Policing databases should be secure and protected from unauthorized access. At a minimum, this requires:
- (a) protection against access by non-police personnel, unless authorized by law;
- (b) identification of an officer who is responsible for security;
- (c) storage of the data on closed-network systems, when feasible;
- (d) continuous monitoring of the database for security breaches;
- (e) a plan for corrective action if a data breach occurs, and
- (f) penalties for breach of these rules.
Comment:
a. Rationale for the security requirement. Agencies that maintain databases have a duty to ensure the security of the data therein. The duty could be seen to arise from a fiduciary obligation toward the subjects of the records, or from the fact that, but for the government’s aggregation of information, data about individuals would not be as easily accessible. Section 6(b)(i) and (ii) of the Principles of the Law, Data Privacy, similarly recognizes that data users should maintain confidentiality when “entities hold themselves out to be privacy-respecting” and “cause individuals to reasonably believe that the entity will not disclose their personal data based on reasonable social expectations”—a consideration that applies here. Whatever its source, the duty of security has implications both for who should have access to databases and for how they should be maintained.
b. Non-police access. As a general matter, members of the public and other government agencies should not have access to policing databases. However, if a statute authorizes such access, then a democratic balancing of privacy and societal interests has presumably taken place. For instance, most states have a statute that permits limited public access to arrest and conviction records, and some states permit public access to police body-camera images for limited purposes. Defense attorneys or journalists also might be authorized to access records under certain circumstances. Private data vendors may be authorized to access records as well, but presumably only in aid of the agency’s legitimate policing objectives and, again, only if authorized by statute. Absent such statutes, this Section prohibits non-police personnel from accessing policing databases—a prohibition that is bolstered by § 6.06, which requires an unalterable auditing system that memorializes who has accessed the data, for what purpose, and when.
c. Security precautions. This Section requires that a policing agency take a number of steps to enhance the security of its database and prevent unauthorized access to it. First, it requires the agency to appoint an official whose primary duty is database security. Because of the expense and technological expertise required, many departments may farm out security arrangements to private companies or rely on centralized state repositories for much of their data maintenance. Nonetheless, this Section requires that each agency designate an officer who is responsible for data security, as a means of identifying a person to whom inquiries can be directed and who would be responsible for ensuring action is taken at the local level when necessary. Second, because one of the primary risks of unauthorized access is hacking by outside parties, this Section mandates that when data is not in current use or is not of the type that requires online access, an agency should maintain data in a way that makes online access impossible (often called a “closed network” or “air-gapped computer system”). Third, this Section requires that the policing agency, or its outside auditor, continually monitor the database for security breaches; simulation of possible attacks on the database system might be part of that endeavor. Fourth, in the event of a data breach, this Section requires that the agency have a containment plan, which might vary depending on whether the breach involves a virus, a distributed denial of service attack (involving flooding a network so that it cannot function), or a simple hack into the system to obtain information about a specific person or program. Finally, to further meaningful implementation of these rules, this Section requires that the agency provide for administrative penalties when they are violated.
Reporters’ Notes
1. Law on securing databases. Consistent with this Section, privacy acts typically mandate security. See, e.g., 5 U.S.C. § 552a(e)(10) (requiring agencies to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.”). A number of organizations have provided protocols for maximizing the security of databases. Two from the U.S. Department of Commerce’s National Institute of Standards and Technology are illustrative. Pauline Bowen, Joan Hash & Mark Wilson, Information Security Handbook: A Guide for Managers, Nat’l Inst. of Standards and Tech. (Oct. 2006), [https://perma.cc/6DSQ-NGSS] (laying out infrastructure, governance, and technological security requirements); Karen Kent & Murugiah Souppaya, Guide to Computer Security Log Management, Nat’l Inst. of Standards and Tech. (Sept. 2006), [https://perma.cc/P944-FKCM]. However, the NIST standards are aimed at federal bureaucracies and probably cannot feasibly be replicated or substantially met by any but the largest state and municipal departments.
With respect to consumer data collection, the Federal Trade Commission lists among its best practices encrypting data for transmission and storage, password protection, and storage of data on servers or computers inaccessible by modem. Fair Information Practice Principles, Federal Trade Commission (June 25, 2007), http://www.ftc.gov/reports/privacy3/fairinfo.shtm. However, in contrast to the stipulation in subsection (c) of this Section, few jurisdictions require segregation of data on closed networks in the law-enforcement context, even when such a practice would not compromise sharing data with other jurisdictions. Cf. N.Y. Comp. Codes R. & Regs. tit. 9 § 6210.11(g) (2017) (requiring that all voting devices “not be capable of being networked”). Another method of incentivizing security arrangements is to require the agency to buy insurance for data breaches, which is becoming increasingly common for small businesses. Michael N. DiCanio, Preparing for the Inevitable: Insurance for Data Breaches, N.Y. L.J. (May 19, 2015), http://www.newyorklawjournal.com/id=1202726774292/.
There are hints in the U.S. Supreme Court’s jurisprudence that at least minimal database security is a legally protected right. In Whalen v. Roe, 429 U.S. 589 (1977), the Court noted that “[t]he right to collect and use . . . data for public purposes is typically accompanied by a concomitant statutory or regulatory duty to avoid unwarranted disclosures” and went on to remark that “in some circumstances that duty arguably has its roots in the Constitution.” Id. at 605. Citing Whalen, in United States Department of Justice v. Reporters Committee for Freedom of the Press, the Court stated that “the fact that an event is not wholly ‘private’ does not mean that an individual has no interest in limiting disclosure or dissemination of the information,” 489 U.S. 749, 770 (1989) (internal quotations omitted). See also NASA v. Nelson, 562 U.S. 134, 159 (2011) (“In light of the protection provided by the Privacy Act’s nondisclosure requirement, and because the challenged portions of the forms consist of reasonable inquiries in an employment background check, we conclude that the Government’s inquiries do not violate a constitutional right to informational privacy.”).
2. Law governing access by parties other than law enforcement. A number of statutes permit public access to certain types of records under limited circumstances. See, e.g., Ga. Code Ann. §§ 35-3-34, 42-8-62.1 (2017) (allowing criminal-record access to third parties so long as they provide sufficient “identifying information” but allowing first-time offenders to limit public access at the discretion of the sentencing court); 20 Ill. Comp. Stat. Ann. 2635/5 (West 2017) (“All conviction information . . . shall be open to public inspection”); N.Y. Pub. Off. Law § 87 (McKinney 2017) (allowing access to body-camera footage through the state’s FOIA statute but applying that access provision narrowly to exclude footage for many categories, including noncriminal offenses, domestic violence, and ongoing criminal investigations); D.C. Mun. Regs. tit. 24 § 3902.6 (2017) (providing public access to body-camera footage through standard Freedom of Information Act (FOIA) procedure). But see Cal. Penal Code § 11122 (West 2017) (allowing individuals to access their own criminal record but denying third-party access). See also Erik Luna, Digital Innocence, 99 Cornell L. Rev 981 (2014) (arguing that the defense ought to have access to government-maintained surveillance data when it can provide exculpatory evidence).