Questioned Documents v. 2009 NRC Report Decision of Note:

The D.C. Court of Appeals has held on the state of forensic science-that handwriting comparison and identification, as practiced by FBI examiners, passes the Frye test for admissibility. The case came about as a result of the findings in the 2009 NRC report  that concluded, “With the exception of nuclear DNA analysis, . . . no forensic method [of ‘matching’] has been rigorously shown to have the capacity to consistently, and with a high degree of certainty, demonstrate a connection between evidence and a specific individual or source.”

Labor and Employment Law Related:

Law Enforcement Needs No Warrant for Phone Number:

7^th U.S. Circuit Court of Appeals out of Chicago has ruled that police may search a cell phone for its number without obtaining a warrant. The phone number on the cell phone, which is effectively a computer, was seized from the defendant at the time of arrest in a narcotics bust. It was used to subpoena the owner’s call history, revealing conversations with co-conspirators. Judge Richard Posner, writing for the three-judge panel hearing arguments in this case on January 25 and which was decided February 29, compared a cell phone not only to a computer, but to a pocket diary.  He wrote: “If police are entitled to open a pocket diary to copy the owner’s address, they should be entitled to turn on a cellphone to learn its number.” Furthermore: “If allowed to leaf through a pocket address book, as they are … , they should be entitled to read the address book in a cellphone. If forbidden to peruse love letters recognized as such found wedged between the pages of the address book, they should be forbidden to read love letters in the files of a cellphone.”

Citing cases going back to the 1981 decision in New York v. Belson and the “Robinson Rule” it would be wise for professional investigators to take time to read Judge Posner’s 15-page decision. Many factors were considered, such as whether inspecting a cellphone is greater than the searching of a “container” or if such might actually be a “stun Gun.”

Although the actual make and model of the cell phone was never identified the decision noted  “that an iPhone application called an iCam allows one to access a home computer’s webcam, thus allowing one to survey inside a home while a thousand miles away. Thus at the touch of a button a cell phone search becomes a  house search, and not a search of a ‘container’ in any normal sense of that word, though a house contains data.” 

Judge Posner’s decision ends: “But these are questions for another day, since police did not search the content’s of the defendant’s cell phone, but were content to obtain the cell phone’s phone number. – Affirmed”  

Expect this Fourth Amendment issue to eventually be decided by the U.S. Supreme Court. It will have ramifications as controversial as the recent GPS tracking case of U.S. v. Jones.

The decision in USA v. Flores-Lopez is available at: http://www.abajournal.com/files/CellPhones.pdf

HR 4112: Security Related:

Legislation introduced by Congressman Thomas Marino (R-PA-10), if passed, will allow DOJ Authorized Third Party Screeners to Conduct FBI Checks in Instances Where States Do Not Provide for Such.

The National Association of Security Companies (NASCO), representing contract private security companies, has endorsed H.R. 4112, the Private Security Officer Screening Improvement Act (PSOSIA), introduced March 6 by Representative Thomas Marino (R-PA-10).

In 2004, Congress passed the PSOEAA, the Private Security Officer Employment Authorization Act, recognizing the need for employers of private security officers to have access to an important criminal background check — the FBI criminal history record check.  However, the PSOEAA required such checks to be conducted by a state government agency, and unfortunately, too many states still do not provide the checks for all security officers eligible to be checked under the PSOEAA. This effectively means that tens if not hundreds of thousands of security officers in the United States work without a full FBI check of their criminal history.

The PSOSIA amends the Private Security Officer Employment Authorization Act (PSOEAA) to allow Department of Justice authorized “screening entities” to conduct FBI checks on private security officers, as provided for in the PSOEAA, for authorized employers when such checks are not available from the State of employment.

“The PSOSIA will dramatically increase availability of FBI criminal background checks for all private security officers,” said Jeff Flint, Executive Director of NASCO, “and that will make the public safer.  The public wants to know that when they rely on a private security officer for their safety as they do in so many venues, that officer has been subject to a background check. It’s that simple.”

The PSOSIA would allow employers of security officers, to go through a Department of Justice-authorized “screening entity” for an FBI check when the state of employment does not provide the check. A “screener” is defined as a third-party entity authorized by DOJ to access FBI criminal records and provide background checks for employers.  Third party entities are already being used for congressionally authorized FBI background checks in fields such as banking, nursing homes, financial securities, and others.  Their use should also be expanded to private security. ISPLA has been actively working to gain similar access for other entities and for additional purposes.

“NASCO has always been at the forefront of increasing standards and professionalism in private security,” continued Flint. “The current gap in the PSOEAA is a public safety and homeland security risk and it must be closed.

ISPLA supports this legislation and applauds NASCO’s work in lobbying for this important legislation. We also urge Congress to act quickly to adopt it.

