The Growing Importance of Terms Addressing Cybersecurity and Law Enforcement Data Gathering Risks associated with turning over, or failing to turn over, information to law enforcement or in response to a civil litigation subpoena: Communications Assistance with Law Enforcement Act (CALEA) and other legal requirements; lessons from recent cases Overview I. Communications for Law Enforcement Act of 1994 (CALEA) II. Electronic Communications Privacy Act (ECPA) III. Consequences of Refusal/Compliance with Law Enforcement Data Requests IV. Importance of Contract Terms with Regards to Law Enforcement Data Requests I. CALEA Communications Assistance for Law Enforcement Act (“CALEA”), Pub. L. No. 103-414, 108 Stat. 4279 (codified at 47 U.S.C. §§ 1001-1010): • Intended to preserve the ability of law enforcement agencies to use wiretapping by requiring telecommunications carriers to design their systems to ensure that such wiretapping could be accomplished • Requires telecommunications providers to assist law enforcement in isolating “call-identifying information” – i.e., “dialing or signaling information that identifies the origin, direction, destination, or termination’ of a communications” • Excludes information on the physical location of the subscriber from being acquired by law enforcement “solely pursuant to the authority for pen registers and trap/trace devices” I. CALEA CALEA applies to: • “Entity engaged in the transmission or switching of wire or electronic communications” • Authorizes FCC to expand to any service that it finds is a “ substantial replacement ” for local exchange service • In 2005, FCC used the substantial replacement concept to expand CALEA to I-VoIP and Broadband Internet Access Services I. CALEA FCC’s rules also require covered entities to: • Develop internal policies and procedures to address CALEA compliance, including record-retention policies subject to FCC review; and • File a certification attesting to the company ’ s procedures and appointing a senior officer to oversee CALEA compliance I. CALEA Three methods of CALEA compliance (In the Matter of Communications Assistance for Law Enforcement Act and Broadband Access and Services, ET Docket No. 04-295, RM-10865, Second Report and Memorandum Opinion and Order (rel. May 12, 2006)): • Carrier may develop its own compliance solution for its unique network (the FCC does not provide safe harbor provisions) • Carrier may purchase a compliance solution from vendors, including the manufacturers of the equipment it is using to provide service • Carrier may purchase a compliance solution from a trusted third party (TPP) I. CALEA Risks of non-compliance: i. NSA Scandal ii. Criminal Enforcement iii. FCC Enforcement iv. DOJ Enforcement v. Team Telecom Enforcement vi. Subscriber Enforcement I. CALEA i. Enforcement Risk from NSA Scandal: • Misconception: NSA surveillance programs moot the need for communications service providers to comply with CALEA • Reality: NSA programs do not replace CALEA because they do not support criminal investigations, gather content, or intercept in real time • Irony: NSA programs may generate more demand for CALEA compliance because they help identify criminal suspects I. CALEA ii. Enforcement by Criminal Court: • Triggered by: failure to implement an order for lawful surveillance • Applies to: service providers and equipment vendors • Involves: show cause order by federal or state court under 18 U.S.C. § 2522(a), hearings and evidentiary submissions • Potential liability: includes fines up to $10,000 per day for each day of violation and/or remedial action (immediate CALEA upgrade) • Factors: reasonable availability of alternate technologies, compliance is reasonably achievable, nature and extent of violation; good faith efforts to comply; degree of culpability; ability to continue to do business; ability to pay; “other matters as justice may require” I. CALEA iii. Enforcement by the FCC: • Triggered by: FBI complaint • Applies to: service providers and equipment vendors • Involves: notice of apparent liability under Section 229 of Communications Act, questionnaire, evidentiary submissions, meetings with FCC Enforcement Bureau, possible periodic reports • Potential liability: settlement agreement (with immediate CALEA upgrade) and/or fines • Factors: nature and extent of violation; good faith efforts to comply; degree of culpability; ability to continue to do business; ability to pay I. CALEA iv. Enforcement by Department of Justice: • Triggered by: Persistent non-compliance • Applies to: service providers and equipment vendors • Involves: civil suit in U.S. district court under 18 U.S.C. § 2522(b), hearings and evidentiary submissions • Potential liability: civil fine of $10,000 