Ever since Mr. Edward Snowden released classified information about the U.S. spying program “Prism,” a dirty little secret within the tech service industry has emerged – namely, that when it comes to securing mission-critical data, companies like Google, Facebook, Yahoo, etc., must, in accordance with the law, hand over such data, thereby throwing a wrench into what exactly their fiduciary obligations are. On one hand, federal and state laws may require disclosure of released data, but subject to statutory obligations, disclosure of data to the government may be compulsory, and that notification of such disclosures could potentially make businesses criminally liable for revealing such participation in a classified government program. Up until a few days ago, most consumers likely never connected those points.
This is the conundrum tech firms face, and is an image crisis at the very least – i.e. they want to be portrayed as protecting the privacy of their consumers, but not at the expense of being uncooperative with a court order or government investigation. There are many laws that protect disclosing companies from prosecution for failing to immediately report a release of mission-critical data. As that relates to state data breach laws, companies are not required to immediately disclose a breach of data, if such disclosure would hinder an ongoing criminal investigation. Additionally, under the Foreign Intelligence Surveillance Act (“FISA”), tech firms must comply with a legitimate request from the government to release information related to an investigation.
The profile narrative for modern-day whistleblowers revels that a majority of the high-profile whistleblowers are people in their 20’s (i.e. PFC Manning; Mr. Snowden). My hypothesis for why the government has had a hard time protecting secret government programs is that government “chief’s” have failed to recognize that the next generation of government workers (i.e. Gen X, Gen Y, and Gen .me) grew up in a society with a diminished expectation of privacy. For better or worse, those government chief’s have failed to translate to the next generation “GS-Worker” the importance of securing mission-critical information. The same could be said for many private sector organizations.
As for tech firms, when faced with the twin fiduciary dragon of protecting mission-critical data and complying with a court order, contact your general counsel to see if there is a way to work with the government so as to have as minimal an impact/footprint as possible. More often than not, government officials are willing to work with firms’ upon whom a request of data has been made.