In a follow-up  last  week, The Washington Post writes: “The push for legislation comes after it was found that a piece of software called Carrier IQ was installed in about 150 cellphones from AT&T, Sprint and T-Mobile. The software recorded data such as carrier networks, data transmission speeds, phone numbers called, Web sites visited and battery life. The software was designed to tell mobile carriers about the status of their networks, but the company admitted in December that its software might have captured keystrokes or the content of messages by accident.”

Rep.Markey wants the Federal Trade Commission to investigate whether Carrier IQ was being unfair or deceptive toward consumers, saying that the software raised serious privacy concerns. Federal investigators are believed to be investigating those allegations.

In a press release from Markey’s office he states: “Consumers may have no idea that through monitoring software their mobile devices are transmitting personal information, including who is called and what is typed in text messages, to third parties, including companies such as Carrier IQ.  The presence of this type of monitoring software on mobile devices should be disclosed to consumers, says Congressman Edward J. Markey (D-Mass.), co-Chair of the Bi-Partisan Congressional Privacy Caucus. Which is why today, Rep. Markey released a discussion draft of “The Mobile Device Privacy Act,” legislation that would require companies to disclose to consumers the capability to monitor telephone usage, as well as require express consent of the consumer prior to monitoring. News broke last month that Carrier IQ software installed on millions of smart phones and mobile devices can track every keystroke of users and send the information back to the software company without user knowledge or permission.”

Representative Markey states his “Mobile Device Privacy Act” would protect consumers by requiring:

• Disclosure of mobile telephone monitoring software, including when a consumer buys a mobile phone; after sale, if the carrier, manufacturer, or operating system later installs monitoring software; and if a consumer downloads an app and that app contains monitoring
• Disclosure to include the fact that the monitoring software has been installed on the phone, the types of information that are collected, the identity of the third party to which the information is transmitted, and how such information will be used.
• Consumer consent be obtained before monitoring software begins collecting and transmitting information.
• Third party receiving the personal information must have policies in place to secure the information.
• Agreements on transmission to third parties must be filed at the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).
• Outline an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action.

Link to Representative Markey’s 15-page draft of his “Mobile Device Privacy Act” is at:

http://markey.house.gov/sites/markey.house.gov/files/documents/Mobile%20Device%20Privacy%20Act%20–%20Rep.%20Markey%201-30-12_0.pdf

Bruce Hulme
ISPLA Director of Government Affairs
www.ISPLA.org

The Indiana legislature has introduced HB 1006 to repeal mandatory licensing of private investigators and security guards. The Indiana Association of Professional Investigators (IAPI) and the Indiana Society of Professional Investigators (INSPI) are working together to stop this bill from becoming law. Indiana has a short legislative session that will end in March 2012. It is important that all investigative and security professionals from around the country support the efforts of our colleagues in Indiana.

We are asking all licensed investigative and security professionals to download the attached letter that you can paste on to your own business letterhead (Feel free to add information you feel is important and to personalize it). The letter can be found by clicking on the following link:

Vote NO on HB 1006.doc
(If you are unable to open this link or download the document reply to this email and the document will be sent directly to you)

Once you have completed the letter please email it to isplavoice@gmail.com. ISPLA will be putting a booklet together of all letters received that will then be provided to the Indiana associations to use in their lobbying efforts. Please take a few minutes of your time to help our colleagues in Indiana fight this bad bill. The next time could be your state!!

Additional information on this issue, including the bill and the Indiana government report supporting the repeal of licensure, can be found at www.ispla.org/indiana

Peter Psarouthakis
ISPLA Executive Committee Chairman

Due to the rapid advances in technology Congress has attempted to address conflicts between technological innovation and privacy interests. At the same time the courts have been asked to resolve similar issues, particularly to determine whether the Fourth Amendment’s protection against unreasonable searches and seizures precludes police agencies from placing a GPS tracking device on a person’s vehicle without a warrant. Pending before the U.S. Supreme Court is the matter of United States v. Jones, 131 S. Ct.3064 (2011).  It is our hope that the government wins.  If not, our position is greatly weakened in those states that presently allow GPS tracking use by private sector investigators conducting lawful investigations. A loss by the U.S. will adversely affect our lobbying efforts regarding laws proposed to limit GPS use. Coupled to this issue are concerns of cell phone location tracking.

In New York , the matter of Michael Cunningham v. New York State Department of Labor, New York Supreme Court, Appellate Division, Third Department No. 512036, in a 3-2 decision, the court ruled that the NYS Department of Labor was within its rights when it utilized GPS tracking to follow an employee during and after work hours and while on vacation with his family. It dismissed the claims of Michael Cunningham, a former Labor Department employee, that the use of a GPS tracking device constituted an illegal search and seizure. The state relied on GPS data to show that Cunningham had submitted false expense sheets and other travel records. The court ruled that because the device was only monitored by an investigator during work hours its use was constitutional.  “To establish a pattern of serious misconduct, it was necessary to obtain pertinent and credible information over a period of time.” In a dissenting opinion it was argued that while the use of a GPS device to track employees suspected of misconduct is reasonable during work hours, the scope of the use in Cunningham’s caseundefinedwas unconstitutional. “(The Labor Department’s) valid interest in (Cunningham’s) whereabouts extended only to the hours of his workday, yet the device placed on (his) personal vehicle collected data 24 hours a day, seven days a week.”