per day for each day of violation and/or remedial action (immediate CALEA upgrade) • Factors: reasonable availability of alternate technologies, whether compliance is reasonably achievable, nature and extent of violation; good faith efforts to comply; degree of culpability; ability to continue to do business; ability to pay, “other matters as justice may require” I. CALEA v. Enforcement by Team Telecom: • Triggered by: application under Section 214 of the FCC’s Rules to serve U.S. market • Applies to: foreign-owned service providers • Involves: “triage” questionnaire regarding ownership, operations, and law enforcement assistance capabilities • Potential liability: letter of no-action, letter of assurances, or national security agreement, which may guarantee capabilities beyond those minimally required by CALEA • Factors: nature and extent of risk to security of U.S. communications I. CALEA vi. Enforcement by Subscribers: • Triggered by: over-disclosure of data to law enforcement • Applies to: service providers, equipment vendors and application developers • Involves: (typically) class action data privacy suit in federal or state court under wiretap or privacy laws • Potential liability: civil or criminal penalties, remedial action • Factors: whether plaintiffs have standing, whether disclosure was made with due process (e.g., court order or emergency, whether network is equipped with CALEA safe harbor solution) II. ECPA Electronic Communications Privacy Act (“ECPA”), Pub. L. No. 99508,100 Stat. 1848 (codified in 18 U.S.C. §§ 1367, 2521, 2701 to 2709, 2711, 3117, 3121 to 3124, 3126 and 3127) Includes: • The Wiretap Act (“Title III”), as modified by the ECPA (18 U.S.C. §§ 2510-2522) • The Stored Communications Act (“SCA”), Title II of the ECPA (18 U.S.C. §§ 2701-2711) • The Pen Register and Trap and Trace Devices Act (“Pen/Trap Act”) (18 U.S.C. §§ 3121-3127) II. ECPA – Title III Title III: • General Rule: Interception and disclosure of wire, oral, or electronic communications is prohibited (18 U.S.C. § 2511(1)) • Exceptions (18 U.S.C. § 2511(2)): – – – – – – – – (i) expectation of privacy; (ii) open wireless network (e.g., Wi-Fi); (iii) Law Enforcement w/ Requisite Legal Authority; (iv) Accidental Acquisition; (v) Emergencies; (vi) Computer Trespass; (vii) Ordinary Couse of Business; and (viii) Consent II. ECPA – Title III Law Enforcement Exception (18 U.S.C. § 2518): Authority to intercept the content of messages contemporaneously with transmission: • “Contents” (18 U.S.C. § 2510(8)): When used w/ respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport or meaning of that communication. • “Intercept” (18 U.S.C. § 2510(4)): Defined broadly as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” II. ECPA – Title III Legal Process (18 U.S.C. § 2516(3)): Disclosure via Title III requires a Court Order: • Requirements for a Court Order: Law enforcement must demonstrate probable cause that the search will reveal evidence of criminal wrongdoing – The court order must also specify: (i) the identity of the targeted individual; (ii) the facilities that will be tapped; (iii) the type of communications to be intercepted; (iv) the criminal offense suspected; and (v) the authorized period of the tap • • • • Type of Criminal Act Required (18 U.S.C. § 2516(2)): Only certain types of felonies (e.g., hacking, CFAA violations) All reasonable and normal investigative procedures must be exhausted and that the facilities to be tapped are owned/ commonly used by the targeted individual (18 U.S.C. § 2518(1)(c)) Application must show “that the surveillance will be conducted in a way that minimizes the interception of communications that do not provide evidence of a crime” (18 U.S.C. 2518(C)) Time Limit (18 U.S.C. § 2518(5)): The warrant is valid for no more than 30 days, but can be extended II. ECPA – Title III Title III Consequences of a Violation: • Criminal Penalties: Interception, use, or disclosure in violation of Title III is generally punishable by imprisonment for not more than five years and/or a fine of not more than $250,000 for individuals and not more than $500,000 for organizations (18 U.S.C. § 2511(4)(a)) • Civil Penalties: Victims of a Title III violation may be entitled to equitable relief, damages (equal to the greater of actual damages, $100/day of violation, or $10,000), punitive damages, reasonable attorney fees, and reasonable litigation costs (18 U.S.C. § 2520 (a),(b) & (c)) II. ECPA – Title III Good Faith Defense (18 U.S.C. § 2520(d)) - “A good faith reliance on: • a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization; • a request of an investigative or law enforcement officer under section 2518 (7) of this title; or • a good faith determination that section 