Legal Implications of Data Collection at Airports (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

26    ACRP LRD 42 For airports, as governmental entities, the Supreme Court While these First and Fourteenth Amendment privacy chal- decisions on the constitutional protections for privacy under lenges are less obvious than ones predicated on the Fourth the Fourth Amendment should result in an examination of Amendment, they remain a concern for government entities how surveillance systems like CCTV and tracking technologies seeking to capture and use data. This concern is particularly are used. This includes both uses for law enforcement and for pronounced where data is collected regarding the travel habits commercial services. In the absence of express consent from of individuals traveling together or traveling to attend events or individuals, the capture and use of this data may raise Fourth meetings. Amendment concerns. V. SURVEY OF FEDERAL STATUTORY 5. Constitutional Protections for Collected Data Based on First and Fourteenth Amendment Theories PROVISIONS AND FEDERAL AGENCY ACTIONS In addition to Fourth Amendment-based privacy protec- A. Early Federal Statutory Efforts to Address Privacy tions, the First and Fourteenth Amendments also offer theories Understanding two particular 1970s statutes is critical to of protecting information associated with individuals. For ex- understanding the U.S. legal approach to protecting privacy. ample, the Supreme Court in NAACP v. Alabama,114 found that Though not controlling on all privacy issues, the Fair Credit Re- the compelled disclosure of membership in an organization was porting Act (FCRA)120 and the Privacy Act of 1974121 represent a violation of the constitutional protection of the right to free the two most mature federal statutory efforts in the privacy field. association and political expression. In instances where data While some privacy advocates would like to see the introduction collections held by government are seen to impact the ability of of federal measures expanding data protection as a fundamental individuals to associate for cultural, religious, or political rea- right, the U.S. Congress has not taken that approach. Instead sons, the ability of government to collect and maintain that data of imposing universal privacy standards, Congress has imple- might be challenged under both First and Fourteenth Amend- mented a “sectoral approach”122 meaning that only information ment theories. Roberts v. U.S. Jaycees.115 gathered for certain purposes or by certain organizations is pro- Potential concern with respect to associational freedom tected by mandated privacy requirements. Some examples of under Roberts could clearly arise when technology captures regulated sectors include financial and health data. videos, images, or audio from demonstrations or other events The development of early federal legislation to address indi­ at airports. The applicability of First Amendment activity in vidual privacy provides an example of likely future statutory and airports is well established.116 While First Amendment rights regulatory enactments at the federal, state, and local ­levels. The may be more limited at an airport than at a traditional public FCRA and the Privacy Act originated as a result of the private forum, the use of data collection may nevertheless present First background check database industry’s rise123 and public concern Amendment concerns. at the time about informational privacy.124 These statutes also In addition to protections afforded to more extended social created a framework for understanding the concepts of individ- relationships, the Court has also recognized associational pro- ual interest in informational privacy and the measures necessary tections under the Fourteenth Amendment for intimate rela- to protect those interests. These early efforts have shaped the tionships as well. Where collection of data exposes information U.S. approach to protecting privacy. Interestingly, the billion- in the “zones of privacy”117 of these intimate relations (marriage, dollar private database industry has both spurred and worked to intimate family, and friendship relations), challenges to gov- circumvent federal efforts and protections of indi­vidual privacy ernment activity under the Fourteenth Amendment may still through the FCRA and the Privacy Act.125 ­exist.118 Those restrictions can even apply to intimate relation- ships occurring in a public context.119 114   357 U.S. 449 (1957). 120   15 U.S.C. § 1681, et seq. 115   468 U.S. 609 (1984). 121   5 U.S.C. § 552a, et seq. 116   Regulations Affecting the Exercise of First Amendment Activities 122   Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Pri- at Airports, Nat’l Acads of Scis., Eng’g, & Med. (2015), https://doi. vacy Protection (Version 3.0). 2006 Univ. of Ill. L. Rev. 357, at 357 org/10.17226/22099. (2006), https://ssrn.com/abstract=881294. 117   See Griswold v. Conn., 381 U.S. 479, 514-15 (1965). 123   The scope of the private industry that has grown up around the 118   See Roe v. Wade, 410 U.S. 113 (1973). collection of personal information (including criminal history informa- 119   See City of Dallas v. Stanglin, 490 U.S. 19 (1989). While rejecting tion) is well cataloged.  See James Jacobs & Tamara Crepet, The Expand- a challenge to dance hall restrictions based in part on claims of pro- ing Scope, Use, and Availability of Criminal Records, 11 N.Y.U. J. of Int’l tected intimate social association, the Stanglin Court noted the vitality Law & Policy 177 (2008), http://www.nyujlpp.org/wp-content/ of those protections. Citing a prior decision in Roberts, supra, footnote uploads/2012/10/Jacobs-Crepet-The-Expanding-Scope-Use-and- 115, it observed “the Court has concluded that choices to enter into and Availability-of-Criminal-Records.pdf. maintain certain intimate human relationships must be secured against 124   Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Pri- undue intrusion by the State because of the role such relationships have vacy Protection (Version 3.0). Univ. of Ill. L. Rev. 357, 357 (2006),  played in safeguarding the individual freedom that is central to our con- https://ssrn.com/abstract=881294. stitutional scheme.” 490 U.S. at 24 (quotations omitted). 125   Id. 

