How to Respond to National Security Letters That Ask for Personal Information

National Security Letters (“NSLs”) refer to a collection of statutes that authorize certain government agencies to obtain information and simultaneously impose a secrecy obligation upon the recipient of the letter.

Four statutes permit government agencies to issue NSLs: (1) the Electronic Communication Privacy Act,1 (2) the Right to Financial Privacy Act,2 (3) the National Security Act,3 and the (4) Fair Credit Reporting Act.4 Although differences exist between the NSLs issued under each statute, in general, all of the NSLs permit a requesting agency to prevent an organization that receives the NSL from disclosing the fact that it received the request, or the type of information that was requested, if disclosure may result in a danger to national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of a person. If the recipient of a NSL wishes to challenge a non-disclosure request accompanying a NSL, the recipient may file a petition with a U.S. district court in the district where the person does business,5 or, the recipient may request that the requesting agency obtain judicial review of the nondisclosure request.6 In both instances, the requesting agency must file an application with the court setting forth the reasons for the nondisclosure request. …


How to Respond to Government Subpoenas and Document Requests That Ask for Personal Information

Federal and state agencies traditionally obtain information for law enforcement purposes using a variety of methods including:

  • court issued subpoenas,
  • grand jury subpoenas,
  • search warrants,
  • litigation discovery requests, and
  • administrative subpoenas.1

A request by a government agency for personal information about one, or more, consumers may conflict with consumers’ expectations of privacy, and, in some instances, may arguably conflict with legal obligations imposed upon an organization not to produce information.  For example, if an organization promises within its privacy policy that it will never share the information that it collects with a “third party” and does not include an exception for requests from law enforcement, or government agencies, a consumer could argue that by producing information pursuant to a government request, an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law. …


Best Practices for Sharing Threat Indicators with the Government (2016)

After a security incident is identified organizations often consider whether to share information concerning the incident with government agencies. If the incident involved criminal conduct, federal law enforcement agencies – such as the Federal Bureau of Investigation or the United States Secret Service – may be interested in investigating and attempting to prosecute those responsible. It’s also possible that law enforcement already may be investigating similar incidents and can share information that may help in your investigation. For example, they may be able to identify IP addresses associated with bad actors, security vulnerabilities that are being exploited within other organizations, or evidence that might suggest that criminals successfully obtained information from your organization….


IAPP Denver Event

May 23, 2016

Bryan Cave is hosting an International Association of Privacy Professionals (IAPP) lunch event on May 23 in its Denver office. Boulder Partner David Zetoony is co-chair of the Colorado regional network of IAPP. Click here for more information or to register.

Steven Fritz, Special Counsel, Law Offices of Louise Bouzari

Responding to Government Investigations of Data Privacy and Security Practices

11:30 a.m. – 1 p.m.

CPE Credits:
CIPM, CIPP/G, CIPP/US and CIPT certificate holders will automatically receive 1.5 Group A continuing privacy education (CPE) credits for attending this KnowledgeNet Chapter meeting. For all other IAPP certifications, credits will be applied to Group B. If you have certification questions, please read our cpe policy or e-mail