2511 (3) or 2511 (2)(i) of this title permitted the conduct complained of; is a complete defense against any civil or criminal action brought under this chapter or any other law.” II. ECPA – Title III • Although 18 USCS § 2520 does not define “good faith”, however, there is analogy to good faith defense allowed under 42 USCS § 1983 cases • Defendant may invoke defense good faith reliance on court order only if he can demonstrate: (1) that he had subjective good faith belief that he acted legally pursuant to court order; and (2) that this belief was reasonable; there was sufficient testimony at trial which if believed by jury would establish that telephone company held honest and reasonable belief that it acted legally pursuant to court order. Jacobson v. Rose (1978, CA9 Nev.), 92 F.2d 515,, cert den 442 US 930 (1979) II. ECPA – SCA Stored Communications Act: • “Stored Communications” (18 U.S.C. § 2510(17)): “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” • Protections: Email, voicemail, another electronic communications (only somewhat akin to that available for telephone and face-to-face conversations under 18 U.S.C. §§ 2510-2522) • Prohibitions: Generally bars surreptitious access to communications at rest/storage, although it goes beyond the confines that apply to interception II. ECPA – SCA General Prohibitions Under Section 2701(a): It is a federal crime to: (1) Intentionally access w/o authorization or exceed an authorization to access; (2) a facility through which an electronic communication service is provided; and (3) thereby obtain, alter, or prevent authorized access to a wire/ electronic communication while it is in electronic storage in such system (18 U.S.C. § 2701(a)(1)) II. ECPA – SCA Exceptions to Section 2701(a): • 18 U.S.C. § 2701(c): Section 2701(a) does not apply w/ respect to conduct authorized: (1) by the person/entity providing a providing a wire or electronic communications service; (2) by a user of that service w/ respect to a communication of or intended for that user; or (3) in Section 2703 [requirements for gov’t access], Section 2704 [backup preservation], or 2518 [court ordered wiretapping/ electronic eavesdropping] of this title • 18 U.S.C. § 2707(e): Good Faith Defense provided when there is a good faith reliance on: – – – • (1) a court warrant or order, a grand jury subpoena, a legislative authorization, or a statutory authorization (including a request of a governmental entity under section 2703(f) of this title) [relating to an official request for a service provider to preserve evidence]; (2) a request of an investigative or law enforcement officer under section 2518(7) of this title [relating to emergency wiretapping and electronic eavesdropping]; or (3) a good faith determination that section 2511(3) of this title [relating to the circumstances under which an electronic communications provider may divulge the contents of communication] permitted the conduct complained of is a complete defense to any civil or criminal action brought under this chapter or any other law 18 U.S.C. § 2703(e): General immunity from civil liability for electronic communications providers – “[N]o cause of action shall lie in any court against any provider of wire or electronic communication service, its officers, employees, agents, or other specified persons for providing information, facilities, or assistance in accordance with the terms of a court order, warrant, subpoena, statutory authorization, or certification under this chapter.” II. ECPA – SCA • Secondary Prohibitions Under Section 2702: Section 2702 bans the disclosure of the content of electronic communications and records relating to them by those who provide the public w/ electronic communications service/ remote computing service. • Forbids providers to disclose: (1) the content of certain communications to anyone [18 U.S.C. § 2702(a)(1) & (2)]; or (2) related records to governmental entities [18 U.S.C. § 2702(a)(3)] II. ECPA – SCA Exceptions (18 U.S.C. § 2702(b)): Permits disclosure of the contents of a communication: (1) to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient; (2) as otherwise authorized in section 2517 [relating to disclosures permitted under Title III], 2511(2)(a)[relating to provider disclosures permitted under Title III for protection of provider property or incidental to service], or 2703 [relating to required provider disclosures pursuant to governmental authority] of this title; (3) with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service; (4) to a person employed or authorized or whose facilities are used to forward such communication to its destination; (5) as may be necessarily incident to the rendition of the service or to the protection of the