Airlines and hotels face customer concerns arising from anti-terrorism efforts
But the Air Transport Association requested specific guarantees last week, including assurances that the TSA collects information pertaining only to aviation security, that the information is securely stored, that it's jettisoned as soon as travel is completed, and that passengers can access their own data and correct any errors. Several airlines contacted last week declined comment or didn't return phone calls.
Some of those requirements have yet to be met, according to a General Accounting Office report issued last month on CAPPS II. It concludes that the program lacks the security and oversight needed to safeguard privacy and fails to give passengers adequate means of clearing their names.
The government is as concerned as private industry is about maintaining consumer privacy, says O'Connor Kelly, who's responsible for ensuring that Homeland Security complies with privacy laws. But this is new territory, she says. The rules laid out in the Privacy Act of 1974 are clear when it comes to how government contractors handle private-sector data or when data is collected in relation to a specific national-security threat, but they're murky in the context of an ongoing threat. "Both sides have to have clear rules about what goes where and why," she says. "There are some really valid outstanding questions. I think the use of private-sector data for homeland security or any other governmental purpose is one of the most important privacy issues we're dealing with in the federal government."
Hotels are still trying to figure out what the government wants, McInerney says.
The hotel industry faces equally murky questions of how to balance anti-terrorism efforts with customer privacy. In December, the FBI asked for and received customer data from casino resorts in Las Vegas because of a feared terrorist act on New Year's Eve. Hotel industry executives and the government won't comment on whether they've had more recent communications or data exchanges, but government requests for such data are "something that's being talked about a lot among general counsels and operations people," says Joe McInerney, president and CEO of the American Hotel & Lodging Association. "They're trying to figure out what the government wants and how they can make it easy to cooperate."
An executive in the hotel division of Cendant Corp., which owns the Days Inn, Howard Johnson, and Travelodge hotel chains, among others, says hotels would prefer to run internal checks against terrorism databases, provided the government gives them access to those lists. Rick Martinez, director of strategic planning and security for Cendant's hotel IT operation, says Cendant's senior management has launched an initiative on how to deal with government requests, but he wouldn't provide details.
"Everybody is resolved to the fact that we have to give this information," McInerney says. The association has received assurances from federal officials that the privacy of any data surrendered would be diligently protected and not used for purposes unrelated to terrorist threats. But Martinez says he's still concerned that the government won't provide guarantees about how customer data would be used and protected. "We all know how one-sided that relationship can be," he says.
"Mission creep," in which information intended for one purpose ends up being used for another, is a valid concern for companies asked to cough up customer data, says Mary Culnan, Slade professor of management and information technology at Bentley College in Waltham, Mass.
Some regulated industries have more practice working through these issues. Under the USA Patriot Act, Wachovia Corp., like all financial-services companies, is required to check lists provided by the Treasury Department against its own customer database to detect people who might be funneling money to terrorist organizations. To avoid unauthorized disclosure of customer data, Wachovia has a designated person within its security operations charged with the job. "You want to have a process that an individual oversees and is accountable for," says Bill Langley, the bank's chief compliance officer.
While the government has a responsibility to build public confidence in its ability to protect privacy, it's the companies that will pay dearly if consumers believe they're loose with personal information. The lawsuits against the airlines illustrate how unprepared companies are to deal with the situation, says Jim Harper, editor of Privacilla.org, a Web site that reports on privacy laws and policies. "They've got a social issue dropped in their lap, and they're struggling to deal with it," he says. "The first obligation is to the customers."
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.