What to Do When the Government Wants Your Data
CIO —
On the Friday before Memorial Day in 2002, FBI agents descended on a chain of scuba diving stores across the country called Dive Shops, trying to get data on everyone who had learned how to scuba dive since 1999. In order to help out panic-stricken shop owners, the Professional Association of Diving Instructors, the primary organization that oversees scuba certification, gave the FBI a zip drive containing names and other information on about 2 million Americans who had learned to dive over the previous three years.
It was one example of the private sector’s role in the war on terrorism. The U.S. government has over 30 data mining projects that use private-sector data. And while last year the departments of Justice and Homeland Security spent more than $25 million to purchase commercial records from data brokers such as ChoicePoint and LexisNexis, more often than not investigators get the data they want directly from companies, a tactic publicized by the recent National Security Agency project using telephone records. As the CIO, you are in charge of your company’s data. Therefore it is up to you to indemnify your company against legal liability by following the proper procedures when an investigator wants your data.
The first rule, says Behnam Dayanim, a partner with the law firm Paul, Hastings, Janofsky & Walker, is to take every request to the corporate counsel’s office. “You have to get a court order,” he says, or else you may be violating your company’s ¿privacy policy. Also, it is important to make sure that you comply with the request in the order and don’t give more than you are asked for.
Dayanim says that unless a company has a dedicated staffer to deal with requests from law enforcement (many telecommunications companies do, for example), investigators will most likely contact you through a letter addressed to a vague title like IT manager, or will call a junior-level database administrator directly. It is your responsibility to train your staff so they know that all requests must go through the legal department. “I think you have to hit people over the head with it,” says ¿Dayanim. “Most people’s response is to cooperate, but it exposes the company to a tremendous amount of legal liability. It puts the company at risk.”
© 2010 CXO Media Inc.
$firstKeyword
- Is ERP Ready for Corporate Social Responsibility?
- Changes to PCI Data Security Standard Leave Questions Unanswered
- Linux Compliance Program a Response to Surging Open Source Use
- Revisions to Credit Card Security Standard on the Way
- Supreme Court Didn't Touch The Real Issue With Sarbox
- Security Group Stretching Payment-Card Standards Cycle to Three Years
- PCI Council Launches Certification Program for IT Staff
- What's Wrong with the PCI Security Standard
- How Identity Governance Solves the Compliance
