PATRIOT Act Renewal Means Potential Business Disruption
Created by
The Researc
Content
<p>As cumbersome as its name, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT Act) is on the verge of having key provisions extended well beyond their original expiry dates.</p>
<p><b>PATRIOT Act Redux</b></p>
<p>In 2005, the House of Congress renewed the <a target="_blank" href="http://www.epic.org/privacy/terrorism/hr3162.html">PATRIOT Act</a> - beyond its initial four-year lifespan - until December 31, 2005. Since then, Congress has allowed two extensions of five weeks each to continue negotiations around the renewal of the Act's controversial powers. These powers include search-and-seizure of business records.</p>
<p>Given the House's willingness to extend the Act so far, it is likely that PATRIOT will be renewed again in 2006. Of all the provisions, the search-and-seizure clause poses the most concern for business and IT. Without reasonable cause or warning, the FBI can demand that an enterprise immediately disclose and report:</p>
<ul type="disc">
<li>E-mail, IM, and voicemail messages.</li>
<li>Customer data (e.g. in CRM applications).</li>
<li>Financial data (e.g. in ERP and accounting software).</li>
</ul>
<p>Organizations that cannot produce such business records immediately risk non-compliance. Non-compliance with FBI requests for information, as with other infractions, can result in severe penalties depending on the situation.</p>
<p><b>Reaching from Sea to Shining Sea</b></p>
<p>Unlike specific laws such as HIPAA, GLBA, or Sarbanes-Oxley, the PATRIOT Act applies to many different companies and organizations of varying industry verticals. Below are just a few examples of how far-reaching this Act truly is:</p>
<ul type="disc">
<li><b>Anyone</b> who discloses that the FBI sought records from their organization can be jailed for up to five years.</li>
<li><b>Financial institutions</b> can be fined up to $1 million for failing to monitor account ownership/usage and instances of money laundering.</li>
<li><b>Investment firms and real estate companies</b> found "trading with the enemy" can be fined $1 million per infraction, plus $100,000 for individual fines.</li>
<li><b>Libraries</b> must submit "tangible items" when requested. This includes records of book lists, academic papers, documents, and other items checked out by a library patron under investigation.</li>
<li><b>ISPs</b> are required to submit browsing histories of clients when requested. Universities also fall under this category if they provide wholesale Internet access to the student body.</li>
<li><b>Universities</b> are also required to comply with Section 416, the Foreign Student Monitoring Program. Colleges and universities must have a software system that can track the identity, address, visa details, and entire record of foreign students.</li>
</ul>
<p><b>PATRIOT Act Risk Scenarios</b></p>
<p>There are a number of scenarios where the Act could disrupt processes, possibly causing loss of business to U.S. companies. Use scenario planning to determine if corporate strategies are strong enough to ensure business continuity in the face of PATRIOT Act compliance. It is an exercise in speculation, where multiple "worst case" PATRIOT Act situations are imagined and response strategies for dealing with them are mapped out.</p>
<div align="center">
<table cellspacing="0" border="1" cellpadding="0" width="606">
<tr>
<td valign="top" width="187">
<h3 align="center">Risk</h3>
</td>
<td valign="top" width="419">
<h3 align="center">Scenario</h3>
</td>
</tr>
<tr>
<td valign="top" width="187">
<p align="center">Inability to quickly retrieve data from non-American companies to which tasks are being outsourced.</p>
</td>
<td valign="top" width="419">
<p align="center">Assume that an American enterprise outsources its data processing to an offshore company. If the FBI demands to see records, is the American firm able to quickly obtain those records from the outsourcer?</p>
</td>
</tr>
<tr>
<td valign="top" width="187">
<p align="center">Contract invalidation with countries to which American services are provided.</p>
</td>
<td valign="top" width="419">
<p align="center">For example, the Canadian PIPEDA privacy law protects personal information of its citizens. If a Canadian bank outsources its credit card processing to an American firm, does seizure of the Canadian data invalidate the contract with the data processing company?</p>
</td>
</tr>
<tr>
<td valign="top" width="187">
<p align="center">Compliance of offshore subsidiaries of American companies.</p>
</td>
<td valign="top" width="419">
<p align="center">A U.S. firm is targeted by the FBI for search-and-seize, but the data officially belongs to a subsidiary in another country. Is the data still obtainable under that country's privacy laws?</p>
</td>
</tr>
</table>
</div>
<p><b>Recommendations</b></p>
<p>PATRIOT Act compliance is a question of assessing risk, managing outsourcers, and being able to produce records within reasonable timeframes.</p>
<p>1. <b>Control enterprise risk.</b> Risk management is the comprehensive assessment and management of all risks (regulatory, as well as financial, human capital, strategic, operational, and technological) that face the enterprise. Determine which scenarios apply to the enterprise and begin plans to mitigate associated risk.</p>
<p>- Use the risk scenarios developed earlier in conjunction with Info-Tech's "<a sc_linktype="internal" sc_url="/Home/MR/Issues/20040512/Risk Management Spreadsheet" target="_self" href="http://www.infotech.com/MR/Issues/20040512/Risk%20Management%20Spreadsheet.aspx" sc_text="Risk Management Spreadsheet">Risk Management Spreadsheet</a>" and dynamic risk map to track and plot risks to IT and business.</p>
<p>- For more information on scenario planning, Info-Tech Advisor subscribers can also read "<a sc_linktype="internal" sc_url="/Home/ITA/Issues/20030203/Articles/Scenario Planning,-c-, Full-Dress Rehearsal" target="_self" href="http://www.infotech.com/ITA/Issues/20030203/Articles/Scenario%20Planning,-c-,%20Full-Dress%20Rehearsal.aspx" sc_text="Scenario Planning: Full-Dress Rehearsal">Scenario Planning: Full-Dress Rehearsal</a>."</p>
<p>2. <b>Manage/organize information.</b> Records requested by the FBI must be retrieved quickly, or within a reasonable timeframe. One way to ensure rapid retrieval is to implement document archiving via Information Lifecycle Management (ILM). There are at least <a target="_blank" href="http://www.usdoj.gov/opa/pr/2005/April/05_opa_163.htm">16 PATRIOT Act provisions</a> up for renewal. Review them alongside the risk scenarios to determine what data could be requested, and where it currently resides. Particular impact of PATRIOT on IT includes:</p>
<p>- Seizure of voicemail messages (Section 209).</p>
<p>- Subpoena of records of electronic communications (Section 210).</p>
<p>- Emergency disclosure of e-communications to protect life (Section 212).</p>
<p>- Interception of computer trespasser communications (Section 217).</p>
<p>3. <b>Understand the legal system of offshore locations.</b> Find out if the country being outsourced to respects data protection. To help identify the risk of doing business in different countries, consult "<a target="_blank" href="http://ww1.transparency.org/cpi/2005/cpi2005_infocus.html">Corruption Perceptions Index 2005</a>," from Transparency International. Though the index doesn't discuss specific laws in other countries, the corruptibility of a foreign government pretty much tells the story of how that government views law and order. In addition, establish data retrieval clauses with outsourcers in the event of a search-and-seize event.</p>
<p><b>Bottom Line</b></p>
<p>The PATRIOT Act is going to be renewed within the next few days. Establish strategies now to address the Act, or risk non-compliance with the law and the FBI.</p>
Copyright © 1999-2025 by
HR.com - Maximizing Human Potential
. All rights reserved.