ACRP LRD 42   27 1. The FCRA advises that the FCRA specifically provides individuals, among other protections, the following:138 The FCRA was developed and enacted in response to con- cerns over the expansion and power of credit reporting agen- • The right to review information; cies (CRAs). Initially formed in the 1950s and 1960s, these • The right to know if information has been used against firms collect and report individuals’ financial data. The advent you; of computers streamlined this processing for the industry and, • The right to dispute inaccurate information (inaccurate combined with demand, facilitated the industry’s growth.126 The information is required to be corrected); FCRA sought to bring clarity to these practices and protect indi­ • The right to have access to your information limited; viduals’ privacy rights. • The right to have your information released to prospec- The FCRA requires consumer reporting agencies,127 or other tive employers only upon written consent; and entities that prepare consumer reports,128 to maintain proce- • The ability to bring an action for damages if your rights dures that give consumers access to the data maintained about are violated. them, ensure accuracy of data reporting agencies submit and regulates collection, maintenance, dissemination, and use of These concepts of limited use, transparency, consent, indi­ consumer reports.129 vidual access, and right of correction are ones that are com­ Some government entities have limited rights to seek FCRA monly found in other privacy protection frameworks. The covered information.130 But generally, information sought for ­ability to seek damages against data holders who fail to meet law enforcement investigative purposes will require some legal those standards is also a common feature. process requirement like a court order.131 Exceptions exist for access related to counterterrorism and national security. 2. Privacy Act of 1974 Government enforcement of the FCRA is principally con- Congress passed the Privacy Act of 1974 in response to the ducted by the FTC. Although, in certain cases involving spe- HEW Commission Report referenced in Section III. The report cific industries other federal agencies have FCRA enforcement outlined concerns about large, computerized data collections of authority.132 For example, violations by airlines and other com- the federal government on personal privacy. The Privacy Act mon carriers are enforced by the U.S. Department of Transpor- of 1974 provides individuals with the right to access, the right to tation.133 The FCRA also recognizes and makes allowances for a request changes, and protection from unauthorized exposure of number of instances where similar state laws may apply.134 There government records that contain information about them. The is also a private right of action for FCRA violations.135 act places obligations on the federal government to ensure that Because the focus of the FCRA is limited to the consumer individual privacy rights are respected. This safeguarding is ac- reporting agencies defined in the FCRA using consumer re- complished though requirements that each federal agency only ports for credit, insurance, or employment related evaluations136 maintain individual information relevant to its governmental using consumer reports defined in the statute,137 it is unlikely purpose and maintain those records with accuracy, relevance, that most data use by airports will implicate FCRA provisions. timeliness, and completeness to ensure fairness in decision- However, the focus of the FCRA on promoting consumer ac- making.139 Agencies must publish notice regarding the infor- cess to records affecting them and affording them the ability to mation systems they maintain.140 Additionally, agencies are re- correct data errors is something that airports or airport stake- quired to promulgate rules for individual access and correction holders should address in their policies governing the use of of records.141 The clear purpose is to create an understanding consumer data. In that regard, consideration should be given to of the records being kept about individuals so individuals can the FTC’s Consumer Financial Protection Bureau. The Bureau intelligently exercise their access rights. Where individuals identify violations of their rights, the Pri- vacy Act of 1974 provides a private cause of action for redress in the form of injunctive relief to enforce compliance.142 Successful 126   Mark J. Furletti, An Overview and History of Credit Reporting (June litigants can also seek attorney’s fees.143 2002), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=927487. This statute was the first of its kind designed to limit govern- 127   15 U.S.C. § 1681a(f). mental establishment and use of databases of personal informa- 128   15 U.S.C. § 1681a(d). tion. The statute limits government collection, dissemination 129   15 U.S.C. § 1681, et seq. 130   16 C.F.R. § 608. 138   Summary of Your Rights Under the Fair Credit Reporting Act, 131   Id. at § 604(1). Consumer Finance Protection Bureau, https://files.consumerfinance. 132   15 U.S.C. § 1681s(b). gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf. 133   15 U.S.C. § 1681s(b)(1)(c). 139   Id. § 552a(e). 134   15 U.S.C. §§ 1681s(c), 1681t. 140   Id. 135   15 U.S.C. §§ 1681n, 1681o. 141   Id. § 552a(f). 136   15 U.S.C. § 1681a(d). 142   Id. at § 552a(g). 137   Id. 143   Id. 

28    ACRP LRD 42 and use of personal information. It also imposes penalties for credit card number and the expiration date for a period of over improper disclosure of personal information as well as afford- four months. The court approved certification over an argument ing individuals, access to files maintained by governmental enti- by the defendant that certifying a class action where the likely ties. Its terms specifically apply only to data maintained by the plaintiffs would have no actual damages and only an entitlement federal government, but those provisions have been used as a to statutory awards would result in an unreasonable penalty for model by state and local entities seeking to provide their own failure to comply with FACTA. data protections. These cases demonstrate that while small failures to enforce requirements concerning statutorily protected data, even when 3. Limitations of FCRA and Privacy Act Protections the release of that data does not create actual harm, can result Since the enactment of these protections there is increasing in substantial penalties. This fact is particularly true for finan- evidence of their inadequacy in addressing the issue of infor- cial data. If airports or airport stakeholders are involved in the mational privacy. While both statutes provide some protections, collection of covered data, then they must be careful to comply they are limited by their very terms in what they protect. For with these statutory requirements. Failure can result in substan- example, the Privacy Act of 1974 is limited to information gen- tial liability even in the absence of actual injury to individuals. erated and maintained by the federal government. However, the In some instances, the FCRA may be implicated where in- federal government has made extensive