Scope of Stored Communications Act Continues to Be Defined: DOJ Says Companies Can Share Aggregated Cyber Threat Data
By Mary-Elizabeth Hadley
According to Deputy Attorney General James Cole, the new guidance resulted from company executives’ desire “to work more closely with the government . . . without compromising consumer privacy.” He further noted that DOJ “share[s] that concern and developed this guidance to help clarify that companies can and should share aggregated information with the government” so that the two can partner “to protect consumers from malicious cyber threats.”
This latest development in the interpretation of the SCA (18 U.S.C. § 2701 et seq.), which governs the obligations of communications services providers to protect or disclose subscriber or customer information or records, provides
The DOJ provided several examples of the types of information it believes communications service providers could share without fear of violating the SCA:
Their total number of customers;
Cyber threat characteristics, provided they do not pertain to specific customers or subscribers;
Information on computer viruses or malicious cyber tools (such as the associated file size, protocol or port) that do not divulge subscriber or customer-specific details; and
Internet traffic pattern information, such as irregular surges or drops “which could be harbingers of a serious cyber incident.”
In support of its position that the SCA permits the disclosure of aggregated data, the DOJ analogized to the Telecommunications Act of 1996 and Cable Communications Privacy Act of 1984. Both statutes regulate the disclosure of information possessed by telecommunications providers, and both permit the disclosure of aggregated information provided it does not identify particular persons or customers. The DOJ also found instructive the Federal Trade Commission’s exclusion of aggregated data from the definition of “personally identifiable financial information” under the Gramm-Leach-Bliley Act.
The DOJ warned, however, that its views should not be interpreted as creating any substantive or procedural rights. And, because the legal framework involved requires a very fact-specific analysis, the DOJ emphasized that all entities considering non-content disclosures should seek their own legal counsel. (That is advice we here at caveat-vendor always endorse!)
Notably, this is the second set of guidance on sharing of cybersecurity information issued by the DOJ within the span of a month. In April, the DOJ and the FTC issued a joint statement to clarify that antitrust concerns should not act as a “roadblock” to the sharing of cybersecurity information. The antitrust statement distinguished arrangements for disclosure of cyber threats “from the sharing of competitively sensitive information such as current or future prices and output or business plans.”
With threats to data security on the rise and continuing congressional inaction, the government clearly seems focused on ways to help companies improve data protection efforts within the framework of existing laws. These latest efforts do not carry the force of law but should provide companies with some comfort that in venturing a bit further toward careful, cooperative data-sharing they will not face governmental opposition.
Caveat Vendor is Paul Hastings’ Consumer Issues blog.