obtained on a forum to commit a federal criminal violation, asking questions or soliciting advice on a forum is unlikely to constitute a crime."
- Ethical Intent for Use of Information: "... assumes the practitioners obtain information solely so that it can be used and shared for legitimate cybersecurity purposes (e.g., to help others and defend against cybersecurity threats) and with no criminal or malicious intent or motive."