Posts Tagged: ECPA

Jan 15

Toward Better Privacy, Data Breach Laws

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notice that may actually help prevent future breaches.

dataleakThe plan is intended to unify nearly four dozen disparate state data breach disclosure laws into a single, federal standard. But as experts quoted in this story from The New York Times rightly note, much rides on whether or not any federal breach disclosure law is a baseline law that allows states to pass stronger standards.

For example, right now seven states already have so-called “shot-clock” disclosure laws, some more stringent; Connecticut requires insurance firms to notify no more than five days after discovering a breach; California has similar requirements for health providers. Also, at least 14 states and the District of Columbia have laws that permit affected consumers to sue a company for damages in the wake of a breach. What’s more, many states define “personal information” differently and hence have different triggers for what requires a company to disclose. For an excellent breakdown on the various data breach disclosure laws, see this analysis by BakerHostetler (PDF).

Leaving aside the weighty question of federal preemption, I’d like to see a discussion here and elsewhere about a requirement which mandates that companies disclose how they got breached. Naturally, we wouldn’t expect companies to disclose the specific technologies they’re using in a public breach document. Additionally, forensics firms called in to investigate aren’t always able to precisely pinpoint the cause or source of the breach.

But this information could be publicly shared in a timely way when it’s available, and appropriately anonymized. It’s unfortunate that while we’ve heard time and again about credit card breaches at retail establishments, we know very little about how those organizations were breached in the first place. A requirement to share the “how” of the hack when it’s known and anonymized by industry would be helpful. Continue reading →

Dec 13

Help Bring Privacy Laws Into 21st Century

Lost in the ongoing media firestorm over the National Security Agency’s domestic surveillance activities is the discussion about concrete steps to bring the nation’s communications privacy laws into the 21st Century. Under current laws that were drafted before the advent of the commercial Internet, federal and local authorities can gain access to mobile phone and many email records without a court-issued warrant. In this post, I’ll explain what federal lawmakers and readers can do to help change the status quo [tl;dr: if you’d rather skip the explanation and go right to the What Can You Do? section, click here] cloudprivacy

The Center for Democracy & Technology, a policy think-tank based in Washington, D.C., has a concise and informative primer on the Electronic Communications Privacy Act (ECPA), the 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting the ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information. But the Justice Department wanted different treatment for stored electronic communications. (Bear in mind that this was way before anyone was talking about “cloud” storage; indeed CDT notes that electronic storage of digital communications in 1986 was quite expensive, and it wasn’t unusual for email providers to delete messages that were more than a few months old).

CDT explains the bargain that was struck to accommodate the government’s concerns:

“Congress said that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with a subpoena, issued by a prosecutor or FBI agent without the approval of a judge,” CDT wrote. “At the same time, Congress concluded that, while the contents of communications must be highly protected in transit, the ‘transactional data’ associated with communications, such as dialing information showing what numbers you are calling, was less sensitive. ECPA allowed the government to use something less than a warrant to obtain this routing and signaling information.”

Fast-forward to almost 2014, and we find of course that most people store their entire digital lives “in the cloud.” This includes not only email, but calendar data, photos and other sensitive information. Big cloud providers like Google, Microsoft and Yahoo! have given users so much free storage space that hardly anyone has cause to delete their stuff anymore. Not only that, but pretty much everyone is carrying a mobile phone that can be used to track them and paint a fairly detailed account of their daily activities.

But here’s the thing that’s screwy about ECPA: If you’re the kind of person who stores all that information on your laptop, the government can’t get at it without a court-ordered warrant. Leave it in the hands of email, mobile and cloud data providers, however, and it’s relatively easy pickings for investigators.

“There has been an interpretation of the law from the government that says any document stored in the cloud can be accessed with a subpoena, regardless of how old it is,” said Mark Stanley, a communications strategist with CDT. “The government can access emails over 180 days old with just a subpoena. “We also know that the [Justice Department] has interpreted the law to say that any emails that are opened — regardless of how old they are — can be accessed without a warrant.”

Continue reading →