The Privacy Lawyer: Actions Must Follow Privacy Mea Culpas - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:22 PM

The Privacy Lawyer: Actions Must Follow Privacy Mea Culpas

This isn't a problem just for airlines. Audit your data disclosures.

First JetBlue Airways, then Northwest Airlines, and now American Airlines. Each has admitted sharing passenger information with government agencies or companies associated with agencies. Passenger-name records typically include itinerary, name, address, phone number, and credit information. They also may include E-mail addresses and flight preferences (such as kosher meals). Much of this is sensitive to consumers and subject to strict laws overseas. Now all three airlines face class-action lawsuits and potential federal sanctions for releasing the information without passengers' consent or legal process.

Sharing data in the interest of security is understandable. Frankly, I find it surprising that only three complied when asked for personal information to study risk-assessment tools. I suspect more airlines will come forward in time.

JetBlue's was the first shoe to drop, last September. The airlines gave data to Torch Concepts, a would-be defense contractor. Five million JetBlue passenger-name records, involving 1.5 million passengers, were involved. These records were later matched with data purchased by Torch from Acxiom, JetBlue's data aggregator, which included income, occupation, home ownership, and Social Security numbers.

The data was used in a report Torch presented at one of its conferences, and a chart was posted online. It contained personal data belonging to a specific, nonconsenting passenger. That information stayed on the site for about six months, until discovered by privacy advocates in September. JetBlue admitted that the disclosure violated its privacy policy in effect at that time.

In January, Northwest said that beginning in December 2001, it had given passenger name records (involving more than 10 million passengers) for two months to NASA. Again, the data was used for a study of risk assessment. Northwest denies violating its privacy policy.

And now American says it gave passenger-name records affecting 1.2 million passengers to four companies seeking contracts with the Transportation Security Administration in June 2002.

The trio, which seem to have learned a lesson, insist that the volunteered data either has been destroyed or returned by the recipients. Each says it won't give records for tests of the government's proposed Computer Assisted Passenger Prescreening System, a nationwide computer system designed to assess risks, unless compelled to do so. Wise move, legally speaking. All companies, no matter how much they would like to help, should insist on a formal, legal demand before giving up private consumer data (see "Patriotism, Compliance, And Confidentiality," Oct. 20).

I suspect that there are more examples like these. All companies should audit post-Sept. 11 data disclosures to uncover mistakes, and ensure that any records disclosed are now secure and that affected consumers are notified.

Finally, I would caution that hindsight is always 20/20. While doing all we can to protect personal and private information, we also should remember the national atmosphere in the immediate aftermath of Sept. 11, 2001, and not be too quick to indict well-intentioned actions, no matter how unwise. It was a difficult time for all, not least of which the airlines.

Parry Aftab is a cyberspace lawyer, specializing in online privacy and security law, and she's also executive director of WiredSafety. She can be reached at [email protected].

Contine to the sidebar: Not Everyone Is Bothered By Fed Access To Personal Data

Take our quick poll: Give us your opinion about privacy

To discuss this column with other readers, please visit the Talk Shop.

To find out more about Parry Aftab, please visit her page on the Listening Post.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
Register for InformationWeek Newsletters
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll