by Ben Worthen

Data Privacy: What to Do When Uncle Sam Wants Your Data

Apr 15, 2003

Memorial Day is typically the first big scuba weekend of the year, and the Friday before the 2002 holiday, May 24, proved no exception as dive shops around the country teemed with visitors. There was one notable difference, however. In addition to the usual beach bums, water bugs and vacationers renting equipment and booking trips, there were FBI agents demanding the names and addresses of everyone the shops had taught to dive since 1999.

They wouldn’t say why.

The Professional Association of Diving Instructors (PADI), an organization that oversees scuba certification, started hearing from panic-stricken shop owners that morning. “We got calls from all over the country saying, I don’t have [the data], what should I do?” says Jeff Nadler, PADI’s vice president of industry and government relations. In order to spare the dive shops further harassment on their first busy day of the year, Nadler made a critical decision: PADI would give the FBI a copy of its own database.

On Friday afternoon, he called the FBI agent in charge of the dive shop investigation and struck a deal. PADI would turn over its records if the FBI would agree not to share the information with any other organization, including other law enforcement groups.

Strictly speaking, PADI was acting voluntarily; the FBI had not subpoenaed its database. (One Florida dive shop owner refused the FBI’s request, and two-and-a-half hours later an agent returned with a subpoena.) The following Tuesday, Nadler mailed to the FBI a Zip drive containing the names, addresses and certification levels of almost every American who had learned to dive in the past three years: 2 million names and their accompanying personal information.

PADI’s experience is not unique. In the year and a half since Sept. 11, 2001, supermarket chains, home improvement stores and others have voluntarily handed over large databases of customer records to federal law enforcement agencies, almost always in violation of their stated privacy policies. Many others have responded to court orders for information, as required by law. Clearly, the government wants your corporate data, and under new legislation passed in the shadow of Sept. 11, it has a right to it.

Companies that lack the proper procedures to handle the new government mandates can expect to lose business and even face lawsuits (from customers outraged at the loss of their privacy). And then there’s the cost of infrastructure improvements to meet the demand for data. As czars of information, CIOs must take a leading part in preparing their companies for when the feds come knocking. As a senior FBI official told Nadler, “Last month it was apartments; this month it is scuba. Who knows what it will be next month.”

The government’s hunger for data represents a profound about-face in how law enforcement operates. Before the terrorist attacks, when a crime occurred, investigators would work to determine the perpetrator’s identity, and then they would try to dig up as much information about the suspect as possible. Collect, then convict. Today, the FBI’s stated top priority is to “protect the United States from terrorist attacks,” which implies stopping the bad guys before they strike. In other words, the new attitude is detect and deter. The FBI is now wading through enormous amounts of data looking for activity that could indicate a terrorist plot or crime.

“One of the significant new data sources that needs to be mined to track terrorists is the transaction space,” says John Poindexter, the former national security adviser who now heads up the ominously named Total Information Awareness program (see “Taming Big Brother,” Page 62). “If terrorist organizations are going to plan and execute attacks against the United States, their people must engage in transactions, and they will leave signatures in this information space.” Of course, “transactions” could include just about anything, from transferring money to buying a sandwich at a local deli. Information gathering at this level is akin to searching for a terror needle in a data haystack.

Caught in the middle are American businesses, which are being forced to compromise their customers’ privacy to fulfill these new government mandates. Companies that don’t have the right language in their privacy statements or the proper process for handling data requests can expect trouble. And then there’s the cost. No one is quite sure what technology investments will be needed to satisfy law enforcement requests. Financial and travel companies have already had to create systems that check customer names against a government watch list in real time. Some estimates for the cost of these systems run as high as $5 million for an average-size company. (The cost of not complying is even higher; the government fined Western Union $8 million in December when it failed to spot multiple transfers made by the same people.)

“I see this as a critical issue for businesses in this decade,” says Alan Westin, professor of public law and government at Columbia University and president of Privacy and American Business, a nonprofit newsletter on privacy issues. Ultimately, says Westin, the burden falls on the CIO, the keeper of information and a company’s last line of data defense, to make sure that his company meets these new requirements and doesn’t get sued or fined.

“[The new legislation] forces more discipline around knowing your customer,” says Peter McCormick, general manager and the CIO for Sumitomo Mitsui Banking, the U.S. wing of Japanese financial holding company Sumitomo Mitsui Financial Group. “It requires a different rigor than previously.” McCormick says he now has to scan more data, respond to more requests for information and do it faster than ever before.

Fortunately, CIOs from data-sensitive industries such as finance, telecom and travel have already confronted this challenge and can offer some practical advice about sharing information with law enforcement. Herewith is a primer on the latest legislation, its policy and technical implications, and what you should be doing about it all.

A Recipe for Litigation

The primary legal instrument for this new data-sharing policy is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the payoff of this cumbersome name is the acronym USA PATRIOT, or Patriot, Act). While most of the bill outlines strict reporting requirements for financial institutions (more on that later), Section 215 of the Patriot Act amends the little known Foreign Intelligence Surveillance Act of 1978 to allow much broader access to private data. Specifically, Section 215 says federal agents “may make an application for an order requiring the production of any tangible things (including books, records, papers, documents and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.”

This law grants the FBI access to library records, video rentals and much, much more. “The language in 215 says ‘including books,’” notes Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a technology and policy watchdog organization. “People who are not lawyers said ‘books,’ then ‘library,’ then ‘They could get your reading record.’ They are right; it does apply to libraries and video rentals and bookstores. But it is also applicable to any business records.”

The Patriot Act also lowers the standard to obtain a court order from having a reason to believe that an individual is involved in criminal activity to having relevance to an investigation. “It means,” Tien says, “that there is more potential for fishing expeditions.”

Even more ominous, Section 215 also says that “no person shall disclose to any other person…that the Federal Bureau of Investigation has sought or obtained tangible things under this section.” In other words, it’s illegal to reveal if you have been asked for information. The attorney general is required to report the total number of orders requested and granted to the Senate and House judiciary committees every six months. However, the reports are classified.

Robert Levy, senior fellow in constitutional studies at the policy and research group Cato Institute, has his doubts about the constitutionality of these provisions. He adds that this is an issue for the courts to decide sometime in the near future (if Congress doesn’t step in first and amend the legislation).

Section 215 also has a clause intended to make companies feel better about sharing data: “A person who, in good faith, produces tangible things under an order pursuant to this section shall not be liable to any other person for such production.” At first glance, this would seem to give companies immunity against lawsuits brought by angry customers whose data has been given to the government. But there is enough gray here to make a rainy day envious. First of all, organizations that volunteer information, like PADI and others have done, are not covered by this legal protection, since the safe harbor provision in the Patriot Act applies only to companies that receive a court order. Nor is the FBI legally bound by a verbal agreement, with the scuba divers’ association or any other organization, to not share its data with anyone else. In fact, under the Homeland Security bill passed last fall, the FBI is required to share data with other law enforcement agencies.

Update That Privacy Policy

PADI doesn’t have a privacy agreement with its members that says what it will and won’t do with the information it collects, but most companies do. An informal study of 60 Fortune 100 companies’ privacy policies found that 11 make no mention of sharing customer information with the government, even though many companies already do. For example, Home Depot’s privacy policy as stated on its website says it will share customer data with law enforcement to “identify those individuals who use this site for fraudulent or other illegal activities.” (Home Depot’s policy does say it will share information customers submit about other people “as required by law” and “to comply with a court order or other legal process.”) Forty-five percent of companies have already supplied customer, employee or business partner data to government or law enforcement agencies, according to a December 2002 CSO magazine (a CIO sister publication) survey of 797 organizations (for full survey results, go to

More startling, the CSO survey found that 41 percent of respondents said they are willing to share information without a court order if they believe it is in the interest of national security. But this eagerness to comply is a recipe for litigation, since volunteering data is quite different from being ordered to divulge information by a court, says Larry Ponemon, founder and senior partner of the compliance risk management practice at PricewaterhouseCoopers and head of the Ponemon Institute, a privacy and data protection think tank. Companies, he says, are putting themselves at risk “if you post a privacy policy and you don’t provide for every scenario or you go beyond what you say.”

Of course, any potential litigation is predicated on the fact that customers find out that their data is being shared, which under current law shouldn’t happen. One West Coast grocery store chain is counting on just that. After a midlevel marketing manager on his own initiative gave its customer database to the FBI, the chain weighed publicly apologizing to its customers before deciding to keep the incident secret (the company declined to be interviewed for this story).

Laws, however, change. “My perception is that [the Patriot Act] was created very quickly, and a lot of the issues were not well thought out,” says Ponemon. “There is an appetite for increasing public safety now. But say there is a political regime change or big corporations start to push back.”

The Patriot Act could change if the Democrats win back the Senate, the Supreme Court rules portions unconstitutional or the nation’s security and privacy barometer shifts. There’s even a legal precedent for large companies to be sued once laws change. The Cato Institute’s Levy says there are notable examples of civil proceedings stemming from changing legislation, including tax shelter lawsuits and the large tobacco settlements.

Get It in Writing

Amending your privacy policy to state that you will give information to law enforcement when required by law is just a first step, and a small one at that. The best protection against litigation is to have a companywide policy that explicitly states what happens if and when law enforcement asks for data. This needs to be set at the executive level and distributed to every employee.

Charlie Lathram, vice president for security and business controls for BellSouth, says that the first part of every good policy is designating one person to handle law enforcement requests. Last year the telecommunications giant received 32,370 subpoenas and 636 court orders for customer information, about 100 requests a day. Due to the high volume, BellSouth actually has an entire request response team. Employees are trained so that the first thing they do when contacted by a law enforcement agent is to redirect that person to the team.

Albert Gidari, a Seattle-based attorney with Perkins Coie whose clients include AT&T Wireless and Nextel, companies with a long history of complying with investigations, says that even if a law enforcement agent says it is an emergency, companies need to get something in writing. “It can be on the back of a napkin if need be,” he says. Gidari has been involved with cases where law enforcement agents have lied about their motives. One U.S. attorney said he needed information to investigate a terror threat when he actually was looking into a bank robbery. Another agent asked for a large amount of information citing a bioterrorism threat that turned out to be a drug sting. “Getting a written and signed document protects you. You don’t want to be in court and have a he-said-she-said argument,” Gidari says. “The second thing is the public relations outcry. [When you get it in writing] you can say, ‘We’re not collaborating, we are cooperating.’ The press will not be upset with you but with the agent who made the request.”

For Lathram, just having it in writing isn’t good enough. BellSouth discloses customer information only if there is a valid court order or subpoena. Determining the validity of an order takes some special knowledge. Not all subpoenas are legal. For example, about 20 states can’t issue investigatory or grand jury subpoenas, while others can. A valid subpoena must contain information such as where it was issued and the prosecutor’s name. Complying with an illegal subpoena doesn’t meet the “where required by law” disclaimer of most privacy policies.

Furthermore, it is possible to question a subpoena. One of the dive shops subpoenaed in the scuba investigation challenged a subpoena and rather than go to court (and have the investigation entered into the public record), the FBI simply dropped the request. BellSouth challenges subpoenas it deems burdensome and voluminous. One request asked for all the incoming calls to a bank during a 90-day period. “In essence we ask the court to narrow the scope,” says Lathram. “This is not an adversarial position. We’re just trying to understand what they are trying to get at.”

Sumitomo Mitsui Banking’s McCormick says that financial companies can be fined under the Patriot Act if they do not respond to requests within five days. Fortunately, most law enforcement requests deal with data that is six to 12 months old, McCormick says. So he makes a point of keeping that kind of information online. Only occasionally does his staff have to scour through old, poorly indexed tape drives to find data that is more than a year old.

One issue that CIOs in particular need to watch is that their staffs, the individuals who will actually be collecting and supplying the data, don’t develop relationships with specific law enforcement agents that end up circumventing the data-sharing policy. “More and more, law enforcement is making the assumption that companies will cooperate,” says Ponemon. “And in some cases they may be getting sloppy. By the time [an agent] goes back to a company the 10th time, you know Joe and that he can pull this off.” Ponemon has seen this firsthand. Recently, while performing a risk assessment for a CRM director at a large travel company, he discovered that the employee was about to give out new information under an old court order. “It was going to be complied with until I brought it to her attention,” he says.

The Cost of Sharing Data

Coming up with and enforcing a data-sharing policy is relatively straightforward. More byzantine are the technical challenges of sharing this data.

There is no doubt that financial CIOs have their work cut out for them. McCormick says that Sumitomo Mitsui has to scan every incoming and outgoing transaction for names of people and institutions on several watch lists, and stop any that match from going through. Thanks to earlier investments in a middleware-intensive infrastructure, McCormick was able to install additional software that can cross-check names on fund transfers against government-supplied watch lists with relative ease. He purchased the cross-checking software package from Sybase (it costs around $500,000 for large financial companies) and uses a previously installed Sybase E-Biz Integrator as the middleware.

“Payment flows are routed to E-Biz and then to the scanning software,” McCormick explains. “Assuming the payment is acceptable, the message is then routed onward. If the payment fails any of the required scans, the message is retained for investigation and further reporting. This architecture does not restrict us to any set number of systems. So if there were new requirements for scanning, it would not be difficult to integrate those into our infrastructure.”

But for a company without an infrastructure that can easily accommodate the new scanning requirements, the costs would be much higher. “If you don’t have the infrastructure in place, good luck,” McCormick says. “If you [search for suspicious activity] manually, you are in deep kimchi. I don’t think the government cares if you have systems or 10,000 guys going through 10,000 files, but at a certain point if you can’t scale, you are going down a slippery slope.”

Bill Irving, president of Antwerp, Belgium-based consultancy Capco, estimates that most financial companies will have to spend $4 million to $5 million retrofitting their infrastructures before all is said and done.

What it means for nonfinancial companies is less clear. “[The Patriot Act] expanded the regulation way beyond commercial banking,” Irving says. Now any company that processes financial transactions is considered a financial company. Case in point: Western Union’s $8 million ticket was the first fine under the Patriot Act and the largest ever for a money transmitter, even though it doesn’t fit the traditional definition of a financial company. Western Union spokeswoman Wendy Carver Herbert blamed IT for the failure that led to the fine. Financial institutions are required to report whenever someone makes transfers greater than $10,000. Western Union’s IT systems couldn’t tell when a single person was making multiple transfers from different locations totaling $10,000, and the company didn’t have plans to put the necessary systems in place. (It now will as part of the settlement.)
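As an added illustration, not code from Sumitomo Mitsui, Sybase or Western Union, of the two checks this section describes: routing each payment through a name scan against a watch list (held for investigation on a hit, routed onward otherwise), and the cross-location aggregation Western Union’s systems lacked, grouping transfers by the sender’s identity rather than by the location where they were made so that several small transfers that add up to $10,000 are noticed. The watch-list entries, the transfer records and the one-day aggregation window are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed watch list and window for illustration; a real deployment loads
# the government-supplied lists and the reporting rules that apply to it.
WATCH_LIST = {"acme shell trading ltd", "john q sample"}
REPORT_THRESHOLD = 10_000.00
WINDOW = timedelta(days=1)

def normalize(name):
    """Collapse case and whitespace so trivial spelling variants still match."""
    return " ".join(name.lower().split())

def screen_names(transfer, watch_list=WATCH_LIST):
    """Per-message scan: hold a payment whose sender or beneficiary is on the
    watch list, otherwise let the middleware route it onward."""
    parties = (transfer["sender_name"], transfer["beneficiary_name"])
    return "hold" if any(normalize(p) in watch_list for p in parties) else "route"

def aggregate_senders(transfers, threshold=REPORT_THRESHOLD, window=WINDOW):
    """Cross-location check: group by sender identity, not location, and flag
    any sender whose transfers inside a sliding window reach the threshold."""
    by_sender = defaultdict(list)
    for t in transfers:
        by_sender[t["sender_id"]].append(t)
    flagged = {}
    for sender, items in by_sender.items():
        items.sort(key=lambda t: t["time"])
        start, running = 0, 0.0
        for t in items:
            running += t["amount"]
            # Evict transfers older than the window that ends at this transfer.
            while t["time"] - items[start]["time"] > window:
                running -= items[start]["amount"]
                start += 1
            if running >= threshold:
                flagged[sender] = round(running, 2)
                break
    return flagged

def process_batch(transfers):
    """Run both checks and return (routed ids, held ids, senders to report)."""
    routed = [t["id"] for t in transfers if screen_names(t) == "route"]
    held = [t["id"] for t in transfers if screen_names(t) == "hold"]
    return routed, held, aggregate_senders(transfers)

def sample_transfers():
    """Constructed sample: one sender splits $10,500 across three locations in
    five hours; another sender's two $9,500 transfers are three days apart."""
    base = datetime(2003, 4, 15, 9, 0)
    def tx(tid, sid, sname, bname, loc, amount, offset):
        return {"id": tid, "sender_id": sid, "sender_name": sname,
                "beneficiary_name": bname, "location": loc,
                "amount": amount, "time": base + offset}
    return [
        tx("T0", "DL-TX-0007", "Dana Ordinary", "Kim Friend", "Dallas", 9500.0, timedelta(days=-3)),
        tx("T1", "DL-CA-0001", "Pat Example", "Sam Recipient", "Los Angeles", 4000.0, timedelta()),
        tx("T2", "DL-CA-0001", "Pat Example", "Sam Recipient", "San Diego", 3500.0, timedelta(hours=2.5)),
        tx("T3", "DL-CA-0001", "Pat Example", "Sam Recipient", "Phoenix", 3000.0, timedelta(hours=5)),
        tx("T4", "PP-NY-0042", "Chris Other", "Acme Shell Trading Ltd", "New York", 2500.0, timedelta(hours=1)),
        tx("T5", "DL-TX-0007", "Dana Ordinary", "Kim Friend", "Houston", 9500.0, timedelta(hours=1)),
    ]
```

A per-location check sees at most $4,000 from the first sender; keying on the sender’s identity is what surfaces the $10,500, while the second sender stays under the threshold because the window has expired.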

Few doubt that the new laws will expand the government’s reach well beyond financial services. But so far, the IT costs of data sharing are mostly anecdotal. JetBlue Airways spent about three months building a system that could match the passengers checking in with names on the FBI’s watch list, says Vice President and CIO Jeff Cohen. That project included rewriting large pieces of the code for its reservation system. Lathram says BellSouth will run up some significant costs making its communications infrastructure, including optical phone and data lines, compatible with next-generation wiretapping tools so that the telecom can comply with the new requirements.

Even so, the future of data sharing for national security purposes remains fuzzy. “[Government agents] don’t know what they need yet,” Lathram says.

So for now, they are asking for everything.