CALEA Compliance: Do it yourself or Outsource?
Congress enacted the Communications Assistance for Law Enforcement Act (“CALEA”) in 1994, requiring telecommunications service providers to assist law enforcement agencies in executing electronic surveillance, according to a court order or other lawful authorization. Since 2006, the Federal Communications Commission (“FCC”) has extended the requirements of CALEA to service providers of two-way interconnected VoIP and broadband Internet access service. In deciding how to manage CALEA compliance, service providers need to weigh several factors, which depend on the option they choose:
- Develop a compliance program and manage it internally
- Outsource the compliance program to a Trusted Third Party (TTP)
Service providers are in the business of providing an array of communication services, continuously creating new services and features as technology evolves in order to thrive and grow. In doing so, all communication service providers need to watch their bottom line and manage their costs and profitability. All service providers have CALEA and other legal compliance obligations, under which they need to provide timely and accurate responses to all law enforcement and legal requests, but these obligations are a distraction and subtraction from their business focus. While these obligations are necessary to save lives and protect subscribers’ privacy, among a plethora of other purposes, they do affect a service provider’s bottom line and can add significant legal liabilities and risk to the business if not managed properly.
There are several challenges for service providers to consider in creating a program to manage their legal compliance obligations internally or to outsource to a Trusted Third Party (TTP). These challenges affect several areas of service providers’ business infrastructure. Here are just a few:
- Thorough understanding of numerous current and historical regulations and mandates, including Electronic Surveillance (ELSUR), Electronic Communications Privacy Act (ECPA), Communications Assistance for Law Enforcement Act (CALEA), EU Data Retention Directive, UK Investigatory Powers Act, Canadian SolGen standards, and many others.
- Continuous review of federal, state, and local statutes and legislation that affect legal process procedures. Dynamic changes in regulations on the federal and state level require carriers to stay on top of pending legislation to minimize legal liability/risk.
- Initial development and continuous review of policies and procedures are necessary to ensure legal obligations, liability and risks, technical capabilities, and standard operating procedures are managed appropriately.
- 24x7 availability of trained personnel for the handling of legal process, including exigent circumstances, for historical records and lawful intercepts.
- Detailed understanding of related industry standards, e.g., T1.678, J-STD-25A, T1.IAS, ETSI, etc.
- Maintaining ongoing compliance with CALEA Section 103 (US) or other international standards as standards evolve.
- Acquiring/maintaining CALEA compliant solutions (embedded or adjunct).
- Technology planning for pending legislation.
- Provisioning/maintaining active orders for the life cycle of the order.
- Developing and maintaining a Compliance Assessment Program.
- Appropriate test plans for network services (the What, Where & How).
- Systems, applications, equipment, and facilities for compliance assessment testing.
- Development/maintenance of appropriate data repositories for data retention.
- Application access for legal staff to retrieve records for the fulfillment of the legal process.
- Developing and maintaining a legal process workflow management system: a secure, privacy-protected environment to support auditable processing and retention of legal process from receipt to fulfillment.
All of the above compliance requirements are costly and have inherent risks and liabilities. Any of them can result in expensive litigation if not addressed correctly. Additionally, with COVID-19, most companies have been hit hard by the stay-at-home orders while still trying to keep employees on their payroll. This makes non-revenue operations even more burdensome.
Outsourcing to a Trusted Third Party (TTP) can replace all of the above, reduce and, in some cases, eliminate the risk and liabilities of non-compliance or errors in the handling of legal process (assuming the TTP provides indemnification). Yaana’s NetDiscovery Legal Compliance Services do exactly that.
Yaana’s NetDiscovery Legal Compliance Service provides a complete, end-to-end, cost-effective legal compliance program, taking the burden off the shoulders of the service provider so they can focus on revenue-generating operations rather than non-core activities that primarily add cost, risk, and liability. By using a proven service like Yaana’s NetDiscovery Legal Compliance Services, service providers can save up to 40% of their typical costs of supporting their CALEA obligations and handling of the legal process.