Peter Smith, co-founder of Idaho law firm Smith + Malek, is a data privacy expert who got interested in the field in 2013 as news was breaking about the federal government’s unprecedented domestic surveillance.
Edward Snowden, a U.S. government contractor, had leaked the story to the media, revealing that the National Security Agency was collecting reams of information on citizens’ private communications.
Smith became interested in the constitutional right to privacy – and its potential violation by new high-tech tools. As a result, he sued President Barack Obama, the FBI and the NSA.
In the years since, data privacy and cybersecurity have become larger and larger concerns for businesses of every type. Smith recently sat down with the Idaho Business Out Loud podcast to discuss the implications.
This interview has been edited for length and clarity.
How did you get initially interested in the data privacy field?
First, I want to say thank you for doing this. My start in looking at privacy and data privacy really happened in 2013. That was when Edward Snowden, who was a contractor for the U.S. government, took a thumb drive and ran to Hong Kong with it. And then he met with reporters and a story came out about the data that the United States government was collecting about United States citizens.
When I read that story, I thought “this is very interesting,” but it didn’t really have an impact too much until I started talking about it more and following the story about the 4th Amendment implications. So the 4th Amendment in the United States Constitution says we all have a reasonable expectation of privacy, and that was adopted in 1791, and here we are in 2013, 2019 today, what does that mean?
So they’re reinterpreting it with all the technological advances we have.
They’re trying to. They’re trying to find these boundaries on what’s a reasonable expectation of privacy. So we filed a lawsuit against President Obama and the FBI and the NSA and served that and had it argued here in Idaho in front of the District Court. Our judge dismissed our case, and the reason he dismissed it is he says, “You have no reasonable expectation of privacy in that information. You are giving it to the phone company – AT&T, Verizon, Sprint – has who you call, the time you call, what you’re telling them.” So once you give that away, you’ve lost your expectation of privacy. He did this rather reluctantly. He didn’t really want to find that, but he felt he was compelled to under the law.
We appealed to the 9th Circuit Court of Appeals and had an argument in December of 2014 over the issue. Between the time of the argument and when the case was decided, Congress changed the law. It stopped collecting, ordered the NSA to stop collecting that data every single day. Now it’s being stored by the tech companies for 180 days, and it sits in their databases and the government can get it, but they have to get a warrant to go look at it.
The reason this is important, the only reason it really matters, is metadata, which is what those records are called, shows a lot about a person. It shows who you’re calling and when. For example, if they had my wife’s calls and they knew that she received a call from her physician, and then she called me, and then she called her mom, and then she called an OB-GYN’s office, you can piece together that she’s pregnant or maybe has some other health issue.
The same thing goes for political affiliations. It goes with who we interact with. The government knows that it can be very powerful information. So that got me started on kind of what this data privacy means and why it’s important, especially in industries that are very bound to confidentiality like medicine. It applies to business as well. The 4th Amendment only applies to the government and what the government can do, but in this day and age, we’re walking around with a GPS tracker in our pocket. We’re walking down streets with our spatial recognition cameras looking at you.
There’s really no way to boycott being tracked. You’d have to wear a mask when you go out in public. I understand the City of Boise proposed putting it in City Hall so they could track people coming in and out. For all good reasons, right? For safety and protecting people, but at the same time, knowing who’s coming and going.
If you wanted to boycott it on a practical scale, you’d have to pay cash for everything and never put your money in a bank. It just makes it almost impossible now to have privacy. The data we’re giving away to companies, what they’re doing with it, how they’re protecting it, who they’re sharing it with – I think it’s a discussion we have, but nobody really knows how to tackle it.
And one of the big concerns is not just the collection, but the security of that. Even if the business who has it isn’t doing anything with it, couldn’t that be accessed? Isn’t cybersecurity a huge issue just by having that data stored somewhere?
Yeah, I think data security is a huge issue and it goes really two levels. One, the business that has it, what information does a business have? We run a law firm, so we have information about ourselves, all of our employees. We know, generally speaking, some health records, we know employment history, we know how much they’re being paid, we know bank account information. And so we have to protect that as ourselves. We also have our clients’ information, which we have to protect from other people seeing it. And we have to protect those that are interacting with our suppliers. They provide us information. It’s all just getting dumped in these buckets, and it’s hard to know how to protect all of those things. Then, beyond that, we’re now getting into the cloud-based world, where information is going out into a cloud, for example, Slack or a service like Asana.
How many businesses sit down and read their privacy policies before they click yes? We all can download apps and just click yes, but when that company has that information, what happens if they lose it? What happens if they’re sharing it? Do you have any liability as a business to number one, first understand what they’re doing and two, try to protect that information as it goes out into the world?
Data security is becoming a bigger and bigger thing, we’re seeing big companies, major companies screwing this up and failing to protect the data, and then it gets out there and then you lose trust.
Is it a concern for small businesses as well who might think, ‘Do we have something worth protecting?’
I think it’s probably a bigger concern for small businesses because they haven’t built the walls around it. They probably can’t even see if they’re had their data taken because you have to have an IT department to monitor these emails that are coming in with these little tiny programs that crawl within your system and pull data off of it.
And also, a lot of small businesses say the cloud is so convenient now. “I’m just going to put my data out there.” And that’s OK, but do you know who can get to that data, you know, who can log in just to see it?
So, what should a business do once a breach of security has happened?
You have a number of different requirements from different jurisdictions. One, the federal government may or may not require you to take steps to notify people whose data may have been affected. In Idaho, we have a specific statute that deals with it, and it requires notification to everyone whose data was taken within a reasonable period of time.
Is it a little vague on what is a reasonable period of time?
