1. "Security and Privacy After September 11 Professor Peter P. Swire Ohio State Law School Consultant, Morrison & Foerster Privacy & Data Security Summit January 31, 2002

2. Overview n Background n Security and Privacy after September 11 n Examples from USA Patriot Act n Enron, Privacy, and the role of the CPO

3. I. Background n Clinton Administration Chief Counselor for Privacy n Unusual double major: – White House coordinator for HIPAA medical privacy rule, 1999-2000 – Chair, White House task force on how to update wiretap and surveillance laws for the Internet age

4. Currently n Professor of Law, Ohio State University n Resident in D.C. (currently visiting at GW Law School) n Consultant, Morrison & Foerster, especially for medical privacy n www.osu.edu/units/law/swire.htm

5. II. Security & Privacy After September 11 n Greater focus on security n Security vs. privacy n Security and privacy

6. Greater Focus on Security n More physical security n Cyber-security: less tolerance for hackers and other unauthorized use n Cyber-security: the need to protect critical infrastructures n Greater funding for security

7. Security vs. Privacy n Security sometimes means greater surveillance, information gathering, & information sharing n Report possible terrorists n Err on the side of public health reporting n More support for surveillance n In short, greater disclosures to foster security

8. Security vs. Privacy n Physical Security n Airport searches -- your bag, your shoes n ID/authentication at more checkpoints n Proposals for national ID system – NAS Study coming soon – Will be one of my research focuses

9. Security vs. Privacy n Computer Security – Less support for anonymity – Stronger authentication – Intrusion detection -- FIDNet – Pressure to retain records -- Cybercrime Convention – Information sharing among federal, state, local governments and system owners

10. Security and Privacy n Security is a fair information practice – FTC Lilly enforcement action n Good data handling practices are more important – Prevent intrusion from the outside – Prevent unauthorized use by employees n Penn. Homeland Defense Ombudsman looks at security and privacy of web sites

11. Security and Privacy n Inventory your systems – You dont know your security vulnerabilities until you know your own systems – Key first step of any privacy compliance -- know your data flows – Should be part of your GLB, HIPAA compliance

12. Security and Privacy n Audit trails and accounting – An essential security practice – Polices and procedures should be followed – Accounting specifically required by HIPAA

13. Summary on Security and Privacy n Greater security threatens privacy when have greater surveillance n Greater security helps privacy when create better-audited data systems n Security as an opportunity – The budget for security can help upgrade your systems, and build privacy in – HIPAA philosophy -- transactions, security, and privacy should be built together

14. III. Anti-terrorism Examples n In the name of security: – The Uniting and Strengthening America Act by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism n USA PATRIOT Act – Changes to wiretap laws, foreign intelligence, money laundering, new terrorism crimes, etc. n How manage for security and privacy?

15. Grand Jury Secrecy Changed n Previous law: separation between law enforcement (grand jury, constitution applies) and foreign intelligence n New law: All the walls are down now between FBI, CIA, etc. n Example: you release PHI to grand jury, & records can go to foreign intelligence without notice to you or a judge

16. Nationwide search orders n Previous law: you must respond to an order from judge in your local federal district n Section 220 USA-PATRIOT: – Electronic evidence: e-mail and web surfing records – Binding order from any federal judge in the country – What if the order seems overbroad? Must contest with that distant judge.

17. Computer Trespasser Exception n Previous law: – Under ECPA, could monitor your own system for security – Could turn over evidence of past hacker attacks – Could not invite law enforcement to surf over your shoulder to investigate possible ongoing attacks -- that was considered an open-ended wiretap

18. Computer Trespasser (cont.) n Sec. 217 USA Patriot n Now system owner can invite law enforcement to surf over the shoulder n Only for – Computer trespassers with no reasonable expectation of privacy – Relevant to an investigation – No communications other than those to/from the trespasser

19. Computer Trespasser (cont.) n Any employee can authorize this surfing over the shoulder – Do you have policies in place for this? n What if health information would be disclosed? – HIPAA issues n Never any hearing before passage of the provision -- study before the sunset

20. IV. Enron, Privacy & the Role of the CPO n An important and good system – Corporate financial statements n We complied with all applicable rules – The letter (but not the spirit) of accounting rules n Huge transfers hidden from view – Billions in off-balance sheet assets

21. Enron Applied to Privacy n An important and good system – Financial, medical, e-commerce systems to provide service to customers n We complied with all applicable rules – Perhaps the letter, likely not the spirit, of GLB and other laws n Huge transfers hidden from view – Are there data flows you would not want in the press?

22. Effects of bad accounting and hidden transfers n For Enron, the hidden flows became public – New, strict laws will result – Strict enforcement n For U.S. Bank, the hidden flows became public – Immediate effect on GLB – Strict enforcement n In your organization, will hidden flows become public?

23. The Role of the CPO n You dont want to have to be Sherron Watson, the Enron whistleblower n How can you help create good policies in advance? n How can you help create good compliance? n How can there be credible accounting and accountability?

24. How to Talk like a CPO n Move toward the letter and the spirit of good privacy policies n Know the horror stories – Breaches of security and privacy, and effects on the organizations n Use security as a leverage for privacy – Good data practices are essential after 9/11

25. In Conclusion: n Pass the friends and family test – How would the Enron deals have sounded if they had been explained at the family dinner table? – How do your data practices sound? n Your security and privacy practices will become known n Help your company be proud on that day n None of us wants to be part of the next Enron

26. Contact Information n Professor Peter Swire n Phone: (301) 213-9587 n Email: pswire@law.gwu.edu n Web: www.osu.edu/units/law/swire.htm n Presidential Privacy Archives: www.privacy2000.org