Originally published by the Journal of Commerce in April 2012.
At the recent 7th Annual Homeland Security Law Institute, sponsored by the American Bar Association’s Administrative Law Section, the most interesting panel was one entitled “Executive Agency General Counsel Panel: A Look At Homeland Security Legal and Policy Issues”. The participants were senior attorneys from the CIA, the FBI, the Office of the Director of National Intelligence and the Justice Department’s National Security Division. The presentation raised its issues through hypotheticals and presumed that agency heads or the White House were to be briefed about the events portrayed.
The hypothetical of interest to international traders raised the specter of an international hacking incident. It involved a defense contractor which had an agreement with a U.S.-based cloud computing company. Highly sensitive data, including satellite design documents, were being stored by the cloud computing company. The cloud computing company notifies the defense contractor that its data center in a Southeast Asian country was hacked and a large amount of data was exfiltrated. There is reason to believe the attack is ongoing, that some of the data was stolen, and that the event is an inside job involving an employee of the cloud computing company who holds administrative, root-level access to the network and is sympathetic to the ideals of the hacking group claiming credit for the incident.
If this column is being read by your IT security staff, they have just cringed and twitched, because some variation of this set of facts keeps them up at night. Why raise this topic in a column generally directed at import/export issues? Does your company have a website on which goods are offered for sale to the public? If so, the above hypothetical presents a very real potential nightmare. Unlike the defense contractor, which has a duty to report to the Department of Defense that its data was hacked, you, as an international trader, will generally not have a similar legal obligation arising from the nature of your business. However, if you are selling goods through your website, you have collected personal data, such as names, addresses, credit card details and the like. If you discover you have been hacked, how much time can, or should, you take before notifying your customers?
Likely, your sales are to many different countries. Assuming you have the proper screening software in place, you have eliminated sales to prohibited end users and end uses, but what about the privacy rights of those to whom you have sold your products? The laws in the U.S. are quite different from those in the European Union. EU data privacy rights are quite strict and cover any information that someone is able to link to a person, even if the person holding the data cannot make that link: “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.” The burden of compliance is put on the controller, meaning that whoever collects the data has to make sure it remains confidential. That obligation applies if you are located in the EU, but equally when you use equipment located in the EU. Have you checked lately where the servers are located which your vendor is using to store your data? Does your contract with that vendor require advance notice before new servers are put into use, so that you know the country of their location and can opt out in order to comply with relevant U.S. laws?
While there is no question the laws in the EU are quite strict, the U.S. laws are not much more liberal. Additionally, the laws within the U.S. differ from state to state. In just about all the states, some sort of immediate, or at least prompt, notice to those whose data has been exposed is mandated. In some states, the requirements as to how protected personal data is to be maintained are quite detailed, laying out the exact steps which are required to be taken. Regardless of the legal framework, companies would be foolish to collect personal data, discover a breach and then conceal it for any length of time. If you are going to wait to disclose, the only legitimate excuse seems to be cooperation with law enforcement. On the other hand, if you are the cloud computing company, do you really want to let the world know your supposedly secure database can be breached, even if it is an inside job by a disgruntled employee? Probably not.
Are the rules different if you do not sell product through your website, but only advertise on it? Of course, because you presumably do not collect personal data. But do you? The definition of personal data can be rather broad. The California definition includes an individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (A) Social Security number; (B) driver’s license number or California identification card number; (C) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account; (D) medical information. Note the qualifier “not encrypted or redacted”: under the California statute, a breach of records in which the name and the sensitive data element are both encrypted does not trigger the notification duty, which is one practical reason to encrypt stored customer data rather than hold it in the clear.
While admittedly international traders do not generally collect medical information (unless they are in a business that deals in medical-related products), they often do collect other personal data. For example, as a customs broker or freight forwarder, you will often obtain an individual’s name and Social Security number in order to file the entry or transmit via AES on the person’s behalf. You may also obtain an individual’s name and a copy of his driver’s license to establish his bona fides. If you accept credit card payments, you have the individual’s name and his credit card number along with his security code (as you cannot process a payment without the two). Keep in mind that the card industry’s own rules (PCI DSS) prohibit storing that security code once the payment has been authorized, so if it is still sitting in your system after the sale you have a compliance problem before any breach occurs. So, you do collect personal data after all.
If you sell goods to individuals, even not online but only through more traditional means, you again regularly obtain the same types of data mentioned above from your customers in filling their orders. How much of this personal data is somewhere in your computer system? For all of us, the answer is that it can be found in electronic format somewhere in our systems. Note that the breach notification laws draw no distinction between data which is input by the individual as part of an online order and the same data collected through a telephone call or the receipt of an email or fax authorization.
The goal of this column is to point out yet another issue, not driven by the laws or regulations governing the importing and exporting of goods, but which is becoming an ever greater potential headache for companies of all sizes. The sources of such headaches continue to expand. How are you keeping up?