use of private databases formation is gathered and marketed for a usage that may be to circumvent the protections of the Privacy Act. The extensive covered under the FCRA. Consider Spokeo v. Robins,147 where use of these private databases escapes regulation. the Supreme Court addressed the question of an individual’s The narrow statutory definition of the FCRA allows for standing to bring suit against an open-source data mining com- unregulated use of data for a large range of other activities. pany whose data mining services were allegedly being used to Recognizing the weakness of the FCRA in regulating the use evaluate the conduct of prospective employees. The Plaintiff of information that could result in identity theft, Congress ­alleged he was injured because the false information collected amended the FCRA with the passage of the Fair and Accurate by Spokeo was used to deny him employment opportunities. Credit ­Transactions Act (FACTA).144 FACTA was designed to While Spokeo represents an expansion of FCRA into the ­strengthen protections against identity theft. It offers indi­viduals realm of internet activity and online search, it does not change the opportunity to receive a free annual credit report from each the underlying limitation of FCRA applicability to “consumer of the major credit reporting companies. It requires notice to reports” as defined in the statute. That definition limits the ap- consumers and credit scores in the event of denials or offers of plicability of the FCRA to narrowly defined categories of infor- less favored credit. It provides individuals the opportunity to mation usage. It is because the Spokeo reports were allegedly place fraud alerts into their credit histories. Lastly, it imposes inaccurate and shared with prospective employers that Robins additional safeguards with respect to transactions designed to could proceed with his claim. combat identity theft, including limiting the number of digits While Spokeo will likely have little direct impact for airports that can be publicly viewable on transaction receipts. (unless they are using social media search services as part of Airports and airport facilities have been involved in litiga- their hiring process), the decision should raise concern over the tion brought under FACTA. In Garland v. Memphis-Shelby fact that subsequent use of collected data may result in liability. County Airport Authority, the district court approved a class ac- This is true even if the prohibited or improper use is done by a tion settlement of a FACTA claim, brought in connection with third-party. This case should serve as a reminder that if an air- the issuance of credit card receipts for parking at the airport.145 port or airport stakeholder collects data and shares data with a The receipts issued for parking had more than five digits of the third party, the third-party’s use of data in a way that is incon- credit card listed on the receipt in violation of the limits set in sistent with the purpose for which the data was collected may FACTA. While the Plaintiff admittedly suffered no injury, he cause liability. brought a class action suit seeking statutorily provided damages. The result of the suit was the award of $275,000 in attorney’s fees 4. Lessons of FCRA and Privacy Act to the Plaintiff ’s lawyer and the creation of a $1,005,000 settle- While the FCRA and Privacy Act are the oldest federal at- ment fund. tempts at privacy protection, they are not alone. Congress In Beringer v. Standard Parking Corp.,146 customers from has passed other statutes that protect privacy and ensure data the parking facility at O’Hare International Airport sought ­security in several other contexts. However, these statutes do not class certification in a dispute over parking charges. The court provide a comprehensive framework to address individual pri- ­granted certification for a class of over 15,300 members. The vacy concerns across multiple domains. Instead, these statutes O’Hare parking facility, like the facility in Garland was accused address relatively narrow spheres of individual privacy applying of issuing parking receipts with more than five digits of the only to certain types of information and data usage. And many of these legislative enactments have only tangential relevance 144   15 U.S.C. § 1681j. in an airport context. However, these laws form a part of the 145   No. 09-2749, 2011 U.S. LEXIS 159344 (W.D. Tenn. July 19, 2011). overall legislative approach to data privacy in the United States. 146   No. 07 C 5027, 2008 U.S. Dist. LEXIS 72873 (N.D. Ill. Sept. 4, 2008).   136 S. Ct. 1540 (2016). 147 

ACRP LRD 42   29 In this sense, while they are not controlling, they do offer some electronically by Delta.160 The court held that Plaintiffs failed to guidance for internal controls that practitioners might consider. state a Section 2701 claim because “[t]he Court would have to accept the conclusion that Delta, in unlawfully accessing its own B. Additional Federal Statutory Provisions servers, did not have Delta’s own authorization.”161 The court There are several additional federal statutory provisions concluded that “Plaintiffs’ argument defies common sense.”162 regarding data collection, storage, access, and dissemination. The court also held that Plaintiffs failed to state a Section 2702 While a number of the federal statutes listed below are not claim finding that “the Court cannot conclude that Delta is an ­directly governing, they may provide airports with templates for entity providing either an ‘electronic communication service’ or policy creation in the data privacy context. ‘remote computing service.’”163 In reaching this conclusion, the court in Pica relied on In re JetBlue Airways Corporation Privacy 1. The Stored Communications Act (SCA)148 Litigation,164 which explained that “a company such as JetBlue Contained at Title II of the omnibus Electronic Commu- does not become an ‘electronic communication service’ pro- nications Privacy Act of 1986 (ECPA),149 the SCA addresses vider simply because it maintains a website that allows for the both voluntary and compelled disclosure of “stored wire and transmission of electronic communications between itself and electronic communications and transactional records” held by its customers.”165 third-party internet service providers (ISPs). The SCA contains In McGarry v. Delta Air Lines, Inc.,166 the U.S. District Court criminal penalties150 and provides for a civil cause of action.151 for the Central District of California again dismissed another In In re Am. Airlines, Inc. Privacy Litigation,152 the U.S. Dis- nationwide putative class action claim filed under the SCA trict Court for the Northern District of Texas, Dallas Division, against a company called “24/7”167 for the same malware attack dismissed a nationwide putative class action claim filed under in the Pica case, but used different grounds for its decision.168 As the SCA against American Airlines (American).153 The com- to the Section 2701 claim, the court found that “Plaintiff ’s con- plaint asserted that the putative class was allegedly injured when sumer data is not a ‘facility’ (i.e., servers and databases) through American authorized a corporation to