A bipartisan bill S. 1212 and H.R. 2168, the Geolocational Privacy and Surveillance Act, or GPS Bill, offered by Senator Ron Wyden [D-OR] and Representative Jason Chaffetz [R-UT-3], seeks to clarify and establish the standards government must meet to monitor an individual’s movements. It would effectively ban GPS use by private investigators without permission of the vehicle’s owner. The proposed legislation calls for a broad prohibition against the disclosure or use of geolocation information making it unlawful for any person to (A) intentionally intercept geolocation information pertaining to another person; (B) Intentionally disclose geolocation information pertaining to another person when it is known that information was obtained in violation of the act; (C) intentionally use any geolocation when it is known that information was obtained in violation of the act; or (D) intentionally disclose information that was lawfully obtained under the act, but not authorized to be released to third parties.

Under this GPS bill the government’s only means for acquiring geolocation information would be pursuant to a warrant under Rule 41 of the Federal Rules of Criminal Procedure or the Foreign Intelligence Surveillance Act (FISA) of 1978. The Stored Communication Act or Pen Register/Trap and Trace Act would no longer be the method whereby such information is required.

In an emergency or exigent circumstances the police or emergency responders are allowed to use geolocation information to a person requesting assistance, such as a 911 call or where police “believe that the life or safety of the person is threatened or to assist the person.” There are other permitted circumstances for such methods by the US Attorney General and states’ Attorneys General to intercept geolocation information without a warrant.  An exclusionary rule is also contained in the GPS bill that no evidence acquired in violation of the act may be received in evidence in any trial or judicial proceeding.  This contrasts between the ECPA which does not contain an exclusionary rule.

A coalition of industry representatives, including Apple, AT&T, and Google, has joined with the ACLU and the Constitution Project to form the “Digital Due Process Coalition to advocate amending various federal surveillance laws. Senate Judiciary Chairman Patrick J. Leahy [D-VT] introduced S. 1011, the Electronic Communications Privacy Act Amendments of 2011 which would not only amend the 25-year old ECPA but the Stored Communications Act as well.

Representative Edward J. Markey [D-MA-7] in a December 2, 2011 letter to the chairman of the Federal Trade Commission raised privacy issues and claims of potential violations of Section 5 FTC “unfair or deceptive acts or practices” concerning reported technology developed by Carrier IQ, a cell phone monitoring provider. An item published in “Wired” magazine was an impetus for Representative Markey’s writing to the FTC. The effects of the reported technology are apparently applicable to Android, BlackBerry and Nokia users. Representative Markey’s letter may be found at:

http://markey.house.gov/docs/2011_1201_letter_to_ftc.pdf

Wireless carriers will be claiming that the data of 150 million potential users presently does not violate their privacy and the carriers’ use of this software is only to diagnose smartphone and network issues. Senator Al Franken [D-MN] chairs the Senate Privacy Subcommittee and has also entered into the fray. Earlier in 2011, he held hearings on the S. 1223, the Location Privacy Protection Act of 2011. a bill he cosponsored with Senator Richard Blumenthal [D-CT].  There has been speculation that the FBI may be handling an investigation regarding Carrier IQ.

A class action lawsuit has also been filed in the USDC for the District of Delaware in Pacilli et al v. Carrier IQ, Inc. et al. The complaint may be found at:

http://www.siannistraite.com/sites/default/files/Carrier%20IQ%20Class%20Action%20Complaint%202%20DEC%202011FINAL.pdf

There are numerous other bills pending, as well as proposed FTC regulations, regarding Internet tracking and keystroke monitoring about which ISPLA has reported throughout 2011 to members via email listservs. As we enter the Second Session of the 112th Congress, we can expect more action from Representative Markey, who also co-chairs the bipartisan Congressional Privacy Caucus.  He has been outspoken on providing privacy protections of personal consumer information. He is a longtime advocate of “opt-in” remedies.  He has investigated the data privacy and security practices of Amazon, Apple, Facebook, and Google, and the four major wireless carriers as well as the Social Security Administration. He is our profession’s “Nemesis” with a history of refusing to negotiate with private investigators regarding our concerns. Expect to hear more from him in 2012!

The following link provides the December 1, 2011 Congressional Research Service report entitled Governmental Tracking of Cell Phones and Vehicles: The Confluence of Privacy, Technology, and the Law.

http://www.fas.org/sgp/crs/intel/R42109.pdf

The writer of  the CRS report in his conclusion states: “Congress, the courts, and the people will continue to grapple with ‘what limits there are upon [the] power of technology to shrink the realm of guaranteed privacy.’ …Several Members of Congress have introduced legislation to mend this perceived problem, and overhaul the current federal regime.”

