The controversy of the day in Washington revolves around the White House ordering the National Security Agency to step up tapping of communications among persons and organizations suspected of involvement in attacks on the United States. Critics claim the tapping to be an unconstitutional violation of citizens’ protections against unreasonable searches and seizures, which will have an unconstitutional, chilling effect on free speech. The Administration argues the intercepts are a constitutional and necessary use of the President’s war powers in the War on Terror.
Simmering in the background is the allegation that the NSA’s wiretapping must require the complicity of the nation’s largest telephone companies and Internet service providers. Rep. John Conyers, the House Judiciary Committee’s ranking Democrat, is demanding that a number of major telcos and ISPs, including Verizon, BellSouth, Microsoft and Google, say whether they cooperated with the NSA or not.
The controversy of the day in cyberspace revolves around the White House’s subpoena of records from the nation’s largest search engine in connection with its efforts to enforce the Child Online Protection Act, which is aimed at keeping online porn away from children. Presumably, the records, which include samples of search queries received by the search engines, would be used by the government to show the prevalence and accessibility of online porn. Google is resisting its subpoena, refusing to turn over its records without a legal fight. However, the Justice Department has said at least three other search providers, Yahoo, MSN and AOL, have complied with the government’s demands.
These examples have drawn unwanted and uncomfortable attention to the companies involved. They have made news because of the controversial nature of the requests, but they constitute just the tip of the iceberg. While government demands often get heavy press attention, subpoenas issue all the time in private litigation. For example, the identities, addresses and even the contents of communications of customers are often sought from Internet companies in connection with a wide variety of claims, including libel, insider trading, copyright infringement, and theft of corporate secrets.
Given American litigiousness, is anyone safe from having customer records subpoenaed? The answer is almost certainly “No.” What a company knows about its customers almost certainly will be of interest to someone one day. Consequently, every company should consider how it will respond when its records are subpoenaed or its cooperation is demanded in an investigation. Since immediate compliance with an order may be demanded, once a demand is served, there will be limited time to consider alternatives. A plan of action should be formulated in advance to avoid the necessity of making a decision under the pressure of imminent litigation and public scrutiny.
Formation of a contingency plan should include at least five points:
Know a lawyer to call. Any decision to comply or, more importantly, to resist a request should be discussed with a lawyer, who can advise on the law and the consequences of a course of action.
Consider what information to collect from customers. As a rule of thumb, it’s bad practice to collect more information than necessary from customers. Why collect information from a customer for which there is no business purpose, particularly if the possession of the information only creates a target for a subpoena?
Consider how long to retain customer information. Given how cheaply data can be saved electronically, it’s tempting to hang on to information indefinitely. But information should be retained only as long as it has business value. Every company should have a carefully thought out records retention policy and should follow it.
Review privacy policies. Privacy policies should accurately reflect records collection and retention policies. Policies should also specify what will happen if records are requested. Every policy should have a legal out, allowing a company to turn over records when requested under law.
Consider notification and publicity. Decide how customers and the public will be informed when customer records are demanded.
While one can hope to avoid being drawn into a public controversy like those in today’s news, it’s unrealistic to expect that a demand for customer records will never be made. Taking steps to prepare now, however, can smooth the inevitable day when the government or someone else asks, “What do you know about your customers?”