disclose highly confiden- which an electronic communication service is provided.”169 As to tial passenger information to the TSA without the passengers’ the Section 2702 claim, the court concluded that P ­ laintiff failed consent.154 The court found that Plaintiffs relied on a theory to state a claim because she failed to allege that 24/7 knowingly of unauthorized disclosure of information, not of access that divulged her customer data.170 exceeded authorization.155 Thus, the court held that Plaintiffs Enacted in 1986, the SCA was not amended until March, failed to state a Section 2701 claim because that section “does 2018, and its provisions have not anticipated many, if not most, not proscribe unauthorized use or disclosure of information of the advancements in modern-day technology.171 The amend- obtained from authorized access to a facility.”156 The court also ment to the SCA in 2018 was the Clarifying Lawful Overseas held that Plaintiffs failed to state a Section 2702 claim because Use of Data Act (CLOUD Act),172 which expressly allows U.S. they alleged that they conveyed personal information to Ameri- can, and therefore, American was an intended recipient of such 160   2019 U.S. Dist. LEXIS 65985 at **3-4. communication, and Section 2702(b)(3) permits disclosure of 161   2019 U.S. Dist. LEXIS 65985 at *18. electronic communications “with the lawful consent of…an 162   2019 U.S. Dist. LEXIS 65985 at *18. . . . intended recipient of such communication . . . .”157 163   2019 U.S. Dist. LEXIS 65985 at *19. In Pica v. Delta Airlines, Inc.,158 the U.S. District Court for 164   379 F. Supp. 2d 299 (E.D.N.Y. 2005). the Central District of California dismissed a nationwide puta- 165   379 F. Supp. 2d at 307. tive class action claim filed under the SCA against Delta Airlines 166   No. cv 18-9827-MWF (Ex), 2019 U.S. Dist. LEXIS 106236 (C.D. (Delta).159 The complaint asserted that the putative class was Cal. June 18, 2019). ­allegedly injured by malware that gained unauthorized access to 167   The court described “24/7” as a “customer experience software and services company” that provides online chat services and collects Plaintiffs’ identities and debit and credit card information stored end user data for Delta.” 2019 U.S. Dist. LEXIS 106236 at *2 (citations omitted). 148   18 U.S.C. §§ 2701-2712. 168   2019 U.S. Dist. LEXIS 106236 at **22-24. 149   18 U.S.C. §§ 2701 et seq. 169   2019 U.S. Dist. LEXIS 106236 at *22. For a thorough explanation 150   18 U.S.C. §§ 2701-2702. of what constitutes a “facility” under Section 2701 of the SCA, see In re 151   18 U.S.C. § 2707(a). Google, No. 19-cv-04286-BLF, 2020 U.S. Dist. LEXIS 80971 (N.D. Cal. 152   370 F. Supp. 2d 552 (N.D. Tex. 2005). May 6, 2020) (noting that “Courts in this Circuit and others have inter- 153   370 F. Supp. 2d at 568. preted ‘facility’ to exclude users’ personal devices” and further stated that “it was skeptical that software could properly be considered a 154   370 F. Supp. 2d at 555. ­facility”). 155   370 F. Supp. 2d at 558. 170   2019 U.S. Dist. LEXIS 106236 at **22-23. 156   370 F. Supp. 2d at 559. 171   See e.g., Gabriel R. Schlabach, Privacy in the Cloud: The Mosaic 157   370 F. Supp. 2d at 560. Theory and the Stored Communications Act, 67 Stan. L. Rev. 677, 693- 158   No. CV 18-2876-MWF (Ex), 2019 U.S. Dist. LEXIS 65985 (C.D. 94 (2015) (discussing inter alia five main problems with the SCA Cal. Feb. 14, 2019). including its basis in 1980s technology and dated terminology). 159   2019 U.S. Dist. LEXIS 65985 at *21. 172   18 U.S.C. § 2713. 

30    ACRP LRD 42 law enforcement through a warrant, subpoena, or court order to International Airport Centers v. Citrin,179 the U.S. Court of Ap- access electronically-stored communications data located out- peals for the Seventh Circuit held that an employer stated a civil side the U.S. by an electronic communication service or remote claim under CFAA against an employee who before departing computing service subject to U.S. jurisdiction, which includes employment downloaded all of his employer’s data from his all major U.S. cloud computing companies.173 employee laptop so that he could start a competing business.180 The court decisions under the SCA seem to leave it unlikely that an airport or other stakeholder in the airport space would 3. The Health Insurance Portability and Accountability have liability under the SCA. In cases where the airport or other Act (HIPAA)181 airport stakeholder is the lawful recipient of data, any alleged Congress enacted Title II of HIPAA, and its Administra- misuse would likely not be actionable under the SCA. tive Simplification (AS) provisions, to streamline the flow of healthcare information and to mandate how the healthcare 2. The Computer Fraud and Abuse Act (CFAA)174 and h­ ealthcare insurance industries should maintain Protected The CFAA prohibits accessing a computer without authori- Health Information (PHI) to be protected from fraud and theft. zation, or in excess of authorization. Like the SCA, the CFAA Under Title II, the U.S. Department of HHS has promulgated was enacted in 1986 and contains both criminal and civil en- five rules regarding AS: (1) the Privacy Rule;182 (2) the Trans- forcement mechanisms, but unlike the SCA, the CFAA has been actions and Code Sets Rule;183 (3) the Security Rule;184 (4) the amended a number of times.175 Unique Health Identifiers Rule;185 and (5) the Enforcement The U.S. Supreme Court, in April 2020, agreed to hear Van Rule.186 The Privacy Rule contains a provision that specifically Buren v. United States, a case that will determine whether it is a addresses the wrongful disclosure of individually identifiable federal crime for someone authorized to access information on health information with penalties including both fines and im- a computer system to access that information for an unauthor- prisonment.187 ized purpose.176 In Van Buren, a police sergeant was convicted HIPAA also contains a provision that states its effect on state under the CFAA for selling license plate information obtained law as it relates to public health issues.188 In this regard, HIPAA from a police database, and the U.S. Court of Appeals for the states that nothing “shall be construed to invalidate or limit the Eleventh Circuit upheld the conviction and held that misusing authority, power, or procedures established under any law pro- a database that the defendant may lawfully access may still con- viding for the reporting of disease or injury, child abuse, birth, stitute computer fraud.177 The CFAA makes it a crime to “inten­ or death, public health surveillance, or public health investiga- tionally access a computer without authorization or exceed tion or intervention.”189 Therefore, even with the COVID-19 ­authorized access, and thereby obtain . . . information from any pandemic, it is clear that HIPAA would allow state agencies to protected computer.”178 The U.S. Courts of Appeals for the First, enact investigative and reporting requirements that would cer- Fifth, Seventh and Eleventh Circuits have each adopted a broad tainly affect airport operations for tenants governed by HIPAA interpretation of the statute. In contrast, the U.S. Courts of Ap- requirements. peals