APPENDIX 40
Memorandum submitted by Randal Gainer,
Partner, Davis Wright Tremaine LLP
EXECUTIVE SUMMARY
1. The personal information and payment
card data of millions of individuals in the United States have
been obtained by thieves who have electronically penetrated commercial
and government databases and have stolen laptops and other computer
hardware. In the one-year period ending September 2006, criminals
used such stolen data to commit fraud against more than eight
million individuals in the US. Data breach notice laws in the US
have exposed the breadth of this problem but have not motivated
data controllers to implement adequate data security measures.
New laws that are currently being proposed and adopted in the
US will shift costs incurred due to data thefts from banks and
individuals that currently bear those costs to organizations from
which data are stolen if the organizations fail to implement certain
data security measures. Mr Gainer advises businesses in the US
regarding their legal duties to implement data security measures
and to respond to data thefts. His testimony addresses the positive
features and shortcomings of current US data breach notice laws
and the new cost-shifting laws.
2. Mr Gainer is also co-counsel with lawyers
from the American Civil Liberties Union in a lawsuit against the
US National Security Agency regarding the NSA's interception of
phone calls and emails of US persons and the NSA's data mining
of telephone call records. He will testify about some of the issues
raised by that case and will recommend certain restrictions on
governments' use of data mining.
TESTIMONY
3. Thank you, Chairman Denham and members
of the Committee for this opportunity to address some of the issues
raised by the "Surveillance Society" report drafted
for Commissioner Thomas. The report highlights serious threats
to the privacy of residents of the UK and of other countries,
including the US. I address here two issues raised by the report
with which I have experience in the US: protecting the security
of computerized consumer data and regulating government anti-terrorism
surveillance. My testimony reflects my own views and not necessarily
those of my firm, our clients, or my co-counsel at the ACLU.
The Positive Effects and Limitations of US Data Breach Notice Laws
4. I represent businesses in matters that
involve computer technology. In the last few years, I have assisted
many businesses regarding thefts of electronic data. I would like
to address some of the lessons we have learned in the US about
statutes intended to protect consumer data from such thefts.
5. Theft of personal information is a serious
problem in the US, as I understand it is in the UK. In the one-year
period ending September 2006, the last one-year period for which
complete statistics have been reported, electronic data regarding
more than 73 million individuals were stolen or lost in the US.
The information of at least 8.3 million of those 73 million persons
was misused for fraud. Thirty-seven states in the US have enacted
statutes that require entities that own or license computerized
personal information about individuals to notify those individuals
if unencrypted data about them is disclosed to an unauthorized
person. The US Congress is considering proposed statutes that
would apply across the US that would preempt these state laws
and would require notice to consumers in all parts of the US in
similar circumstances.
6. I understand that the UK has no similar
data breach notice law, though some commentators have suggested
that such a law should be adopted. A data breach notice law would
be an important component of an effort to reduce the theft of
consumer data. It would undoubtedly expose the extent of such
thefts, just as such laws have done in the US. Before California
adopted the first US data breach law in 2003, reports of the theft
of consumer data in the US were extremely rare. Now such thefts
are reported daily. While there has likely been some increase
in the number of such thefts between 2003 and today, it is not
likely that such thefts began only after the notice laws were
adopted. More likely is that organizations did not publicly disclose
similar thefts that occurred before 2003.
7. Bringing the extent of data thefts into
public view is important but it is not enough. One purpose of
data breach notice laws is to expose companies and government
agencies that fail to take available steps to protect data to
negative publicity, with the hope that such exposure will
cause them to improve their security measures. Another, important
purpose is to permit potentially affected individuals and businesses
to take defensive measures when individuals' data have been stolen.
While the second purpose of data breach notice laws has been served
by the statutes (individuals can monitor their accounts, and
banks and payment card companies can cancel accounts or change
account numbers), the first purpose, improving security, has
not been well served by these statutes.
8. As part of my practice, I attempt to
persuade business officials that they should take additional steps
to protect consumer data. I regularly advise them that such preventive
measures will be much less expensive than the costs of litigation,
payment card association fines, or government penalties, all of
which are possible if a data theft occurs. Very few businesses
take adequate preventative steps to protect consumer data until
after thieves have stolen such information. Business managers
state that tight budgets generally do not permit expenditures
for preventative security assessments and corrective measures.
9. Further, the deluge of data theft notices
that have been issued since notice laws became effective in the
US in 2003-04 has caused some consumers to ignore them. Something
additional must be done.
10. I am aware that serious criminal penalties
have recently been authorized in the UK for persons who steal
private data. States in the US have even harsher criminal penalties
available, and they impose serious penalties on data thieves
when the police catch them. For example, a contractor's employee
was recently convicted of stealing data from one of my clients.
He was sentenced to four years in jail. Such potential criminal
penalties have not, however, prevented the widespread theft of
consumer data in the US.
11. A new approach is beginning to be adopted
in the US. Last month, Minnesota became the first state in the
US to adopt a law that permits financial institutions to recover
costs related to data breaches from retailers that retain consumers'
payment card data longer than necessary if the card data are later
stolen. Financial institutions often have to replace payment cards
when card data are stolen, which can cost up to $25 per card.
In the past, US courts have held that banks may not recover those
costs from retailers whose poor security contributed to a data
theft. Five other US states are considering proposed statutes
similar to the Minnesota law. AB 779, pending in California, would
permit any owner or licensor of personal data to recover costs
to send notices to affected individuals that are incurred after
data are stolen from a business covered by California's data breach
notice law.
12. Even these proposed new laws do not
address a huge component of the financial costs of data thefts:
pursuant to payment card association rules and standard payment
card contracts, if a merchant accepts a fraudulent card for a
transaction, the merchant will have to absorb the cost of the
fraud. The cardholder is protected from having to pay such fraudulent
charges by federal law in the US and by card issuers' policies.
Card issuing banks are permitted to charge back the losses to the
merchant; therefore, unless the merchant has gone out of business,
the issuer is protected as well. Merchants who get stuck with
fraudulent charges typically pass those charges on to consumers
by raising prices, ie, merchants adjust their prices to compensate
for fraud losses. As is too often the case, it is the public that
is penalized in the end.
13. If the best features of the recently
enacted Minnesota statute and the other pending bills were combined,
this outcome could be avoided. Any individual or business that
incurs costs of any kind due to a data breach that was caused,
in part, by another business's poor security measures should be
able to recover those costs from the negligent business. Adequate
security standards exist to determine whether a business has deployed
adequate security, including the Payment Card Industry Data Security
Standards and ISO 17799. Standards are not the problem. Failure
to implement recommended security measures is the problem.
14. If such cost-shifting were authorized,
negligent businesses would pay rather than consumers. Perhaps the
risk of incurring such potential costs would motivate businesses
to take additional steps to protect consumer data. Experience
in the US shows that, until businesses (and perhaps government
agencies) are threatened with paying for the costs of lax data
security, many will fail to implement security measures that could
prevent data thefts. Data controllers know that if a thief steals
consumer data, others will bear most of the costs.
15. Some businesses do implement state of
the art data security measures and they should be applauded. But
the epidemic of thefts shows that data security is not the priority
it should be.
16. Shifting the costs of data breaches
has two additional benefits: it is fair, since the negligent party
pays, and it harnesses the power of economic incentives.
Relying on mere shaming of data controllers has proven inadequate.
17. Cost-shifting could be adapted to the
UK's regulatory approach to protecting data. The Information Commissioner
could be authorized to order such cost-shifting if his investigation
determines it is warranted.
The ACLU Litigation Against the National Security Agency
18. As you know, The New York Times
disclosed the NSA's domestic surveillance program in December
2005. Two aspects of the NSA program were disclosed by the Times
and by other media. One part of the surveillance program was the
interception of emails and phone calls between US persons and
non-US persons without either a criminal warrant or an order from
the Foreign Intelligence Surveillance Court. The FIS Court is
a specialized US court that considers government requests to authorize
surveillance of foreign governments and terrorists. President
Bush publicly admitted that he had authorized the phone call and
email interception parts of the NSA program. The second aspect
of the NSA program was the data mining of US persons' telephone
call records to try to identify terrorists, which was also done
without a warrant or FIS Court order.
19. The ACLU challenged the NSA program
because the US Foreign Intelligence Surveillance Act, adopted
in 1978 after politically motivated spying on US citizens by US
intelligence agencies was exposed, requires domestic foreign intelligence
surveillance to be conducted only as authorized by the FIS Court.
The ACLU also claims that the NSA program violates US persons'
free speech and due process rights. The ACLU challenged both aspects
of the NSA program in federal court in Detroit.
20. I volunteered to help the ACLU and asked
for help from other lawyers in our firm. More than a dozen attorneys
in our offices have helped the very capable lawyers of the ACLU's
national office with the litigation. We are doing that work pro
bono. Such work by US attorneys is not unique. Other partners
in my firm are representing prisoners at the Guantanamo Bay detention
center. Lawyers from many other US law firms are similarly representing
clients challenging US government actions that violate US and
international law.
21. In addition to the ACLU lawsuit, more
than 20 cases were filed in numerous cities across the US that
challenged telephone companies' disclosure of call records to
the NSA. Such disclosures are prohibited by US statutes in most
circumstances and the statutes provide substantial financial penalties
for each instance of unauthorized disclosure of call record data.
The lawsuits against the phone companies were consolidated before
a federal judge in San Francisco.
22. In the ACLU case, we obtained declarations
from the plaintiffs (criminal defense lawyers, reporters,
and scholars) that showed they could no longer communicate
with confidential non-US sources without putting those sources
at risk. The government did not dispute that evidence but sought
to have the case dismissed on the grounds that it endangered state
secrets. The government also claimed we could not show that the
plaintiffs were actually targets of the program. Finally, the
government argued that, if the court reached the merits, it should
hold that Congress authorized President Bush to conduct the surveillance
as part of the Authorization for Use of Military Force in Afghanistan
or that the President has inherent authority, as Commander in
Chief, to conduct the program.
23. In August 2006, Judge Anna Diggs Taylor
held that the NSA had violated FISA and the First and Fourth Amendments
to the US Constitution by intercepting US emails and phone calls
without FIS Court approval. She rejected the government's state
secrets claim about those aspects of the program because the government
had publicly admitted them. She rejected the government's remaining
arguments and ordered such surveillance to be stopped. Judge Taylor
dismissed our data mining claims, holding that those claims were
barred by the state secrets privilege.
24. Each side appealed. The Court of Appeals
in Cincinnati suspended the injunction until it decides the case.
Just before oral argument regarding the appeal on 30 January 2007,
and just before Congress began hearings about the NSA program,
the government announced that the FIS Court had approved the NSA
program but that the government reserved the right to re-commence
it at any time without FIS Court approval.
25. Judge Vaughn Walker, the federal judge in San Francisco
before whom the cases against the phone companies were consolidated,
also refused to dismiss those lawsuits, which challenged the
companies' disclosure of call records to the NSA. His decision
is being reviewed by an appellate court in San Francisco.
26. A few weeks ago, former Deputy Attorney
General James Comey testified to a Senate Committee that he and
former Attorney General Ashcroft concluded in 2004 that the NSA
program was illegal in its then-current form and that they had
refused to sign a certification as to its legality. Mr Comey described
an episode during which then White House counsel and now Attorney
General Gonzales sought to get Ashcroft to sign the certification
while he was hospitalized for an acute illness. Mr Comey testified
that President Bush agreed that unspecified changes should be
made to the NSA program after numerous Department of Justice officials,
including Mr Comey, Attorney General Ashcroft, and FBI Director
Mueller, threatened to resign if the illegal program continued.
27. The cases regarding the NSA program
are important for several reasons. First, it is critical that
US courts reiterate the principle that even the President must
abide by statutes enacted by Congress. The rule of law requires
no less.
28. Second, it is important that the courts
reject the President's misuse of the state secrets privilege.
The rule of law cannot survive if the President can break the
law, admit it publicly, and then invoke the state secrets privilege
to prevent judicial review of his actions.
29. Finally, it is important that the courts
limit the government's computerized searching of billions of telephone
call records of millions of individuals, whom the government does
not allege have done anything wrong. If such surveillance is to
be conducted, court review and supervision should be required.
DATA MINING OF GOVERNMENT AND COMMERCIAL TRANSACTION DATA
30. The "Surveillance Society"
report discusses at pages 38-48 some of the reasons that unregulated
government mining of personal data about ordinary citizens is
objectionable. Other authors have described additional reasons
that such government data mining should be strictly regulated.
31. There are at least six types of potential
errors and abuses that may result from governments' counter-terrorism
data mining efforts:
Mistaken identity: a person
with a similar name or other characteristics shared with a terrorist
or criminal suspect may be misidentified as the target. This arises
frequently with the "watch lists" used to screen
airline passengers.
Faulty inference: information
may be misinterpreted to draw an erroneous inference that someone
is associated with terrorists when he is not.
Intentional abuse: agents
authorized to access data have performed checks for fees for private
investigators.
Security breaches: government
data developed through data mining may be stolen or carelessly
disclosed.
Mission creep: systems
justified to fight terrorists may be used for additional purposes,
including law enforcement or increasing government control over
individuals.
Diminished trust: citizens
may feel that they are under generalized surveillance, which will
diminish their trust in government and inhibit their willingness
to participate in lawful activities that may be misinterpreted,
such as enrolling in pilot training.[236]
32. The last problem with data mining of
consumer records, that it will heighten public distrust of government,
is more ephemeral than the other potential abuses. It may, however,
be the most important because it draws on individuals' unease
about dramatic technological changes that have occurred in the
last few years. Growing computer power and the declining cost
of storing data make it practical for governments to store and
search vast quantities of data. This, in turn, has decreased the
"practical obscurity" that gave some comfort to individuals
when it was impractical to collect scattered paper records and
review them all. While there is still some potential obscurity
that results from the massive volume of data available to governments,
both from their own records and from commercial data aggregators,
software search tools are rapidly improving, which is decreasing
that obscurity as well.[237]
33. The threat to public safety has also
changed. Threats are no longer posed primarily by hostile nation
states. Terrorists, both those who are homegrown and those who
infiltrate our borders, now threaten mass murder. Governments
and individuals expect technology to be used to create actionable
intelligence to identify terrorists and to prevent them from harming
innocent people. US intelligence agencies' past failures to "connect
the dots" have been universally criticized.
34. The ability to store vast amounts of
data, the increasing ability to effectively search large databases,
and the need to use all lawful means to prevent terrorists from
carrying out their plans challenges policy makers to determine
how to protect both privacy and security. Several technological
tools can help and should be required:
Anonymization: personally
identifiable data in databases that are mined as part of counter-terrorism
efforts should be anonymized. If a search produces a "hit,"
the specifically identified dataset can be de-anonymized. Anonymization
should decrease individuals' concerns that every aspect of their
lives is scrutinized.
Access to data must be limited: permissioning
rules for accessing the huge troves of government and commercial
data that are aggregated for data mining should be built into
system architecture and should be enforced.
Immutable audit trails: each
access to a database that contains personally identifiable data
should create a log entry that cannot be changed. Such logs should
be monitored to guard against intentional misuse of the data.
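The three measures above, shown together as an added illustration that is not part of the memorandum and does not describe any actual government system: call records are pseudonymised with a keyed HMAC before analysts see them, so searches can still link records about one number; a "hit" can be mapped back to a subscriber only by a separate custodian who checks an approval; and every request, granted or refused, goes into a hash-chained log in which altering or deleting an earlier entry is detected. The call records, the custodian key, the analyst name and the "FISC-" approval convention are all constructed for the example.

```python
"""Added example (not from the memorandum): keyed pseudonymisation,
gated re-identification, and a hash-chained audit log."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample call records; the numbers are fictitious.
CALL_RECORDS = [
    {"caller": "+1-202-555-0101", "callee": "+1-202-555-0199", "secs": 120},
    {"caller": "+1-202-555-0150", "callee": "+1-202-555-0199", "secs": 45},
    {"caller": "+1-202-555-0172", "callee": "+1-202-555-0133", "secs": 600},
]

# Assumed to be held by a data custodian, not by analysts. Without it a
# pseudonym cannot be mapped back to a subscriber.
PSEUDONYM_KEY = b"example-custodian-key-not-for-real-use"


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: deterministic, so records about one number still
    link up for analysis. A plain hash of a phone number could be
    brute-forced over the number space; the secret key prevents that."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes = PSEUDONYM_KEY):
    """Strip direct identifiers before records reach the analysis store."""
    return [{"caller": pseudonym(r["caller"], key),
             "callee": pseudonym(r["callee"], key),
             "secs": r["secs"]} for r in records]


def frequent_callees(pseudo_records, threshold: int = 2):
    """Toy analytic over pseudonymised data: callees reached by at least
    `threshold` distinct callers. A result is the 'hit' that would justify
    asking the custodian to re-identify one token."""
    callers_by_callee = {}
    for r in pseudo_records:
        callers_by_callee.setdefault(r["callee"], set()).add(r["caller"])
    return sorted(p for p, c in callers_by_callee.items() if len(c) >= threshold)


class AuditLog:
    """Append-only log. Each entry carries the hash of the previous entry,
    so editing, reordering or deleting an earlier entry breaks the chain
    from that point on and verify() reports where."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        material = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def append(self, actor, action, target, approval=None):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "target": target, "approval": approval,
                 "when": datetime.now(timezone.utc).isoformat(), "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> int:
        """-1 if the chain is intact, else the index of the first entry whose
        sequence number, back-link or hash does not check out."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


class Custodian:
    """Holds the token -> subscriber map and enforces the access rule.
    Every request, granted or refused, is written to the audit log."""

    def __init__(self, records, log: AuditLog, key: bytes = PSEUDONYM_KEY):
        self.log = log
        self.reverse = {pseudonym(n, key): n
                        for r in records for n in (r["caller"], r["callee"])}

    def reidentify(self, analyst: str, token: str, approval):
        # Assumption for the example: an approval is a court order reference
        # beginning "FISC-"; a real system would verify a signed authorisation.
        if not (approval and approval.startswith("FISC-")):
            self.log.append(analyst, "reidentify-denied", token, approval)
            raise PermissionError("re-identification requires a court order")
        self.log.append(analyst, "reidentify", token, approval)
        return self.reverse.get(token)


def run_example():
    """Search, one approved re-identification, one refused request, then a
    log check before and after someone edits an earlier entry."""
    log = AuditLog()
    custodian = Custodian(CALL_RECORDS, log)
    hits = frequent_callees(pseudonymise(CALL_RECORDS))
    number = custodian.reidentify("analyst-1", hits[0], "FISC-2007-0001")
    try:
        custodian.reidentify("analyst-1", hits[0], None)
        refused = False
    except PermissionError:
        refused = True
    intact = log.verify()
    log.entries[0]["approval"] = None      # tampering with the first entry
    return {"hits": hits, "number": number, "refused": refused,
            "intact": intact, "tampered_at": log.verify()}


if __name__ == "__main__":
    print(run_example())
```

Two design points. The pseudonym uses a keyed HMAC rather than a bare hash because the space of telephone numbers is small enough to hash exhaustively, so an unkeyed hash would be reversible by anyone. The hash chain only detects tampering, it does not prevent it: the log must therefore be written to a store that the people and processes with data access cannot modify (write-once storage, or a head hash periodically copied to an independent party), and it must be read regularly, which is the monitoring the paragraph above calls for.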
35. Requiring privacy impact statements
or "surveillance impact statements" for government surveillance
programs, as recommended by Commissioner Thomas, may also help,
provided that a proposed surveillance project is actually stopped or revised
when an impact statement shows that the project would compromise
individuals' privacy without producing results adequate to justify
the effect on privacy rights.
CONCLUSION
36. Public debate about data security and
about the privacy implications of governments' use of data mining
for counter-terrorism efforts is important. Commissioner Thomas's
report and these hearings are valuable parts of that debate. Thank
you for the opportunity to contribute.
June 2007
236 James X Dempsey and Paul Rosenzweig, Technologies
that Can Protect Privacy as Information Is Shared to Combat Terrorism,
3-4, May 26, 2004, Center for Democracy and Technology.
237 K A Taipale, Designing Technical Systems to Support Policy:
Enterprise Architecture, Policy Appliances, and Civil Liberties,
in Emergent Information Technologies and Enabling Policies for
Counter-Terrorism, Robert L Popp and John Yen, editors (Wiley
Interscience 2006), 444-45.