by Stephanie Viscasillas

Privacy Versus the FBI

Jan 01, 2002

CIOs have a good reason to rethink their company’s privacy policy. The antiterrorism law President Bush signed in late October makes it easier for officials investigating potential terrorist activity to get court orders to search companies’ business records. Having the right privacy policy in place can save executives from bad PR or lawsuits by customers or business partners whose data they may have to turn over if the feds come knocking.

Michael Arruda, chair of the Privacy and Security Practice Group of McCutchen, Doyle, Brown & Enersen in San Francisco, says many privacy policies promise customers that the company won’t share their data without their permission. Under the new law, however, the feds can actually prohibit companies from telling people when they share data with law enforcement.

In the past, companies didn’t have to worry about compromising privacy when they cooperated with investigators because the feds could get court orders to seize only specific data they could prove would implicate a suspect. Now investigators can go fishing and subpoena data they merely think might help their case. For instance, if they believe a suspected terrorist is using his employer’s e-mail system to plot attacks, they can get his entire address book, not just the addresses of suspected coconspirators. From there, it’s easy for them to get a warrant to read any of the suspect’s e-mail.

Companies can protect themselves with a privacy policy that clearly states any information could be turned over to the government during a criminal investigation, Arruda says. He says such a clause gives customers and business partners fair warning that their data isn’t completely confidential.

Other privacy experts see this differently. Cindy Cohn, legal director for the Electronic Frontier Foundation, a San Francisco-based civil liberties group, argues that using a privacy policy as a shield against lawsuits when cooperating with the government violates the intent of having the policy in the first place. A privacy policy that says executives will turn anything over to the government becomes “an explanation of how and when they’re going to violate your privacy,” she says, rather than a statement of how they’ll protect it.

The public wants law enforcement to have information valuable to a terrorism investigation, Cohn says, but people “aren’t ready to embrace a world where the government can look at everything they do.” With consumer confidence falling and dotcoms failing, Cohn thinks making a statement saying the company can no longer protect a customer’s data will create a backlash against doing business online.

According to Cohn, any executive presented with a subpoena should think carefully about what information he hands over. Most court orders are negotiable, she says, and company lawyers can ask investigators to scale back their requests if certain corporate information doesn’t seem relevant to the investigation. Arruda agrees that’s an option, but he says executives still risk being sued by a disgruntled customer or partner if they give up too much.

Privacy concerns are taking a backseat to national security in Congress these days, so it’s less likely now than before Sept. 11 that lawmakers are going to take any steps toward defining privacy protections for individuals. Civil libertarians such as Sen. Patrick Leahy (D-Vt.) see the antiterrorism bill, which also gives law enforcement officials expanded powers to monitor suspects’ e-mail and share the information they gather with intelligence agencies, as good fodder for creating privacy protections through court cases. Meanwhile, Leahy, who is chairman of the Senate Judiciary Committee, says he wants the panel to monitor the extent to which the privacy of innocent people is compromised by the law.

CIOs are now in the unusual position of having to balance national security interests with the needs of their companies. A privacy policy that takes both needs into account is a good place to start.