for the Second, Fourth, and Ninth Circuits do not consider In response to the COVID-19 pandemic, the OCR at HHS mere misuse of information that an individual is ­authorized to has issued both Bulletins and Guidance that detail its regulatory access a violation of the statute. The Court’s decision in Van priorities under HIPAA. In February, 2020, the OCR issued a Buren will undoubtedly both guide prosecution efforts and in- Bulletin reiterating that the HIPAA Privacy Rule permits a cov- fluence civil litigation under the CFAA. Because of the broad ered entity to disclose certain patient health information with- ranging applicability of this issue, any employer, including air- out the individual’s authorization to support to a public health ports, should follow this case. authority such as the CDC or a state or local health department, The CFAA should convince airports and stakeholders in the that is authorized to collect or receive such information, for airport space to ensure that security safeguards are in place to the purpose of preventing or controlling disease, injury, or dis- mitigate possible fraudulent use of systems by employees. Fail- ure can result in potential CFAA violations. Employees need to be reminded that improper access to and use of data can result in criminal penalties as well as civil liability. For example, in 179   440 F.3d 418 (7th Cir. 2006). 180   Id. at 420. 181   42 U.S.C. § 1320d. 173   18 U.S.C. § 2713. 182   45 C.F.R. Part 160 & Subparts A, E of Part 164. 174   18 U.S.C. § 1030. 183   45 C.F.R. Subpart J of Part 162. 175   The CFAA has been amended in 1989, 1994, 1996, in 2001 by the 184   45 C.F.R. Part 160 & Subparts A, C of Part 164. USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforce- 185   45 C.F.R. Subparts A, D, E, F, I of Part 162. ment and Restitution Act. 186   45 C.F.R. Subparts C, D, E of Part 160. 176   Van Buren v. U.S., 206 L.Ed.2d 822 (2020) (granting petition for 187   42 U.S.C. § 1320d-6 (addressing wrongful disclosure of individ- certiorari). ually identifiable health information). 177   U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019). 188   42 U.S.C. § 1320d-7(b) Public health. 178   18 U.S.C. § (a)(2)(C). 189   Id. 

ACRP LRD 42   31 ability.190 In March, 2020, the OCR issued Guidance concern- This is particularly salient information in the airport space given ing COVID-19 and HIPAA and disclosures of protected health that a significant number of employees may be exposed to large information of an individual who has been infected with or ex- numbers of persons for extended periods of time. posed to COVID-19 to law enforcement, paramedics, other first Additionally, on April 10, 2020, the U.S. Department of responders, and public health authorities with the individual’s ­Labor’s Office of Occupational Safety and Health Administra- HIPAA authorization under certain circumstances.191 tion (OSHA) issued interim Guidance that classified COVID-19 It is important to emphasize that the HIPAA Privacy Rule192 as a recordable illness, making it reportable to OSHA if the em- applies only to covered entities or their business associates. ployee’s work environment exposed him or her to the virus.199 ­Covered entities are defined as health plans, health care clearing­ On May 19, 2020, the OSHA interim Guidance issued on April houses, and those health care providers that conduct one or 10, 2020 was revised.200 The interim Guidance issued on May 19, more covered health care transactions electronically, such as 2020, notes that an employer determining if a COVID-19 case transmitting health care claims to a health plan.193 Business asso­ is “work-related” under OSHA standards may pose a risk to the ciates are persons or entities (other than members of the work- employee’s privacy, and thus, an employee can request that his force of a covered entity) that perform functions or activities on or her name be excluded from an employer’s Form 300 (log of behalf of, or provide certain services to, a covered entity that in- work-related injuries and illnesses).201 Failure to comply with an volve creating, receiving, maintaining, or transmitting protected employee’s request202 can result in penalties.203 OSHA record- health information.194 Thus, in the airport space, HIPAA may keeping requirements are a concern for every employer whether have limited applicability. However, airport tenants that provide at an airport or not. physical therapy or massage therapy may be covered entities and, Because the reach of HIPAA extends only to statutorily- therefore, subject to HIPAA requirements. Addi­tionally, where defined covered entities and their business associates and other an airport offers emergency medical ­services, it would be subject acts apply only to employees, there have been a number of to HIPAA requirements for that activity. federal legislative initiatives to address more generalized data For entities not covered by HIPAA, other federal laws may privacy concerns generated by the COVID-19 pandemic.204 apply. For example, the Equal Employment Opportunity Com- While the HIPAA Privacy Rule205 and Security Rule206 may not mission (EEOC) issued updated Guidance for a 2009 publica- be expressly applicable to airports, they still provide a model tion to address its application to the COVID-19 pandemic.195 for consideration in addressing various and increasing data The Guidance enumerates questions and answers for employers information concerns. Additionally, the events surrounding regarding employees and what actions are specifically permit- the COVID-19 pandemic have demonstrated a willingness to ted during a pandemic.196 The Guidance specifically states that modify the HIPAA Enforcement Rule207 in response to a public it will not be a violation of the Americans with Disabilities Act health crisis. This ability of the Government to adapt its regula- (ADA) and the Rehabilitation Act if an employer asks an em- tory schema is something that airports should note and account ployee who reports feeling ill whether he or she is experienc- for in their planning. ing symptoms consistent with the coronavirus infection.197 The EEOC also clarified that during a pandemic, employers will not violate the ADA by requiring employees to submit to non-inva- 199   Enforcement Guidance for Recording Cases of Coronavirus Dis- sive temperature testing, which is considered a medical exami- ease 2019 (COVID-19), Office of Occupational Safety & Health nation and would not be allowed under other circumstances.198 Admin., U.S. Dep’t of Labor (Apr. 10, 2020), https://www.osha.gov/ memos/2020-04-10/enforcement-guidance-recording-cases-­ coronavirus-disease-2019-COVID-19. 190   HIPAA Privacy and Novel Coronavirus, Office for Civil 200   Revised Enforcement Guidance for Recording Cases of Corona­ Rights, U.S. Dep’t of Health & Human Services (Feb. 2020), virus Disease 2019 (COVID-19) Office of Occupational Safety & https://www.hhs.gov/sites/default/files/February-2020-hipaa-and- Health Admin., U.S. Dep’t of Labor (May 19, 2020), https://www. novel-coronavirus.pdf. osha.gov/memos/2020-05-19/revised-enforcement-guidance-­ 191   COVID-19 and HIPAA: Disclosures to law enforcement, para- recording-cases-coronavirus-disease-2019-covid-19. medics, other first responders, and public Health Authorities, Office for 201   Id. Civil Rights, U.S. Dep’t of Health & Human Servs. (Ma. 24, 2020), 202   See 29 C.F.R. § 1904.29(b)(7)(vi). https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first- responders.pdf. 203   See 29 U.S.C. § 666(a). 