ACRP LRD 42, p. 26

For airports, as governmental entities, the Supreme Court decisions on the constitutional protections for privacy under the Fourth Amendment should result in an examination of how surveillance systems like CCTV and tracking technologies are used. This includes both uses for law enforcement and for commercial services. In the absence of express consent from individuals, the capture and use of this data may raise Fourth Amendment concerns.

5. Constitutional Protections for Collected Data Based on First and Fourteenth Amendment Theories

In addition to Fourth Amendment-based privacy protections, the First and Fourteenth Amendments also offer theories of protecting information associated with individuals. For example, the Supreme Court in NAACP v. Alabama,114 found that the compelled disclosure of membership in an organization was a violation of the constitutional protection of the right to free association and political expression. In instances where data collections held by government are seen to impact the ability of individuals to associate for cultural, religious, or political reasons, the ability of government to collect and maintain that data might be challenged under both First and Fourteenth Amendment theories. Roberts v. U.S. Jaycees.115

Potential concern with respect to associational freedom under Roberts could clearly arise when technology captures videos, images, or audio from demonstrations or other events at airports. The applicability of First Amendment activity in airports is well established.116 While First Amendment rights may be more limited at an airport than at a traditional public forum, the use of data collection may nevertheless present First Amendment concerns.

In addition to protections afforded to more extended social relationships, the Court has also recognized associational protections under the Fourteenth Amendment for intimate relationships as well. Where collection of data exposes information in the "zones of privacy"117 of these intimate relations (marriage, intimate family, and friendship relations), challenges to government activity under the Fourteenth Amendment may still exist.118 Those restrictions can even apply to intimate relationships occurring in a public context.119

While these First and Fourteenth Amendment privacy challenges are less obvious than ones predicated on the Fourth Amendment, they remain a concern for government entities seeking to capture and use data. This concern is particularly pronounced where data is collected regarding the travel habits of individuals traveling together or traveling to attend events or meetings.

V. SURVEY OF FEDERAL STATUTORY PROVISIONS AND FEDERAL AGENCY ACTIONS

A. Early Federal Statutory Efforts to Address Privacy

Understanding two particular 1970s statutes is critical to understanding the U.S. legal approach to protecting privacy. Though not controlling on all privacy issues, the Fair Credit Reporting Act (FCRA)120 and the Privacy Act of 1974121 represent the two most mature federal statutory efforts in the privacy field.

While some privacy advocates would like to see the introduction of federal measures expanding data protection as a fundamental right, the U.S. Congress has not taken that approach. Instead of imposing universal privacy standards, Congress has implemented a "sectoral approach,"122 meaning that only information gathered for certain purposes or by certain organizations is protected by mandated privacy requirements. Some examples of regulated sectors include financial and health data.

The development of early federal legislation to address individual privacy provides an example of likely future statutory and regulatory enactments at the federal, state, and local levels. The FCRA and the Privacy Act originated as a result of the private background check database industry's rise123 and public concern at the time about informational privacy.124 These statutes also created a framework for understanding the concepts of individual interest in informational privacy and the measures necessary to protect those interests. These early efforts have shaped the U.S. approach to protecting privacy. Interestingly, the billion-dollar private database industry has both spurred and worked to circumvent federal efforts and protections of individual privacy through the FCRA and the Privacy Act.125

