By Jim Garland, David Fagan, and Alex Berengaut

On January 27, 2014, the Attorney General and Director of National Intelligence announced that the U.S. government will allow Internet companies and telecommunications providers to disclose more information about government demands for customer data in national security investigations.  The government’s new transparency policy addresses legal demands served under two distinct statutory authorities.  First, under the Foreign Intelligence Surveillance Act (“FISA”), the government can apply to the U.S. Foreign Intelligence Surveillance Court (“FISC”) for orders compelling providers to disclose both the contents of their customers’ communications as well as non-content “metadata” relating to such communications.  Second, under the National Security Letter (“NSL”) statute, the FBI can compel companies to disclose certain non-content information about their customers.

Under the new policy announced on January 27, technology companies now have two options for reporting on the number of FISA orders and NSLs they receive:  

Under the first option, companies may separately report FISA orders seeking content information, FISA orders seeking non-content information, and NSLs.  Each category of legal demand must be reported in bands of 1,000, starting with 0-999.  Companies may also report the number of user accounts affected by each category of demands, again within bands of 1,000.  Under this option, companies may report FISA and NSL numbers (in bands) every six months, but for FISA numbers, there must be a six-month delay between the reporting date and the period in which the orders covered by the report were served.  There is an additional two-year delay for reporting on “New Capability Orders” issued under FISA — i.e., orders that seek communications data from new platforms, products, or services.

Alternatively, under the second option, companies may report the total number of all national security demands they received, including all NSLs and FISA orders, reported as a single number in bands of 250, starting with 0-249.  Companies are also authorized to report the number of accounts affected under all national security orders, again within bands of 250, starting with 0-249.

The government’s new policy comes on the heels of coordinated lawsuits filed in the FISC last year by several large electronic communication service providers seeking a declaration under the First Amendment that they were entitled to report on aggregate data regarding government national security demands.  (Covington represented Microsoft Corporation in that litigation.)  After the government announced its new policy, the companies voluntarily dismissed their lawsuits.  

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David Fagan David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.