192   45 C.F.R. Part 160 & Subparts A, E of Part 164. 204   In late April 2020, Republican senators introduced a bill called the COVID-19 Consumer Data Protection Act of 2020, S 3663, 116th 193   45 C.F.R. § 160.103(4). Cong. (2020). In May 2020, Democrats introduced the Public Health 194   45 C.F.R. § 160.103(4). Emergency Privacy Act, S. 3749, 116th Cong. (2020). On June 1, 2020, 195   Pandemic Preparedness in the Workplace and the Americans with a bipartisan bill called the Exposure Notification Privacy Act (ENPA), S. Disabilities Act, U.S. Equal Emp’t Opportunity Comm’n (Mar. 21, 3861, 116th Cong. (2020), was introduced in the Senate.  The ENPA 2020), https://www.eeoc.gov/laws/guidance/pandemic-preparedness- makes clear that violations will be treated as unfair or deceptive prac- workplace-and-americans-disabilities-act. tices under Section 5 of the Federal Trade Commission Act (FTC Act).  196   Id. 205   45 C.F.R. Part 160 & Subparts A, E of Part 164. 197   Id. at question-and-answer 6. 206   45 C.F.R. Part 160 & Subparts A, C of Part 164. 198   Id. at question-and-answer 7. 207   45 C.F.R. Subparts C, D, E of Part 160. 

32    ACRP LRD 42 4. The Health Information Technology for Economic and possessed a warrant, court order, or a customer’s consent.215 Sec- Clinical Health Act (HITECH)208 tion 212 of the PATRIOT Act permitted communications ser- vice providers to disclose either customer records or the content The basis for HITECH is to create a “meaningful use” of of their customers’ communications to authorities in any emer- interoperable Electronic Health Records (EHR) on a national gency situation that involved an immediate danger of physical level. HITECH requires entities covered by HIPAA to report injury.216 The Homeland Security Act repealed Section 212’s data breaches affecting more than 500 persons to the U.S. provision governing content disclosure in emergency situations Depart­ment of HHS, to the news media, and to the persons af- and recast it as a separate statute without a sunset provision.217 fected. HITECH extends the Security and Privacy Provisions of However, Section 212’s provision governing record disclosure in HIPAA to the business associates of covered entities.209 emergency situations expired on December 31, 2005.218 HHS published its rules regarding HITECH’s breach notifi- With respect to airports and stakeholders in the airport cation requirements in the Federal Register on August 24, 2009. space, the changes in the PATRIOT Act suggest caution should The FTC published its rules on the same issue on August 25, be exercised in fulfilling any request for documents or data con- 2009. While these rules only directly apply to HIPAA covered tent in the absence of appropriate process, including a warrant, entities and their business associates, they may provide a source court order, or a properly executed consent from the customer. for policy development regarding responses to data security. Legal counsel should always be consulted before responding to In March, 2020, the Office of the National Coordinator for requests for information. Health Information Technology (ONC) of the HHS announced a final rule to implement certain provisions of the 21st Century 6. The Federal Information Security Modernization Act Cures Act210 designed to enhance interoperability and support of 2014 (FISMA2014)219 access to and exchange of health information.211 The ONC final FISMA2014 replaced the Federal Information Security rule prohibits “information blocking” of electronic health in- Management Act of 2002 (FISMA).220 FISMA2014 requires that formation (EHI) with certain exceptions.212 Although the ONC federal agencies, the NIST and the Office of Management and final rule does not require disclosure of EHI in a manner not Budget (OMB) coordinate to strengthen information security permitted by HIPAA or other laws, the access, exchange, or systems. In particular, FISMA2014 creates a model for manag- use of EHI may be required to avoid information blocking.213 ing information security that is defined by standards developed Therefore, covered entities and their business associates should by NIST. evaluate their business associate agreements. However, as with FISMA2014 requires that federal government agencies and the provisions of HIPAA, this requirement would only apply their contractors follow a framework for managing informa- where the airport or any of the airport stakeholders would act tion security. While FISMA2014 may not govern airport data as a covered entity. systems that are not operated by a federal agency or its contrac- 5. The Uniting and Strengthening America by Providing tors, the statute provides a number of useful metrics for policy Appropriate Tools Required to Intercept and Obstruct development. Terrorism Act (PATRIOT Act)214 FISMA2014 first requires that agencies have an informa- tion systems inventory in place that determines what consti- Title II of the PATRIOT Act entitled “Enhanced Surveillance tutes the boundaries of the information system at issue.221 Next, Procedures” covers surveillance of suspected terrorists, and FISMA2014 requires that the information system should be cat- particularly, those suspected of engaging in computer fraud or egorized based on the objectives of providing appropriate levels abuse. The law governing obligatory and voluntary disclosure of of information security according to a range of risk levels.222 The customer communications by cable companies was amended to process of selecting the appropriate security controls and assur- allow federal agencies to demand such communications under ance requirements for organizational information systems to U.S.C. Title 18 relating to disclosure of electronic communica- achieve adequate security is a multifactorial, risk-based activity tions (chapter 119) and stored communications (chapter 121), for management and operational personnel. but it excluded disclosure of cable subscriber viewing habits. To assist in the management, operational and technical Prior law limited the circumstances under which service pro- develop­ment of compliant information systems the National viders could disclose the content of their customers’ transaction Institute of Standards and Technology has issued a series of re- records or communications to those where the Government ports. NIST Special Publication 800-53 (rev. 4) provides both a 208   42 U.S.C. § 17921. 215   18 U.S.C. §§ 2702, 2703. 209   See 42 U.S.C. §§ 17931,17934. 216   Pub. L. No. 107-56, § 212(a)(1)(D). 210   Pub. L. No. 114-255, 130 Stat. 1033 (2016). 217   18 U.S.C. § 2702(b)(7). 211   85 FR 25642 (Eff. June 30, 2020). 218   18 U.S.C. § 2703(c)(4). 212   Id. 219   44 U.S.C. § 3551. 213   Id. 220   44 U.S.C. § 3541. 214   Pub. L. No. 107-56 (codified as amended in scattered sections of 221   44 U.S.C. § 3554(b). 18 U.S.C and 50 U.S.C.). 222   44 U.S.C. § 3554(b)(1). 

