The National Attorneys General Training & Research Institute
Corporate and Government Responsibility to Protect Data and Assist Law Enforcement
Karina Concepcion Medina, Prosecutor, Prosecutor Office of the Prosecutor General, Dominican Republic; Laura Conway, Senior Lawyer, Serious Fraud Office, United Kingdom; Yi-Hon Hsiao, Prosecutor, Taiwan Taipei Prosecutor Office, Taiwan; Joel King, Special Prosecutor, Office of the Attorney General of Ohio, USA; Julie Roy, Prosecutor, Director of Criminal and Penal Prosecutions, Canada
This group was asked to consider the responsibility that corporations and governments have to ensure protection of private data being stored on social media platforms. These platforms routinely have material stored that will aid investigators and governments on matters involving national security and/or criminal or civil cases. The group discussed the value of personal data and why cybercriminals go to such great lengths to obtain it, the challenges and consequences of failing to protect it, and how to hold entities accountable when they fail to practice good corporate governance or comply with investigations. The article offers recommendations that law enforcement and corporations can implement collaboratively to decrease cybercrime.
Individuals, corporations, and governments from around the world are increasingly embracing and relying upon digital technologies and are moving more deeply into an ever-evolving digital world. This new and ever-developing environment presents significant challenges because massive amounts of personal data are being collected and shared every day, often without the users’ knowledge or actual consent. Personal data has become a valuable asset for governments and for businesses and its use has developed in every sphere. Individuals sometimes choose to share personal information but are more often than not compelled to do so in order to interface with platforms or to receive government or business services being offered. Corporations and governments thus have a joint responsibility to protect private data. This article will examine the current state of affairs with respect to protecting data and make some recommendations about how to ensure that corporations and government institutions take their role seriously to protect citizens’ personal information.
Value of Personal Data and Responsibility to Protect It
More and more often, citizens are notified of security breaches in which their personal information has been compromised, whether the breached entity is a credit card company, a health care or insurance company holding patient records, or a retailer. These breaches result in very personal data being stolen or acquired by criminals seeking to do extensive harm, who often succeed in obtaining personal information on consumers.
Personal data, including financial or other identifying information, is extremely valuable to criminals. Cybercriminals can use personal data for a variety of illegal purposes, such as harassment, economic crimes including fraud and theft of intellectual property, or simply a sale of information to advertising and marketing companies for profit. They also can use it to disrupt infrastructures, such as banking systems and health care services. Both corporations (who collect and hold information) and governments (who also collect and hold information but have an additional public interest duty and mandate to protect citizens) have a responsibility in this situation. Both should assist and enable law enforcement to effectively investigate cybercrime and both should take concerted steps to secure their networks, conduct training for staff, and protect consumers’ very personal data.
The extent to which government and social media companies work with law enforcement and cooperate in investigations is an important consideration for prosecutors and investigators in their work to deter and resolve crimes and hold cybercriminals accountable. Both governments and corporations have to strike a balance between, on the one hand, the protection of individuals’ privacy and information and, on the other hand, the necessary and appropriate release of the same information for law enforcement purposes. Although it is incumbent upon all parties to assist law enforcement and reveal information when necessary to move investigations forward, corporations are often reluctant to reveal information voluntarily as this erodes customer confidence in the confidentiality of their service.
Protecting Private Data
Personal data is valuable to corporations for a variety of reasons and protecting that information should be equally important. In some instances, the data itself is the product and has considerable financial value. In other instances, the personal data supports the primary function of the business. Corporations have many legitimate uses for information ranging from the basics of knowing where to deliver products and services and collecting payment for those products and services to more detailed analysis, for example, analyzing customer trends to predict future buying patterns.
Corporations should also have a strong interest in protecting personal information through appropriate business practices. Loss of data can cause direct financial loss to the business itself, can cause significant reputational damage to the business, and can result in financial penalties in most jurisdictions. Individuals themselves can, of course, be harmed emotionally and financially by the loss of their personal data through identity theft or harm to their reputation.
Access to government services also depends on the robust collection and sharing of personal data, for example, for public purposes that vary as widely as population statistics and planning, administration of benefits, provision of education, collection of taxes, voting, and public safety. Given that citizens are often compelled by law or regulation to provide personal data to their government, governments have a strong moral and legal obligation to protect that information.
How to Protect Data and Prevent Cybercrime
Corporations and governments both have an important role in preventing cybercrime and protecting personal data and cyber infrastructures. Corporations, in particular, should spend more time and money to protect customer data because they are in a financial position to do so, in part because they are reaping financial rewards from consumers providing that private data. The harmful consequences of failing to do so far outweigh the cost.
Corporations, no matter how big or small, should have appropriate security measures in place to prevent data breaches. Not all data is equally sensitive, so this involves a balancing exercise depending on the sensitivity and amount of the information held as well as the resources of the company. Measures as simple as ensuring that software is updated in a timely fashion can help prevent data breaches and cybercrime. Conducting thorough background checks and putting into place very stringent safeguards and practices to ensure that employees do not have access to material unless they need it to perform their duties would help to minimize and prevent hacks and release of private information. Companies also should have policies that ensure mandatory training, compliance, and security checks.
