Wednesday, October 10, 2007

The Privacy Lawyer: Actions Must Follow Privacy Mea Culpas

First JetBlue Airways, then Northwest Airlines, and now American Airlines. Each has admitted sharing passenger information with government agencies or companies associated with agencies. Passenger-name records typically include itinerary, name, address, phone number, and credit information. They also may include E-mail addresses and flight preferences (such as kosher meals). Much of this is sensitive to consumers and subject to strict laws overseas. Now all three airlines face class-action lawsuits and potential federal sanctions for releasing the information without passengers' consent or legal process.

Sharing data in the interest of security is understandable. Frankly, I find it surprising that only three complied when asked for personal information to study risk-assessment tools. I suspect more airlines will come forward in time.

JetBlue's was the first shoe to drop, last September. The airlines gave data to Torch Concepts, a would-be defense contractor. Five million JetBlue passenger-name records, involving 1.5 million passengers, were involved. These records were later matched with data purchased by Torch from Acxiom, JetBlue's data aggregator, which included income, occupation, home ownership, and Social Security numbers.

The data was used in a report Torch presented at one of its conferences, and a chart was posted online. It contained personal data belonging to a specific, nonconsenting passenger. That information stayed on the site for about six months, until discovered by privacy advocates in September. JetBlue admitted that the disclosure violated its privacy policy in effect at that time.

In January, Northwest said that beginning in December 2001, it had given passenger name records (involving more than 10 million passengers) for two months to NASA. Again, the data was used for a study of risk assessment. Northwest denies violating its privacy policy.

And now American says it gave passenger-name records affecting 1.2 million passengers to four companies seeking contracts with the Transportation Security Administration in June 2002.

The trio, which seem to have learned a lesson, insist that the volunteered data either has been destroyed or returned by the recipients. Each says it won't give records for tests of the government's proposed Computer Assisted Passenger Prescreening System, a nationwide computer system designed to assess risks, unless compelled to do so. Wise move, legally speaking. All companies, no matter how much they would like to help, should insist on a formal, legal demand before giving up private consumer data (see "Patriotism, Compliance, And Confidentiality," Oct. 20).

I suspect that there are more examples like these. All companies should audit post-Sept. 11 data disclosures to uncover mistakes, and ensure that any records disclosed are now secure and that affected consumers are notified.

Finally, I would caution that hindsight is always 20/20. While doing all we can to protect personal and private information, we also should remember the national atmosphere in the immediate aftermath of Sept. 11, 2001, and not be too quick to indict well-intentioned actions, no matter how unwise. It was a difficult time for all, not least of which the airlines.


http://www.informationweek.com/showArticle.jhtml?articleID=19200120