News
Commentary
4/23/2004
03:22 PM
Commentary
Commentary
Commentary
Connect Directly
RSS
E-Mail
50%
50%

The Privacy Lawyer: Actions Must Follow Privacy Mea Culpas

This isn't a problem just for airlines. Audit your data disclosures.

First JetBlue Airways, then Northwest Airlines, and now American Airlines. Each has admitted sharing passenger information with government agencies or companies associated with agencies. Passenger-name records typically include itinerary, name, address, phone number, and credit information. They also may include E-mail addresses and flight preferences (such as kosher meals). Much of this is sensitive to consumers and subject to strict laws overseas. Now all three airlines face class-action lawsuits and potential federal sanctions for releasing the information without passengers' consent or legal process.

Sharing data in the interest of security is understandable. Frankly, I find it surprising that only three complied when asked for personal information to study risk-assessment tools. I suspect more airlines will come forward in time.

JetBlue's was the first shoe to drop, last September. The airlines gave data to Torch Concepts, a would-be defense contractor. Five million JetBlue passenger-name records, involving 1.5 million passengers, were involved. These records were later matched with data purchased by Torch from Acxiom, JetBlue's data aggregator, which included income, occupation, home ownership, and Social Security numbers.

The data was used in a report Torch presented at one of its conferences, and a chart was posted online. It contained personal data belonging to a specific, nonconsenting passenger. That information stayed on the site for about six months, until discovered by privacy advocates in September. JetBlue admitted that the disclosure violated its privacy policy in effect at that time.

In January, Northwest said that beginning in December 2001, it had given passenger name records (involving more than 10 million passengers) for two months to NASA. Again, the data was used for a study of risk assessment. Northwest denies violating its privacy policy.

And now American says it gave passenger-name records affecting 1.2 million passengers to four companies seeking contracts with the Transportation Security Administration in June 2002.

The trio, which seem to have learned a lesson, insist that the volunteered data either has been destroyed or returned by the recipients. Each says it won't give records for tests of the government's proposed Computer Assisted Passenger Prescreening System, a nationwide computer system designed to assess risks, unless compelled to do so. Wise move, legally speaking. All companies, no matter how much they would like to help, should insist on a formal, legal demand before giving up private consumer data (see "Patriotism, Compliance, And Confidentiality," Oct. 20).

I suspect that there are more examples like these. All companies should audit post-Sept. 11 data disclosures to uncover mistakes, and ensure that any records disclosed are now secure and that affected consumers are notified.

Finally, I would caution that hindsight is always 20/20. While doing all we can to protect personal and private information, we also should remember the national atmosphere in the immediate aftermath of Sept. 11, 2001, and not be too quick to indict well-intentioned actions, no matter how unwise. It was a difficult time for all, not least of which the airlines.

Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She can be reached at parry@aftab.com.

Contine to the sidebar: Not Everyone Is Bothered By Fed Access To Personal Data

Take our quick poll: Give us your opinion about privacy


To discuss this column with other readers, please visit the Talk Shop.

To find out more about Parry Aftab, please visit her page on the Listening Post.

Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.