In addition, corporations should report instances of data breaches to an appropriate body within each affected jurisdiction. Some corporations do not report until absolutely required to do so. To remedy this, governments ought to consider legislation requiring timely mandatory reporting. This will enable disruption of the continuing act of data breach, preservation of evidence, swifter investigatory action, and more effective harm mitigation for victims.
Governments should collaborate to create and enforce effective legislative standards for data protection. Because cybercrime is borderless, international collaboration is essential. By way of example, in 2018 the European Union issued the General Data Protection Regulation (GDPR), which aimed to harmonize data privacy laws across Europe, protect and empower all EU citizens concerning data privacy, and reshape the way organizations across the region approach data privacy. The GDPR’s penalties for data loss have incentivized corporations to protect information and have already motivated them to improve security and information handling.
Ensuring Law Enforcement Effectively Investigates Cybercrime
Corporations and governments have the responsibility to ensure that law enforcement can effectively investigate cybercrime through suitable legal process. That legal process must of course be consistent with the rights of individuals and corporations. Law enforcement can effectively overcome challenges to investigating cybercrime through legal process (subpoena, court order, search warrant, etc.).
One of the greatest challenges to effective investigation of cybercrime is the stark difference in knowledge about technological capabilities and limitations between the corporate world in general and law enforcement. Corporations are subject matter experts about their systems and best understand their own system capabilities and limitations. Moreover, capabilities and limitations vary widely among corporations. Law enforcement officials are largely dependent on the corporation from whom they are seeking information.
Another very significant problem is that data can be compartmentalized and stored in various jurisdictions. Because cybercrime is transnational, investigating and obtaining digital evidence for cases becomes far more complex and investigations may be stymied when legal process crosses jurisdictions. Currently, access to that data is often dependent upon the Mutual Legal Assistance Treaty (MLAT) process which can be slow, cumbersome, and often opaque to the requesting party. Governments should consider implementing alternative and more prompt ways to share electronic evidence with trusted partners and work towards building trusting relationships where they do not yet exist. Further, governments should also consider ensuring that law enforcement can obtain and use data evidence when it is directly accessible in its own jurisdiction regardless of where it is stored. In other words, if a case has originated in a European country but the information is available on a server in the United States, the U.S. should ensure that the European country gets the evidence it needs so long as the case has legal merit and meets necessary legal standards. There should never be a delay in obtaining evidence simply because the server or information is not physically in that country of origin.
Governments and nations must work together to ensure that protecting the public safety is the paramount concern. The Clarifying Lawful Overseas Use of Data Act, enacted in the United States in 2018, is just one example of how a government initiative to address territorial jurisdiction issues has helped law enforcement obtain electronic data for evidentiary purposes.
The challenges identified above are complicated and there are no easy solutions, but we suggest focusing on two areas that we think will improve law enforcement’s ability to obtain information, protect cases, and protect consumer data that corporations and governments may have. Both recommendations require compromise and commitment but are not too difficult to implement. We understand that lack of trust is an impeding factor that may prevent corporations and governments from working together, but we encourage cooperation to jointly address any challenges that jeopardize consumer data and impede investigations.
One of the most obvious yet challenging solutions to improve corporate and government responsibility is to promote and facilitate improved collaboration. To ensure law enforcement requests are properly focused, the corporation and law enforcement should work collaboratively to identify the capabilities and limitations of the corporation’s systems and the data it has. This commitment to collaborate will both encourage rapid compliance and prevent overly broad disclosures of information.
A second way to improve collaboration is greater use of public-private initiatives. Task forces involving both law enforcement agencies and technology corporations sharing information would benefit both groups. While some issues would have to be addressed in terms of what and how much information is shared, we already have examples where such efforts have been impactful and helpful. The task force model has been particularly effective in financial crime investigations, such as the Financial Crimes Enforcement Network in the United States and the Joint Money Laundering Intelligence Taskforce in the United Kingdom. Additionally, ensuring that policy issues and the need for legislative change are part of the collaborative conversation will also allow corporations and governments to work together to support appropriate legislative solutions.
Governments should engage in a public information campaign that highlights corporate practices that are detrimental to consumers, whether intentional or unintentional. This campaign should focus on informing consumers about what they need to do to protect their data.
Finally, government efforts should also include working directly with corporations to ensure that they only retain information that is necessary for business purposes. There should be an understanding that the persistent storing of consumers’ information is unwarranted, unless actual permission for that sharing is given by the consumers. Prosecutors should be part of this conversation and, when corporations or governments engage in practices that may put consumers’ private information at risk, consumers should themselves have legal remedies.
The corporate and government use of personal data has become an integral part of daily life and a large amount of personal data is collected and shared every day for both legitimate and criminal purposes. Corporations and governments have a joint responsibility to protect private data and cooperate with law enforcement. This can be achieved by collaborative efforts, sharing of information, and strong effective legislative response to the malicious use of private data, as well as outreach campaigns to educate the public on how to protect their data and what harm can occur if data is compromised.
CLOUD Act, S. 2383, 115th Cong. (2018).