Data Privacy: What to Do When Uncle Sam Wants Your Data

Memorial Day is typically the first big scuba weekend of the year, and the Friday before the 2002 holiday, May 24, proved no exception as dive shops around the country teemed with visitors. There was one notable difference, however. In addition to the usual beach bums, water bugs and vacationers renting equipment and booking trips, there were FBI agents demanding the names and addresses of everyone the shops had taught to dive since 1999.

They wouldn’t say why.

The Professional Association of Diving Instructors (PADI), an organization that oversees scuba certification, started hearing from panic-stricken shop owners that morning. "We got calls from all over the country saying, I don’t have [the data], what should I do?" says Jeff Nadler, PADI’s vice president of industry and government relations. In order to spare the dive shops further harassment on their first busy day of the year, Nadler made a critical decision: PADI would give the FBI a copy of its own database.

On Friday afternoon, he called the FBI agent in charge of the dive shop investigation and struck a deal. PADI would turn over its records if the FBI would agree not to share the information with any other organization, including other law enforcement groups.

Strictly speaking, PADI was acting voluntarily; the FBI had not subpoenaed its database. (One Florida dive shop owner refused the FBI’s request, and two-and-a-half hours later an agent returned with a subpoena.) The following Tuesday, Nadler mailed to the FBI a Zip drive containing the names, addresses and certification levels of almost every American who had learned to dive in the past three years: 2 million names and their accompanying personal information.

PADI’s experience is not unique. In the year and a half since Sept. 11, 2001, supermarket chains, home improvement stores and others have voluntarily handed over large databases of customer records to federal law enforcement agencies, almost always in violation of their stated privacy policies. Many others have responded to court orders for information, as required by law. Clearly, the government wants your corporate data, and under new legislation passed in the shadow of Sept. 11, it has a right to it.

Companies that lack the proper procedures to handle the new government mandates can expect to lose business and even face lawsuits (from customers outraged at the loss of their privacy). And then there’s the cost of infrastructure improvements to meet the demand for data. As czars of information, CIOs must take a leading part in preparing their companies for when the feds come knocking. As a senior FBI official told Nadler, "Last month it was apartments; this month it is scuba. Who knows what it will be next month."

The government’s hunger for data represents a profound about-face in how law enforcement operates. Before the terrorist attacks, when a crime occurred, investigators would work to determine the perpetrator’s identity, and then they would try to dig up as much information about the suspect as possible. Collect, then convict. Today, the FBI’s stated top priority is to "protect the United States from terrorist attacks," which implies stopping the bad guys before they strike. In other words, the new attitude is detect and deter. The FBI is now wading through enormous amounts of data looking for activity that could indicate a terrorist plot or crime.

"One of the significant new data sources that needs to be mined to track terrorists is the transaction space," says John Poindexter, the former national security adviser who now heads up the ominously named Total Information Awareness program (see "Taming Big Brother," Page 62). "If terrorist organizations are going to plan and execute attacks against the United States, their people must engage in transactions, and they will leave signatures in this information space." Of course, "transactions" could include just about anything, from transferring money to buying a sandwich at a local deli. Information gathering at this level is akin to searching for a terror needle in a data haystack.

Caught in the middle are American businesses, which are being forced to compromise their customers’ privacy to fulfill these new government mandates. Companies that don’t have the right language in their privacy statements or the proper process for handling data requests can expect trouble. And then there’s the cost. No one is quite sure what technology investments will be needed to satisfy law enforcement requests. Financial and travel companies have already had to create systems that check customer names against a government watch list in real-time. Some estimates for the cost of these systems run as high as $5 million for an average-size company. (The cost of not complying is even higher; the government fined Western Union $8 million in December when it failed to spot multiple transfers made by the same people.)

"I see this as a critical issue for businesses in this decade," says Alan Westin, professor of public law and government at Columbia University and president of Privacy and American Business, a nonprofit newsletter on privacy issues. Ultimately, says Westin, the burden falls on the CIO?the keeper of information and a company’s last line of data defense?to make sure that his company meets these new requirements and doesn’t get sued or fined.

"[The new legislation] forces more discipline around knowing your customer," says Peter McCormick, general manager and the CIO for Sumitomo Mitsui Banking, the U.S. wing of Japanese financial holding company Sumitomo Mitsui Financial Group. "It requires a different rigor than previously." McCormick says he now has to scan more data, respond to more requests for information and do it faster than ever before.

Fortunately, CIOs from data-sensitive industries such as finance, telecom and travel have already confronted this challenge and can offer some practical advice about sharing information with law enforcement. Herewith is a primer on the latest legislation, its policy and technical implications, and what you should be doing about it all.

