U.S. Intel Data Collection Retreat Offers Corporate Lessons


By Daniel R. Stoller

A leading U.S. intelligence agency’s rollback of its collection of U.S. citizen electronic communications about certain foreign individuals abroad is a reminder to companies to limit their data collection and retention, privacy attorneys told Bloomberg BNA.

The National Security Agency’s move should remind companies that they can benefit from reducing how much sensitive data they collect and retain—including by making themselves less attractive to cybercriminals. Companies should also be aware that they are subject to U.S. intelligence communications surveillance as “persons.”

The NSA announced April 28 that it would no longer collect communications that were solely between two U.S. citizens but contained information on a foreign surveillance target abroad. In addition, the agency said it would delete such data it had already collected.

The NSA routinely collects data on foreign surveillance targets abroad under the auspices of Section 702 of the Foreign Intelligence Surveillance Act (FISA). The NSA had been collecting communications between U.S. citizens if they were about a foreign surveillance target.

Now, a U.S. citizen’s communications can still be collected, but only if they are with a foreigner targeted for surveillance under Section 702 authority, Adam Klein, senior fellow at bipartisan think tank Center for a New American Security in Washington, told Bloomberg BNA. Likewise, U.S. companies are treated like people; their electronic communications with a foreign surveillance target remain subject to “incidental collection.”

Scott L. Vernick, privacy and data security partner at Fox Rothschild LLP in Philadelphia, told Bloomberg BNA that corporate secrets, intellectual property and sensitive internal personal data are potentially open to government surveillance. That should alert companies that they need robust policies on when to collect, retain and get rid of data.

Additionally, the move to end data collection of U.S. citizens in certain circumstances, and the decision to delete most of the already acquired data, should remind companies that mass collection of information raises the risk of a cyberattack or network breach, he said. Much like the NSA learned, companies can enhance their credibility with consumers by collecting less data—not more, Vernick said.

Sensitive Data Protection

Companies are often targeted by hackers because of the troves of sensitive customer data, trade secrets and other valuable information that they collect and store.

Yahoo! Inc., Target Corp. and The Home Depot Inc. are just a few of the many companies that have endured damage to their value and reputations from massive hacking incidents. Limiting the data that’s collected, stored and used, and having proper data destruction policies, can limit the impact of such security incidents, privacy professionals told Bloomberg BNA.

Matt Todd, co-chairman of the privacy and data security group at Polsinelli LLP in Houston, told Bloomberg BNA that companies are “concerned” because their trade secrets, IP, sensitive employee information and other personally identifiable information aren’t under their control. Companies need to take care in “how they communicate proprietary information”—as the NSA’s move to stop collecting certain U.S. citizens’ data demonstrates, he said.

Todd, however, questioned whether the NSA policy shift will significantly ease business concerns. The international intelligence community can collect sensitive corporate data, and companies should “work with employees on the communication of sensitive information” in order to quell concerns, he said.

Vernick said that, regardless of government surveillance concerns, it is always good to “get rid of data” that isn’t being actively used or doesn’t have a purpose down the road.

If companies decide there is value in data and want to retain it, they need to “anonymize and de-identify the data.” They should also segment it so that if “somebody does break into corporate networks, they are only going to lose that much information,” he said.

To contact the reporter on this story: Daniel R. Stoller in Washington at dStoller@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