114. 357 U.S. 449 (1957).
115. 468 U.S. 609 (1984).
116. Regulations Affecting the Exercise of First Amendment Activities at Airports, Nat'l Acads of Scis., Eng'g, & Med. (2015), https://doi.org/10.17226/22099.
117. See Griswold v. Conn., 381 U.S. 479, 514-15 (1965).
118. See Roe v. Wade, 410 U.S. 113 (1973).
119. See City of Dallas v. Stanglin, 490 U.S. 19 (1989). While rejecting a challenge to dance hall restrictions based in part on claims of protected intimate social association, the Stanglin Court noted the vitality of those protections. Citing a prior decision in Roberts, supra, footnote 115, it observed "the Court has concluded that choices to enter into and maintain certain intimate human relationships must be secured against undue intrusion by the State because of the role such relationships have played in safeguarding the individual freedom that is central to our constitutional scheme." 490 U.S. at 24 (quotations omitted).
120. 15 U.S.C. § 1681, et seq.
121. 5 U.S.C. § 552a, et seq.
122. Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection (Version 3.0), 2006 Univ. of Ill. L. Rev. 357, at 357 (2006), https://ssrn.com/abstract=881294.
123. The scope of the private industry that has grown up around the collection of personal information (including criminal history information) is well cataloged. See James Jacobs & Tamara Crepet, The Expanding Scope, Use, and Availability of Criminal Records, 11 N.Y.U. J. of Int'l Law & Policy 177 (2008), http://www.nyujlpp.org/wp-content/uploads/2012/10/Jacobs-Crepet-The-Expanding-Scope-Use-and-Availability-of-Criminal-Records.pdf.
124. Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection (Version 3.0), Univ. of Ill. L. Rev. 357, 357 (2006), https://ssrn.com/abstract=881294.
125. Id.
1. The FCRA

The FCRA was developed and enacted in response to concerns over the expansion and power of credit reporting agencies (CRAs). Initially formed in the 1950s and 1960s, these firms collect and report individuals' financial data. The advent of computers streamlined this processing for the industry and, combined with demand, facilitated the industry's growth.126 The FCRA sought to bring clarity to these practices and protect individuals' privacy rights.

The FCRA requires consumer reporting agencies,127 or other entities that prepare consumer reports,128 to maintain procedures that give consumers access to the data maintained about them, ensure the accuracy of the data reporting agencies submit, and regulate the collection, maintenance, dissemination, and use of consumer reports.129

Some government entities have limited rights to seek FCRA covered information.130 But generally, information sought for law enforcement investigative purposes will require some legal process requirement like a court order.131 Exceptions exist for access related to counterterrorism and national security.

Government enforcement of the FCRA is principally conducted by the FTC, although in certain cases involving specific industries, other federal agencies have FCRA enforcement authority.132 For example, violations by airlines and other common carriers are enforced by the U.S. Department of Transportation.133 The FCRA also recognizes and makes allowances for a number of instances where similar state laws may apply.134 There is also a private right of action for FCRA violations.135

Because the focus of the FCRA is limited to the consumer reporting agencies defined in the FCRA using consumer reports for credit, insurance, or employment-related evaluations,136 with "consumer reports" themselves defined in the statute,137 it is unlikely that most data use by airports will implicate FCRA provisions. However, the focus of the FCRA on promoting consumer access to records affecting them and affording them the ability to correct data errors is something that airports or airport stakeholders should address in their policies governing the use of consumer data. In that regard, consideration should be given to the FTC's Consumer Financial Protection Bureau. The Bureau advises that the FCRA specifically provides individuals, among other protections, the following:138

• The right to review information;
• The right to know if information has been used against you;
• The right to dispute inaccurate information (inaccurate information is required to be corrected);
• The right to have access to your information limited;
• The right to have your information released to prospective employers only upon written consent; and
• The ability to bring an action for damages if your rights are violated.

These concepts of limited use, transparency, consent, individual access, and right of correction are ones that are commonly found in other privacy protection frameworks. The ability to seek damages against data holders who fail to meet those standards is also a common feature.

2. Privacy Act of 1974

Congress passed the Privacy Act of 1974 in response to the HEW Commission Report referenced in Section III. The report outlined concerns about the effect of the federal government's large, computerized data collections on personal privacy. The Privacy Act of 1974 provides individuals with the right to access, the right to request changes, and protection from unauthorized exposure of government records that contain information about them. The act places obligations on the federal government to ensure that individual privacy rights are respected. This safeguarding is accomplished through requirements that each federal agency only maintain individual information relevant to its governmental purpose and maintain those records with accuracy, relevance, timeliness, and completeness to ensure fairness in decision-making.139 Agencies must publish notice regarding the information systems they maintain.140 Additionally, agencies are required to promulgate rules for individual access and correction of records.141 The clear purpose is to create an understanding of the records being kept about individuals so individuals can intelligently exercise their access rights.