We anticipate that in 2012 privacy legislation interest will remain strong with reports of security information breaches and Identity theft continuing to remain in the headlines. We expect that the Rupert Murdoch fiasco over tapping cell phone messages in the UK may become a larger problem for our profession here in the U.S. with DOJ investigators focusing on the possible the Foreign Corrupt Practices Act, violations of FCC licensing regulations possibly affecting Fox News, and Congressional hearings scheduled to be held.

Rest assured that ISPLA is well aware of these and other issues. We will continue to address them. We are grateful to the professional associations that have acknowledged our legislative efforts at the federal level these past three years. Recently allocated donations by ALDONYS of $2500 and an additional $2500 from its Security Guard Company Committee, $2000 from PALI, $1000 from NJLPIA and $500 from INTELLENET are truly appreciated.  It is through such support, and from our individual members, that we have financed our state and federal legislative tracking systems, maintained Federal Election Commission compliance of our political action committee, professionally executed the effective federal Washington lobbying campaign of our volunteers, and achieved continuing successful results.  Thank you!

Bruce Hulme, ISPLA Director of Government Affairs

To further help support our good work — please go to: www.ISPLA.org

The first proposed bill pertains to international travel of registered sex offenders, Megan’s Law, and the End Child  Prostitution, Child Pornography and Trafficking in Children for Sexual Purposes Act (ECPAT). The second bill concerns federal confidential informants who commit crimes and a recent letter from a U.S. Senator to the current FBI Director.

Bruce Hulme, ISPLA Director of Government Affairswww.ISPLA.gov

HR 3253, the International Megan’s Law of 2011, sponsored by Rep. Christopher Lynch [R-NJ-4] was introduced on October 24 and referred to the House Committee on Foreign Affairs, and in addition to the Committee on the Judiciary, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

This bill’s stated purpose would be to protect children from sexual exploitation by mandating reporting requirements for convicted sex traffickers and other registered sex offenders against minors intending to engage in international travel, providing advance notice of intended travel by high interest registered sex offenders outside the United States to the government of the country of destination, requesting foreign governments to notify the United States when a known child sex offender is seeking to enter the United States, and for other purposes.

HR 3228, the Confidential Informant Accountability Act of 2011, sponsored by Rep. Stephen F. Lynch [D-MA-9] on October 14 has been referred to House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security.

This bill would require Federal law enforcement agencies to report to Congress serious crimes, authorized as well as unauthorized, committed by their confidential informants, to amend title 28, United States Code, with respect to certain tort claims arising out of the criminal misconduct of confidential informants, and for other purposes; to the Committee on the Judiciary.

This bill arises from the longstanding saga of the elusiveBoston FBI confidential informant mobster “Whitey” Bulger, recently captured in California who was implicated in 19 murders — and more recently from the disclosure of Mob Capo Mark Rossetti’s FBI involvement as an informant as reported in the Boston Globe.  The letter below from Senator Charles Grassley [R-IA] to FBI Director Robert S. Mueller III seems to tell it all.

“As a Ranking Member of the Senate Committee on the Judiciary, I write to inquire about recent reports from the Boston area regarding the Federal Bureau of Investigation’s (FBI) ties with alleged mafia “capo” and “acting consigliore” Mark Rossetti as a confidential informant and reports that the FBI misrepresented Mr. Rossetti’s status as an informant to the Massachusetts State Police.”

“Mr. Rossetti is currently under state indictment for a multitude of crimes including home invasions, heroin and marijuana trafficking, gambling, and loan sharking. Additionally Mr. Rossetti was convicted of armed robbery, beating a Massachusetts State Trooper nearly to death and was a suspect in multiple murders and the Isabella Steward Gardner Museum art heist, the largest in Boston history.”

“Despite all these alleged crimes and the claim that Mr. Rossetti was running a ‘sprawling criminal enterprise,’ it appears that the FBI may have engaged in a long-term relationship with Mr. Rossetti.”

“In fact, as early as 1992, an FBI agent’s pager number was found on Mr. Rossetti and former Massachusetts State Detective Bill McGreal stated that an FBI agent declined to pursue a case against Mr. Rossetti saying, ‘we decided to pass on Rossetti” despite strong evidence from a cooperating witness.’”

“According to media reports, the FBI initially misrepresented Mr. Rossetti’s status as an informant to the Massachusetts State Police. An August 16, 2011, Boston Globe article titled “Sleeping with enemy, again” reports that FBI agents initially denied that Mr. Rossetti was an FBI informant prior to commencing their investigation into his activities.

“According to the article, the FBI agents denied that they were working with Mr. Rossetti and it was only when Massachusetts State Police electronic surveillance picked up conversations between Mr. Rossetti and his FBI handler, that the FBI finally came clean and admitted its relationship to the Massachusetts State Police.”

