"Security and Privacy After September 11" - PowerPoint PPT Presentation

Description: "Security and Privacy After September 11", Professor Peter P. Swire, Ohio State Law School. Security and Privacy after September 11. Examples from USA Patriot Act.

Slides: 27
Provided by: EOP1

Transcript and Presenter's Notes
1
"Security and Privacy After September 11"
  • Professor Peter P. Swire
  • Ohio State Law School
  • Consultant, Morrison & Foerster
  • Privacy & Data Security Summit
  • January 31, 2002

2
Overview
  • Background
  • Security and Privacy after September 11
  • Examples from USA Patriot Act
  • Enron, Privacy, and the role of the CPO

3
I. Background
  • Clinton Administration Chief Counselor for
    Privacy
  • Unusual double major
  • White House coordinator for HIPAA medical privacy
    rule, 1999-2000
  • Chair, White House task force on how to update
    wiretap and surveillance laws for the Internet age

4
Currently
  • Professor of Law, Ohio State University
  • Resident in D.C. (currently visiting at GW Law
    School)
  • Consultant, Morrison & Foerster, especially for
    medical privacy
  • www.osu.edu/units/law/swire.htm

5
II. Security & Privacy After September 11
  • Greater focus on security
  • Security vs. privacy
  • Security and privacy

6
Greater Focus on Security
  • More physical security
  • Cyber-security: less tolerance for hackers and
    other unauthorized use
  • Cyber-security: the need to protect critical
    infrastructures
  • Greater funding for security

7
Security vs. Privacy
  • Security sometimes means greater surveillance,
    information gathering, information sharing
  • Report possible terrorists
  • Err on the side of public health reporting
  • More support for surveillance
  • In short, greater disclosures to foster security

8
Security vs. Privacy
  • Physical Security
  • Airport searches -- your bag, your shoes
  • ID/authentication at more checkpoints
  • Proposals for national ID system
  • NAS Study coming soon
  • Will be one of my research focuses

9
Security vs. Privacy
  • Computer Security
  • Less support for anonymity
  • Stronger authentication
  • Intrusion detection -- FIDNet
  • Pressure to retain records -- Cybercrime
    Convention
  • Information sharing among federal, state, local
    governments and system owners

10
Security and Privacy
  • Security is a fair information practice
  • FTC Lilly enforcement action
  • Good data handling practices are more important
  • Prevent intrusion from the outside
  • Prevent unauthorized use by employees
  • Penn. Homeland Defense Ombudsman looks at
    security and privacy of web sites

11
Security and Privacy
  • Inventory your systems
  • You don't know your security vulnerabilities
    until you know your own systems
  • Key first step of any privacy compliance -- know
    your data flows
  • Should be part of your GLB, HIPAA compliance

12
Security and Privacy
  • Audit trails and accounting
  • An essential security practice
  • Policies and procedures should be followed
  • Accounting specifically required by HIPAA

13
Summary on Security and Privacy
  • Greater security threatens privacy when it means
    greater surveillance
  • Greater security helps privacy when it creates
    better-audited data systems
  • Security as an opportunity
  • The budget for security can help upgrade your
    systems, and build privacy in
  • HIPAA philosophy -- transactions, security, and
    privacy should be built together

14
III. Anti-terrorism Examples
  • In the name of security
  • The Uniting and Strengthening America Act by
    Providing Appropriate Tools Required to Intercept
    and Obstruct Terrorism
  • USA PATRIOT Act
  • Changes to wiretap laws, foreign intelligence,
    money laundering, new terrorism crimes, etc.
  • How to manage for security and privacy?

15
Grand Jury Secrecy Changed
  • Previous law: separation between law enforcement
    (grand jury, constitution applies) and foreign
    intelligence
  • New law: all the walls are down now between
    FBI, CIA, etc.
  • Example: you release PHI to grand jury, records
    can go to foreign intelligence without notice to
    you or a judge

16
Nationwide search orders
  • Previous law: you must respond to an order from
    a judge in your local federal district
  • Section 220 USA-PATRIOT
  • Electronic evidence: e-mail and web-surfing
    records
  • Binding order from any federal judge in the
    country
  • What if the order seems overbroad? Must contest
    with that distant judge.

17
Computer Trespasser Exception
  • Previous law
  • Under ECPA, could monitor your own system for
    security
  • Could turn over evidence of past hacker attacks
  • Could not invite law enforcement to surf over
    your shoulder to investigate possible ongoing
    attacks -- that was considered an open-ended
    wiretap

18
Computer Trespasser (cont.)
  • Sec. 217 USA Patriot
  • Now system owner can invite law enforcement to
    surf over the shoulder
  • Only for:
  • Computer trespassers with no reasonable
    expectation of privacy
  • Relevant to an investigation
  • No communications other than those to/from the
    trespasser

19
Computer Trespasser (cont.)
  • Any employee can authorize this surfing over the
    shoulder
  • Do you have policies in place for this?
  • What if health information would be disclosed?
  • HIPAA issues
  • Never any hearing before passage of the provision
    -- study before the sunset

20
IV. Enron, Privacy & the Role of the CPO
  • An important and good system
  • Corporate financial statements
  • "We complied with all applicable rules"
  • The letter (but not the spirit) of accounting
    rules
  • Huge transfers hidden from view
  • Billions in off-balance sheet assets

21
Enron Applied to Privacy
  • An important and good system
  • Financial, medical, e-commerce systems to provide
    service to customers
  • "We complied with all applicable rules"
  • Perhaps the letter, likely not the spirit, of
    GLB and other laws
  • Huge transfers hidden from view
  • Are there data flows you would not want in the
    press?

22
Effects of bad accounting and hidden transfers
  • For Enron, the hidden flows became public
  • New, strict laws will result
  • Strict enforcement
  • For U.S. Bank, the hidden flows became public
  • Immediate effect on GLB
  • Strict enforcement
  • In your organization, will hidden flows become
    public?

23
The Role of the CPO
  • You don't want to have to be Sherron Watkins, the
    Enron whistleblower
  • How can you help create good policies in advance?
  • How can you help create good compliance?
  • How can there be credible accounting and
    accountability?

24
How to Talk like a CPO
  • Move toward the letter and the spirit of good
    privacy policies
  • Know the horror stories
  • Breaches of security and privacy, and effects on
    the organizations
  • Use security as leverage for privacy
  • Good data practices are essential after 9/11

25
In Conclusion
  • Pass the friends and family test
  • How would the Enron deals have sounded if they
    had been explained at the family dinner table?
  • How do your data practices sound?
  • Your security and privacy practices will become
    known
  • Help your company be proud on that day
  • None of us wants to be part of the next Enron

26
Contact Information
  • Professor Peter Swire
  • Phone (301) 213-9587
  • Email pswire@law.gwu.edu
  • Web www.osu.edu/units/law/swire.htm
  • Presidential Privacy Archives www.privacy2000.org