Select Committee on Home Affairs Written Evidence


APPENDIX 40

Memorandum submitted by Randal Gainer, Partner, Davis Wright Tremaine LLP

EXECUTIVE SUMMARY

  1.  The personal information and payment card data of millions of individuals in the United States have been obtained by thieves who have electronically penetrated commercial and government databases and have stolen laptops and other computer hardware. In the one-year period ending September 2006, criminals used such stolen data to commit fraud against more than eight million individuals in the US. Data breach notice laws in the US have exposed the breadth of this problem but have not motivated data controllers to implement adequate data security measures. New laws that are currently being proposed and adopted in the US will shift costs incurred due to data thefts from the banks and individuals that currently bear those costs to the organizations from which data are stolen, if those organizations fail to implement certain data security measures. Mr Gainer advises businesses in the US regarding their legal duties to implement data security measures and to respond to data thefts. His testimony addresses the positive features and shortcomings of current US data breach notice laws and the new cost-shifting laws.

  2.  Mr Gainer is also co-counsel with lawyers from the American Civil Liberties Union in a lawsuit against the US National Security Agency regarding the NSA's interception of phone calls and emails of US persons and the NSA's data mining of telephone call records. He will testify about some of the issues raised by that case and will recommend certain restrictions on governments' use of data mining.

TESTIMONY

  3.  Thank you, Chairman Denham and members of the Committee, for this opportunity to address some of the issues raised by the "Surveillance Society" report drafted for Commissioner Thomas. The report highlights serious threats to the privacy of residents of the UK and of other countries, including the US. I address here two issues raised by the report with which I have experience in the US: protecting the security of computerized consumer data and regulating government anti-terrorism surveillance. My testimony reflects my own views and not necessarily those of my firm, our clients, or my co-counsel at the ACLU.

The Positive Effects and Limitations of U.S. Data Breach Notice Laws

  4.  I represent businesses in matters that involve computer technology. In the last few years, I have assisted many businesses regarding thefts of electronic data. I would like to address some of the lessons we have learned in the US about statutes intended to protect consumer data from such thefts.

  5.  Theft of personal information is a serious problem in the US, as I understand it is in the UK. In the one-year period ending September 2006, the last one-year period for which complete statistics have been reported, electronic data regarding more than 73 million individuals were stolen or lost in the US. The information of at least 8.3 million of those 73 million persons was misused for fraud. Thirty-seven states in the US have enacted statutes that require entities that own or license computerized personal information about individuals to notify those individuals if unencrypted data about them are disclosed to an unauthorized person. The US Congress is considering proposed statutes that would apply across the US, preempt these state laws, and require notice to consumers in all parts of the US in similar circumstances.

  6.  I understand that the UK has no similar data breach notice law, though some commentators have suggested that such a law should be adopted. A data breach notice law would be an important component of an effort to reduce the theft of consumer data. It would undoubtedly expose the extent of such thefts, just as such laws have done in the US. Before California adopted the first US data breach law in 2003, reports of the theft of consumer data in the US were extremely rare. Now such thefts are reported daily. While there has likely been some increase in the number of such thefts between 2003 and today, it is not likely that such thefts began only after the notice laws were adopted. More likely is that organizations did not publicly disclose similar thefts that occurred before 2003.

  7.  Bringing the extent of data thefts into public view is important, but it is not enough. One purpose of data breach notice laws is to expose companies and government agencies that fail to take available steps to protect data to negative publicity, with the hope that such exposure will cause them to improve their security measures. Another important purpose is to permit potentially affected individuals and businesses to take defensive measures when individuals' data have been stolen. While the second purpose of data breach notice laws has been served by the statutes (individuals can monitor their accounts, and banks and payment card companies can cancel accounts or change account numbers), the first purpose, improving security, has not been well served by these statutes.

  8.  As part of my practice, I attempt to persuade business officials that they should take additional steps to protect consumer data. I regularly advise them that such preventive measures will be much less expensive than the costs of litigation, payment card association fines, or government penalties, all of which are possible if a data theft occurs. Very few businesses take adequate preventative steps to protect consumer data until after thieves have stolen such information. Business managers state that tight budgets generally do not permit expenditures for preventative security assessments and corrective measures.

  9.  Further, the deluge of data theft notices that have been issued since notice laws became effective in the US in 2003-04 has caused some consumers to ignore them. Something additional must be done.

  10.  I am aware that serious criminal penalties have recently been authorized in the UK for persons who steal private data. States in the US have even harsher criminal penalties available, and they impose serious penalties on data thieves when the police catch them. For example, a contractor's employee was recently convicted of stealing data from one of my clients. He was sentenced to four years in jail. Such potential criminal penalties have not, however, prevented the widespread theft of consumer data in the US.

  11.  A new approach is beginning to be adopted in the US. Last month, Minnesota became the first state in the US to adopt a law that permits financial institutions to recover costs related to data breaches from retailers that retain consumers' payment card data longer than necessary if the card data are later stolen. Financial institutions often have to replace payment cards when card data are stolen, which can cost up to $25 per card. In the past, US courts have held that banks may not recover those costs from retailers whose poor security contributed to a data theft. Five other US states are considering proposed statutes similar to the Minnesota law. AB 779, pending in California, would permit any owner or licensor of personal data to recover costs to send notices to affected individuals that are incurred after data are stolen from a business covered by California's data breach notice law.

  12.  Even these proposed new laws do not address a huge component of the financial costs of data thefts: pursuant to payment card association rules and standard payment card contracts, if a merchant accepts a fraudulent card for a transaction, the merchant will have to absorb the cost of the fraud. The cardholder is protected from having to pay such fraudulent charges by federal law in the US and by card issuers' policies. Card issuing banks are permitted to charge back the losses to the merchant; therefore, unless the merchant has gone out of business, the issuer is protected as well. Merchants who get stuck with fraudulent charges typically pass those charges on to consumers by raising prices, i.e., merchants adjust their prices to compensate for fraud losses. As is too often the case, it is the public that is penalized in the end.

  13.  If the best features of the recently enacted Minnesota statute and the other pending bills were combined, this outcome could be avoided. Any individual or business that incurs costs of any kind due to a data breach that was caused, in part, by another business's poor security measures should be able to recover those costs from the negligent business. Adequate security standards exist to determine whether a business has deployed adequate security, including the Payment Card Industry Data Security Standard and ISO 17799. Standards are not the problem. Failure to implement recommended security measures is the problem.

  14.  If such cost-shifting were authorized, negligent businesses would pay rather than consumers. Perhaps the risk of incurring such potential costs would motivate businesses to take additional steps to protect consumer data. Experience in the US shows that, until businesses (and perhaps government agencies) are threatened with paying for the costs of lax data security, many will fail to implement security measures that could prevent data thefts. Data controllers know that if a thief steals consumer data, others will bear most of the costs.

  15.  Some businesses do implement state of the art data security measures and they should be applauded. But the epidemic of thefts shows that data security is not the priority it should be.

  16.  Shifting the costs of data breaches has two additional benefits: it is fair (the negligent party pays), and it harnesses the power of economic incentives. Relying on mere shaming of data controllers has proven inadequate.

  17.  Cost-shifting could be adapted to the UK's regulatory approach to protecting data. The Information Commissioner could be authorized to order such cost-shifting if his investigation determines it is warranted.

The ACLU Litigation Against the National Security Agency

  18.  As you know, The New York Times disclosed the NSA's domestic surveillance program in December 2005. Two aspects of the NSA program were disclosed by the Times and by other media. One part of the surveillance program was the interception of emails and phone calls between US persons and non-US persons without either a criminal warrant or an order from the Foreign Intelligence Surveillance Court. The FIS Court is a specialized US court that considers government requests to authorize surveillance of foreign governments and terrorists. President Bush publicly admitted that he had authorized the phone call and email interception parts of the NSA program. The second aspect of the NSA program was the data mining of US persons' telephone call records to try to identify terrorists, which was also done without a warrant or FIS Court order.

  19.  The ACLU challenged the NSA program because the US Foreign Intelligence Surveillance Act, adopted in 1978 after politically motivated spying on US citizens by US intelligence agencies was exposed, requires domestic foreign intelligence surveillance to be conducted only as authorized by the FIS Court. The ACLU also claims that the NSA program violates US persons' free speech and due process rights. The ACLU challenged both aspects of the NSA program in federal court in Detroit.

  20.  I volunteered to help the ACLU and asked for help from other lawyers in our firm. More than a dozen attorneys in our offices have helped the very capable lawyers of the ACLU's national office with the litigation. We are doing that work pro bono. Such work by US attorneys is not unique. Others of my partners are representing prisoners at the Guantanamo Bay detention center. Lawyers from many other US law firms are similarly representing clients challenging US government actions that violate US and international law.

  21.  In addition to the ACLU lawsuit, more than 20 cases were filed in numerous cities across the US that challenged telephone companies' disclosure of call records to the NSA. Such disclosures are prohibited by US statutes in most circumstances and the statutes provide substantial financial penalties for each instance of unauthorized disclosure of call record data. The lawsuits against the phone companies were consolidated before a federal judge in San Francisco.

  22.  In the ACLU case, we obtained declarations from the plaintiffs—criminal defense lawyers, reporters, and scholars—that showed they could no longer communicate with confidential non-US sources without putting those sources at risk. The government did not dispute that evidence but sought to have the case dismissed on the grounds that it endangered state secrets. The government also claimed we could not show that the plaintiffs were actually targets of the program. Finally, the government argued that, if the court reached the merits, it should hold that Congress authorized President Bush to conduct the surveillance as part of the Authorization for Use of Military Force in Afghanistan or that the President has inherent authority, as Commander in Chief, to conduct the program.

  23.  In August 2006, Judge Anna Diggs Taylor held that the NSA had violated FISA and the First and Fourth Amendments to the US Constitution by intercepting US emails and phone calls without FIS Court approval. She rejected the government's state secrets claim about those aspects of the program because the government had publicly admitted them. She rejected the government's remaining arguments and ordered such surveillance to be stopped. Judge Taylor dismissed our data mining claims, holding that those claims were barred by the state secrets privilege.

  24.  Each side appealed. The Court of Appeals in Cincinnati suspended the injunction until it decides the case. Just before oral argument regarding the appeal on 30 January 2007, and just before Congress began hearings about the NSA program, the government announced that the FIS Court had approved the NSA program but that the government reserved the right to re-commence it at any time without FIS Court approval.

  25.  Judge Walker, the federal judge in San Francisco before whom the cases against the phone companies were consolidated, also refused to dismiss those lawsuits, which challenged the companies' disclosure of call records to the NSA. His decision is being reviewed by an appellate court in San Francisco.

  26.  A few weeks ago, former Deputy Attorney General James Comey testified to a Senate Committee that he and former Attorney General Ashcroft concluded in 2004 that the NSA program was illegal in its then-current form and that they had refused to sign a certification as to its legality. Mr Comey described an episode during which then White House counsel and now Attorney General Gonzales sought to get Ashcroft to sign the certification while he was hospitalized for an acute illness. Mr Comey testified that President Bush agreed that unspecified changes should be made to the NSA program after numerous Department of Justice officials, including Mr Comey, Attorney General Ashcroft, and FBI Director Mueller, threatened to resign if the illegal program continued.

  27.  The cases regarding the NSA program are important for several reasons. First, it is critical that US courts reiterate the principle that even the President must abide by statutes enacted by Congress. The rule of law requires no less.

  28.  Second, it is important that the courts reject the President's misuse of the state secrets privilege. The rule of law cannot survive if the President can break the law, admit it publicly, and then invoke the state secrets privilege to prevent judicial review of his actions.

  29.  Finally, it is important that the courts limit the government's computerized searching of billions of telephone call records of millions of individuals, whom the government does not allege have done anything wrong. If such surveillance is to be conducted, court review and supervision should be required.

DATA MINING OF GOVERNMENT AND COMMERCIAL TRANSACTION DATA

  30.  The "Surveillance Society" report discusses at pages 38-48 some of the reasons that unregulated government mining of personal data about ordinary citizens is objectionable. Other authors have described additional reasons that such government data mining should be strictly regulated.

  31.  There are at least six types of potential errors and abuses that may result from governments' counter-terrorism data mining efforts:

    —    Mistaken identity—a person with a similar name or other characteristics shared with a terrorist or criminal suspect may be misidentified as the target. This arises frequently with the "watch lists" used to screen airline passengers.

    —    Faulty inference—information may be misinterpreted to draw an erroneous inference that someone is associated with terrorists when he is not.

    —    Intentional abuse—agents authorized to access data have run checks for private investigators in exchange for fees.

    —    Security breaches—government data developed through data mining may be stolen or carelessly disclosed.

    —    Mission creep—systems justified to fight terrorists may be used for additional purposes, including law enforcement or increasing government control over individuals.

    —    Diminished trust—citizens may feel that they are under generalized surveillance, which will diminish their trust in government and inhibit their willingness to participate in lawful activities that may be misinterpreted, such as enrolling in pilot training.[236]

  32.  The last problem with data mining of consumer records, that it will heighten public distrust of government, is more ephemeral than the other potential abuses. It may, however, be the most important because it draws on individuals' unease about dramatic technological changes that have occurred in the last few years. Growing computer power and the declining cost of storing data make it practical for governments to store and search vast quantities of data. This, in turn, has decreased the "practical obscurity" that gave some comfort to individuals when it was impractical to collect scattered paper records and review them all. While there is still some practical obscurity that results from the massive volume of data available to governments, both from their own records and from commercial data aggregators, software search tools are rapidly improving, which is decreasing that obscurity as well.[237]

  33.  The threat to public safety has also changed. Threats are no longer posed primarily by hostile nation states. Terrorists, both those who are homegrown and those who infiltrate our borders, now threaten mass murder. Governments and individuals expect technology to be used to create actionable intelligence to identify terrorists and to prevent them from harming innocent people. US intelligence agencies' past failures to "connect the dots" have been universally criticized.

  34.  The ability to store vast amounts of data, the increasing ability to effectively search large databases, and the need to use all lawful means to prevent terrorists from carrying out their plans challenge policy makers to determine how to protect both privacy and security. Several technological tools can help and should be required:

    —    Anonymization—personally identifiable data in databases that are mined as part of counter-terrorism efforts should be anonymized. If a search produces a "hit," the specifically identified dataset can be de-anonymized. Anonymization should decrease individuals' concerns that every aspect of their lives is scrutinized.

    —    Access to data must be limited—permissioning rules for accessing the huge troves of government and commercial data that are aggregated for data mining should be built into system architecture and should be enforced.

    —    Immutable audit trails—each access to a database that contains personally identifiable data should create a log entry that cannot be changed. Such logs should be monitored to guard against intentional misuse of the data.
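The three controls above fit together as one access path: analysts search a dataset in which identifiers have been replaced by tokens, a single "hit" token can be reversed only through a gated lookup, and every attempt to reverse one lands in a log that cannot be quietly edited afterwards. The following is an added illustration in Python and is not part of the memorandum or of any system it describes; the field names, role names and sample records are constructed for the example, and the pseudonymization key would in practice be held with the re-identification vault rather than generated at start-up.

```python
"""Pseudonymised analysis dataset, gated re-identification and a hash-chained audit log."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed sample records (not real people); the field names are hypothetical.
RECORDS = [
    {"name": "A. Example", "phone": "+1-555-0100", "flight": "XX123", "enrolled": "pilot training"},
    {"name": "B. Sample", "phone": "+1-555-0101", "flight": "XX124", "enrolled": "none"},
    {"name": "C. Person", "phone": "+1-555-0102", "flight": "XX123", "enrolled": "none"},
]
IDENTIFIERS = ("name", "phone")          # fields that identify a person
PSEUDONYM_KEY = secrets.token_bytes(32)  # lives with the vault, never with the analysts' dataset


def pseudonym(record, key=PSEUDONYM_KEY):
    """Keyed hash of the identifying fields. An unkeyed hash of a name or phone number can be
    reversed by hashing candidate values; the secret key is what makes the token opaque."""
    ident = json.dumps({k: record[k] for k in IDENTIFIERS}, sort_keys=True).encode()
    return hmac.new(key, ident, hashlib.sha256).hexdigest()[:16]


def split_dataset(records):
    """Return (analysis_rows, vault). Analysis rows carry a token in place of identifiers;
    the vault maps token -> identifiers and is the only thing that can reverse a token."""
    analysis, vault = [], {}
    for r in records:
        tok = pseudonym(r)
        analysis.append({"token": tok, **{k: v for k, v in r.items() if k not in IDENTIFIERS}})
        vault[tok] = {k: r[k] for k in IDENTIFIERS}
    return analysis, vault


def hits(analysis_rows, **criteria):
    """Search the anonymised dataset; the caller only ever sees tokens."""
    return [r["token"] for r in analysis_rows if all(r.get(k) == v for k, v in criteria.items())]


@dataclass
class AuditLog:
    """Append-only log. Each entry commits to the hash of its predecessor, so changing or
    deleting an earlier entry breaks every later link and verify() returns False."""
    entries: list = field(default_factory=list)

    def append(self, actor, action, target, outcome):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "actor": actor, "action": action,
                "target": target, "outcome": outcome, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["seq"] != i:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


# The permissioning rule sits in the access path itself rather than in a procedure manual:
# only these (hypothetical) roles may reverse a token.
ROLES_MAY_REIDENTIFY = {"supervised_investigator"}


def reidentify(vault, log, actor, role, token):
    """Reverse one token for one hit. Refusals are logged as well as grants."""
    if role not in ROLES_MAY_REIDENTIFY:
        log.append(actor, "reidentify", token, "denied")
        raise PermissionError(f"{actor} ({role}) may not re-identify")
    identity = vault.get(token)
    log.append(actor, "reidentify", token, "granted" if identity else "no such token")
    return identity


if __name__ == "__main__":
    rows, vault = split_dataset(RECORDS)
    log = AuditLog()
    for tok in hits(rows, flight="XX123"):
        try:
            reidentify(vault, log, "analyst1", "analyst", tok)
        except PermissionError as exc:
            print("refused:", exc)
        print("identity:", reidentify(vault, log, "inv1", "supervised_investigator", tok))
    print("log intact:", log.verify())
```

The point the code makes that the list alone does not: the analysts' copy of the data holds nothing reversible on its own, the reversal step is a function call that enforces the role check before it touches the vault, and the log entry for a refused attempt is as tamper-evident as the entry for a granted one, which is what lets a monitor notice an agent probing for identities he is not cleared to see.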

  35.  Requiring privacy impact statements or "surveillance impact statements" for government surveillance programs, as recommended by Commissioner Thomas, may also help if a proposed surveillance project will be stopped or revised if an impact statement shows that the project will compromise individuals' privacy without producing results adequate to justify the effect on privacy rights.

CONCLUSION

  36.  Public debate about data security and about the privacy implications of governments' use of data mining for counter-terrorism efforts is important. Commissioner Thomas's report and these hearings are valuable parts of that debate. Thank you for the opportunity to contribute.

June 2007






236   James X. Dempsey and Paul Rosenzweig, Technologies that Can Protect Privacy as Information Is Shared to Combat Terrorism, 3-4, May 26, 2004, Center for Democracy and Technology.

237   K. A. Taipale, Designing Technical Systems to Support Policy: Enterprise Architecture, Policy Appliances, and Civil Liberties, in Emergent Information Technologies and Enabling Policies for Counter-Terrorism, Robert L. Popp and John Yen, editors (Wiley Interscience 2006), 444-45.

© Parliamentary copyright 2008
Prepared 8 June 2008