The United States Cyber Consequences Unit


US-CCU Guarantee of Confidentiality


The US-CCU is committed to providing every guarantee of confidentiality it can to those companies that cooperate with the US-CCU’s research efforts. To accomplish this the US-CCU commits itself to abiding by the following rules:

  1. No information provided by a cooperating company will be released to anyone outside the US-CCU until that company information has been processed in such as way as to make it anonymous. In other words, the US-CCU will release no data or information of any kind that could be attributed to a specific corporation.

  2. To make company information anonymous, all names and numbers that could be used to identify the specific company will be removed from the data, and all company information will be amalgamated with information from other companies, so that the specific cooperating companies cannot be identified by matching the US-CCU data with other published data. In other words, by the time any data is made available to anyone other than the US-CCU staff will be adjusted and processed, so that it represents either a typical sector member or the sector as a whole.

  3. Even within the US-CCU, the identities of cooperating companies will be shared only on a need-to-know basis. Whenever possible, the names, addresses, brands, trademarks, phone numbers, and personal names associated with the cooperating companies will be removed from the files, even before those files are distributed among US-CCU researchers for internal processing and analysis.

  4. The identification keys for information from cooperating companies will be stored in different computers or in different physical files from the information itself. These identification keys will be used only for the outside audits that will be periodically undertaken to verify the US-CCU’s work and then only when the outside auditors have themselves signed stringent non-disclosure agreements.

  5. Information from cooperating companies that can be connected to the specific companies will not be released even to government departments and agencies unless the US-CCU is compelled by a court order to release it.

  6. The US-CCU will not inform cooperating companies about their own company information or about the conclusions that the US-CCU has drawn from that information, unless the company has specifically requested that information in writing. This is so that companies will not be tempted to act on incompletely analyzed information, and so that the companies that cooperate with the US-CCU will not be unfairly penalized by having their liabilities increased in advance of the rest of their industry.

  7. The US-CCU will provide a written agreement to any company who agrees to cooperate which will designate that company as a “cooperating company” and confirm that all of the policies enumerated here will be applied to it.

  8. The US-CCU will not guarantee protection of company information to companies that are not “cooperating companies,” and that are investigated by the US-CCU using public information sources.

  9. All researchers and consultants employed by the US-CCU will take every reasonable precaution to avoid letting information collected by the US-CCU fall into the hands of those outside the US-CCU.

  10. The precautions taken by US-CCU personnel will include: a) keeping personal watch over any computers, paper files, or other physical objects containing company information when those objects are not locked away; b) making sure that non-US-CCU personnel are not left unsupervised in rooms where the company information is easily accessible, and c) storing the US-CCU information only in computers adequately protected with regularly updated firewalls and other safeguards against intrusion.

  11. All researchers and consultants employed by the US-CCU will be required to sign non-disclosure agreements that include a commitment to abide by all the rules enumerated here. External auditors and verifiers of the research will be bound by similar agreements.

Top of Page
  Copyright © 2004-2009 U.S. Cyber Consequences Unit. All Rights Reserved.