The Foreign Intelligence Surveillance Act (FISA)
• Establishes standards and procedures for electronic surveillance that collects foreign intelligence within the U.S. FISA orders can issue when foreign intelligence gathering is a significant purpose of the investigation.
• Orders issue from a special court of federal district court judges, the Foreign Intelligence Surveillance Court (FISC).
• FISA authorizes wiretap orders, pen register and trap and trace orders (for phone numbers, email addresses, and other addressing and routing info), and orders for video surveillance.
• Entities that receive FISA orders to produce records generally cannot disclose the fact of the order to targets of the investigation. There is generally no disclosure after the fact to the target of a FISA wiretap as there is for law enforcement wiretaps.
• Section 702 refers to a provision in the FISA Amendments Act, which revised FISA.
  o Applies to the collection of electronic communications of targeted individuals for listed foreign intelligence purposes.
  o The FISC must annually approve certifications by the director of national intelligence and the attorney general setting the terms for Section 702 surveillance. To target the communications of any person, the government must have a foreign intelligence purpose for the collection and a reasonable belief that the person is a non-U.S. citizen located outside the U.S.
  o Two surveillance programs:
    ▪ PRISM: acting under a Section 702 court order, the government sends a judicially approved and judicially supervised directive to a company requiring collection of certain selectors, such as an email address. The company’s lawyers have the opportunity to challenge the request.
    ▪ Upstream: targets Internet-based communications as they pass through physical Internet infrastructure located within the U.S. Designed to acquire only Internet communications that contain a tasked selector. Emails and other transactions that make it through the filters are stored for access by the NSA, while information that does not make it through the filters is never accessed by the NSA or anyone else.
The Communications Assistance to Law Enforcement Act (CALEA)
• Aka Digital Telephony Bill
• Lays out the duties of defined actors in the telecommunications industry to cooperate in the interception of communications for law enforcement and other needs relating to the security and safety of the public.
• Requires telecommunications carriers to design their products and services to ensure that they can carry out a lawful order to provide gov access to communications.
• The FCC implements CALEA.
• Applies to telecommunications carriers but not to other information services.
  o VoIP is considered a telecommunications service and must operate under CALEA requirements.
The USA Patriot Act
• Section 217 permits, but does not require, the owner or operator of a computer system to allow law enforcement to intercept a computer trespasser’s communications in defined circumstances. For computer trespassers, law enforcement can now perform interceptions if:
  o The owner or operator of the protected computer authorizes the interception of the computer trespasser’s communications on the protected computer
  o The person acting under color of law is lawfully engaged in an investigation
  o The person acting under color of law has reasonable grounds to believe that the contents of the computer trespasser’s communications will be relevant to the investigation
  o Such interception does not acquire communications other than those transmitted
CIPP/US Outline
• Expanded the definition of pen register/trap and trace beyond telephone numbers to include dialing, routing, addressing, or signaling info.
• Section 215: provides that a federal court order can require the production of any tangible thing for defined foreign intelligence and anti-terrorism investigations.
  o Disclosure is permitted to the persons necessary to comply with the order and to an attorney.
• Expanded the use of National Security Letters (NSLs).
  o Included strict rules against disclosing that an organization had received an NSL.
  o A 2006 amendment provided that recipients are bound to confidentiality only if there is a finding by the requesting agency of interference with a criminal or counterterrorism investigation, or for other listed purposes.
  o Recipients could petition the court to modify or end the secrecy requirement.
  o As of 2015, the FBI now presumptively terminates NSL secrecy for an individual order when an investigation closes, or no more than three years after the opening of a full investigation.
The Bank Secrecy Act (BSA)
• Aka “The Currency and Foreign Transaction Reporting Act.” Authorizes the U.S. Treasury secretary to issue regulations that impose extensive record-keeping and reporting requirements on financial institutions (FIs).
• Anti-money laundering and fraud effort.
• FIs must keep records and file reports on certain financial transactions:
  o Currency transactions in excess of $10,000 (does not include credit secured by real property)
  o Bank checks, drafts, cashier’s checks, money orders, and traveler’s checks for $3,000 or more in currency
• Applies to: any entity subject to supervision by a state or federal bank supervisory authority (banks, securities brokers, card clubs, etc.).
