In case you didn’t hear about it yet, President Bush just signed into law changes to the U.S. Foreign Intelligence Surveillance Act (FISA) that, among other things, grants immunity to telecom companies that cooperate with the secret warrantless wiretap program.
I have not yet had a chance to read the complete “FISA Amendments Act of 2008”, but from the analysis I’ve read so far, and the overview from the press releases from the White House and other government groups, the changes could have a significant impact on basically all organizations.
I can understand WHY Congress wanted to remove liability from telecoms for cooperating with investigations, but HOW it was done shows complete disregard for legitimate privacy concerns. It also removes all accountability, not only for the telecoms and their eavesdropping activities, but also for the government and law enforcement agencies, at least from what I’ve seen so far.
The government wrote the law in such a way that businesses will be left holding the bag for the bad, mistaken, irresponsible, or inappropriate actions the government and law enforcement agencies take with individuals’ personally identifiable information (PII) and other information that was collected during surveillance justified by this new FISA Amendments Act of 2008.
- When collected information on individuals is involved in a privacy breach, who will be held liable? Held responsible?
- When collected information on individuals is involved in a privacy breach, will the individuals involved even be notified?
- When individuals want someone to pay for the misuse or crime that occurs with the PII collected from surveillance, and they can’t get restitution from the government or the telecoms, will the businesses, whose networks were unknowingly being bugged, be taken to court and held responsible?
There are so many more questions to ask… I need to find time to read through the complete new amendment carefully…
However, it would seem that this new amendment would encourage organizations to strongly encrypt all the data flowing throughout, and outside of, their networks to ensure surveillance activities could not collect sensitive data for which they could possibly later be held liable.
Yes, I know… that could lead to yet another bill that would try to forbid businesses from encrypting data sent through networks, but I really doubt a law like that would pass in this age of mounting privacy breaches, especially when growing numbers of laws state that encryption is a good way to protect sensitive information.