ACRP LRD 42   33 foundational level of security and guidance on tailoring baseline directives, and guidance from NIST. State, local, and Tribal security controls.223 NIST Special Publication 800-18 (rev.1) in- ­Authorities may implement stricter policies. troduces the concepts of a System Security Plan and the devel- The CJIS Security Policy Resource Center231 contains a down- opment of system security planning process.224 This publication loadable version of the CJIS Security Policy (Policy),232 which provides a template for use in information system planning.225 has very detailed information on developing a data s­ecurity Previously it was thought that information security planning policy and highlights the CJIS Security Policy approach. was completed with system accreditation through the certifica- Section 4.1 of the Policy233 defines CJI to include the follow- tion and accreditation process defined in NIST Special Publi- ing data sets housed by the FBI CJIS architecture: cation 800-837.226 However, that guidance was subsequently revised to recognize the reality of rapid information system 1. Biometric Data change and continually shifting cyber threats. The revised 2. Identity History Data Special Publication 800-837 (rev. 2) outlines a complete Risk 3. Biographic Data Management Framework (RMF) for continuous protection.227 4. Property Data Under this approach all systems are required to monitor a set of 5. Case/Incident History security controls and the system documents are required to be updated to reflect changes and modifications to the system.228 The stated intent of the Policy is to ensure protection of CJI Appendix E provides a summary of tasks and responsibilities until the information is released to the public via authorized dis- across the seven step RMF process. The appendix also indicates semination (e.g., within a court system) or purged or destroyed administrative, organizational, and technical measures to meet in accordance with record retention rules.234 process requirements. 229 Section 4.2 of the Policy235 describes the requirements for the access, use, and dissemination of various files. In particu- 7. The Criminal Justice Information System (CJIS) lar, for airport purposes, it is noteworthy that the Policy ex- Security Policy pressly states that “non-restricted files shall not be disseminated All commercial airports are required to be supported by commercially.”236 Section 4.3 of the Policy237 defines PII, and law enforcement,230 and many airports have law enforcement Section 5.1 of the Policy covers information exchange agree- operating within their organizational structure. Those law en- ments.238 Relevant to airports, the Policy states that the policies forcement agencies, whether internal or external, may access for information handling and protection also apply to using CJI information covered by CJIS. Airports must realize that CJIS shared with or received from FBI CJIS for noncriminal pur­ information has special regulations that limit use and impose poses.239 It describes noncriminal purposes as including, but not defined information security requirements. limited to, employment suitability, licensing determinations, The CJIS Security Policy provides Criminal Justice ­Agencies immigration and naturalization matters, and national security (CJA) and Noncriminal Justice Agencies (NCJA) with mini- clearances.240 mum security requirements to access Federal Bureau of Inves- Airport use of CJIS covered data happens routinely in con- tigation (FBI) CJIS Division systems and information and to nection with the badging process.241 The Criminal History protect Criminal Justice Information (CJI). The CJIS Security ­Record Check (CHRC)242 information received is CJIS covered Policy integrates presidential directives, federal statutes, FBI data. Additionally, CJIS covered data may be generated as a re- sult of law enforcement investigative activity. Airports should 223   Security and Privacy Controls for Federal Information Systems and be mindful of segregating and properly limiting the use of CJIS Organizations, Rev. 4, Nat’l Inst. of Standards & Tech. (Apr. 2013), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4. pdf. 224   Guide for Developing Security Plans for Federal Information Sys- 231   CJIS Security Policy Resource Center, https://www.fbi.gov/ tems, Rev.1, Nat’l Inst. of Standards & Tech. (Feb. 2006) https:// services/cjis/cjis-security-policy-resource-center (last visited Aug. 3, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1. 2020). pdf. 232   Criminal Justice Information Services (CJIS) Security Policy, CJIS 225   Id., app. A at 27. Sec. Policy Resource Ctr. (June 1, 2020), https://www.fbi.gov/­file- 226   Guide for the Security Certification and Accreditation of Federal Infor- repository/cjis_security_policy_v5-9_20200601.pdf/view. mation Systems, Nat’l Inst. of Standards & Tech. (May 2004), https:// 233   Id. § 4.1. nvlpubs.nist.gov/nistpubs/Legacy/SP/­nistspecialpublication800-37.pdf. 234   Id. 227   Risk Management Framework for Information Systems and Orga- 235   Id. § 4.2. nizations, Nat’l Inst. of Standards & Tech. (Dec. 2018), https://­ 236   Id. § 4.23.2. nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf (this version of the Special Publication supersedes two previous drafts 237   Id. § 4.3. of this Special Report the original issued in 2004 and Revision 1 issued 238   Id. § 5.1. in 2010). 239   Id. § 5.1.1.1. 228   Id. at 76-83. 240   Id. 229   Id., app. E at 126-139. 241   49 C.F.R. § 1542. 230   49 C.F.R. § 1542. 242   Id. 