“Given the well documented FBI malfeasance in the Whitey Bulger saga, the FBI’s actions related to organized crime in

Boston deserve a heightened level of scrutiny. In light of these past experiences and the questions raised by local media, please provide answers to the following questions:

1) Was Mr. Rossetti a confidential informant for the FBI?

a. If so, when did he become a confidential informant?

b. If so, when was this relationship terminated and why?

c. If so, was he a paid informant and how much was he paid?

2) When did the FBI first become aware of Mr. Rossetti’s criminal activity?

3) What alleged crimes was the FBI aware of?

4) Prior to being made aware of Mr. Rossetti’s alleged criminal activity by the Massachusetts State Police, was the FBI aware of any crimes alleged to have been committed by Mr. Rossetti?

a. If so, were any of those alleged crimes felonies, violent felonies, or homicides?

5) Did the FBI conduct an internal inspection, investigation, or review by the Office of Professional Responsibility into its agents’ handling of Mr. Rossetti?

a. If so, when was this investigation conducted and what entity conducted the review?

6) Have FBI agents at any time claimed to Massachusetts State Troopers that Mr. Rossetti was not a confidential informant for the FBI?

a. If so, describe the circumstances of these representations by FBI agents and when they occurred.

b. Were FBI agents ever disciplined for making representations that Mr. Rossetti was not a confidential informant? If so, please describe.

c. Please provide a written statement of the FBI’s policy regarding use of confidential informants and any other informal policies related to criminal informants and criminal activity.

Thank you for your cooperation and attention in this matter. I would appreciate a response by October 31, 2011.

Although the purpose of this bill ostensibly is to provide increased fines and/or imprisonment for using a false  identity in connection with tax fraud, Section 9 will restrict access to the Death Master File to just those persons who are certified to have a legitimate fraud prevention interest.  There are additional purposes for which such access should be granted if there are going to be restrictions to such access. The bill has been referred to the House Committee on Ways and Means.  Below is the section about which ISPLA has expressed concern.

Bruce H. Hulme
ISPLA Director of Government Affairs
www.ISPLA.org

SEC. 9. RESTRICTION ON ACCESS TO THE DEATH MASTER FILE.

(a) In General- The Secretary of Commerce shall not disclose information contained on the Death Master File to any person with respect to any individual who has died at any time during the calendar year in which the request for disclosure is made or the succeeding calendar year unless such person is certified under the program established under subsection (b).

(b) Certification Program-

(1) IN GENERAL- The Secretary of Commerce shall establish a program to certify persons who are eligible to access the information described in subsection (a) contained on the Death Master File.

(2) CERTIFICATION- A person shall not be certified under the program established under paragraph (1) unless the Secretary determines that such person has a legitimate fraud prevention interest in accessing the information described in subsection (a).

(c) Imposition of Penalty- Any person who is certified under the program established under subsection (b), who receives information described in subsection (a), and who during the period of time described in subsection (a)–

(1) discloses such information to any other person, or

(2) uses any such information for any purpose other than to detect or prevent fraud,

shall pay a penalty of $1,000 for each such disclosure or use, but the total amount imposed under this subsection on such a person for any calendar year shall not exceed $50,000.

(d) Exemption From Freedom of Information Act Requirement With Respect to Certain Records of Deceased Individuals-

(1) IN GENERAL- The Social Security Administration shall not be compelled to disclose to any person who is not certified under the program established under section 9(b) the information described in section 9(a).

(2) TREATMENT OF INFORMATION- For purposes of section 552 of title 5, United States Code, this section shall be considered a statute described in subsection (b)(3)(B) of such section 552.

The bill’s sponsors state their proposed bill “better protects consumers by replacing the current patchwork of state laws and establishing one set of national requirements. Presently, 49 states and U.S. territories have enacted laws governing data security and data breach notification standards.”

Senator Carper reiterated an ever increasing theme in the media: “While we have reaped enormous benefits from this powerful technology and innovation, millions of Americans are at risk for identity theft because of the vulnerability surrounding sensitive personal information. It seems nearly every other day there is a report of American consumers’ highly sensitive personal information being compromised by a store, a school or some third party data center.”

“At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm,” continued Sen. Carper. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country. This comprehensive approach will better serve consumers by making it easier for businesses and government agencies to take the steps necessary to adequately protect all Americans from identity theft and account fraud.” Although some state laws are similar, many have inconsistent and conflicting standards, forcing businesses to comply with multiple regulations, and leaving many consumers without proper recourse and protections.

“New technologies have greatly expanded the ways we access information and conduct day-to-day business, but these new tools also pose new security challenges that we must address as a nation,” said Senator Blunt. “This bill will help ensure that businesses and government agencies have consistent national standards across the board as we work to protect consumers’ personal information and prevent identity theft.”

