Home » Data Protection » PCI and Compliance

Opinion

The Long Arm of the Law

By William Cook

September 01, 2004 — CSO — A remarkable case involving computer security, Cobell v. Norton, is now working its way through the courts. Currently set for argument this month before the federal appellate court in Washington, D.C., the case raises two important issues: What are the proper remedies for privacy violations? And can the courts dictate website security standards?

Cobell v. Norton is a class-action lawsuit that was filed June 10, 1996, in the U.S. District Court in Washington, D.C., to force the federal government to account for the billions of dollars that have been held in trust since the late 19th century on behalf of approximately 500,000 Native American beneficiaries and their heirs. As trustee, the government took legal title to the land parcels and assumed full responsibility for management of the trust lands, including the obligation to collect and disburse to the beneficiaries any revenue generated by mining, oil and gas extraction, timber operations, grazing or similar activities.

In late 2001, attorneys for the plaintiffs questioned the computer security of the trust fund. Judge Royce C. Lamberth ordered an investigation. The special master running the investigation hired a computer forensics expert, who was able to break into the system with ease. On the strength of the forensic expert's report, the court determined that the trust accounts were vulnerable to hacking. He immediately took the unprecedented step of ordering the Department of the Interior to terminate all of its Internet connections on Dec. 5, 2001.

Although the Department of the Interior progressively implemented security upgrades mandated by the court, the Bureau of Indian Affairs (BIA), which is the central repository of the trust records, failed to meet the court's security requirements. Frustrated by the BIA's delays, on June 27, 2003, the court again ordered the Interior Department to disconnect from the Internet all systems that house or provide access to trust fund data. Those systems could be reconnected when the court "has determined that all individual Indian trust data is properly secured." The court's ruling to cut off the BIA's Internet connections again came at the request of the plaintiffs in the case, who had sought a preliminary injunction in order to protect trust fund data. A spokesman for the Native Americans said they wanted the BIA's systems taken offline because: "They wanted to make certain the systems could be tested and the trust beneficiaries could be assured that their monies were safe."

The court has periodically reviewed the government's efforts to bring the BIA website into security compliance. On March 15, 2004, the court continued its disconnect order. On Aug. 2, the website contained the following statement: "The BIA website as well as the BIA mail servers have been made temporarily unavailable due to the Cobell litigation. Please continue to check from time to time. We have no estimate on when authorization will be given to reactivate these sites." More than three and a half years after it was shut down, the BIA website continues to be the black hole of the Internet.