Back on December 30, 2009 I blogged about how cloud storage could have a problem catching on with larger enterprises because of a lesser known provision in the Patriot Act called the National Security Letters.
Under the provisions of the Patriot Act, these National Security Letters, a form of administrative subpoena used by the United States Federal Bureau of Investigation and reportedly by other U.S. Government Agencies including the Central Intelligence Agency and the Department of Defense, can be used to require “carriers” to turn over records and data concerning individual customers (corporate customers) if asked to do so by the Federal government. The letters do not require the government to get a court order, so in effect the regulation allows the government to access that information on demand.
So the question was; how many GCs of large corporations will steer their companies away from this potential legal risk?
I have found out that the congress is working on changing how this provision of the Patriot Act can be applied to better protect organization’s data stored in the cloud.
Prohibits a national security letter (letter) (a request for information sought by the Federal Bureau of Investigation (FBI) in connection with a criminal investigation) from being issued unless the issuing official certifies specific facts providing reason to believe that the information or records sought pertain to a foreign power or agent thereof. It prohibits a letter from being issued in connection with an investigation of a U.S. person solely upon the basis of activities protected by the First Amendment to the Constitution. It prohibits: (1) a letter from containing unreasonable requirements or requiring privileged matter; or (2) disclosing to a person that the FBI has sought or obtained access to information under a letter for 30 days after receipt of the FBI’s request for such information. It authorizes judicial review for the modification or revocation of a letter. Provides limited uses of information acquired through a letter. It allows persons against whom evidence obtained from a letter is to be used to file a motion to suppress. It provides a civil cause of action for the misuse of letters. It requires the authority to issue letters to revert, five years after the enactment of this Act, to that provided by law on October 25, 2001. It requires the Attorney General to: (1) undertake minimization and destruction procedures with respect to information acquired through letters; and (2) report semiannually on the number and use of letters. It requires the disposal of wrongly acquired information. And it revises requirements relating to claims of emergency in connection with certain letters.
With these new protections (if H.R. 1800 is passed into law eventually) on how the National Security Letters can be used, I believe many of the larger organizations will embrace these new protections and speed up their adoption of cloud storage offerings.