If the financial establishment, retailer, federal agency or other entity determines that sensitive information was compromised or may have been compromised, the proposed bill the entity to investigate the scope of the breach, the types of information compromised or potentially compromised, and determine whether the information will likely be used to cause an individual harm or bank fraud. If the event will cause harm, then the entity must notify the appropriate federal government regulatory agency, law enforcement, and national consumer reporting agencies where the breach affects over 5,000 consumers and all consumers affected by the breach.

The Data Security Act of 2011 is modeled after the data security and breach-response regime established under the Gramm-Leach-Bliley Act of 1999 and subsequent regulations. It builds on existing law to better ensure federal and state regulators comply with the law and to make sure that data security procedures are uniformly applied. Regulators of entities who do not comply would have the authority to levy finds, require corrective measures or even bar individuals from working in their respective industries.

As previously reported, ISPLA is actively monitoring numerous security breach bills pending before Congress.

Bruce Hulme
ISPLA Director of Government Affairs
www.ISPLA.org

Your Proactive Voice from State Capitals to the Nation’s Capital

In fact, ISPLA is not really a traditional association at all. Why? ISPLA’s primary functions include reviewing proposed federal and state laws and regulations in order to identify critical issues; developing policy statements; preparing “white papers;” implementing action plans; serving as a resource to the profession, government and the media; providing testimony before hearings, boards and study groups; identifying third-party stakeholders with mutual interests and acting as their liaison to government; serving as an advocate for or against specific bills affecting investigative and security professionals; engaging state and federal lawmakers to influence legislation beneficial to the investigative and security professions; and creating and administering a federal political action committee.

ISPLA members have direct access to a daily live state- and federal- tracking system in real time, an un-moderated web blog (a forum for open, uncensored debate and discussion within the investigative and security professions), timely bulletins on proposed state and federal legislation and regulations, and opportunities for professional development on policy advocacy and training relevant to legislative and regulatory processes. On a daily basis, ISPLA state association members have access to new bills; some have taken advantage of ISPLA’s advocacy program, Educate to Legislate.

As you can see, legislation is all we do. Political times are too volatile to have important time and funding focused on other “typical” association related activities.

Other national associations such as NCISS, ASIS, NASCO, NAPBS, NAPPS, USAPI, ACFE, WAD, CII and INTELLENET offer a wide range of member services including conventions and trade shows, newsletters, email listservs, membership directories, referral services, and the presentation of awards. ISPLA’s mission, which is singularly focused full-time on lobbying and PAC activities, does not involve these other programs. ISPLA does not view these professional associations as “competing organizations,” but rather as potential allies and stakeholders working together for a common cause for the benefit of all investigative and security professionals.

People have asked us, “What is the difference between ISPLA and NCISS?” We are not naive to the fact that there is discussion about this among the professions. This is a good question and one that should be answered.

Legislation is but one aspect of the mission of NCISS and is run by a five- member legislative committee with the assistance of a part-time paid lobbyist.  NCISS does not allow for policy discussion among its members relative to legislation and provides no opportunity for its members to search current state and federal bills. Such information is controlled solely by its lobbyist and legislative chairman.

NCISS is under the mistaken impression that it is the only voice in Washinton thatrepresents private investigators and contract security companies.  This is a myth. ISPLA together with ASIS, NASCO, NAPBS and NAPPS are doing the same work, each with its own retained lobbyist, and each having different points of view and possessing special areas of expertise.  Industry opposition is led by dozens of privacy advocacy groups and labor unions. NCISS, with competing interests within its organization, does not have the resources to provide effective opposition alone.

To make your voice really count in Washington, consider joining Investigative & Security Professionals for Legislative Action. Annual dues from the date of joining are just $99. All of our funds raised are used exclusively for lobbying and addressing regulatory and legislative matters affecting the investigative and security profession. Presently, we are all volunteers and pay our own travel expenses.

However, we do need funds to maintain our legislative tracking system and handle mandatory regulatory and legal filings.  We appreciate the many ISPLA professional association members that have given us annual donations ranging from $100 to $5,000.  And, we certainly would like the support of every professional association!

In the two short years of our existence, the average contribution from ISPLA member investigative firm contributors towards our government affairs and PAC services has been $500. From contract security firm contributors, it has been $1,000.  We will also gratefully accept individual contributions in any amount.

To join or contribute to the work of ISPLA on line, please visit www.ISPLA.org. Donations may also be mailed to the address below.  Thank you.

Bruce Hulme
ISPLA Director of Government Affairs
Investigative & Security Professionals for Legislative Action
235 N. Pine Street
Lansing, Michigan 48933

Some of the pertinent areas of the bill which ISPLA has concerns are contained in portions of the language which follows:

(b) Special Requirements for Information Brokers-

(1) SUBMISSION OF POLICIES TO THE FTC- The regulations promulgated under subsection (a) shall require each information broker to submit its security policies to the Commission in conjunction with a notification of a breach of security under section 3 or upon request of the Commission.

