Right before Thanksgiving, an old mustachioed gent clad in tails and a top hat raced around the boardwalk to every service provider's data center and left a present. The gift was a little orange "Get Out of Jail Free" card, and after the delivery he sped off in his teeny silver sports car.
The security world may not correspond exactly to a Monopoly board, but the Homeland Security Act and one of its provisions, the Cyber Security Enhancement Act of 2002 (CSEA), did change the rules of the game forever. This act gives service providers and some manufacturers a permanent home-team advantage in the matchup between security and privacy. In the same vein as the litigation exemption for smallpox vaccine manufacturers, the CSEA protects ISPs against security-triggered disasters that could occur if service providers pass contaminated data from their clients on to government sources. Even though this law is targeted at ISPs, the language is vague and could be interpreted in a universally applicable way. Only time and the courts will clarify the ambiguity.
Some highlights of the CSEA include:
- Companies can give their customers' electronic information (e-mail, chat, phone records, purchases) to government employees without legal documents or court warrants. This applies to any government employee
regional as well as federal. This includes park rangers and schoolteachers, not just law enforcement agents.
- The information does not have to be offered in response to a request. It can be reported at the initiative of the company.
- The litmus test is an "immediate threat to a national security interest." The company gets to make this determination. The bill gives no guidelines on what those terms mean.
- If the company shows "good faith" in providing the information, it is free from resulting customer litigation.
- Businesses that report internal security problems are shielded from customer litigation, and the reports are exempt from Freedom of Information Act requests.
This is why I call it a Get Out of Jail Free card. As a corporate executive, I'm relieved to know that I have the Cyber Security Enhancement Act in my back pocket. As a security professional, I'm afraid that I'm going to turn into the Maytag repairman
So CSOs, in the spirit of playing the game, here is my not-so-serious advice for cashing in on the opportunity:
When security problems arise, immediately disclose them to the government, and take advantage of the immunity from disclosure to shareholders. Encourage your operations staff to read all employee e-mail. Post the good ones in the coffee room, and give a weekly prize to whomever finds the most outrageous one. Since you are not cleared to know what an actual national security interest is, make sure you use the words good faith as often as possible in memos. If you take the draconian step of limiting which employees get to read the good e-mails, make sure that you clearly identify them to avoid confusion. Have them wear colored armbands with easily recognizable symbols
Seriously, though, it's a little depressing that the experience gained from years of protecting our customers' privacy is now as outmoded as funding for a dotcom or demand for a VCR. With this bill and the spirit behind it, we may have reached the tipping point of privacy in our society. It's hard to imagine any company refusing to comply with a request from the government no matter what business they're in, and eventually it will affect CSOs in all U.S. industries. The million-dollar question is whether the exemption from lawsuits will apply to cooperative non-ISPs. They might have to Go Directly to Jail.