Cyber Security Enhancement Act of 2002 (CSEA) Changes Rules of the Game Forever

New legislation gives security the power to trump customer privacy.

Right before Thanksgiving, an old mustachioed gent clad in tails and a top hat raced around the boardwalk to every service provider's data center and left a present. The gift was a little orange "Get Out of Jail Free" card, and after the delivery he sped off in his teeny silver sports car.

The security world may not correspond exactly to a Monopoly board, but the Homeland Security Act and one of its provisions, the Cyber Security Enhancement Act of 2002 (CSEA), did change the rules of the game forever. This act gives service providers and some manufacturers a permanent home-team advantage in the matchup between security and privacy. In the same vein as the litigation exemption for smallpox vaccine manufacturers, the CSEA protects ISPs against security-triggered disasters that could occur if service providers pass contaminated data from their clients on to government sources. Even though this law is targeted at ISPs, the language is vague and could be interpreted in a universally applicable way. Only time and the courts will clarify the ambiguity.

Some highlights of the CSEA include:

  • Companies can give their customers' electronic information (e-mail, chat, phone records, purchases) to government employees without legal documents or court warrants. This applies to any government employee, regional as well as federal. This includes park rangers and schoolteachers, not just law enforcement agents.
  • The information does not have to be offered in response to a request. It can be reported at the initiative of the company.
  • The litmus test is an "immediate threat to a national security interest." The company gets to make this determination. The bill gives no guidelines on what those terms mean.
  • If the company shows "good faith" in providing the information, it is free from resulting customer litigation.
  • Businesses that report internal security problems are shielded from customer litigation, and the reports are exempt from Freedom of Information Act requests.

This is why I call it a Get Out of Jail Free card. As a corporate executive, I'm relieved to know that I have the Cyber Security Enhancement Act in my back pocket. As a security professional, I'm afraid that I'm going to turn into the Maytag repairman, the loneliest guy in town. It's easy to forget about security when you don't have to worry about lawsuits.

So CSOs, in the spirit of playing the game, here is my not-so-serious advice for cashing in on the opportunity:

When security problems arise, immediately disclose them to the government, and take advantage of the immunity from disclosure to shareholders. Encourage your operations staff to read all employee e-mail. Post the good ones in the coffee room, and give a weekly prize to whoever finds the most outrageous one. Since you are not cleared to know what an actual national security interest is, make sure you use the words good faith as often as possible in memos. If you take the draconian step of limiting which employees get to read the good e-mails, make sure that you clearly identify them to avoid confusion. Have them wear colored armbands with easily recognizable symbols: one for the guy who gets to read all e-mail love letters, another for the person scanning all the personal health-care information, and so on. By the way, you shouldn't just expect your people to know how to profile. Run a diversity training class that teaches the significance of surnames and other personal identifiers. Be creative in your attempts to spot the bad guys. Run pattern searches for words that you think are suspicious. You can include book titles like The Catcher in the Rye, big words like xenophobia or ethnic words like hummus. While you're at it, it's also reasonable to be suspicious of customers who are too clean and who don't use any suspicious terminology. Let's face it, they're probably hiding something, so you better watch them too. And, just for the heck of it, report everyone who uses encryption. People who use that much security are bound to be involved in something shady.

Seriously, though, it's a little depressing that the experience gained from years of protecting our customers' privacy is now as outmoded as funding for a dotcom or demand for a VCR. With this bill and the spirit behind it, we may have reached the tipping point of privacy in our society. It's hard to imagine any company refusing to comply with a request from the government no matter what business they're in, and eventually it will affect CSOs in all U.S. industries. The million-dollar question is whether the exemption from lawsuits will apply to cooperative non-ISPs. They might have to Go Directly to Jail.
