How to Respond to National Security Letters That Ask for Personal Information

National Security Letters (“NSLs”) refer to a collection of statutes that authorize certain government agencies to obtain information and simultaneously impose a secrecy obligation upon the recipient of the letter.

Four statutes permit government agencies to issue NSLs: (1) the Electronic Communication Privacy Act,1(2) the Right to Financial Privacy Act,2(3) the National Security Act,3and the (4) Fair Credit Reporting Act.4Although differences exist between the NSLs issued under each statute, in general, all of the NSLs permit a requesting agency to prevent an organization that receives the NSL from disclosing the fact that it received the request, or the type of information that was requested, if disclosure may result in a danger to national security, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere with diplomatic relations, or endanger the life or physical safety of a person. If the recipient of a NSL wishes to challenge a non-disclosure request accompanying a NSL, the recipient may file a petition with a U.S. district court in the district where the person does business,5or, the recipient may request that the requesting agency obtain judicial review of the nondisclosure request.6In both instances, the requesting agency must file an application with the court setting forth the reasons for the nondisclosure request.

Notwithstanding any nondisclosure requests, NSL recipients may publicly report on a semiannual or annual basis certain information regarding aggregate NSL requests the entity receives.7The information that may be reported is limited to identifying in aggregate the rough quantity of NSL requests received (e.g., 0-99 or 0-249) depending on the reporting format chosen.8

4 Number of statutes that authorize federal agencies to issue NSLs 46,648 Number of NSLs that a single federal agency (FBI) issued in a single year.9

If you receive a NSL, consider the following steps and questions:

1. Does your organization maintain an internal procedure or protocol for how to respond to a government information request, and specifically to a NSL? If so, to the extent permitted under the NSL, follow the procedure to ensure internal awareness of the request.
2. Was the information request actually issued by the agency that purported to issue it? Consider independently confirming with the issuing agency that the request is authentic.
3. Confirm that the issuing agency does, in fact, want you to produce personal information. If so, attempt to negotiate with the issuing agency to reduce the type or volume of personal information requested.
4. Is the issuing agency permitted, under the statutes discussed above, to issue NSLs?
5. If so, does the statute upon which the agency relies apply to your organization?
6. If so, does the statute upon which the agency relies permit the agency to collect the type of information requested?
7. Will complying with the NSL conflict with any contractual, statutory, or international privacy obligations? If so, consider raising this issue with the requesting agency to determine whether the NSL can be amended to avoid the conflict.

1.18 U.S. C. § 2709.

2.12 U.S.C. § 3414.

3.50 U.S.C. § 3162.

4.15 U.S.C. § 1681v; 15 U.S.C. § 1681u.

5.18 U.S.C. § 3511(b).

6.Id.

7.50 U.S.C. § 1874.

8.Id.

9.Semiannual Classified Congressional Reports concerning 2011.