The Privacy Lawyer: Actions Must Follow Privacy Mea Culpas
This isn't a problem just for airlines. Audit your data disclosures.
First JetBlue Airways, then Northwest Airlines, and now American Airlines. Each has admitted sharing passenger information with government agencies or companies associated with agencies. Passenger-name records typically include itinerary, name, address, phone number, and credit information. They also may include E-mail addresses and flight preferences (such as kosher meals). Much of this is sensitive to consumers and subject to strict laws overseas. Now all three airlines face class-action lawsuits and potential federal sanctions for releasing the information without passengers' consent or legal process.
Sharing data in the interest of security is understandable. Frankly, I find it surprising that only three complied when asked for personal information to study risk-assessment tools. I suspect more airlines will come forward in time.
JetBlue's was the first shoe to drop, last September. The airlines gave data to Torch Concepts, a would-be defense contractor. Five million JetBlue passenger-name records, involving 1.5 million passengers, were involved. These records were later matched with data purchased by Torch from Acxiom, JetBlue's data aggregator, which included income, occupation, home ownership, and Social Security numbers.
And now American says it gave passenger-name records affecting 1.2 million passengers to four companies seeking contracts with the Transportation Security Administration in June 2002.
The trio, which seem to have learned a lesson, insist that the volunteered data either has been destroyed or returned by the recipients. Each says it won't give records for tests of the government's proposed Computer Assisted Passenger Prescreening System, a nationwide computer system designed to assess risks, unless compelled to do so. Wise move, legally speaking. All companies, no matter how much they would like to help, should insist on a formal, legal demand before giving up private consumer data (see "Patriotism, Compliance, And Confidentiality," Oct. 20).
I suspect that there are more examples like these. All companies should audit post-Sept. 11 data disclosures to uncover mistakes, and ensure that any records disclosed are now secure and that affected consumers are notified.
Finally, I would caution that hindsight is always 20/20. While doing all we can to protect personal and private information, we also should remember the national atmosphere in the immediate aftermath of Sept. 11, 2001, and not be too quick to indict well-intentioned actions, no matter how unwise. It was a difficult time for all, not least of which the airlines.
Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She can be reached at firstname.lastname@example.org.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.