rights or property of the provider of that service; (6) to the National Center for Missing and Exploited Children, in connection with a report submitted thereto under section 227 of the Victims of Child Abuse Act of 1990; (7) to a law enforcement agency—(A) if the contents—(i) were inadvertently obtained by the service provider; and (ii) appear to pertain to the commission of a crime; (8) to a Federal, State, or local government entity, if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency. II. ECPA – SCA Government Access Requirements: Generally less demanding than those under Title III • Two kinds of information: In the custody of the communications service provider: (1) communications records; and (2) the content of electronic/ wire communications • Two avenues of law enforcement access: – Permissible/Voluntary Provider Disclosure (18 U.S.C. § 2702) • Inadvertent discovery of information relating to the commission of a crime (18 U.S.C. § 2702(b)) • Emergency situation (18 U.S.C. § 2702(b)) – Required Provider Access (18 U.S.C. § 2703) • Search warrant required to compel providers to supply content of wire/electronic communications held in electronic storage for less than 180 days (18 U.S.C. § 2703(a)) • Use of a search warrant/ subpoena/ court order to force content disclosure w/ respect to communications held for more than 180 days (18 U.S.C. § 2703(a)) II. ECPA – SCA Consequences of Violation of SCA: • Criminal: – Serious offenses are punishable by imprisonment for not more than five years (not more than 10 years for a subsequent conviction) and/or a fine of not more than $250,000 (not more than $500,000 for organizations); – Lesser offenses are punishable by imprisonment for not more than one year (not more than five years for a subsequent conviction) and/or a fine of not more than $100,000 (18 U.S.C. § 2701(b)) • • Civil: Victims of a violation of subsection 2701(a) have a cause of action for equitable relief, reasonable attorneys’ fees and costs, and damages equal to the amount of any offender profits added to the total of the victim’s losses (18 U.S.C. § 2707) Good Faith Defense Limitations for Service Providers: Service providers are unable to claim the benefit of one of the section’s exceptions, of the good faith defense under subsection 2707(e), or of the immunity available under subsection 2703(e)—may be liable for civil damages, costs and attorneys’ fees under section 2707 for any violation of section 2702. II. ECPA – Pen/Trap Act The Pen/Trap Act: • • • Definitions: A trap and trace device identifies the source of incoming calls, and a pen register indicates the numbers called from a particular instrument (18 U.S.C. § 3127(3) & (4)) Application: The Title III wiretap provisions apply when, due to the nature of advances in telecommunications technology, pen registers and trap and trace devices are able to capture wire communication “content.” [In re United States, 441 F.Supp.2d 816 (S.D. Tex. 2006)] Prohibitions/ Exceptions: Subsection 3121(a) outlaws installation or use of a pen register or trap and trace device, except under one of seven circumstances: – (1) pursuant to a court order issued under sections 3121-3127; – (2) pursuant to a Foreign Intelligence Surveillance Act (FISA) court order; – (3) with the consent of the user; – (4) when incidental to service; – (5) when necessary to protect users from abuse of service; – (6) when necessary to protect providers from abuse of service; or – (7) in an emergency situation II. ECPA – Pen/Trap Act • Government Access: Officials may apply for a court order authorizing the installation and use of a pen register and/or a trap and trace device upon certification that the information that it will provide is relevant to a pending criminal investigation (18 U.S.C. § 3122) • Court Order Requirements: – (1) specify (i) the person upon whose telephone line the device is to be installed, (ii) the person who is the subject of the criminal investigation, (iii) the telephone number, the location of the line to which the device is to be attached, and geographical range of the device, and (iv) a description of the crime to which the investigation relates; – (2) upon request, direct carrier assistance under section 3124; – (3) terminate within 60 days, unless extended; – (4) involve a report of particulars of the order’s execution in Internet cases; and – (5) impose necessary nondisclosure requirements (18 U.S.C. § 3123) II. ECPA – Pen/Trap Act Consequences of Violation of Pen/Trap Act: • Criminal: Punishable by imprisonment for not more than a year and/or a fine of not more than $100,000 ($200,000 for an organization) (18 U.S.C. §§ 3121(d), 3571) • Good Faith Defense: Subsection 3124(e) creates a good faith defense for