A Recipe for Litigation

The primary legal instrument for this new data-sharing policy is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the payoff of this cumbersome name is the acronym USA PATRIOT, or Patriot, Act). While most of the bill outlines strict reporting requirements for financial institutions (more on that later), Section 215 of the Patriot Act amends the little known Foreign Intelligence Surveillance Act of 1978 to allow much broader access to private data. Specifically, Section 215 says federal agents "may make an application for an order requiring the production of any tangible things (including books, records, papers, documents and other items) for an investigation to protect against international terrorism or clandestine intelligence activities."

This law grants the FBI access to library records, video rentals and much, much more. "The language in 215 says ’including books,’" notes Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a technology and policy watchdog organization. "People who are not lawyers said ’books,’ then ’library,’ then ’They could get your reading record.’ They are right; it does apply to libraries and video rentals and bookstores. But it is also applicable to any business records."

The Patriot Act also lowers the standard to obtain a court order from having a reason to believe that an individual is involved in criminal activity to having relevance to an investigation. "It means," Tien says, "that there is more potential for fishing expeditions."

Even more ominous, Section 215 also says that "no person shall disclose to any other person...that the Federal Bureau of Investigation has sought or obtained tangible things under this section." In other words, it’s illegal to reveal if you have been asked for information. The attorney general is required to report the total number of orders requested and granted to the Senate and House judiciary committees every six months. However, the reports are classified.

Robert Levy, senior fellow in constitutional studies at the policy and research group Cato Institute, has his doubts about the constitutionality of these provisions. He adds that this is an issue for the courts to decide sometime in the near future (if Congress doesn’t step in first and amend the legislation).

Section 215 also has a clause intended to make companies feel better about sharing data: "A person who, in good faith, produces tangible things under an order pursuant to this section shall not be liable to any other person for such production." At first glance, this would seem to give companies immunity against lawsuits brought by angry customers whose data has been given to the government. But there is enough gray here to make a rainy day envious. First of all, organizations that volunteer information, like PADI and others have done, are not covered by this legal protection, since the safe harbor provision in the Patriot Act applies only to companies that receive a court order. Nor is the FBI legally bound by a verbal agreement, with the scuba divers’ association or any other organization, to not share its data with anyone else. In fact, under the Homeland Security bill passed last fall, the FBI is required to share data with other law enforcement agencies.

Update That Privacy Policy

PADI doesn’t have a privacy agreement with its members that says what it will and won’t do with the information it collects, but most companies do. An informal study of 60 Fortune 100 companies’ privacy policies found that 11 make no mention of sharing customer information with the government, even though many companies already do. For example, Home Depot’s privacy policy as stated on its website says it will share customer data with law enforcement to "identify those individuals who use this site for fraudulent or other illegal activities." (Home Depot’s policy does say it will share information customers submit about other people "as required by law" and "to comply with a court order or other legal process.") Forty-five percent of companies have already supplied customer, employee or business partner data to government or law enforcement agencies, according to a December 2002 CSO magazine (a CIO sister publication) survey of 797 organizations (for full survey results, go to www.cio.com/printlinks).

More startling, the CSO survey found that 41 percent of respondents said they are willing to share information without a court order if they believe it is in the interest of national security. But this eagerness to comply is a recipe for litigation, since volunteering data is quite different from being ordered to divulge information by a court, says Larry Ponemon, founder and senior partner of the compliance risk management practice at PricewaterhouseCoopers and head of the Ponemon Institute, a privacy and data protection think tank. Companies, he says, are putting themselves at risk "if you post a privacy policy and you don’t provide for every scenario or you go beyond what you say."

Of course, any potential litigation is predicated on the fact that customers find out that their data is being shared, which under current law shouldn’t happen. One West Coast grocery store chain is counting on just that. After a midlevel marketing manager on his own initiative gave its customer database to the FBI, the chain weighed publicly apologizing to its customers before deciding to keep the incident secret (the company declined to be interviewed for this story).

Laws, however, change. "My perception is that [the Patriot Act] was created very quickly, and a lot of the issues were not well thought out," says Ponemon. "There is an appetite for increasing public safety now. But say there is a political regime change or big corporations start to push back."

The Patriot Act could change if the Democrats win back the Senate, the Supreme Court rules portions unconstitutional or the nation’s security and privacy barometer shifts. There’s even a legal precedent for large companies to be sued once laws change. The Cato Institute’s Levy says there are notable examples of civil proceedings stemming from changing legislation, including tax shelter lawsuits and the large tobacco settlements.

Get It in Writing

Amending your privacy policy to state that you will give information to law enforcement when required by law is just a first step, and a small one at that. The best protection against litigation is to have a companywide policy that explicitly states what happens if and when law enforcement asks for data. This needs to be set at the executive level and distributed to every employee.

Charlie Lathram, vice president for security and business controls for BellSouth, says that the first part of every good policy is designating one person to handle law enforcement requests. Last year the telecommunications giant received 32,370 subpoenas and 636 court orders for customer information, about 100 requests a day. Due to the high volume, BellSouth actually has an entire request response team. Employees are trained so that the first thing they do when contacted by a law enforcement agent is to redirect that person to the team.
