The Privacy Lawyer: Actions Must Follow Privacy Mea Culpas
This isn't a problem just for airlines. Audit your data disclosures.
First JetBlue Airways, then Northwest Airlines, and now American Airlines. Each has admitted sharing passenger information with government agencies or companies associated with agencies. Passenger-name records typically include itinerary, name, address, phone number, and credit information. They also may include E-mail addresses and flight preferences (such as kosher meals). Much of this is sensitive to consumers and subject to strict laws overseas. Now all three airlines face class-action lawsuits and potential federal sanctions for releasing the information without passengers' consent or legal process.
Sharing data in the interest of security is understandable. Frankly, I find it surprising that only three complied when asked for personal information to study risk-assessment tools. I suspect more airlines will come forward in time.
JetBlue's was the first shoe to drop, last September. The airlines gave data to Torch Concepts, a would-be defense contractor. Five million JetBlue passenger-name records, involving 1.5 million passengers, were involved. These records were later matched with data purchased by Torch from Acxiom, JetBlue's data aggregator, which included income, occupation, home ownership, and Social Security numbers.
And now American says it gave passenger-name records affecting 1.2 million passengers to four companies seeking contracts with the Transportation Security Administration in June 2002.
The trio, which seem to have learned a lesson, insist that the volunteered data either has been destroyed or returned by the recipients. Each says it won't give records for tests of the government's proposed Computer Assisted Passenger Prescreening System, a nationwide computer system designed to assess risks, unless compelled to do so. Wise move, legally speaking. All companies, no matter how much they would like to help, should insist on a formal, legal demand before giving up private consumer data (see "Patriotism, Compliance, And Confidentiality," Oct. 20).
I suspect that there are more examples like these. All companies should audit post-Sept. 11 data disclosures to uncover mistakes, and ensure that any records disclosed are now secure and that affected consumers are notified.
Finally, I would caution that hindsight is always 20/20. While doing all we can to protect personal and private information, we also should remember the national atmosphere in the immediate aftermath of Sept. 11, 2001, and not be too quick to indict well-intentioned actions, no matter how unwise. It was a difficult time for all, not least of which the airlines.
Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She can be reached at firstname.lastname@example.org.
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.