Pop quiz – what do these people have in common: members of an Al Qaeda cell in Lackawanna, New York; a cruise ship passenger who left threatening notes in a bathroom of the Royal Caribbean's Legend of the Seas; a child pornographer in Indiana; a kidnapper in West Virginia, and hackers in California who had launched DoS attacks against ISPs?
All have been investigated and convicted thanks to Patriot Act provisions.
Confused? Join the club.
On October 26, 2001, President Bush signed into law the Patriot Act. It comprises ten elements providing stronger surveillance powers and criminal laws against terrorism, improving intelligence, and combating money laundering by requiring industry to monitor suspicious transactions.
In a nutshell, the Act mandates that affected businesses improve how they protect and control the systems within the enterprise and across partner, supplier and customer chains.
The underlying philosophy is that if organizations can enhance accountability, ensure data integrity, mitigate risk and streamline operations, they will be in a much better position to identify suspicious transactions or inform law enforcement during a criminal investigation.
Whatever your personal opinion on the matter, one thing is certain – the law is the very definition of "vague" and "difficult to follow."
The Act amends dozens of existing laws, making it necessary to cross-reference multiple acts to make sense of it. So who needs to comply?
"Affected industries" might include financial institutions, ISPs, libraries, educational institutions, and/or any business transacting money.
Companies that fail to comply with the Act face criminal penalties of up to $1 million per incident. Civil fines of up to $250,000 per incident may also be levied. Executives may be personally fined or even imprisoned, depending on the severity of the violation.
But where is it going?
It is reasonable to assume that most of the Patriot Act will remain in force, or be renewed intact.
The best course seems to be to start by knowing who your customers are and what they do:
You must also investigate suspicious activities and file suspicious activity reports:
You must be able to answer requests for information pursuant to the Act within 120 hours (five days) of receipt. Written requests from law enforcement agencies must be fulfilled within seven days.
Can technology solve this problem? Unfortunately, there is no such thing as a comprehensive solution.
My advice is to analyze and assess your weaknesses in meeting the requirements above, and seek the technology that best addresses those tactical problems.
Choose the technology that best reduces your risk of non-compliance, and wait for the market to catch up with you.
Kristin Lovejoy is chief technologist and vice-president of technology and services at Consul Risk Management, Inc.