Companies Providing Data Under Threat of Prosecution

Wednesday, July 27, 2011

Marjorie Morgan


An effort is underway to compel potentially thousands of companies to provide proprietary data under the Defense Production Act (DPA) under the threat of fines and criminal prosecution.

While use of the DPA has ample precedent, the current use seems to go well beyond its intended purposes with targets outside the traditional DIB companies.

We are told as many as 5000 companies from a variety of industry sectors may receive these compulsory surveys.

Several private sector firms have already received extensive requests for information from the Department of Defense and the Department of Commerce using the Defense Production Act (DPA) to enforce compliance.

“A response to this survey is required by law (50 U.S.C. app. Sec. 2155). Failure to respond can result in a maximum fine of $10,000, imprisonment of up to one year, or both.”

The data requests include sensitive security, financial, and product and market forecasting data. For example, one survey asks for five-year projection data on market forecast broken down by segment, specific product information and sensitive locations.

A collection of several industry organizations has reached out to several agencies of the Executive Branch questioning the need for such heavy-handed tactics, since much of the data requested in the survey is already available through other authoritative agencies such as the SEC and the IRS.

Moreover, while the DPA does empower government to make legitimate requests from industry, the law states that this information is to be requested “only after the scope and purpose of the... inquiry to be made have been defined... and it is assured that no adequate and authoritative data are available from any Federal or other responsible agency.”

However, neither the surveys nor the letter accompanying them have provided more than vague and general purposes for the inquiry, and nothing that speaks to the need for the specific proprietary information requested.

This use of the DPA sets a dangerous precedent. It appears to be a fishing expedition rather than a real risk assessment process, with no clear objective as to how the data will be used, and it sets a dangerous precedent of government demanding private information without clear and compelling reason.

By demanding corporate information under threat of fines and imprisonment, the Government is changing the fundamental nature of the relationship between it and the private sector from one of public-private partnership to one of potential adversaries.

This use of the DPA could have a chilling effect on needed information sharing between the public and private partnerships and thus compromise our longer-term security.

There is no assurance available from government that the information garnered through this process will be adequately secured. We have been unable to determine who will have access to the data, how the data will be used and under what authority, how long it will be retained, and whether it will be adequately protected.

We are mindful that much of the data in the current requests is valuable and proprietary.

We have a strong and proven interest and willingness to assist in our nation's cyber defenses. However, the use of DPA authority could have a chilling effect on needed information sharing between the public and private partnerships, thus compromising our longer-term security.

These survey requests can be construed as a fast track implementation of the administration’s regulatory proposal, even though it has not been acted on by Congress.

About the Internet Security Alliance

The Internet Security Alliance (ISA) is a unique multi-sector trade association which provides thought leadership and strong public policy advocacy as well as business and technical services to its membership. The ISA represents enterprises from the aviation, banking, communications, defense, education, financial services, insurance, manufacturing, security, and technology industries. ISA’s mission is to integrate advanced technology with the realistic business needs of its members and enlightened public policy to create a sustained system of cyber security.
