On the Friday before Memorial Day in 2002, FBI agents descended on a chain of scuba diving stores across the country called Dive Shops, trying to get data on everyone who had learned how to scuba dive since 1999. In order to help out panic-stricken shop owners, the Professional Association of Diving Instructors, the primary organization that oversees scuba certification, gave the FBI a zip drive containing names and other information on about 2 million Americans who had learned to dive over the previous three years.
It was one example of the private sector’s role in the war on terrorism. The U.S. government has over 30 data mining projects that use private-sector data. And while last year the departments of Justice and Homeland Security spent more than $25 million to purchase commercial records from data brokers such as ChoicePoint and LexisNexis, more often than not investigators get the data they want directly from companies, a tactic publicized by the recent National Security Agency project using telephone records. As the CIO, you are in charge of your company’s data. Therefore it is up to you to indemnify your company against legal liability by following the proper procedures when an investigator wants your data.
Dayanim says that unless a company has a dedicated staffer to deal with requests from law enforcement (many telecommunications companies do, for example), investigators will most likely contact you through a letter addressed to a vague title like IT manager, or will call a junior-level database administrator directly. It is your responsibility to train your staff so they know that all requests must go through the legal department. “I think you have to hit people over the head with it,” says ¿Dayanim. “Most people’s response is to cooperate, but it exposes the company to a tremendous amount of legal liability. It puts the company at risk.”