In a White Paper issued late last week, the Department of Justice (“DOJ”) asserted that the Stored Communications Act (“SCA”) does not prohibit network operators from voluntarily sharing aggregated non-content data with the government, provided that the aggregated data does not reveal information about a particular customer or subscriber.
According to Deputy Attorney General James Cole, the new guidance resulted from company executives’ desire “to work more closely with the government . . . without compromising consumer privacy.” He further noted that DOJ “share[s] that concern and developed this guidance to help clarify that companies can and should share aggregated information with the government” so that the two can partner “to protect consumers from malicious cyber threats.”
This latest development in the interpretation of the SCA (18 U.S.C. § 2701 et seq.), which governs the obligations of communications services providers to protect or disclose subscriber or customer information or records, provides another example of the government’s broad view of what data the statute permits companies to share. Here, the DOJ concluded that Section 2702(a)(3)’s prohibition on the disclosure of a subscriber or customer’s record or other information to the government does not apply to the disclosure of non-content information in an aggregated form.
The DOJ provided several examples of the types of information it believes communications service providers could share without fear of violating the SCA:
- Their total number of customers;
- Cyber threat characteristics, provided they do not pertain to specific customers or subscribers;
- Information on computer viruses or malicious cyber tools (such as the associated file size, protocol or port) that do not divulge subscriber or customer-specific details; and
- Internet traffic pattern information, such as irregular surges or drops “which could be harbingers of a serious cyber incident.”
In support of its position that the SCA permits the disclosure of aggregated data, the DOJ analogized to the Telecommunications Act of 1996 and Cable Communications Privacy Act of 1984. Both statutes regulate the disclosure of information possessed by telecommunications providers, and both permit the disclosure of aggregated information provided it does not identify particular persons or customers. The DOJ also found instructive the Federal Trade Commission’s exclusion of aggregated data from the definition of “personally identifiable financial information” under the Gramm-Leach-Bliley Act.
The DOJ warned, however, that its views should not be interpreted as creating any substantive or procedural rights. And, because the legal framework involved requires a very fact-specific analysis, the DOJ emphasized that all entities considering non-content disclosures should seek their own legal counsel. (That is advice we here at caveat-vendor always endorse!)
Notably, this is the second set of guidance on sharing of cybersecurity information issued by the DOJ within the span of a month. In April, the DOJ and the FTC issued a joint statement to clarify that antitrust concerns should not act as a “roadblock” to the sharing of cybersecurity information. The antitrust statement distinguished arrangements for disclosure of cyber threats “from the sharing of competitively sensitive information such as current or future prices and output or business plans.”
With threats to data security on the rise and continuing congressional inaction, the government clearly seems focused on ways to help companies improve data protection efforts within the framework of existing laws. These latest efforts do not carry the force of law but should provide companies with some comfort that in venturing a bit further toward careful, cooperative data-sharing they will not face governmental opposition.