(2) POST-BREACH AUDIT- For any information broker required to provide notification under section 3, the Commission may conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker’s security practices during the preceding 5 years).

(3) ACCURACY OF AND INDIVIDUAL ACCESS TO PERSONAL INFORMATION-

(A) ACCURACY-

(i) IN GENERAL- Each information broker shall establish reasonable procedures to assure the maximum possible accuracy of the personal information it collects, assembles, or maintains, and any other information it collects, assembles, or maintains that specifically identifies an individual, other than information which merely identifies an individual’s name or address.

(ii) LIMITED EXCEPTION FOR FRAUD DATABASES- The requirement in clause (i) shall not prevent the collection or maintenance of information that may be inaccurate with respect to a particular individual when that information is being collected or maintained solely–

(I) for the purpose of indicating whether there may be a discrepancy or irregularity in the personal information that is associated with an individual; and

(II) to help identify, or authenticate the identity of, an individual, or to protect against or investigate fraud or other unlawful conduct.

(B) CONSUMER ACCESS TO INFORMATION-

(i) ACCESS- Each information broker shall–

(I) provide to each individual whose personal information it maintains, at the individual’s request at least 1 time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review any personal information regarding such individual maintained by the information broker and any other information maintained by the information broker that specifically identifies such individual, other than information which merely identifies an individual’s name or address; and

(II) place a conspicuous notice on its Internet website (if the information broker maintains such a website) instructing individuals how to request access to the information required to be provided under subclause (I), and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes under clause (iii).

(ii) DISPUTED INFORMATION- Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, shall–

(I) correct any inaccuracy; or

(II)(aa) in the case of information that is public record information, inform the individual of the source of the information, and, if reasonably available, where a request for correction may be directed and, if the individual provides proof that the public record has been corrected or that the information broker was reporting the information incorrectly, correct the inaccuracy in the information broker’s records; or

(bb) in the case of information that is non-public information, note the information that is disputed, including the individual’s statement disputing such information, and take reasonable steps to independently verify such information under the procedures outlined in subparagraph (A) if such information can be independently verified.

(iii) ALTERNATIVE PROCEDURE FOR CERTAIN MARKETING INFORMATION- In accordance with regulations issued under clause (v), an information broker that maintains any information described in clause (i) which is used, shared, or sold by such information broker for marketing purposes, may, in lieu of complying with the access and dispute requirements set forth in clauses (i) and (ii), provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual’s information for marketing purposes.

(iv) LIMITATIONS- An information broker may limit the access to information required under clause (i)(I) and is not required to provide notice to individuals as required under clause (i)(II) in the following circumstances:

(I) If access of the individual to the information is limited by law or legally recognized privilege.

(II) If the information is used for a legitimate governmental or fraud prevention purpose that would be compromised by such access.

(III) If the information consists of a published media record, unless that record has been included in a report about an individual shared with a third party.

(v) RULEMAKING- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to carry out this paragraph and to facilitate the purposes of this Act. In addition, the Commission shall issue regulations, as necessary, under section 553 of title 5, United States Code, on the scope of the application of the limitations in clause (iv), including any additional circumstances in which an information broker may limit access to information under such clause that the Commission determines to be appropriate.

(C) FCRA REGULATED PERSONS- Any information broker who is engaged in activities subject to the Fair Credit Reporting Act and who is in compliance with sections 609, 610, and 611 of such Act (15 U.S.C. 1681g; 1681h; 1681i) with respect to information subject to such Act, shall be deemed to be in compliance with this paragraph with respect to such information.

(4) REQUIREMENT OF AUDIT LOG OF ACCESSED AND TRANSMITTED INFORMATION- Not later than 1 year after the date of the enactment of this Act, the Commission shall promulgate regulations under section 553 of title 5, United States Code, to require information brokers to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmissions of, any data containing personal information collected, assembled, or maintained by such information broker.

(5) PROHIBITION ON PRETEXTING BY INFORMATION BROKERS-

(A) PROHIBITION ON OBTAINING PERSONAL INFORMATION BY FALSE PRETENSES- It shall be unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by–

(i) making a false, fictitious, or fraudulent statement or representation to any person; or

(ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.

(B) PROHIBITION ON SOLICITATION TO OBTAIN PERSONAL INFORMATION UNDER FALSE PRETENSES- It shall be unlawful for an information broker to request a person to obtain personal information or any other information relating to any other person, if the information broker knew or should have known that the person to whom such a request is made will obtain or attempt to obtain such information in the manner described in subparagraph (A).

(c) Exemption for Certain Service Providers- Nothing in this section shall apply to a service provider for any electronic communication by a third party that is transmitted, routed, or stored in intermediate or transient storage by such service provider.

In this Act, the following definitions apply:

(1) BREACH OF SECURITY- The term `breach of security’ means unauthorized access to or acquisition of data in electronic form containing personal information.

(2) COMMISSION- The term `Commission’ means the Federal Trade Commission.