• Certain funds transfers are exempted from regulation, including those governed by the Electronic Funds Transfer Act and those made through automated clearinghouses, ATMs, or point-of-sale systems.
• Record Retention:
  o Only those records with a “high degree of usefulness”
  o Must include:
    ▪ Borrower’s name and address
    ▪ Credit amount
    ▪ Purpose and date of credit
  o Such records may be maintained for five years
  o For deposit account records:
    ▪ Depositor’s taxpayer ID
    ▪ Signature cards
    ▪ Checks exceeding $100
• Suspicious Activity Reports (SARs)
  o FIs must file in certain situations; SARs alert the government to suspicious transactions.
  o Must be filed with the Financial Crimes Enforcement Network (FinCEN) in the following circumstances:
    ▪ When an FI suspects an insider of committing a crime, regardless of dollar amount
    ▪ When the entity detects a crime involving $5,000 and has a substantial basis for identifying a suspect
    ▪ When the entity detects a crime involving $25,000 (no need for a suspect)
    ▪ When the entity detects currency transactions aggregating $5,000 or more that involve potential money laundering
• Violations: civil penalties include fines up to $25,000 or the amount of the transaction (up to a $100,000 maximum), as well as penalties for negligence ($500 per violation). Additional penalties of up to $5,000 per day for failure to comply. Penalties of up to $25,000 for failure to comply with the information sharing requirements of the USA PATRIOT Act. Penalties of up to $1 million for failure to comply with due diligence requirements. Criminal penalties include a fine of up to $100,000 and/or 1 year of imprisonment, and a fine of up to $10,000 and/or 5 years of imprisonment.
The International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
• Part of the USA PATRIOT Act. Expanded the reach of the BSA. Gave the U.S. Treasury secretary the ability to promulgate broad rules to implement modified Know Your Customer requirements.
Medical Privacy: Confidentiality of Substance Use Disorder Patient Records Rule
• Does not preempt stricter state laws
• Scope: covers the disclosure of “patient identifying” information by treatment programs for alcohol and substance abuse.
• Applicability: any program that receives federal funding:
  o An individual or entity that provides alcohol or substance abuse diagnosis, treatment, or referral for treatment
  o An identified unit within a general medical facility that provides alcohol or substance abuse diagnosis, treatment, or referral for treatment
  o Medical personnel or other staff in a general medical facility whose primary function is the provision of alcohol or substance abuse diagnosis, treatment, or referral for treatment
• Disclosure: must obtain written patient consent before disclosing.
• Redisclosure: prohibited when that information would “identify, directly or indirectly, an individual as having been diagnosed, treated, or referred for treatment.”
• Exceptions to consent requirements:
  o Medical emergencies
  o Scientific research
  o Audits and evaluations
  o Communications with a qualified service organization
  o Crimes on program premises or against personnel
  o Child abuse reporting
  o Court order
• Violations: not more than $500 for the first offense; $5,000 for each subsequent offense. Reported to the U.S. Attorney’s Office.
USA FREEDOM Act
• Set new rules for national security investigations prohibiting the use of pen register/trap and trace orders for bulk collection and restricting their use to circumstances where there were specific selectors such as an email address or telephone number.
• Ended the bulk collection conducted under Section 215 of the PATRIOT Act.
The Cybersecurity Information Sharing Act (CISA) 2015
• Permits the federal government to share unclassified technical data with companies about how networks have been attacked and how successful defenses against such attacks have been carried out. CISA encourages companies to voluntarily share the same information with the government.
• A company’s release of information about cyber threat indicators and defensive measures receives certain protections:
  o Limitations on liability
  o Non-waiver of privileges
  o Exemption from FOIA disclosure
• Provisions:
  o Authorization for a company to share or receive cyber threat indicators or defensive measures
  o Requirement for the company to remove personal information before sharing
  o Sharing information with the federal government does not waive privileges (no similar provision for sharing with state/local governments)
  o Shared information is exempt from federal and state FOIA laws
  o Prohibition on the government using shared information to regulate or take enforcement actions against lawful activities
  o Authorization for a company’s monitoring and operating of defensive measures
  o Protection from liability for monitoring activities