A leading U.S. intelligence agency’s rollback of its collection of U.S. citizens’ electronic communications about certain foreign individuals abroad is a reminder to companies to limit their data collection and retention, privacy attorneys told Bloomberg BNA.
The National Security Agency’s move should remind companies that they can benefit from limiting the collection and retention of sensitive data, including by making themselves less attractive to cybercriminals. Companies should also be aware that they are subject to U.S. intelligence communications surveillance as “persons.”
The NSA announced April 28 that it would no longer collect communications that were solely between two U.S. citizens but contained information on a foreign surveillance target abroad. In addition, the agency said it would delete such data it had already collected.
The NSA routinely collects data on foreign surveillance targets abroad under the auspices of Section 702 of the Foreign Intelligence Surveillance Act (FISA). The NSA had been collecting communications between U.S. citizens if they were about a foreign surveillance target.
Now, a U.S. citizen’s communications can still be collected, but only if they are with a foreigner targeted for surveillance under Section 702 authority, Adam Klein, senior fellow at bipartisan think tank Center for a New American Security in Washington, told Bloomberg BNA. Likewise, U.S. companies are treated like people; their electronic communications with a foreign surveillance target remain subject to “incidental collection.”
Scott L. Vernick, privacy and data security partner at Fox Rothschild LLP in Philadelphia, told Bloomberg BNA that corporate secrets, intellectual property and sensitive internal personal data are potentially open to government surveillance. That should alert companies that they need robust policies on when to collect, retain and get rid of data.
Additionally, the move to end data collection of U.S. citizens in certain circumstances, and the decision to delete most of the already acquired data, should remind companies that mass collection of information raises the risk of a cyberattack or network breach, he said. Much as the NSA learned, companies can enhance their credibility with consumers by collecting less data, not more, Vernick said.
Companies are often targeted by hackers because of the troves of sensitive customer data, trade secrets and other valuable information that they collect and store.
Yahoo! Inc., Target Corp. and the Home Depot Inc. are just a few of the many companies that have endured damage to their value and reputations from massive hacking incidents. Limiting the data that’s collected, stored and used, and having proper data destruction policies, can limit the impact of such security incidents, privacy professionals told Bloomberg BNA.
Matt Todd, co-chairman of the privacy and data security group at Polsinelli LLP in Houston, told Bloomberg BNA that companies are “concerned” because their trade secrets, IP, sensitive employee information and other personally identifiable information aren’t under their control. Companies need to take care in “how they communicate proprietary information,” as the NSA’s move to stop collecting certain U.S. citizens’ data demonstrates, he said.
Todd, however, questioned whether the NSA policy shift will significantly ease business concerns. The international intelligence community can collect sensitive corporate data, and companies should “work with employees on the communication of sensitive information” in order to quell concerns, he said.
Vernick said that, regardless of government surveillance concerns, it is always good to “get rid of data” that isn’t being actively used or doesn’t have a purpose down the road.
If companies decide there is value in data and want to retain it, they need to “anonymize and de-identify the data.” They should also segment it so that if “somebody does break into corporate networks, they are only going to lose that much information,” he said.
To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.