reliance upon a court order under subsection 3123(b), an emergency request under subsection 3125(a), “a legislative authorization, or a statutory authorization.” (18 U.S.C. § 3124(e)) III. Consequences of Refusal/Compliance with Law Enforcement Data Requests • Consequences of Refusal of Subpoena/ Search Warrant/ Court Order: – Contempt of court – Fines – Jail – Forced Suspension of business (e.g., Lavabit) • Compliance with Law Enforcement Request may even lead to Civil Litigation (but there’s a statutory affirmative defense) III. Consequences of Refusal/Compliance with Law Enforcement Data Requests Civil Litigation and the Section 2520(d) Good Faith Defense: • McCready v. eBay, Inc., 453 F3d 882 (7th Cir. 2006) – Facts: McCready brought action against Internet sales service and numerous users of service alleging violations of Fair Debt Collection Practices Act (FDCPA), Fair Credit Reporting Act (FCRA), Bankruptcy Code, and Electronic Fund Transfers Act (EFTA).Court orders Ebay to produce documentation on plaintiff related to lawsuit. McCready sues Ebay for violation of the ECPA. – Holding: Corporation’s good faith reliance on subpoena was complete defense to individual’s actions under the ECPA. III. Consequences of Refusal/Compliance with Law Enforcement Data Requests Civil Litigation and the Section 2707(e)(1) Good Faith Defense: • Freedman v. AOL, Inc., 325 F.Supp.2d 638 (E.D. Va. 2004): – Facts: Subscriber brought action against AOL under SCA on the ground that AOL wrongfully disclosed plaintiff's subscriber information to law enforcement in response to a warrant application that had not been signed by a judge. – Holding: Court held that a genuine issue of fact existed as to the reasonableness of AOL’s good faith defense because it was disputable that AOL should have known that warrant was invalid. • Fox v. CoxCom Inc., No. CV-11-594-PHX-SMM, (D. Ariz. 2012): – Facts: CoxCom received a grand jury subpoena ordering the company to produce information on plaintiff, which was handled by CoxCom’s “Subpoena Compliance Office.” Plaintiff sued for violated of the SCA. – Holding: Court granted summary judgment in favor of CoxCom, Inc. stating that service provider had a good faith reliance on the subpoena due to CoxCom’s evidence of established procedures in responding to such data requests that were adequately applied in this situation. III. Consequences of Refusal/Compliance with Law Enforcement Data Requests Criminal Prosecution and the Implied Defense Under Section 2511(2)(a)(ii): • Litigation Under Section 2511(2)(a)(ii): If a plaintiff alleges that defendant cooperated improperly with law enforcement officials in violation of Section 2511(2)(a)(ii), the Senate Judiciary Committee Report (Senate Rpt. No. 99-541 at 26-27) explains how such cases should be litigated: – (1) The complaint must allege that a wire or electronic communications service provider (or one of its employees): (a) disclosed the existence of a wiretap; (b) acted without a facially valid court order or certification; (c) acted beyond the scope of a court order or certification; or (d) acted on bad faith. Acting in bad faith would include failing to read the order or collusion. If the complaint fails to make any of these allegations, the defendant can move to dismiss the complaint for failure to state a claim upon which relief can be granted. – (2) If during the course of pretrial discovery the plaintiff's claim proves baseless, the defendant can move for summary judgment. – (3) If the court denies the summary judgment motion, the case goes to trial. At the close of the plaintiff's case, the defendant again can move for dismissal. If that motion is denied, the defendant then has the opportunity to present to the jury its section 2520 good faith defense. III. Consequences of Refusal/Compliance with Law Enforcement Data Requests • Marshall v. Willner, No. 3:06-CV-665 (W.D.Ky. 2007): – Holding that telephone companies and individual employees of those entities, were exempt from liability under § 2511(2)(a)(ii) if, as the plaintiff alleged, they were presented with an order from the FBI permitting a wiretap, regardless of whether the order was obtained in violation of the law, and stating that “[t]o hold otherwise would place service providers, like Defendants, and their employees in the precarious situation of risking potential liability for following what appear to be valid court orders.” • Bansal v. Microsoft Hotmail, 267 F. App'x 184, 185 (3d Cir. 2008): – “Like the SCA, the Crime Control Act exempts ‘providers of ... electronic communication services” from liability if they have disclosed information pursuant to a court order.’ 