The 2019-03-14 show will focus on Information Security with InfoSec Specialist, Jason Maynard. Enjoy!
With the data the U.S. government has, it could write detailed biographies on nearly every resident.
While it’s true the U.S. government requires access to information to keep our nation safe, it need not be at the expense of personal privacy. Unfortunately, in the case of the National Security Agency’s (NSA’s) leaked Ragtime files, personal privacy appears to have taken a back seat. Was this data truly collected “incidentally,” as the NSA claims?
The Ragtime program collects the contents of communications, such as emails, online exchanges and text messages, of foreign nationals under the authority of several U.S. surveillance laws. Until recently, there were four known variants of the program. These variants were originally revealed by the leaks of whistleblower Edward Snowden:
However, recently released information indicates the amount of data collected may be larger than previously thought. There now appears to be 11 total variants. One is called “Ragtime-USP,” which may stand for “U.S. person” and target Americans.
These findings resurface an age-old question:
Where should we draw the line between personal privacy and national security?
Of course, the government needs to use all applicable and appropriate data to support military efforts and keep our nation safe. At the same time, the government must strongly secure that data and protect individual privacy. Unfortunately, to date, its practices have leaned toward sacrificing data security and personal privacy in the name of national security. It does not have to be this way; the government CAN get insights from data without sacrificing personal privacy when the guidelines below are followed.
These same principles also apply to the private sector.
Limit data-gathering programs to their stated purposes. When the NSA gathers communications from foreign nationals, the data inherently includes information on individuals the foreign nationals communicate with – including U.S. citizens. The stated purpose of the Ragtime program is to capture the communications of foreign nationals. However, the reality is that individuals who are brought into a conversation by others are subject to having their communications collected, monitored and analyzed. If the NSA can continue to claim, without opposition, that this breach (by design) of the program’s stated purpose is a byproduct of keeping the U.S. safe, it will take no actions to re-engineer systems and processes.
Private sector businesses should keep the data of those within arm’s reach of their clients in mind as they craft their own data security and privacy policies. Gather only the data of those with whom you have a relationship, and discard the rest. If you don’t, you could run afoul of the growing number of data protection laws and regulations that require you to obtain explicit consent before collecting personal information from individuals.
Hold agencies accountable. Government agencies should be held to the same security and privacy standards as the private sector and, importantly, be accountable for following those standards. Only entities with a proven record of implementing and maintaining strong security and privacy controls should be allowed to hold such gigantic repositories of sensitive and privacy-impacting data. So far, the NSA has not demonstrated accountability for the data it has collected. And lawmakers show little desire to implement security and privacy controls that might get in the way of reaching as much data as possible in the name of national security.
Regulators hold private businesses accountable; those of us in the private sector must insist on the same accountability from government agencies.
Private sector businesses also need to be responsible and accountable for implementing and maintaining strong and effective information security and privacy controls. They should also know and be in compliance with applicable data protection laws, regulations and other legal requirements.
Examine data retention policies. Another issue that has not been addressed through these surveillance programs is data retention. The programs suck up all the data possible and then keep it forever. The amount of data the NSA has on U.S. residents could be used to create detailed biographies of nearly every person in the U.S. This is a dangerous position for an organization without the proper security measures in place. Unfortunately, hundreds of millions of personal data records have been compromised in recent years due to vulnerabilities at the NSA and its associated vendors.
Private sector businesses with similar stores of data must perform regular information security and privacy assessments (SIMBUS360 can help!) to ensure they are doing everything they can to protect clients and customers.
Implement strong security controls and privacy protections. The NSA has not demonstrated these capabilities to date. Furthermore, the majority of government lawmakers have long enabled the NSA’s lack of security and privacy controls. An objective, validated and non-partisan entity with ongoing audit oversight would be best to provide the security protections required.
Similarly, businesses and other organizations should consider working with neutral third parties to affirm they are following all required compliance statutes, as well as thinking through how their evolving technologies, systems and business models may be opening their firms up to new threats. Certainly, such organizations can do their own ongoing assessments internally, but bringing in objective third parties to do assessments every now and then (at least once every year or two, and when significant operational changes occur) allows for a different perspective. Objective eyes often find things missed by those in the environment each day.
