With Patriot Act, companies forced to play informant on customers
By ROBYN E. BLUMNER
Published May 18, 2003
We all know homeland security is an expensive proposition. Assault-weaponed forces standing guard in front of all the bridge and tunnel entrances in New York City don't come cheap. And the cost for airport inspectors from the Transportation Security Administration to fill barrels full of confiscated cuticle scissors at the nation's airports runs upwards of $5.8-billion annually.
But what you may not have realized is just how much of the expense of our antiterrorism efforts is being borne by private industry. The USA Patriot Act, well known as a law that sacrificed civil liberties in the name of national security, may also be one of the largest unfunded mandates on private business since Social Security.
Section upon section of the law imposes new obligations on businesses to produce the personal records of their customers, or to spy and snitch on their customers as a condition of operating. Million-dollar fines and criminal liability are punishment for noncompliance.
For example, under Section 215, one of the more notorious parts of the Patriot Act - the one librarians have been raising a ruckus over - the FBI has the power to obtain library records, e-mail logs and entire business databases of all sorts just by claiming that the information is relevant to a counterterrorism or counterespionage investigation. Before the law, to obtain business records law enforcement would have to demonstrate to the secret Foreign Intelligence Surveillance Act court that the records related to an individual who had connections to terrorism or a foreign government. But the Patriot Act strikes down these particularity constraints, promoting instead a fishing expedition. And since it makes no provision for reimbursing businesses ordered to produce the records, there is little cost to the FBI for demanding far more information than is necessary.
According to the December 2002 issue of CSO - chief security officer - magazine, 45 percent of the 797 businesses surveyed have given law enforcement or the government data on their customers, employees or business partners. Internet service providers, financial institutions and telephone companies especially are repeated targets. BellSouth, for example, received 32,370 subpoenas and 636 court orders for information on customers last year and has an entire team of people who do nothing but respond to law enforcement.
Tim Lynch, director of the Cato Institute's Project on Criminal Justice, who is concerned about this burden on business, recently wrote in Forbes magazine about a wireless carrier that received a subpoena in 2001 that listed 50 pages of telephone numbers. The carrier had five days to come up with customer records for every number listed.
And this is not the worst of it. There is another part of the Patriot Act that markedly expands the kinds of companies expected to spy on their customers. Banks have had to do this for decades, but the new law extends this responsibility to a vast array of businesses - anywhere there is a potential for money laundering - such as insurance companies, brokerage firms and even casinos, pawn brokers and jewelers. These businesses are now expected to know their customers' identity and financial habits, and report suspicious activities to the government.
The rules are so difficult to implement that a cottage industry of compliance products has come on the market. Mike Ernst, product line director for Sybase Inc., a California-based software company that offers Patriot Act compliance software, explains that his product will help companies thoroughly scrutinize every transaction with every customer in every part of the companies' business. "A bank may have an insurance or credit card division and is required to review a customer's activities across all these institutions," Ernst says. "You have to do a 360-degree customer review to make sure you're in compliance with the act."
He estimates Sybase's potential market for this software and technical guidance is 10,000 financial institutions - about 10 percent of all depository institutions. Multiply that by the $200,000 it costs on average to implement the Sybase system and you have a $2-billion market. And this is just a sliver of the number of businesses now obliged to act as spooks.
All this might be good news for Ernst and Sybase but it is not so happy news for private industry stuck with the bill, nor, of course, for the privacy of customers. Suddenly, nearly every business we interact with is acting as an extension of the FBI. And businesses that don't comply are hit hard.
Western Union and its parent company recently paid a combined $11-million to settle charges stemming out of its failure to have a system in place to report whether customers were wiring more than $10,000 in one day from different locations.
One would have thought the business-friendly Bush administration would have been a little more sensitive to the expensive burdens it was creating under the Patriot Act. But no. When it comes to eradicating Americans' privacy no price is too high.