18 U.S.C. § 2511(2)(a)(ii) . . . Because Microsoft Hotmail disclosed the contents of Bansal's emails pursuant to a court order, it cannot be liable under the statute.” III. Consequences of Refusal/Compliance with Law Enforcement Data Requests Discovery in Civil Proceedings: In a number of cases, courts have held that there is no civil subpoena exception to ECPA that permits the disclosure of the content of communications: • O'Grady v. Superior Court, 139 Cal.App.4th 1423 (Cal. Ct. of Appeal 2006): – – • In re Subpoena Duces Tecum to AOL, LLC, 550 F.Supp.2d 606 (E.D. Va. 2008): – – • Facts: Computer manufacturer filed action against Web site publishers alleging they published confidential company information about an impending product, and seeking to identify the source of the disclosures. Holding: “Since the Act makes no exception for civil discovery and no repugnancy has been shown between a denial of such discovery and congressional intent or purpose, the Act must be applied, in accordance with its plain terms, to render unenforceable the subpoenas seeking to . . . disclose the contents of emails stored on [the service provider’s] facilities.” Facts: Non-party witnesses in an action pending in another district moved to quash a subpoena duces tecum issued to their Internet service provider, seeking production of the witnesses' emails. Holding: “the issuance of a civil discovery subpoena is not an exception to the provisions of the Privacy Act that would allow an internet service provider to disclose the communications at issue here.” But see, Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008): – – Facts: In civil action, defendant city and one individual defendant moved to prevent discovery of communications exchanged among certain officials and employees of the city via city-issued text messaging devices retained by non-party service provider. Holding: The SCA did not preclude civil discovery of city's relevant, nonprivileged electronically stored communications that were maintained by a non–party service provider but remained within the city's control. IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering • Discussion of how/ when companies disclose information to law enforcement vary widely between company privacy policies – Examples: • • • • • Google Facebook Comcast AT&T Verizon • DOJ recently permitted companies to disclose statistical information concerning disclosure of information to the federal government IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering Google’s Privacy Agreement (https://www.google.com/intl/en/policies/privacy/ (last modified Dec. 30, 2013)): • “Information we share: We do not share personal information with companies, organizations and individuals outside of Google unless one of the following circumstances applies: . . . – For legal reasons • We will share personal information with companies, organizations or individuals outside of Google if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to: • meet any applicable law, regulation, legal process or enforceable governmental request. • enforce applicable Terms of Service, including investigation of potential violations. • detect, prevent, or otherwise address fraud, security or technical issues. • protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.” IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering Facebook’s Data Use Policy (https://www.facebook.com/about/privacy/other (Last modified Nov. 15, 2013)) : “Responding to legal requests and preventing harm: We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so. This may include responding to legal requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law in that jurisdiction, affects users in that jurisdiction, and is consistent with internationally recognized standards. We may also access, preserve and share information when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; or to prevent death or imminent bodily harm. Information we receive about you, including financial transaction data related to purchases made with Facebook, may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm. We also may retain information from accounts disabled for violations of our terms for at least a year to prevent repeat abuse or other violations of our terms.” IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering Comcast Xfinity’s Web Services Privacy Policy (http://xfinity.comcast.net/privacy/2014-01/ (Effective Jan. 23, 2014)): • “13. Disclosures of Information: Comcast holds customer privacy in the highest regard and we make every reasonable effort to protect your privacy as described in this Privacy Policy. Nevertheless, we may be required by law to disclose Personally Identifiable Information or other information about you or other users of the Comcast Web Services. These