A panel at the 7th Annual Homeland Security Law Institute event in March raised the specter of an international hacking incident.
The panel — composed of senior attorneys from the CIA, FBI, Office of the Director of National Intelligence and the Justice Department’s National Security Division — presented a hypothetical scenario involving a defense contractor that had an agreement with a U.S.-based cloud computing company.
The hypothetical cloud company stored highly sensitive data, including satellite design documents, and notified the defense contractor that its data center in a Southeast Asian country had been hacked and a large amount of data exfiltrated. There is reason to believe the attack is ongoing and that it is an inside job: an employee of the cloud company with administrative, root-level access to the network is sympathetic to the ideals of the hacking group claiming credit for the incident.
Why raise this topic in a column generally directed at import-export issues? Does your company have a Web site on which goods are offered for sale to the public? If so, the above hypothetical presents a very real potential nightmare.
Unlike the defense contractor, which has a duty to report to the Department of Defense that its data was hacked, you, as an international trader, generally don’t have a similar obligation to report to a federal agency, because of the nature of your business. If you’re selling goods through your Web site, however, you have collected personal data, such as names, addresses and credit card details, and that brings its own obligations. If you discover you were hacked, how long can you take, or should you take, before notifying your customers?
Your sales likely are to many countries. Assuming you have proper screening software, you have eliminated sales to prohibited end-users and end-uses, but what about the privacy rights of those to whom you have sold your products?
U.S. laws are quite different from those in the European Union. EU data privacy rights are quite strict. Those rights protect “any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
The burden of compliance is placed on the controller, meaning whoever collects the data must ensure it remains confidential. That obligation applies if you’re located in the EU, but equally if you merely use equipment located in the EU to process the data.
Have you checked lately where the vendor you use to store your data locates its servers? Does your contract with that vendor require advance notice before new servers are put into use, so you know the country in which they sit and can opt out where necessary to comply with relevant U.S. laws?
Although there’s no question the EU’s laws are quite strict, U.S. laws are not much more liberal. And the laws within the U.S. differ from state to state. In all but a few states, some sort of immediate or at least prompt notice to those whose data has been exposed is mandated.
In some states, the requirements as to how data subject to privacy protection must be maintained are detailed, laying out the exact steps required. Regardless of the legal framework, companies would be foolish to collect personal data, discover a breach and then conceal it for any length of time. If you’re going to wait to disclose, the only legitimate excuse seems to be cooperation with law enforcement.
If you’re the cloud computing company, however, do you really want to let the world know your supposedly secure database can be breached, even if it’s an inside job by a disgruntled employee? Probably not.
Are the rules different if you don’t sell product through your Web site, but only advertise on it? Of course, because you presumably don’t collect personal data (assuming the site has no contact forms, sign-ups or similar features that do).
The definition of personal data can be broad. California’s definition includes an individual’s first name or initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: Social Security number; driver’s license number or California identification card number; account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account; medical information.
While, admittedly, international traders don’t generally collect medical information (unless they are in a business that deals in medical-related products), they often collect other personal data. For example, as a customs broker or freight forwarder, you might obtain an individual’s name and Social Security number to file the entry or transmit via the Automated Export System on the person’s behalf. You also might obtain an individual’s name and a copy of his driver’s license to establish his bona fides.
If you sell goods to individuals, regardless of whether it’s online or through more traditional means, you again regularly obtain the same types of data mentioned above from your customers in filling their orders. How much of this personal data is somewhere in your computer system? For all of us, the answer is it can be found in electronic format somewhere in our systems.
Susan Kohn Ross is an international trade attorney with Mitchell Silberberg & Knupp in Los Angeles. Contact her at firstname.lastname@example.org.