
E-Commerce News

Proposed Bill Seeks to Protect Data/Privacy; JetBlue Avoids Privacy Turbulence

PROPOSED BILL SEEKS TO PROTECT DATA/PRIVACY

On November 17, the Judiciary Committee of the United States Senate approved a broad identity theft bill (the "Personal Data Privacy and Security Act" [S. 1789]) introduced by Committee Chairman Arlen Specter (R-Pa.) and ranking minority member Patrick J. Leahy (D-Vt.).  Some Republican senators, however, expressed strong objections.

The proposed bill would require companies to implement comprehensive data security programs and to vet third-party contractors hired to process data.  It would also require notification to "any resident in the United States whose sensitive personally identifiable information has been, or is reasonably believed to have been, accessed, or acquired" as a result of a data security breach.  Any company seeking an exemption would have to file a report with the U.S. Secret Service showing the breach poses "no significant risk of harm" to consumers.
 
Under the bill's provisions, an organization could be fined up to $50,000 per day for improper notification.  Individuals who "intentionally and willfully" conceal facts related to a breach could be imprisoned for up to five years.

The law would also increase criminal penalties for identity theft involving electronic personal data; allow consumers access to, and the opportunity to correct, any personal information held by data brokers; and require the government to establish rules protecting privacy and security when it uses data broker information and to impose penalties on government contractors that fail to comply with such rules.

The bill also would require companies to implement comprehensive personal data security programs that include "administrative, technical, and physical safeguards." Among other things, the measure includes requirements on training, vulnerability testing, and contracts with service providers.

The bill would require companies to go through several steps to avoid reporting breaches to consumers. An exemption would be given where:

  • an assessment concludes there is "no significant risk" of harm to consumers; 
  • the company notifies the U.S. Secret Service in writing about the assessment results and the decision to not send breach notices to consumers; and 
  • the Secret Service does not indicate, in writing, within ten days of receiving an assessment report, that notice should be given.

Companies would have to send their assessment reports to the Secret Service within 45 days of the breach, unless that time is extended by the agency.

The legislation would require companies to notify consumers "without unreasonable delay." However, the bill would allow notification to be delayed if a law enforcement agency determined that notification would impede a criminal investigation.

The bill would supersede "any other provision of federal law or any provision of law of any state relating to notification of a security breach," except that states could still require notices to include information regarding victim protection assistance.
 
In the area of government access and use of commercial data, the bill would:

  • require the General Services Administration to evaluate the privacy and security practices of potential government contractors handling personal data and include penalties in government contracts for failure to protect data privacy and security; 
  • require federal agencies to audit the information security practices of commercial data brokers hired for projects involving personal data and include protections and penalties in contracts with data brokers to protect data privacy and security; and 
  • require federal agencies to conduct privacy impact assessments on their use of commercial databases to access personal data on U.S. persons and to adopt regulations to ensure the security and privacy of data obtained through commercial data brokers.

It's hard to predict how legislation, once proposed, will end up.  It's clear that legislators are determined to respond to the concerns of their constituents in the area of data privacy.  

JETBLUE AVOIDS PRIVACY TURBULENCE

JetBlue Airways has successfully fended off claims filed by two privacy advocacy groups that alleged the airline improperly transferred passenger name records (PNRs).  The California appellate court affirmed a trial court ruling dismissing the suit, holding that the transfer of the PNRs to a Defense Department contractor did not violate federal or state law, even absent passenger consent to the transfer.

The appellate court found that the federal Airline Deregulation Act of 1978 (ADA) preempted state consumer protection law claims.  The appellate court also determined that the privacy groups -- the Privacy Rights Clearinghouse and Privacy Activism -- lacked standing to bring the lawsuit. 

The case arose in 2002, when JetBlue, acting on a directive from Transportation Security Administration officials, transferred approximately 5 million PNRs to a DOD contractor studying data mining of personal characteristics to determine security threats posed by visitors to military bases.  The lawsuit arose after JetBlue publicly admitted in 2003 to sharing the customer data in violation of its own privacy policy.  The appellate court's primary reason for affirming the dismissal of the claims was that the ADA broadly preempted all claims against airlines involving their services.  According to the court, "service" should be interpreted "broadly enough to encompass the ticketing and reservation process" under which the PNR information was collected.  If that weren't reason enough, the court noted that Transportation Department regulations govern the collection and use of airline passenger information, and thus fall within the ADA's express preemption of other laws.  The federal law's preemption also shielded the military subcontractor that received the PNR data.

Although the court's decision on preemption effectively disposed of the suit, the court went on to find that the two privacy groups lacked standing even to bring the suit.  Under Proposition 64, which California voters approved in 2004, only persons who suffer an "injury in fact" -- that is, lost money or property -- have standing to bring unfair competition consumer class claims.  The privacy groups could make no such claim.

Unauthorized transfer of private data is a growing source of litigation and potential liability for unwary data collectors.  JetBlue's ability to rely on federal preemption is a luxury generally not available to companies outside the airline industry.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.