It’s very vague, and there’s some factors that come into play. One, you have to discover it and figure out how broad it was, right? And then you’ve got to figure out whose data may have been taken and then you’ve got to notify them. You can notify them in writing, you can call them, you can send them an email. But you do have to do that. If you don’t do that, under the Idaho statute, because if this gets out there, it will hurt my business, it’s a $25,000 penalty per breach.
Per breach. Looking at that, you’re thinking, “OK, a small business couldn’t withstand that kind of penalty if it was found that they just ignored it and didn’t provide notice.” And it would be very difficult.
We had a case up in North Idaho where gas stations were getting hit. The credit cards get run, you slip it in and out of the machine. Folks would come in and they’re replace that little plastic slide with their own, where they could take the data about the credit card. Now if you go to the gas station, you’ll see a little sticker over that device where the door is. If that sticker is broken, it’s supposed to be a warning to the consumer that your credit card number may be susceptible.
When that happened, when you think about how many people ran their credit card at one gas station on one day, and the business has to go back and look and find every one of those customers and then figure out how to reach them, because some of them are just traveling through.
So that reasonable period of time would be an extended period of time because you have to find all these people, but those are absolute steps that have to happen under the law or else the business is then exposing itself.
So data breach is a big deal, and it also goes to businesses protecting the information through secure passwords, using password generators instead of just passwords that they make up, securing devices as they go outside the office, those kinds of things.
So, one of the things that you’ve mentioned is that there is kind of exceptional liability when a business is going though a state of transition. Can you tell us why that is?
Data is an asset, just like a building, a tractor, the cash it has, the data about its customers, but it’s also a large liability. So if you’re selling a business, one of the things that you need to make sure is you have the processes in place, the plans in place to deal with a data breach on one end and also the protection of it.
If you can show a buyer that you’re collecting data and you’re securing it and you’re maintaining it in a safe way, that adds value to your business.
Repetitional damage. I think the bigger damage is probably, if you have a breach, you don’t trust that company as well. It kind of goes back to the whole case with Edward Snowden that we filed. There was a loss of trust in the federal government when U.S. citizens found out they were collecting the data, even if you didn’t really care. They have your phone records or mine. I’m not calling drug dealers. I’m not in any organized crime. I don’t really care they can see who I call. But as a law firm, or owning a law firm and having clients, that triggered a concern to me. Well, if they know who I’m calling, is there any avenue there that they could abuse that information?
When a company has that happen, there’s a loss of trust, which means a loss of an asset and value. So when you’re going to sell a business, I would say having that information and making sure that it’s secure and being able to show that to a buyer, that’s very valuable. On the buying side, it’s the due diligence to say, “What have they done? Are they protecting this? Is there going to be a story on the front page of the Statesman about a data breach related to this company after we buy it?”
And very simple steps to look at, is this data secure? Are there employees using appropriate passwords? Who has access to this information within the company and outside of it? What services are they using, third parties, and how do they secure that information, because in this day and age, we’re releasing stuff, information, on these free apps and paid apps and everything else and its being stored and those things are very important for if you’re looking to buy a business. Protect that asset, that reputation.
Are these threats often external or internal because I know we all have that kind of picture in our head of that hacker in the basement. Is that usually the case or is it often just a mistake made by an employee? Where are these attacks predominantly coming from?
Usually it comes from external, but it’s usually caused by an internal source. It’s usually someone being sloppy with their password, their browser history, opening a email that says you’re going to win a million dollars, or I’ve got money I want to wire you and all of a sudden you’ve been infected.
So usually it’s user error, which is easy to solved right? People can be trained not to do those things, and that is a great protection for the company just having that training in place.
We see what happens is they get in and then they take that data, and mostly what they’re using that data for is to try to sell it. It will go onto the dark web, and they’ll say, “We have x amount of information” or they’ll use ransom. They’ll contact your company and say, “We have this” or “We’ve frozen this.” “You can’t get to it anymore, and you need it. You need to pay us $15,000.” Well, you get that email and you respond and say, “I’ll wire the money.” How do you know when they get the money that they’re going to unlock it? You don’t. And it’s embarrassing, right? And now, this customer information is being locked down; we can’t get to it so we can’t do business.
Under Idaho law, you’d have to disclose that happened to you. A lot of businesses are frankly embarrassed that it happened, and then you’re held ransom by this external force that you have no idea where they are.
For companies that don’t have cyber security specialists on hand, which is often a lot of smaller businesses, what can they do to protect themselves against these threats?
That’s a really good question, and it’s a hard one to answer. I’ve been doing a number of presentations by different companies that say they provide this service. Everybody says the exact same thing, and so it’s hard to figure out who really knows what they’re doing in this space.
When I looked at it for our law firm, I said I want to try to get as big as I can so I know at least they have the staffing to kind of deal with it and they’re monitoring the threats that are coming in, but it’s expensive. It’s one of those things that as a business owner, you think about at 3 a.m. You wake up and think, “Man, if that happens.” And then by 8 a.m., you’ve forgotten about it because you have to deal with the HR crisis or the customer that’s upset or the new order that came in, right? So it’s one of those things that is there as kind of a low-lying stressor in a business owner. But I would say, using those larger services are probably the advice I would give.
It doesn’t seem like an immediate concern until suddenly it’s your chief concern, right?
Correct. When it becomes your chief concern, you’re telling your customers you had a breach and you’re trying to explain why, and there’s this feeling, “Well, I guess I could’ve done more.” And that feeling is true in this space because it’s so fluid and things are changing so fast every single day that you can always do more. But just taking basic steps, tell your employees to have a secure password, do authentication so if they login they have their cellphone. I have a computer log into my account on Facebook from Singapore and I was in Coeur d’Alene Idaho. You know that that’s a problem. Let’s find out who’s looking at things, and don’t open emails when you don’t know who they’re from, especially when they have a weird file attached to it. That’s probably the number one source of the breaches.