34    ACRP LRD 42 covered data. It should be noted that a claim of improperly used ship is established and annually thereafter.255 The privacy notice CJIS data may constitute a violation of the CFAA.243 must explain the information collected about the consumer, where that information is shared, how that information is used, 8. The Children’s Online Privacy Protection Act of 1998 and how that information is protected.256 The notice must also (COPPA)244 identify the consumer’s right to opt-out of the information COPPA applies to the online collection of personal informa- being shared with unaffiliated parties pursuant to the provisions tion by persons or entities under U.S. jurisdiction about chil- of the FCRA.257 dren under 13 years of age including children outside of the The GLBA Safeguards Rule requires financial institutions to United States if the company is U.S. based.245 COPPA requires develop a written information security plan that describes how that websites and online services operated for commercial pur- the company is prepared for, and plans to continue to protect poses that are either directed toward children under 13 or have clients’ nonpublic personal information.258 The Safeguards Rule actual knowledge that children under 13 are providing informa- must include (1) designating at least one employee to manage tion online, provide notice of their information practices and the safeguards, (2) constructing a thorough risk analysis on each obtain parental consent before collecting data from children.246 department handing the nonpublic information, (3) develop- While the applicability of COPPA to airport websites may be ing, monitoring and testing a program to secure the informa- fairly limited, it is something airports should consider address- tion, and (4) changing the safeguards as needed.259 ing. For example, Mitchell International Airport in Milwaukee, Pretexting occurs when someone tries to gain access to per- Wisconsin has listed a COPPA policy on its website.247 More- sonal nonpublic information without proper authority to do over, airlines and tenants in the airport may operate websites so.260 Through its Pretexting Protection Provision, the GLBA that need to be reviewed regularly for COPPA compliance. encourages covered organizations to implement safeguards against pretexting. These safeguards would include training em- 9. Gramm-Leach-Bliley Act (GLBA)248 ployees to recognize and deflect inquiries made under pretext.261 Enacted in 1999, the GLBA removed barriers that prohibited The GLBA provisions and rules provide stringent and com- any one institution from acting as a combination of an invest- prehensive requirements for dealing with nonpublic informa- ment bank, a commercial bank, and an insurance company.249 tion that may provide insights for developing data collection and Key provisions under GLBA include the Financial Privacy data sharing policies in the airport space. Given the fact that the Rule,250 the Safeguards Rule,251 and Pretexting Protection.252 GLBA Privacy Rule and Safeguard Rule are authored by the FTC, The GLBA Financial Privacy Rule defines what constitutes which is principally responsible for privacy enforcement across a “financial institution.”253 The FTC has published advice that a range of activities, airports should familiarize themselves with retailers offering credit directly to consumers by issuing its own them as they prepare their privacy policies and practices to safe- credit card are considered to be significantly engaged in finan- guard data, particularly data relating to financial matters. cial activities and covered by the GLBA.254 Hence, there may be a number of airport tenants affected by the GLBA. The Financial C. Federal Agency Actions Privacy Rule requires financial institutions to provide each con- On July 2, 2020, the U.S. Departments of Transportation, sumer with a privacy notice at the time the consumer relation- Homeland Security, and HHS issued a joint Guidance Docu- ment titled “Runway to Recovery – the United States Framework for Airlines and Airports to Mitigate the Public Health Risks of 243   See U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019). Coronavirus.”262 The Guidance Document states that it “identi- 244   15 U.S.C. §§ 6501-6506. fies measures that airports and airlines should implement across 245   Complying with COPPA, Frequently Asked Questions, FTC, all operations and all phases of travel to, from, and within the https://www.ftc.gov/tips-advice/business-center/guidance/complying- United States, along with a roadmap explaining how those mea- coppa-frequently-asked-questions. 246   15 U.S.C. §§ 6501-6506. 255   16 C.F.R. § 313. 247   Privacy Policy and Security Statement of Mitchell International 256   Id. Airport, Mitchell Int’l Airport, https://www.mitchellairport.com/ 257   Id. privacy. 258   16 C.F.R. § 314.4. 248   Pub. L. No. 106-102 (codified at various sections of 12 U.S.C. Banks and Banking). 259   Id. 249   Id. 260   15 U.S.C. § 6821(a)-(b). 250   15 U.S.C. §§ 6801-6809. 261   How to Comply with the Privacy of Consumer Financial Informa- tion Rule of the Gramm-Leach-Bliley Act, F.T.C. (July 2002), https:// 251   Id. www.ftc.gov/tips-advice/business-center/guidance/how-comply-­ 252   15 U.S.C. §§ 6821-6827. privacy-consumer-financial-information-rule-gramm. 253   16 C.F.R. § 313. 262   Runway to Recovery: The United States Framework for Airlines 254   How to Comply with the Privacy of Consumer Financial Informa- and Airports to Mitigate the Public Health Risk of Coronavirus, U.S. tion Rule of the Gramm-Leach-Bliley Act, F.T.C. (July 2002), https:// Dep’ts Of Transp., Homeland Sec., Health & Human Servs., www.ftc.gov/tips-advice/business-center/guidance/how-comply-­ (July 2020), https://www.Transportation.gov/sites/dot.gov/files/2020- privacy-consumer-financial-information-rule-gramm. 07/Runway_to_Recovery_07022020.pdf.