HIPAA: Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized. If closed systems/networks are utilized, existing access controls are considered sufficient and encryption is optional.
Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
Data corroboration, including the use of check sum, double-keying, message authentication, and digital signature may be used to ensure data integrity.
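As an added illustration of the difference between the corroboration methods just listed (this is example code written for this page, not text or code from the original): a plain checksum detects accidental corruption, but anyone who can write to the record store can recompute it, whereas a keyed message authentication code (HMAC here) cannot be recomputed without the key. The sample record, field values and key are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample PHI record for the demonstration; not real patient data.
RECORD = {"patient_id": "P-0001", "dob": "1970-01-01", "diagnosis": "J45.909"}
# Constructed integrity key; in practice it comes from a key store, never from source code.
KEY = b"\x01" * 32


def canonical_bytes(record: dict) -> bytes:
    """Serialise deterministically so checksum and tag cover a stable byte string."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed checksum: catches accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def mac_tag(key: bytes, record: dict) -> str:
    """Keyed message authentication code: catches corruption and unauthorised change."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def seal(key: bytes, record: dict) -> dict:
    """Store the record together with both an unkeyed checksum and a keyed tag."""
    return {"record": record, "checksum": checksum(record), "tag": mac_tag(key, record)}


def checksum_ok(sealed: dict) -> bool:
    return hmac.compare_digest(checksum(sealed["record"]), sealed["checksum"])


def tag_ok(key: bytes, sealed: dict) -> bool:
    # compare_digest avoids leaking the tag through comparison timing.
    return hmac.compare_digest(mac_tag(key, sealed["record"]), sealed["tag"])


def bit_flip(sealed: dict) -> dict:
    """Model accidental corruption (storage fault): a field changes, nothing is recomputed."""
    damaged = dict(sealed["record"])
    damaged["dob"] = "1970-01-02"
    return {"record": damaged, "checksum": sealed["checksum"], "tag": sealed["tag"]}


def alter_without_key(sealed: dict) -> dict:
    """Model an unauthorised change by a party with write access to the store but no key:
    the checksum can be recomputed to match, the keyed tag cannot."""
    altered = dict(sealed["record"])
    altered["diagnosis"] = "Z00.00"
    return {"record": altered, "checksum": checksum(altered), "tag": sealed["tag"]}


if __name__ == "__main__":
    sealed = seal(KEY, RECORD)
    print("intact:    checksum", checksum_ok(sealed), "tag", tag_ok(KEY, sealed))
    flipped = bit_flip(sealed)
    print("bit flip:  checksum", checksum_ok(flipped), "tag", tag_ok(KEY, flipped))
    altered = alter_without_key(sealed)
    print("keyless edit: checksum", checksum_ok(altered), "tag", tag_ok(KEY, altered))
```

The last line of output is the point: the checksum still validates after the keyless edit, only the keyed tag fails.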
Covered entities must also authenticate the entities they communicate with. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include password systems, two- or three-way handshakes, telephone callback, and token systems.
Covered entities must make documentation of their HIPAA practices available to the government to determine compliance.
In addition to policies and procedures and access records, information technology documentation should also include a written record of all configuration settings on the components of the network because these components are complex, configurable, and always changing.
Documented risk analysis and risk management programs are required. Covered entities must carefully consider the risks of their operations as they implement systems to comply with the act. (The requirement of risk analysis and risk management implies that the act’s security requirements are a minimum standard and places responsibility on covered entities to take all reasonable precautions necessary to prevent PHI from being used for non-health purposes.)
The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition among banks, securities companies and insurance companies. The Glass-Steagall Act prohibited a bank from offering investment, commercial banking, and insurance services. The Gramm-Leach-Bliley Act (GLBA) allowed commercial and investment banks to consolidate. For example, Citibank merged with Travelers Group, an insurance company, and in 1997 formed the conglomerate Citigroup, a corporation combining banking and insurance underwriting services. Other major mergers in the financial sector had already taken place, such as the Smith-Barney, Shearson, Primerica and Travelers Insurance Corporation combination in the mid-1990s. This combination, announced in 1993 and finalized in 1994, already violated the Glass-Steagall Act by combining insurance and securities companies. The law was passed to legalize these mergers. Historically, the combined industry has been known as the financial services industry.
Many of the largest banks, brokerages, and insurance companies desired the Act at the time. The justification was that individuals usually put more money in investments when economy is good, but they put their money into savings accounts when it turns bad. With the new Act, they would do both with the same company, so it would be doing well in all economic times.
Prior to the Act, most financial services companies were doing this anyway. On the retail/consumer side, a bank called Norwest led the charge in offering all types of financial services products in 1986. American Express attempted to own almost every field of financial business (although there was little synergy between them). Things culminated in 1997 when Travelers, a financial services company with everything but a retail/commercial bank, bought out Citibank, creating the largest and the most profitable company in the world. The move was technically illegal and provided impetus for the passage of the Gramm-Leach-Bliley Act.
Also prior to the passage of the Act, there were many relaxations of the Glass-Steagall Act. For example, a few years earlier, commercial banks were allowed to get into investment banking, and before that banks were also allowed to get into stock and insurance brokerage. Insurance underwriting was the only main operation they weren't allowed to do, something rarely done by banks even after the passage of the Act.
Much consolidation occurred in the financial services industry since, but not at the scale some had expected. Retail banks, for example, do not tend to buy insurance underwriters, as they seek to engage in a more profitable business of insurance brokerage by selling products of other insurance companies. Other retail banks were slow to market investments and insurance products and package those products in a convincing way. Brokerage companies had a hard time getting into banking, because they do not have a large branch and backshop footprint. Banks have recently tended to buy other banks, such as the recent Bank of America and Fleet Boston merger, yet they have had less success integrating with investment and insurance companies. Many banks have expanded into investment banking, but have found it hard to package it with their banking services, without resorting to questionable tie-ins which caused scandals at Smith Barney.
Senator Phil Gramm led the Senate Banking Committee which sponsored the Act; he later joined UBS Warburg, at the time the investment banking arm of the largest Swiss bank.
Some restrictions remain to provide some amount of separation between the investment and commercial banking operations of a company. For example, licensed bankers must have separate business cards, e.g., "Personal Banker, Wells Fargo Bank" and "Investment Consultant, Wells Fargo Private Client Services". Much of the debate about financial privacy is specifically centered around allowing or preventing the banking, brokerage, and insurance divisions of a company from working together.
In terms of compliance, the key rules under the Act include the Financial Privacy Rule, which governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, regardless of whether they are financial institutions, who receive such information. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.
GLBA compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats to security and data integrity.
Major components put into place to govern the collection, disclosure, and protection of consumers' nonpublic personal information, or personally identifiable information:
Financial Privacy Rule
Safeguards Rule
Pretexting Protection
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801 through 15 U.S.C. § 6809)
The Financial Privacy Rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and annually thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer’s right to opt-out of the information being shared with unaffiliated parties per the Fair Credit Reporting Act. Should the privacy policy change at any point in time, the consumer must be notified again for acceptance. Each time the privacy notice is reestablished, the consumer has the right to opt-out again. The unaffiliated parties receiving the nonpublic information are held to the acceptance terms of the consumer under the original relationship agreement. In summary, the financial privacy rule provides for a privacy policy agreement between the company and the consumer pertaining to the protection of the consumer’s personal nonpublic information.
(Subtitle A: Disclosure of Nonpublic Personal Information, codified at 15 U.S.C. § 6801 through 15 U.S.C. § 6809)
The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect clients’ nonpublic personal information. (The Safeguards Rule also applies to information of those no longer consumers of the financial institution.) This plan must include:
Designating at least one employee to manage the safeguards,
Conducting a thorough risk management review of each department handling the nonpublic information,
Developing, monitoring, and testing a program to secure the information, and
Changing the safeguards as needed with the changes in how information is collected, stored, and used.
This rule is intended to do what most businesses should already be doing: protect their clients. The Safeguards Rule forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes. No process is perfect, so this has meant that every financial institution has had to make some effort to comply with the GLBA.
(Subtitle B: Fraudulent Access to Financial Information, codified at 15 U.S.C. § 6821 through 15 U.S.C. § 6827)
Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by phone, by mail, by email, or even by "phishing" (i.e., using a "phony" website or email to collect data). The GLBA has provisions that require the financial institution to take all precautions necessary to protect and defend the consumer and associated nonpublic information. Pretexting is illegal and punishable by law beyond any recognition by the GLBA.
The GLBA defines "financial institutions" as "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance." The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:
non-bank mortgage lenders,
loan brokers,
some financial or investment advisers,
debt collectors,
tax return preparers,
banks, and
real estate settlement service providers.
These companies must also be considered significantly engaged in the financial service or product that defines them as a "financial institution".
Insurance is regulated first by the state, provided the state law at minimum complies with the GLBA. State law can require greater compliance, but not less than what is otherwise required by the GLBA.
The Gramm-Leach-Bliley Act defines a ‘consumer’ as
"an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual." (See 15 U.S.C. § 6809(9).)
A 'customer' is a consumer that has developed a relationship with privacy rights protected under the GLBA. A 'customer' is not someone using an automated teller machine (ATM) or having a check cashed at a cash advance business. These are not ongoing relationships like a 'customer' might have, i.e. a mortgage loan, tax advising, or credit financing. A business is not an individual with personal nonpublic information, so a business cannot be a customer under the GLBA. A business, however, may be liable for compliance with the GLBA depending upon the type of business and the activities utilizing individuals' personal nonpublic information.
Under the GLBA, financial institutions must provide their clients a privacy notice that explains what information the company gathers about the client, where this information is shared, and how the company safeguards that information. This privacy notice must be given to the client prior to entering into an agreement to do business. There are exceptions to this when the client accepts a delayed receipt of the notice in order to complete a transaction on a timely basis. This has been somewhat mitigated due to online acknowledgement agreements requiring the client to read or scroll through the notice and check a box to accept terms.
The privacy notice must also explain to the consumer the opportunity to 'opt-out'. Opting out means that the client can say "no" to allowing their information to be shared with affiliated parties. The Fair Credit Reporting Act is responsible for the 'opt-out' opportunity, but the privacy notice must inform the consumer of this right under the GLBA. The client cannot opt-out of:
* information shared with those providing priority service to the financial institution,
* marketing of products or services for the financial institution, and
* information whose disclosure is deemed legally required.
Violation of the GLBA may result in a civil action brought by the United States Attorney General. The penalties, as amended under the Financial Institution Privacy Protection Act of 2003 (108th Congress, 1st Session, S. 1458, "To amend the Gramm-Leach-Bliley Act to provide for enhanced protection of nonpublic personal information, including health information, and for other purposes", in the Senate of the United States, July 25 (legislative day, July 21), 2003), include:
"the financial institution shall be subject to a civil penalty of not more than $100,000 for each such violation"
"the officers and directors of the financial institution shall be subject to, and shall be personally liable for, a civil penalty of not more than $10,000 for each such violation".
The Sarbanes-Oxley Act of 2002 (Pub. L. No. 107-204, 116 Stat. 745, also known as the Public Company Accounting Reform and Investor Protection Act of 2002 and commonly called SOX or Sarbox; July 30, 2002) is a United States federal law passed in response to a number of major corporate and accounting scandals, including those affecting Enron, Tyco International, Peregrine Systems and WorldCom (later MCI and now part of Verizon Business). These scandals resulted in a decline of public trust in accounting and reporting practices. Named after sponsors Senator Paul Sarbanes (D-Md.) and Representative Michael G. Oxley (R-Oh.), the Act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation is wide ranging and establishes new or enhanced standards for all U.S. public company boards, management, and public accounting firms. The Act contains 11 titles, or sections, ranging from additional corporate board responsibilities to criminal penalties, and requires the Securities and Exchange Commission (SEC) to implement rulings on requirements to comply with the new law. Some believe the legislation was necessary and useful, others believe it does more economic damage than it prevents, and yet others observe how essentially modest the Act is compared to the heavy rhetoric accompanying it.
The first and most important part of the Act establishes a new quasi-public agency, the Public Company Accounting Oversight Board, which is charged with overseeing, regulating, inspecting, and disciplining accounting firms in their roles as auditors of public companies. The Act also covers issues such as auditor independence, corporate governance and enhanced financial disclosure. It is considered by some as one of the most significant changes to United States securities laws since the New Deal in the 1930s.
The House passed Rep. Oxley's bill (H.R. 3763) on April 25, 2002, by a vote of 334 to 90. The House then referred the "Corporate and Auditing Accountability, Responsibility, and Transparency Act" or "CAARTA" to the Senate Banking Committee with the support of President George W. Bush and the SEC. At the time, however, the Chairman of that Committee, Senator Paul Sarbanes (D-MD), was preparing his own proposal, Senate Bill 2673.
Senator Sarbanes’ bill passed the Senate Banking Committee on June 18, 2002, by a vote of 17 to 4. On June 25, 2002, WorldCom revealed it had overstated its earnings by more than $72 billion during the past five quarters, primarily by improperly accounting for its operating costs. Sen. Sarbanes introduced Senate Bill 2673 to the full Senate that same day, and it passed 97-0 less than three weeks later on July 15, 2002.
The House and the Senate formed a Conference Committee to reconcile the differences between Sen. Sarbanes' bill (S. 2673) and Rep. Oxley's bill (H.R. 3763). The conference committee relied heavily on S. 2673 and “most changes made by the conference committee strengthened the prescriptions of S. 2673 or added new prescriptions.” (John T. Bostelman, The Sarbanes-Oxley Deskbook § 2-31.)
The Committee approved the final conference bill on July 24, 2002, and gave it the name "the Sarbanes-Oxley Act of 2002." The next day, both houses of Congress voted on it without change, producing an overwhelming margin of victory: 423 to 3 in the House and 99 to 0 in the Senate. On July 30, 2002, President George W. Bush signed it into law, stating it included "the most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt." (Elisabeth Bumiller: "Bush Signs Bill Aimed at Fraud in Corporations", The New York Times, July 31, 2002, page A1).
The Sarbanes-Oxley Act's major provisions include the following:
Creation of the Public Company Accounting Oversight Board (PCAOB)
A requirement that public companies evaluate and disclose the effectiveness of their internal controls as they relate to financial reporting, and that independent auditors for such companies "attest" (i.e., agree, or qualify) to such disclosure
Certification of financial reports by chief executive officers and chief financial officers
Auditor independence, including outright bans on certain types of work for audit clients and pre-certification by the company's Audit Committee of all other non-audit work
A requirement that companies listed on stock exchanges have fully independent audit committees that oversee the relationship between the company and its auditor
Ban on most personal loans to any executive officer or director
Accelerated reporting of insider trading
Prohibition on insider trades during pension fund blackout periods
Additional disclosure
Enhanced criminal and civil penalties for violations of securities law
Significantly longer maximum jail sentences and larger fines for corporate executives who knowingly and willfully misstate financial statements, although maximum sentences are largely irrelevant because judges generally follow the Federal Sentencing Guidelines in setting actual sentences
Employee protections allowing those corporate fraud whistleblowers who file complaints with OSHA within 90 days to win reinstatement, back pay and benefits, compensatory damages, abatement orders, and reasonable attorney fees and costs.
Auditing Standard No. 2 of the Public Company Accounting Oversight Board (PCAOB) has the following key requirements:
The design of controls relevant to assertions related to all significant accounts and disclosures in the financial statements
Information about how significant transactions are initiated, authorized, supported, processed, and reported
Enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur
Controls designed to prevent or detect fraud, including who performs the controls and the regulated segregation of duties
Controls over the period-end financial reporting process
Controls over safeguarding of assets
The results of management's testing and evaluation
Under Sarbanes-Oxley, two separate certification sections came into effect—one civil and the other criminal. 15 U.S.C. § 7241 (Section 302) (civil provision); 18 U.S.C. § 1350 (Section 906) (criminal provision).
Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. The signing officers must certify that they are "responsible for establishing and maintaining internal controls" and "have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared." 15 U.S.C. § 7241(a)(4). The officers must "have evaluated the effectiveness of the company's internal controls as of a date within 90 days prior to the report" and "have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date." Id.
Moreover, under Section 404 of the Act, management is required to produce an "internal control report" as part of each annual Exchange Act report. See 15 U.S.C. § 7262. The report must affirm "the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting." 15 U.S.C. § 7262(a). The report must also "contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting." Id. To do this, managers are generally adopting an internal control framework such as the one described by COSO.
Under both Section 302 and Section 404, Congress directed the SEC to promulgate regulations enforcing these provisions. (See Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, Release No. 33-8238 (June 5, 2003), available at http://www.sec.gov/rules/final/33-8238.htm.)
In addition, outside auditors for companies must, for the first time, attest to managers' internal control assessment, pursuant to SEC rules, which currently require only large public companies to comply with this part of SOX. This presents new challenges to businesses, specifically the documentation of control procedures related to information technology ("IT"). The Public Company Accounting Oversight Board (PCAOB) has issued guidelines on how auditors should provide their attestations.
The PCAOB suggests considering the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework in management/auditor assessment of controls. Auditors have also looked to the IT Governance Institute's "COBIT: Control Objectives of Information and Related Technology" for more appropriate standards of measure. This framework focuses on information technology (IT) processes while keeping in mind the big picture of COSO's "control activities" and "information and communication". However, certain aspects of COBIT are outside the boundaries of Sarbanes-Oxley regulation.
The financial reporting processes of most organizations are driven by IT systems. Few companies manage their data manually and most companies rely on electronic management of data, documents, and key operational processes. Therefore, it is apparent that IT plays a vital role in internal control. As PCAOB's "Auditing Standard 2" states:
"The nature and characteristics of a company's use of information technology in its information system affect the company's internal control over financial reporting."
Chief information officers are responsible for the security, accuracy and reliability of the systems that manage and report the financial data. Systems such as ERP (Enterprise Resource Planning) are deeply integrated in the initiating, authorizing, processing, and reporting of financial data. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes, for compliance with the Sarbanes-Oxley Act. So, although the Act signals a fundamental change in business operations and financial reporting, and places responsibility for corporate financial reporting on the chief executive officer (CEO) and chief financial officer (CFO), the chief information officer (CIO) plays a significant role in the signoff of financial statements.
The SEC identifies the COSO framework by name as a methodology for achieving compliance. The COSO framework defines five areas, which when implemented, can help support the requirements as set forth in the Sarbanes-Oxley legislation. These five areas and their impacts for the IT Department are as follows:
Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports. They must examine how the company's systems are being used and the current level and accuracy of existing documentation. The areas of risk drive the definition of the other four components of the COSO framework.
Control Environment. An environment in which the employees take ownership for the success of their projects will encourage them to escalate issues and concerns, and feel that their time and efforts contribute to the success of the organization. This is the foundation on which the IT organization will thrive. Employees should cross train with design, implementation, quality assurance and deployment teams to better understand the entire technology lifecycle.
Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data, but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information. Further, written policies should define the specifications, business requirements and other documentation expected for each project.
Monitoring. Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits. In addition, personnel from outside the IT organization should perform audits on a schedule that is appropriate to the level of risk. Management should clearly understand and be held responsible for the outcome of these audits.
Information and Communication. Without timely, accurate information, it will be difficult for IT management to proactively identify and address areas of risk. They will be unable to react to issues as they occur. IT management must demonstrate to company management an understanding of what needs to be done to comply with Sarbanes-Oxley and how to get there.
In a recent article by the accounting and consulting firm of Deloitte Touche Tohmatsu entitled "Under Control", the need for "sustainable compliance" is encouraged. The article suggests leveraging lessons learned to shift to a long-term strategy. The following areas are described as impediments to the process:
"Project mindset: … many companies understandably treated section 404 compliance as a discrete project with a clearly defined ending point."
"Overextension of internal audit: If management continues to utilize internal audit for intensive 404 and 302 compliance-related work, then a significant infusion of resources (i.e., budget and headcount) to accommodate the additional workload will be needed."
"Poorly defined roles: Internal control-related roles and responsibilities, often poorly defined and segregated from the day-to-day routine of employees during the first year, will require greater clarity and integration going forward"
"Improvisational approach: Another symptom of deadline pressure showed up in the jerrybuilt practices that carried many companies through the first year."
"Underestimation of technology impacts and implications: …IT is recognized as critical for achieving the goals of the Act, and the impact and implications of technology are widely regarded as significant and pervasive. In many year-one projects, organizations focused heavily on business processes and did not consider the broader role that IT plays in managing financial information and enabling controls… IT will make a huge impact on compliance going forward. At a minimum, technology investments will be necessary to support sustainable compliance in several areas, including repository, work flow, and audit trail functionality. Technology will also be used to enable the integration of financial and internal control monitoring and reporting — a critical requirement at most large and complex enterprises."
"Ignored risks: Effective internal control is predicated on risk… the controls themselves — exist expressly for the purpose of minimizing the risk of financial reporting errors… In year one, risk assessment was treated as an afterthought — if addressed at all."
The future of SOX 404 will depend on the ability of businesses to respond to the areas noted above by making it a part of every-day business. Deloitte has developed the "Sustained Compliance Solution Framework". Key areas of the framework are also taken from "Under Control":
Effective and efficient processes for evaluating testing, remediating, monitoring, and reporting on controls
Integrated financial and internal control processes
Technology to enable compliance
Clearly articulated roles and responsibilities and assigned accountability
Education and training to reinforce the "control environment"
Adaptability and flexibility to respond to organizational and regulatory change.
Deloitte and the other auditing industry firms will generate significant revenue from these elaborate exercises.
The Foreign Corrupt Practices Act of 1977 (15 U.S.C. §§ 78dd-1, et seq.) is a United States federal law requiring any company that has publicly traded stock to maintain records that accurately and fairly represent the company's transactions; additionally, it requires any publicly traded company to have an adequate system of internal accounting controls. The act does not only apply to public companies; it applies to all companies in the U.S. and all of those associated with them.
As a result of U.S. Securities and Exchange Commission investigations in the mid-1970s, over 400 U.S. companies admitted making questionable or illegal payments in excess of $300 million to foreign government officials, politicians, and political parties. The abuses ran the gamut from bribery of high foreign officials to secure some type of favorable action by a foreign government to so-called facilitating payments that allegedly were made to ensure that government functionaries discharged certain ministerial or clerical duties. Congress enacted the FCPA to bring a halt to the bribery of foreign officials and to restore public confidence in the integrity of the American business system.
The Act was amended in 1998 by the International Anti-Bribery Act of 1998, which was designed to implement the anti-bribery conventions of the Organisation for Economic Co-operation and Development (OECD).
The antibribery provisions of the FCPA make it unlawful for a U.S. person, and certain foreign issuers of securities, to make a payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person. Since 1998, they also apply to foreign firms and persons who take any act in furtherance of such a corrupt payment while in the United States. The meaning of foreign official is broad. For example, an owner of a bank who is also the brother of the minister of finance would count as a foreign official according to the U.S. government. There is no materiality threshold in this act, making it illegal to bribe even a penny. The government focuses on the intent of the bribery more than the amount of it.
The FCPA also requires companies whose securities are listed in the United States to meet its accounting provisions. See 15 U.S.C. § 78m. These accounting provisions, which were designed to operate in tandem with the antibribery provisions of the FCPA, require corporations covered by the provisions to make and keep books and records that accurately and fairly reflect the transactions of the corporation and to devise and maintain an adequate system of internal accounting controls.
Regarding payments to foreign officials, the Act draws a distinction between bribery and facilitation or "grease" payments, which may be permissible if they are not against local law. A company's legal department generally still has to approve such payments. The primary distinction is that a grease payment is made to expedite an official's performance of routine duties that the official is already bound to perform.
Notable FCPA enforcement actions include those involving Lucent Technologies and InVision Technologies.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Public Law 107-56), known as the USA PATRIOT Act or simply the Patriot Act, is an American act which President George W. Bush signed into law on October 26, 2001. The Act passed in the Senate by a vote of 98 to 1, and in the House by a vote of 357 to 66. Although the Act had overwhelming support across the federal government, some consider it overreaching, and it remains highly controversial.
Originally passed after the September 11, 2001 attacks on the World Trade Center in New York City, the Act was formed in response to the terrorist attacks against the United States, and dramatically expanded the authority of American law enforcement for the stated purpose of fighting terrorism in the United States and abroad. It has also been used to detect and prosecute other alleged crimes, such as providing false information about terrorism. Federal courts have declared some sections unconstitutional on the ground that they interfere with civil liberties. It was renewed on March 2, 2006 by a vote of 89 to 11 in the Senate, and on March 7, 2006 by a vote of 280 to 138 in the House. The renewal was signed into law by President Bush on March 9, 2006.
Some of the more controversial provisions of the USA PATRIOT Act were largely inspired by the RICO Act, which restricted due process for individuals involved in organized crime, racketeering, and drug trafficking. The USA PATRIOT Act essentially extended those qualifications to individuals involved in terrorism.
Among laws which the USA PATRIOT Act has amended are immigration laws, banking laws, and money laundering laws. It also amended the Foreign Intelligence Surveillance Act (FISA).
With respect to terrorism definitions, for example, section 802 of the Act added a definition of "domestic terrorism" to the U.S. criminal code at 18 U.S.C. § 2331. Under this provision, domestic terrorism means activities that (A) involve acts dangerous to human life that are a violation of the criminal laws of the U.S. or of any state, that (B) appear to be intended (i) to intimidate or coerce a civilian population, (ii) to influence the policy of a government by intimidation or coercion, or (iii) to affect the conduct of a government by mass destruction, assassination, or kidnapping, and (C) occur primarily within the territorial jurisdiction of the U.S.
Section 2331 also defines "international terrorism," which is identical to domestic terrorism except that it transcends national boundaries; that definition predates the Act.
Other terrorism definitions are found in section 411 of the Act, which amends sections 212 and 219 of the Immigration and Nationality Act (INA). 8 U.S.C. § 1182 (which is INA sec. 212) relates to "Excludable Aliens." This is where the definitions of "terrorist activity" and "terrorist organization" may be found. 8 U.S.C. § 1189 (INA s. 219) provides for the designation of foreign terrorist organizations.
These provisions interact with other provisions in the criminal code, for example, 18 U.S.C. § 2339A and 18 U.S.C. § 2339B, which criminalize "material support" to terrorists and to foreign terrorist organizations, respectively, drawing on the INA terrorism definitions.
In 1978, the Foreign Intelligence Surveillance Act (FISA) was passed to produce legal guidelines for federal investigations of foreign intelligence targets. Among the rules put in place were regulations governing:
Electronic surveillance
Physical searches
Pen registers and trap and trace devices for foreign intelligence purposes
Access to certain business records for foreign intelligence purposes
In addition to defining how foreign intelligence investigations were to be performed, FISA also defined who could be investigated. Only foreign powers or agents of foreign powers were to be subject to FISA investigations. Thus, targets are primarily those foreign persons who are engaged in espionage or international terrorism. Section 6001 of the Intelligence Reform and Terrorism Prevention Act of 2004, expanded FISA to permit targeting of so-called "lone wolf" terrorists without requiring any showing that they are members of a terrorist group or agents of such a group or of any other foreign power.
The USA Act (H.R. 2975) passed the House on October 12, 2001, and was subsequently folded into the USA PATRIOT Act. Under the USA Act, a terrorist who was not an agent of a foreign power could be the target of a federal foreign intelligence investigation.
The Financial Anti-Terrorism Act was passed on October 17, 2001 by both Houses and also folded into the USA PATRIOT Act. It increases the federal government's powers to investigate and prosecute the financial supporters of terrorism.
Introduced into the House of Representatives as H.R. 3162 by Congressman James F. Sensenbrenner (R-WI) on October 23, 2001, the Act swept through Congress remarkably quickly and with little dissent. Assistant Attorney General Viet D. Dinh and future Secretary of Homeland Security Michael Chertoff were the primary drafters of the Act. The bill passed in the House of Representatives on October 24, 2001, and in the Senate on October 25, 2001 (Senator Russ Feingold (D-WI) cast the lone dissenting vote, and Senator Mary Landrieu (D-LA) was the sole non-voting member). President George W. Bush signed the bill into law on October 26, 2001. The original Act had a sunset clause to ensure that Congress would need to take active steps to reauthorize it: as with many sweeping reform laws, time was needed to test and implement its measures before deciding which provisions to keep and which to modify. One of the challenges to the original Act had been perceived civil liberties intrusions. The reauthorization passed in 2006 contained the following civil liberties protections ("Safeguards")[1]:
Requiring High-Level Approval and Additional Reporting to Congress for Section 215 Requests for Sensitive Information Such as Library or Medical Records: Without the personal approval of one of three officials (the FBI Director, the Deputy Director, or the Official-in-Charge of Intelligence), a Section 215 order for these sensitive categories of records may not be issued.
Statement of Facts Showing Relevance to a Terrorism or Foreign Spy Investigation Required for Section 215 Requests: The conference report requires that a Section 215 application must include a statement of facts demonstrating that the records sought are "relevant" to an authorized investigation to obtain terrorism or foreign intelligence information. This statement of facts civil liberty safeguard contained in the conference report does NOT exist under current law.
Explicitly Allowing a United States Foreign Intelligence Surveillance Act (FISA) Court Judge to Deny or Modify a Section 215 Request: The PATRIOT Act conference report explicitly provides a FISA Court judge the discretion to not only approve or modify a Section 215 application, but also to deny an application.
Requiring Minimization Procedures to Limit Retention and Dissemination of Information Obtained About U.S. Persons From Section 215 Requests: The PATRIOT Act conference report requires that the Attorney General create minimization procedures for the retention and dissemination of this data and that the FBI use these procedures. This civil liberty safeguard is not contained in current law and was requested by Senator Leahy.
Explicitly Providing for a Judicial Challenge to a Section 215 Order: Current law requires judicial review before a Section 215 order can be issued. The pending PATRIOT Act conference report explicitly establishes a judicial review process after the 215 order has been issued, to allow the recipient of a 215 order to challenge the order before the FISA Court.
Explicitly Clarifying that a Recipient of a Section 215 Order May Disclose Receipt to an Attorney or Others Necessary to Comply with or Challenge the Order: Current law is silent as to whether a 215 order recipient may disclose the receipt of such an order to an attorney to comply with the order. The pending PATRIOT Act conference report clarifies this issue by stating explicitly that the recipient of a 215 order may disclose receipt to an attorney or others necessary to comply with or challenge the order.
Requiring Public Reporting of the Number of Section 215 Orders: At the request of Senator Leahy and other Senate Democratic conferees, the PATRIOT Act Conference report requires the Justice Department to report to the public annually the aggregate number of Section 215 applications submitted, approved, modified, and denied.
Requiring the Justice Department's Independent Inspector General to Conduct an Audit of Each Justice Department Use of Section 215 Orders: The PATRIOT Act conference report provides additional public information and congressional oversight by requiring the Justice Department's independent Inspector General to conduct an audit for each Justice Department use of Section 215 orders.
Explicitly Providing for a Judicial Challenge to a National Security Letter (NSL): Current law does not specify that an NSL can be challenged in court and provides no process for challenging an NSL. The conference report provides explicit authority to challenge in court an NSL under all existing statutes authorizing NSLs. This civil liberty safeguard is stronger than the Senate-passed bill, which only addressed one of the NSL statutes; it does not exist under current law, and was written by Rep. Jeff Flake (R-Ariz.).
Explicitly Clarifying that a Recipient of a National Security Letter (NSL) May Disclose Receipt to an Attorney or Others Necessary to Comply with or Challenge the Order: Current law is silent as to whether an NSL recipient may disclose the receipt of such an order to an attorney in order to comply with or challenge the order. The pending PATRIOT Act conference report clarifies this issue by stating explicitly that the recipient of an NSL may disclose receipt to an attorney or others necessary to comply with or challenge the order.
Providing that a Nondisclosure Order Does Not Automatically Attach to a National Security Letter (NSL): Instead, a nondisclosure requirement will attach to an NSL only upon a certification by the government that disclosure could cause one of the harms specified in the conference report, such as endangering a witness or threatening national security.
Providing Explicit Judicial Review of a Nondisclosure Requirement to a National Security Letter (NSL): The NSL recipient may challenge the nondisclosure requirement in the U.S. district court for the district in which the recipient does business or resides.
Requiring Public Reporting of the Number of National Security Letters (NSLs): At the request of Senator Leahy and other Senate Democratic conferees, the PATRIOT Act conference report includes – for the first time – public reporting on the aggregate number of NSLs requested for information about U.S. persons.
Requiring the Justice Department’s Independent Inspector General to Conduct Two Audits of the Use of National Security Letters (NSLs): The PATRIOT Act conference report provides additional public information and congressional oversight by requiring the Justice Department’s independent Inspector General to conduct two audits on the use of NSLs during the years 2003 - 2006.
Requiring Additional Reporting to Congress by the Justice Department on Use of National Security Letters (NSLs): Specifically, the conference report requires the House and Senate Judiciary Committees to receive all classified reports regarding use of NSLs; currently these committees only receive classified reports under one of the five statutes authorizing NSLs.
Requiring the Justice Department to Re-Certify that Nondisclosure of a National Security Letter (NSL) is Necessary: If an NSL recipient challenges the prohibition on disclosure more than a year after the NSL is issued, the Justice Department must re-certify that nondisclosure is necessary, or else the nondisclosure requirement lapses.
Narrowing the Deference Given to the Justice Department on a National Security Letter (NSL) Nondisclosure Certification: At the request of Senator Leahy, this heightened degree of deference is only provided to certifications made by a few Senate-confirmed officials at the time the nondisclosure petition is filed.
Requiring a Report to Congress on Any Use of Data-Mining Programs by the Justice Department: The PATRIOT Act conference report enhances congressional oversight of data-mining programs by requiring the Justice Department to report to Congress on the use or development of any of these programs by the Justice Department.
Requiring Notice Be Given on Delayed-Notice Search Warrants Within 30 Days of the Search: The PATRIOT Act reauthorization conference report narrows and clarifies the reasonable amount of time standard by providing a Court the discretion to delay notice for up to 30 days after the search is executed.
Limiting Delayed-Notice Search Warrants Extensions to 90 Days or Less: The PATRIOT Act conference report narrows and clarifies the permissible delayed-notice extension period by providing a Court the discretion to extend the delay of notice for up to 90 days.
Requiring an Updated Showing of Necessity in Order to Extend the Delay of Notice of a Search Warrant: To ensure that a Court considering extending a delay of notice has the best and most up-to-date information, the PATRIOT Act conference report requires an updated showing of necessity by the applicant in order to extend the delay of notice of a search warrant.
Requiring Annual Public Reporting on the Use of Delayed-Notice Search Warrant: Specifically, the annual public report will include the “number of applications for warrants and extensions of warrants authorizing delayed notice, and the number of such warrants and extensions granted or denied during the preceding fiscal year.”
Requiring Additional Specificity from an Applicant Before Roving Surveillance May be Authorized: The PATRIOT Act conference report addresses concerns about vagueness in applications for “roving” wiretaps in foreign spying and terrorism investigations by requiring additional specificity in these applications in order for a FISA Court judge to consider authorizing a “roving” wiretap.
Requiring Court Notification Within 10 Days of Conducting Surveillance on a New Facility Using a “Roving” Wiretap: The PATRIOT Act conference report addresses concerns the “roving” wiretap authority could be abused by requiring the investigators to inform the FISA Court within 10 days when the “roving” surveillance authority is used to target a new facility.
Requiring Ongoing FISA Court Notification of the Total Number of Places or Facilities Under Surveillance Using a “Roving” Wiretap: The PATRIOT Act conference report enhances judicial oversight to address any concerns that the “roving” wiretap authority could be abused. Specifically, the conference report requires the FISA Court to be informed on an ongoing basis of the total number of places or facilities under surveillance using a “roving” wiretap authority.
Requiring Additional Specificity in a FISA Court Judge’s Order Authorizing a “Roving” Wiretap: The PATRIOT Act conference report addresses concerns about vagueness about the target in a FISA Court judge’s order authorizing a “roving” wiretap in foreign spying and terrorism investigations by requiring additional specificity.
Providing a Four-Year Sunset on FISA “Roving” Wiretap: Despite no evidence that the FISA “roving” wiretap authority has been abused, the PATRIOT Act conference report aggressively attempts to avoid any potential abuse of FISA “roving” wiretaps by providing a four-year sunset of this authority.
The Library of Congress' legislative history website, THOMAS, tracks the 45-day passage of the 300-plus page act, including links to successive versions.
The Act has ten titles, each containing numerous sections. These are:
Title I: Enhancing Domestic Security against Terrorism deals with measures that counter terrorism
Title II: Enhanced Surveillance Procedures gave increased powers of surveillance to various government agencies and bodies. There were 25 sections, with one of the sections (section 224) containing a sunset clause.
Title III: International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001
Title IV: Protecting the border
Title V: Removing obstacles to investigating terrorism
Title VI: Providing for victims of terrorism, public safety officers and their families
Title VII: Increased information sharing for critical infrastructure protection
Title VIII: Strengthening the criminal laws against terrorism
Title IX: Improved intelligence
Title X: Miscellaneous
The Act mostly incorporates the provisions of the earlier anti-terrorism USA Act (H.R. 2975 and S. 1510). The Senate passed the USA Act on October 11, 2001. The House passed it on October 12, 2001. The primary differences between the USA Act and the USA PATRIOT Act are:
The inclusion of the Financial Anti-Terrorism Act (H.R. 3004), which expands money laundering abatement to international terrorism.
Immunity against prosecution for the providers of wiretaps in accordance with the Foreign Intelligence Surveillance Act of 1978.
Request for a report on integrating automated fingerprint identification for ports of entry into the United States.
Start of a foreign student monitoring program.
Request for machine readable passports.
Prevention of consulate shopping.
Expansion of the Biological Weapons Statute.
Clearer definition of "Electronic Surveillance".
Miscellaneous benefits for victims of the September 11 attack and extra penalties for those who illegally file for such benefits.
Much criticism of the 2001 Act has been directed at the provisions for "sneak-and-peek" searches, a term coined by the FBI. Critics argued that Section 213 authorizes "surreptitious search warrants and seizures upon a showing of reasonable necessity and eliminates the requirement of Rule 41 of the Federal Rules of Criminal Procedure that immediate notification of seized items be provided."[2]
In special cases covered by FISA (amended by the USA PATRIOT Act), the warrants may come from the Foreign Intelligence Surveillance Court (FISC) instead of a common Federal or State Court. FISC warrants are not public record and therefore are not required to be released. Other warrants must be released, especially to the person under investigation.
A second complaint against Sneak-and-Peek searches is that the owner of the property (or person identified in business/library records) does not have to be told about the search. There is a special clause that allows the Director of the FBI to request phone records for a person without ever notifying the person. For all other searches, the person must be notified, but not necessarily before the search. The judge providing the warrant may allow a delay in notification when there is risk of:
endangering the life or physical safety of an individual;
flight from prosecution;
destruction of or tampering with evidence;
intimidation of potential witnesses; or
otherwise seriously jeopardizing an investigation or unduly delaying a trial.
The delays are on average 7 days, but have been as long as 90 days.[1] Section 213, which federal agencies reported having used 155 times between 2001 and 2005, was made permanent and was not subject to the sunset that applied to other USA PATRIOT Act provisions.
The American Civil Liberties Union argues that the term "serious jeopardy" is too broad "and must be narrowly curtailed."[3]
However, "sneak and peek" searches have long been used in criminal cases. Title II of the USA PATRIOT Act was intended to bring the monitoring of foreign powers and the agents of foreign powers into line with such criminal legislation. The main difference between criminal and FISA delayed-notification search warrants is the legal standard applied: a FISA order requires probable cause that the target is a foreign power or an agent of a foreign power, rather than probable cause that a crime has been committed.
Perhaps the most controversial section of the original Act was Section 215, which critics read as giving federal investigators access to library and bookstore records. Section 215 allows FBI agents to obtain an order in camera (in secret) from the United States Foreign Intelligence Surveillance Court for the records of anyone connected to an investigation of international terrorism or spying. On its face, the section does not even refer to "libraries," but rather to business records and other tangible items in general.[4] Civil libertarians, and librarians in particular, argue that this provision violates patrons' privacy rights, and it has come to be called the "library provision." The Justice Department defends Section 215 by saying that because it requires an order issued by a FISA Court judge, it provides better protection for libraries.
On August 26, 2005, The New York Times reported that, according to the ACLU, the FBI was demanding library records from a Connecticut institution as part of an intelligence investigation. This would be the first confirmed instance in which the Federal Bureau of Investigation had sought library records, federal officials and the ACLU said. Notably, the government did not seek the records under Section 215, but instead used a "National Security Letter," an administrative demand that requires no court order and is therefore easier to use than a Section 215 order.[5]
It is uncertain how many individuals or organizations have been charged or convicted under the Act. Throughout 2002 and 2003, the Department of Justice refused to release numbers. Former Attorney General John Ashcroft in his 2004 statement The Department of Justice: Working to Keep America Safer reported that there have been 368 individuals criminally charged in terrorism investigations, and later used the numbers 372 and 375. Of these he stated that 194 (later 195) resulted in convictions or guilty pleas. (The original statement [6]; the statement is reduced to a bullet list in 2004 Criminal Division Annual Report on page 9.). In June 2005, President Bush stated terrorism investigations yielded over 400 charges, more than half of which resulted in convictions or guilty pleas. In some of these cases, federal prosecutors chose to charge suspects with non-terror related crimes for immigration, fraud and conspiracy.
On September 11, 2005, the American Civil Liberties Union reported[7]:
30,000 National Security Letters Issued Annually Demanding Information about Americans: USA PATRIOT Act Removed Need for FBI to Connect Records to Suspected Terrorists
[...] According to the Washington Post, universities and casinos have received these letters and been forced to comply with the demands to turn over private student and customer information. Anyone who receives an NSL is gagged - forever - from telling anyone that the FBI demanded records, even if their identity has already been made public.
In New York and Connecticut, the ACLU has challenged the NSL provision that was dramatically expanded by Section 505 of the USA PATRIOT Act. The legislation amended the existing NSL power by permitting the FBI to demand records of people who are not connected to terrorism and who are not suspected of any wrongdoing. [...]
Provisions that would expire (original version)
§201. Authority To Intercept Wire, Oral, And Electronic Communications Relating To Terrorism.
§202. Authority To Intercept Wire, Oral, And Electronic Communications Relating To Computer Fraud And Abuse Offenses.
§203(b), (d). Authority To Share Criminal Investigative Information.
§206. Roving Surveillance Authority Under The Foreign Intelligence Surveillance Act Of 1978.
§207. Duration Of FISA Surveillance Of Non-United States Persons Who Are Agents Of A Foreign Power.
§209. Seizure Of Voice-Mail Messages Pursuant To Warrants.
§212. Emergency Disclosure Of Electronic Communications To Protect Life And Limb.
§214. Pen Register And Trap And Trace Authority Under FISA.
§215. Access To Records And Other Items Under FISA.
§217. Interception Of Computer Trespasser Communications.
§218. Foreign Intelligence Information. (Lowers standard of evidence for FISA warrants.)
§220. Nationwide Service Of Search Warrants For Electronic Evidence.
§223. Civil liability For Certain Unauthorized Disclosures.
§224. Sunset. (self-cancelling)
§225. Immunity For Compliance With FISA Wiretap.
Provisions that are permanent (original version)
§203(a), (c). Authority To Share Criminal Investigative Information.
§205. Employment of Translators by the Federal Bureau of Investigation.
§208. Designation Of Judges.
§210. Scope Of Subpoenas For Records Of Electronic Communications.
§211. Clarification Of Scope (privacy provisions of Cable TV Privacy Act overridden for communication services offered by cable providers, but not for records relating to cable viewing.)
§213. Authority For Delaying Notice Of The Execution Of A Warrant—"Sneak and Peek"
§216. Modification Of Authorities Relating To Use Of Pen Registers And Trap And Trace Devices.
§219. Single-Jurisdiction Search Warrants For Terrorism.
§221. Trade sanctions.
§222. Assistance To law enforcement agencies.