Data Privacy: What to Do When Uncle Sam Wants Your Data


Albert Gidari, a Seattle-based attorney with Perkins Coie whose clients include AT&T Wireless and Nextel, companies with a long history of complying with investigations, says that even if a law enforcement agent says it is an emergency, companies need to get something in writing. "It can be on the back of a napkin if need be," he says. Gidari has been involved with cases where law enforcement agents have lied about their motives. One U.S. attorney said he needed information to investigate a terror threat when he actually was looking into a bank robbery. Another agent asked for a large amount of information citing a bioterrorism threat that turned out to be a drug sting. "Getting a written and signed document protects you. You don’t want to be in court and have a he-said-she-said argument," Gidari says. "The second thing is the public relations outcry. [When you get it in writing] you can say, ’We’re not collaborating, we are cooperating.’ The press will not be upset with you but with the agent who made the request."

For Lathram, just having it in writing isn’t good enough. BellSouth discloses customer information only if there is a valid court order or subpoena. Determining the validity of an order takes some special knowledge. Not all subpoenas are legal. For example, about 20 states can’t issue investigatory or grand jury subpoenas, while others can. A valid subpoena must contain information such as where it was issued and the prosecutor’s name. Complying with an illegal subpoena doesn’t meet the "where required by law" disclaimer of most privacy policies.

Furthermore, it is possible to question a subpoena. One of the dive shops subpoenaed in the scuba investigation challenged a subpoena and rather than go to court (and have the investigation entered into the public record), the FBI simply dropped the request. BellSouth challenges subpoenas it deems burdensome and voluminous. One request asked for all the incoming calls to a bank during a 90-day period. "In essence we ask the court to narrow the scope," says Lathram. "This is not an adversarial position. We’re just trying to understand what they are trying to get at."

Sumitomo Mitsui Banking’s McCormick says that financial companies can be fined under the Patriot Act if they do not respond to requests within five days. Fortunately, most law enforcement requests deal with data that is six to 12 months old, McCormick says. So he makes a point of keeping that kind of information online. Only occasionally does his staff have to scour through old, poorly indexed tape drives to find data that is more than a year old.

One issue that CIOs in particular need to be wary of is that their staffs (the individuals who will actually be collecting and supplying the data) don’t develop a relationship with specific law enforcement agents that results in a circumvention of the data-sharing policy. "More and more, law enforcement is making the assumption that companies will cooperate," says Ponemon. "And in some cases they may be getting sloppy. By the time [an agent] goes back to a company the 10th time, you know Joe and that he can pull this off." Ponemon has seen this firsthand. Recently, while performing a risk assessment for a CRM director at a large travel company, he discovered that the employee was about to give out new information under an old court order. "It was going to be complied with until I brought it to her attention," he says.

The Cost of Sharing Data

Coming up with and enforcing a data-sharing policy is relatively straightforward. More byzantine are the technical challenges of sharing this data.

There is no doubt that financial CIOs have their work cut out for them. McCormick says that Sumitomo Mitsui has to scan every incoming and outgoing transaction for names of people and institutions on several watch lists, and stop any that match from going through. Thanks to earlier investments in a middleware-intensive infrastructure, McCormick was able to install additional software that can cross-check names on fund transfers against government-supplied watch lists with relative ease. He purchased the cross-checking software package from Sybase (it costs around $500,000 for large financial companies) and uses a previously installed Sybase E-Biz Integrator as the middleware.

"Payment flows are routed to E-Biz and then to the scanning software," McCormick explains. "Assuming the payment is acceptable, the message is then routed onward. If the payment fails any of the required scans, the message is retained for investigation and further reporting. This architecture does not restrict us to any set number of systems. So if there were new requirements for scanning, it would not be difficult to integrate those into our infrastructure."

But for a company without an infrastructure that can easily accommodate the new scanning requirements, the costs would be much higher. "If you don’t have the infrastructure in place, good luck," McCormick says. "If you [search for suspicious activity] manually, you are in deep kimchi. I don’t think the government cares if you have systems or 10,000 guys going through 10,000 files, but at a certain point if you can’t scale, you are going down a slippery slope."

Bill Irving, president of Antwerp, Belgium-based consultancy Capco, estimates that most financial companies will have to spend $4 million to $5 million retrofitting their infrastructures before all is said and done.

What it means for nonfinancial companies is less clear. "[The Patriot Act] expanded the regulation way beyond commercial banking," Irving says. Now any company that processes financial transactions is considered a financial company. Case in point: Western Union’s $8 million ticket was the first fine under the Patriot Act and the largest ever for a money transmitter, even though it doesn’t fit the traditional definition of a financial company. Western Union spokeswoman Wendy Carver Herbert blamed IT for the failure that led to the fine. Financial institutions are required to report whenever someone makes transfers greater than $10,000. Western Union’s IT systems couldn’t tell when a single person was making multiple transfers from different locations totaling $10,000, and the company didn’t have plans to put the necessary systems in place. (It now will as part of the settlement.)
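The gap described above, checking each transfer on its own rather than summing one person's transfers across locations, can be shown in a short sketch. This is an added example, not code from the article or from any company it names; the record layout, the customer and agent identifiers, and the 24-hour aggregation window are assumptions, since the article gives only the $10,000 figure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000            # reporting figure named in the article (USD)
WINDOW = timedelta(hours=24)  # assumption: the article states no time window

# Constructed sample data: (sender_id, location, ISO timestamp, amount in USD)
TRANSFERS = [
    ("cust-17", "agent-seattle", "2003-03-03T09:10", 4000),
    ("cust-17", "agent-tacoma",  "2003-03-03T13:45", 3500),
    ("cust-42", "agent-seattle", "2003-03-03T14:00", 9000),
    ("cust-17", "agent-everett", "2003-03-03T18:20", 3000),
    ("cust-42", "agent-seattle", "2003-03-05T10:00", 2000),
]

def single_transfer_hits(transfers, threshold=THRESHOLD):
    """Per-transfer check only: misses amounts split across locations."""
    return [t for t in transfers if t[3] >= threshold]

def aggregate_hits(transfers, threshold=THRESHOLD, window=WINDOW):
    """Flag senders whose transfers inside any sliding window total >= threshold."""
    by_sender = defaultdict(list)
    for sender, location, ts, amount in transfers:
        by_sender[sender].append((datetime.fromisoformat(ts), location, amount))
    hits = []
    for sender, rows in by_sender.items():
        rows.sort()                       # chronological order per sender
        start, total = 0, 0
        for end, (ts, _, amount) in enumerate(rows):
            total += amount
            # Drop transfers that have aged out of the window ending at ts.
            while ts - rows[start][0] > window:
                total -= rows[start][2]
                start += 1
            if total >= threshold:
                in_window = rows[start:end + 1]
                hits.append({
                    "sender": sender,
                    "total": total,
                    "count": len(in_window),
                    "locations": sorted({loc for _, loc, _ in in_window}),
                })
                break                     # one report per sender in this sketch
    return hits

if __name__ == "__main__":
    print("per-transfer:", single_transfer_hits(TRANSFERS))
    print("aggregated:  ", aggregate_hits(TRANSFERS))
```

In the constructed data no single transfer reaches the threshold, so the per-transfer check reports nothing, while the aggregated check flags the one sender whose three same-day transfers at three locations total $10,500.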

Few doubt that the new laws will expand the government’s reach well beyond financial services. But so far, the IT costs of data sharing are mostly anecdotal. JetBlue Airways spent about three months building a system that could match the passengers checking in with names on the FBI’s watch list, says Vice President and CIO Jeff Cohen. That project included rewriting large pieces of the code for its reservation system. Lathram says BellSouth will run up some significant costs making its communications infrastructure, including optical phone and data lines, compatible with next-generation wiretapping tools so that the telecom can comply with the new requirements.

Even so, the future of data sharing for national security purposes remains fuzzy. "[Government agents] don’t know what they need yet," Lathram says.

So for now, they are asking for everything.


Copyright © 2003 IDG Communications, Inc.