disclosures may be made with or without your consent, and with or without notice, in compliance with the terms of a subpoena, court order, search warrant, or other valid legal process. We may also disclose information about you or users of the Comcast Web Services when we believe in good faith that the disclosure of information is necessary to prevent financial loss, address suspected illegal activity, protect our rights or property, or prevent imminent physical harm.” IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering AT&T’s Privacy Policy (http://www.att.com/gen/privacy-policy?pid=13692#menu (Effective Sept. 16, 2013)): • “Some examples of who we share your Personal Information with: – Across AT&T companies to give you the best customer experience and to help you get everything we have to offer. – With other companies that perform services on our behalf only as needed for them to perform those services. We require them to protect your information consistent with our Policy. – With other companies and entities, to: • • • • • Respond to 911 requests and other emergencies or exigencies; Comply with court orders and other legal process; Assist with identity verification, and preventing fraud and identity theft; Enforce our agreements and property rights; and Obtain payment for products and services including the transfer or sale of delinquent accounts to third parties for collection” IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering Verizon’s Privacy Policy (http://www.verizon.com/about/privacy/policy/ (Last modified Jan. 2014)): • “ Information Shared Outside the Verizon Family of Companies: . . . We may disclose information that individually identifies our customers or identifies customer devices in certain circumstances, such as: – to comply with valid legal process including subpoenas, court orders or search warrants, and as otherwise authorized by law; – in cases involving danger of death or serious physical injury to any person or other emergencies; – to protect our rights or property, or the safety of our customers or employees; – to protect against fraudulent, malicious, abusive, unauthorized or unlawful use of or subscription to our products and services and to protect our network, services, devices and users from such use; – to advance or defend against complaints or legal claims in court, administrative proceedings and elsewhere; – to credit bureaus or collection agencies for reporting purposes or to obtain payment for Verizon-billed products and services; – to a third-party that you have authorized to verify your account information; – to outside auditors and regulators; or – with your consent.” IV. Importance of Contract Terms Regarding Law Enforcement Litigation Gathering DOJ’s Agreement with Google, Facebook, LinkedIn, etc. re Reporting Gov’t Requests for Customer Data (Jan. 27, 2014): • “The government is now providing two alternative ways in which companies may inform their customers about requests for data . . . • Option One. A provider may report aggregate data in the following separate categories: – – – – – – – • Option Two. In the alternative, a provider may report aggregate data in the following separate categories: – – – • Criminal process, subject to no restrictions. The number of NSLs received, reported in bands of 1000 starting with 0-999. The number of customer accounts affected by NSLs, reported in bands of 1000 starting with 0-999. The number of FISA orders for content, reported in bands of 1000 starting with 0-999. The number of customer selectors targeted under FISA content orders, in bands of 1000 starting with 0-999. The number of FISA orders for non-content, reported in bands of 1000 starting with 0-999. The number of customer selectors targeted under FISA non-content orders, in bands of 1000 starting with 0-999. Criminal process, subject to no restrictions. The total number of all national security processes received, including all NSLs and FISA orders, reported as a single number in the following bands: 0-249 and thereafter in bands of 250. The total number of customer selectors targeted under all national security process, including all NSLs and FISA orders, reported as a single number in the following bands, 0-249, and thereafter in bands of 250. Other Stipulations: – – Provider may publish the FISA and NSL numbers every six months FISA info – six month delay between publication date and period covered by the report Conclusion • Companies should not automatically assume they must provide information in response to a subpoena if that information may be protected • Management should evaluate the risk of disclosing the information, and the potential consequences of doing so, against the risks of withholding the information