Staying Compliant with the Patriot Act
The USA Patriot Act is an Act of Congress that was passed in response to the terror attacks of September 11, 2001. Parts of the Act have been updated with a 2002 inclusion providing significant insight into how data and cloud services must comply with its reporting requirements.
While the law has changed over the years, most of its policies centered on data collection and reporting have expanded over time.
For your data, there are some considerations about which information you need to keep on record so that you can provide it to law enforcement. Here we'll touch on compelled disclosure under the Act as well as the data it covers.
The Act will require that you either keep this information or dispose of it in its entirety. Securis is the partner you can rely on for complete data destruction in a way that complies with the Act.
Part of the U.S. Patriot Act is a compelled disclosure to the government. It allows the FBI to access certain business records with a court order. It also applies to other data and agencies.
The Patriot Act also provides information on how National Security Letters can be used to obtain records. Think of them as an administrative form of subpoena that carries the regular power of a subpoena but also tells you who can and cannot know about the data requests.
The law limits the ability of data providers (whether they hold physical records or run cloud-based systems and digital data storage options) to reveal that they have received an order or complied with it, or to explain the order to their users.
Companies that hold the data typically cannot tell their users about a disclosure.
Who Discloses the Data?
According to the Patriot Act, any company that owns or operates a “protected computer” can give permission for authorities to intercept communications carried out on the machine, thus bypassing the requirements of the existing wiretap statute.
Companies and enterprises that own or operate similar protected computers and networks can be required to disclose data when they are the collector, originator, or developer of the information.
Subpoenas issued to Internet Service Providers were expanded by the order to include:
- local and long-distance telephone toll billing records,
- telephone number or other subscriber number or identity,
- length of service of a subscriber,
- session times and durations,
- types of services used,
- communication device address information (IP addresses),
- payment method and bank account and credit card numbers.
Communication providers are also allowed to disclose customer records or communications if they suspect there is a danger to “life and limb” of others.
Patriot Act and State Laws
One important note about the Patriot Act is that it does not overturn any other state or federal laws. All those other laws are still in place, so you need to make sure you maintain compliance relevant to your industry or locality.
State and local law enforcement cannot get FISA search warrants, but they can extend federal wiretapping authorities so that you may be required to provide a broader set of information than previously required.
Stay Compliant with Securis
All of the data management and destruction services provided by Securis are fully compliant with the Patriot Act of 2002 as well as any changes in its reauthorizations.
Not only does all of our data destruction staff go through complete background checks, but we also take steps to ensure that no one is alone with data, so that there is no risk of loss of your information. If you do work with federal agencies, we can ensure that you keep records of the data you need.
For partners and other companies working with consumer data, we can ensure that your data is thoroughly destroyed when necessary. This includes complete audit trails so that you can prove to law enforcement and others that data was securely destroyed.
You must confirm the destruction or return of data to comply with the Patriot Act's guidance on the transfer of, access to, and retention of data. Securis provides everything you need to stay in compliance for data that could be accessed through your equipment.
The Patriot Act has a wide range of regulations that you may be subject to, even without being aware of it.
We recommend you contact us to hear from a regulatory expert so we can ensure your data destruction follows all requirements set out in the Patriot Act and other regulations that impact your business.