Indeed, when it comes to personal privacy and national security, we need to change it from an “either/or” conversation to an “and” conversation. While the NSA and your average law firm, accounting practice or health care provider may not have the same objectives, they do have much in common. Today’s growth-minded businesses understand data is a powerful currency, and will only increase in value as time goes on. As they are collecting, analyzing, storing and sharing data, there must be just as much strategy applied to protecting data.
Steptoe & Johnson LLP’s Privacy and Cybersecurity team will join Peter Weitz, host of In Black and Weitz, for “Data Breaches – How to Protect Against Them” on the Voice America Business Channel. Steptoe partners Stewart Baker, Michael Vatis, and Jason Weinstein, all of whom previously held significant positions in the US government relating to privacy and cybersecurity, will discuss the impact of data breaches on a company, how to prevent them, and how to respond should one occur, including a company’s obligations to notify its customers and clients. The lawyers will also discuss cybercrime, electronic data, and other related topics.
Mr. Baker served as the first assistant secretary for policy at the Department of Homeland Security, where he set cybersecurity policy, including inward investment reviews focused on network security. He is the author of “Skating on Stilts: Why We Aren’t Stopping Tomorrow’s Terrorism,” a book on the security challenges posed by technology, and a blog of the same name. Mr. Baker also served as general counsel of the National Security Agency.
Mr. Vatis was the founding director of the National Infrastructure Protection Center at the FBI, the government’s first organization dedicated to detecting and investigating cyberattacks. He also served as associate deputy attorney general in the Department of Justice and special counsel at the Department of Defense, and was the first director of the Institute for Security Technology Studies at Dartmouth and the founding chairman of the Institute for Information Infrastructure Protection (I3P).
Mr. Weinstein is a former deputy assistant attorney general of the US Department of Justice (DOJ) who supervised the Computer Crime and Intellectual Property Section. In this position, he oversaw the most significant cybercrime, data breach, intellectual property theft, and transnational organized crime investigations in the country. He also regularly briefed government officials and members of Congress on cybercrime and intellectual property issues and testified on a number of occasions before Senate and House committees on cybercrime, cybersecurity, privacy and data protection, and intellectual property enforcement. Mr. Weinstein helped lead the DOJ’s efforts to draft cybersecurity and data privacy legislation.
The three lawyers are authors of the Steptoe Cyberblog, which touches on topics including cybersecurity, cyberwar, data breach, privacy regulation, and security programs and policies. Featuring the authors’ sometimes contrasting insights, the Steptoe Cyberblog serves up opinionated and provocative thoughts on the issues, especially cybersecurity and privacy, that arise at the intersection of law, information technology, and security. The lawyers also host a weekly Cyberlaw Podcast that features top experts in the field.
During the show, the Steptoe lawyers will discuss the recently launched Data Breach Toolkit, a soup-to-nuts resource that provides companies with critical information and guidance to protect themselves before and after a data breach. The toolkit, which is a free resource but does not provide legal advice regarding breaches, was created by Steptoe to help companies minimize the chances of a breach, evaluate their level of preparation for a breach, and respond quickly and effectively to any breach that does occur despite the best preparation. The toolkit includes a useful outline of US federal and state breach notification laws.
Steptoe & Johnson LLP is an international law firm widely recognized for vigorous advocacy in complex litigation and arbitration, successful representation of clients before governmental agencies, and creative and practical advice in guiding business transactions. The firm has more than 500 lawyers and other professionals in Beijing, Brussels, Century City, Chicago, London, Los Angeles, New York, Palo Alto, Phoenix and Washington.
About Peter Weitz
Peter is a Senior Vice President and equity partner of Fusion Analytics Investment Partners. He joined the industry over ten years ago after spending 13 years in real estate development in Washington, DC. After several years working for a large retail wirehouse, he became uncomfortable with the inherent conflicts of major brokerage institutions and joined Fusion Analytics in 2009, opening its South Florida office. A dual graduate of George Washington University, Peter holds both an undergraduate degree in business and a Master’s Degree in Finance. His primary areas of practice include corporate 401(k) and defined benefit plans, retirement planning and wealth retention. He has published several articles and spoken on numerous panels regarding ERISA regulations as they pertain to defined contribution and benefit plans, and has been recognized as a top performer in the 401(k) marketplace.