Some of those requirements have yet to be met, according to a General Accounting Office report issued last month on CAPPS II. It concludes that the program lacks the security and oversight needed to safeguard privacy and fails to give passengers adequate means of clearing their names.
The government is as concerned as private industry is about maintaining consumer privacy, says O'Connor Kelly, who's responsible for ensuring that Homeland Security complies with privacy laws. But this is new territory, she says. The rules laid out in the Privacy Act of 1974 are clear when it comes to how government contractors handle private-sector data or when data is collected in relation to a specific national-security threat, but they're murky in the context of an ongoing threat. "Both sides have to have clear rules about what goes where and why," she says. "There are some really valid outstanding questions. I think the use of private-sector data for homeland security or any other governmental purpose is one of the most important privacy issues we're dealing with in the federal government."
Hotels are still trying to figure out what the government wants, McInerney says.
An executive in the hotel division of Cendant Corp., which owns the Days Inn, Howard Johnson, and Travelodge hotel chains, among others, says hotels would prefer to run internal checks against terrorism databases, provided the government gives them access to those lists. Rick Martinez, director of strategic planning and security for Cendant's hotel IT operation, says Cendant's senior management has launched an initiative on how to deal with government requests, but he wouldn't provide details.
"Everybody is resolved to the fact that we have to give this information," McInerney says. The association has received assurances from federal officials that the privacy of any data surrendered would be diligently protected and not used for purposes unrelated to terrorist threats. But Martinez says he's still concerned that the government won't provide guarantees about how customer data would be used and protected. "We all know how one-sided that relationship can be," he says.
"Mission creep," in which information intended for one purpose ends up being used for another, is a valid concern for companies asked to cough up customer data, says Mary Culnan, Slade professor of management and information technology at Bentley College in Waltham, Mass.
Some regulated industries have more practice working through these issues. Under the USA Patriot Act, Wachovia Corp., like all financial-services companies, is required to check lists provided by the Treasury Department against its own customer database to detect people who might be funneling money to terrorist organizations. To avoid unauthorized disclosure of customer data, Wachovia has a designated person within its security operations charged with the job. "You want to have a process that an individual oversees and is accountable for," says Bill Langley, the bank's chief compliance officer.
While the government has a responsibility to build public confidence in its ability to protect privacy, it's the companies that will pay dearly if consumers believe they're loose with personal information. The lawsuits against the airlines illustrate how unprepared companies are to deal with the situation, says Jim Harper, editor of Privacilla.org, a Web site that reports on privacy laws and policies. "They've got a social issue dropped in their lap, and they're struggling to deal with it," he says. "The first obligation is to the customers."
-- with Rick Whiting