(3) DATA IN ELECTRONIC FORM- The term `data in electronic form’ means any data stored electronically or digitally on any computer system or other database and includes recordable tapes and other mass storage devices.

(4) ENCRYPTION- The term `encryption’ means the protection of data in electronic form in storage or in transit using an encryption technology that has been adopted by an established standards setting body which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data. Such encryption must include appropriate management and safeguards of such keys to protect the integrity of the encryption.

(5) IDENTITY THEFT- The term `identity theft’ means the unauthorized use of another person’s personal information for the purpose of engaging in commercial transactions under the name of such other person.

(6) INFORMATION BROKER- The term `information broker’–

(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any non-affiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and

(B) does not include a commercial entity to the extent that such entity processes information collected by and received from a non-affiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party to (1) provide benefits for its employees or (2) directly transact business with its customers.

(7) PERSONAL INFORMATION-

(A) DEFINITION- The term `personal information’ means an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

(i) Social Security number.

(ii) Driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity.

(iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

(B) MODIFIED DEFINITION BY RULEMAKING- The Commission may, by rule promulgated under section 553 of title 5, United States Code, modify the definition of `personal information’ under subparagraph (A)–

(i) for the purpose of section 2 to the extent that such modification will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act; or

(ii) for the purpose of section 3, to the extent that such modification is necessary to accommodate changes in technology or practices, will not unreasonably impede interstate commerce, and will accomplish the purposes of this Act.

(8) PUBLIC RECORD INFORMATION- The term `public record information’ means information about an individual which has been obtained originally from records of a Federal, State, or local government entity that are available for public inspection.

(9) NON-PUBLIC INFORMATION- The term `non-public information’ means information about an individual that is of a private nature and neither available to the general public nor obtained from a public record.

(10) SERVICE PROVIDER- The term `service provider’ means an entity that provides to a user transmission, routing, intermediate and transient storage, or connections to its system or network, for electronic communications, between or among points specified by such user of material of the user’s choosing, without modification to the content of the material as sent or received. Any such entity shall be treated as a service provider under this Act only to the extent that it is engaged in the provision of such transmission, routing, intermediate and transient storage or connections.

Although HR 1707 would preempt state information security laws, there are still avenues for State attorneys general to direct their activity, such as consumer protection laws. ISPLA will be working to insure that the activities of investigators do not fall under the definition of an information broker under the provision in this proposed legislation. ISPLA is carefully reviewing all aspects of this bill and will keep you apprised of further developments and our ongoing lobbying work in Washington, DC.

Bruce Hulme
ISPLA Director of Government Affairs

To join us and support our proactive efforts please visit www.ISPLA.org We do much more than just keeping the profession informed!

On April 21, Congressman Markey, a senior member of the House Energy and Commerce Committee and co-Chairman of the House Bi-Partisan Privacy Caucus, sent a letter to Apple CEO Steve Jobs asking him about Apple’s data collection, storage and disclosure practices. He referred to a recent The Guardian story entitled, “iPhone Keeps Record of Everywhere You Go”, reported that Apple’s iOS 4 operating system collects customers’ location data, stores it on the user’s iPhone and iPad, backs it up when synched with another device, and could leave it unprotected. In particular, the letter asks the company about compliance with Section 222 of the Communications Act, a provision that Rep. Markey authored, that requires companies to get express authorization from their customers for use, disclosure or access to location information for commercial purposes.

“Apple needs to safeguard the personal location information of its users to ensure that an iPhone doesn’t become an iTrack,” said Rep. Markey. “Collecting, storing and disclosing a consumer’s location for commercial purposes without their express permission is unacceptable and would violate current law. That’s why I am requesting responses to these questions to better understand Apple’s data collection and storage policies to make certain sensitive information can’t be left behind for others to follow.”

In his letter, Rep. Markey asked Apple to respond to questions that include:

• Is it accurate that Apple iPhone keeps track of where iPhone users go, saving this information to a file on the device that is then copied to the owner’s computer when the two are synchronized?
  
• Did Apple intentionally develop this functionality in order to log the locations of users?
  
• How does Apple collect this customer location information?
  
• Does Apple use this information for any purpose?
  
• Has Apple used this location information for any commercial purpose?
  
• Is it possible for customers to disable this feature?
  
• Given the widespread usage of iPhones and iPads by individuals under the age of 18, is Apple concerned that the wide array of precise location data logged by these devices can be used to track minors, exposing them to potential harm?

This issue was been picked up by the American print media today, including The Washington Post and Wall Street Journal. We expect that Congress will not waste much time bringing this issue before a committee hearing.

A copy of Rep. Markey’s letter to Apple can be found at:

http://markey.house.gov/apple_ios_letter_04.21.11.pdf

Rep. Markey has requested Apple respond to him by May 12.

Bruce Hulme
ISPLA Director of Government Affairs
www.ISPLA.org
“Educate to Legislate”