Where individuals identify violations of their rights, the Privacy Act of 1974 provides a private cause of action for redress in the form of injunctive relief to enforce compliance.142 Successful litigants can also seek attorney's fees.143

This statute was the first of its kind designed to limit governmental establishment and use of databases of personal information. The statute limits government collection, dissemination

126. Mark J. Furletti, An Overview and History of Credit Reporting (June 2002), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=927487.
127. 15 U.S.C. § 1681a(f).
128. 15 U.S.C. § 1681a(d).
129. 15 U.S.C. § 1681, et seq.
130. 16 C.F.R. § 608.
131. Id. at § 604(1).
132. 15 U.S.C. § 1681s(b).
133. 15 U.S.C. § 1681s(b)(1)(c).
134. 15 U.S.C. §§ 1681s(c), 1681t.
135. 15 U.S.C. §§ 1681n, 1681o.
136. 15 U.S.C. § 1681a(d).
137. Id.
138. Summary of Your Rights Under the Fair Credit Reporting Act, Consumer Finance Protection Bureau, https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf.
139. Id. § 552a(e).
140. Id.
141. Id. § 552a(f).
142. Id. at § 552a(g).
143. Id.
and use of personal information. It also imposes penalties for improper disclosure of personal information as well as affording individuals access to files maintained by governmental entities. Its terms specifically apply only to data maintained by the federal government, but those provisions have been used as a model by state and local entities seeking to provide their own data protections.

3. Limitations of FCRA and Privacy Act Protections

Since the enactment of these protections, there is increasing evidence of their inadequacy in addressing the issue of informational privacy. While both statutes provide some protections, they are limited by their very terms in what they protect. For example, the Privacy Act of 1974 is limited to information generated and maintained by the federal government. However, the federal government has made extensive use of private databases to circumvent the protections of the Privacy Act. The extensive use of these private databases escapes regulation.

The narrow statutory definition of the FCRA allows for unregulated use of data for a large range of other activities. Recognizing the weakness of the FCRA in regulating the use of information that could result in identity theft, Congress amended the FCRA with the passage of the Fair and Accurate Credit Transactions Act (FACTA).144 FACTA was designed to strengthen protections against identity theft. It offers individuals the opportunity to receive a free annual credit report from each of the major credit reporting companies. It requires notice to consumers and credit scores in the event of denials or offers of less favored credit. It provides individuals the opportunity to place fraud alerts into their credit histories. Lastly, it imposes additional safeguards with respect to transactions designed to combat identity theft, including limiting the number of digits that can be publicly viewable on transaction receipts.

Airports and airport facilities have been involved in litigation brought under FACTA. In Garland v. Memphis-Shelby County Airport Authority, the district court approved a class action settlement of a FACTA claim, brought in connection with the issuance of credit card receipts for parking at the airport.145 The receipts issued for parking had more than five digits of the credit card listed on the receipt in violation of the limits set in FACTA. While the Plaintiff admittedly suffered no injury, he brought a class action suit seeking statutorily provided damages. The result of the suit was the award of $275,000 in attorney's fees to the Plaintiff's lawyer and the creation of a $1,005,000 settlement fund.

In Beringer v. Standard Parking Corp.,146 customers from the parking facility at O'Hare International Airport sought class certification in a dispute over parking charges. The court granted certification for a class of over 15,300 members. The O'Hare parking facility, like the facility in Garland, was accused of issuing parking receipts with more than five digits of the credit card number and the expiration date for a period of over four months. The court approved certification over an argument by the defendant that certifying a class action where the likely plaintiffs would have no actual damages and only an entitlement to statutory awards would result in an unreasonable penalty for failure to comply with FACTA.

These cases demonstrate that even small failures to enforce requirements concerning statutorily protected data, where the release of that data does not create actual harm, can result in substantial penalties. This fact is particularly true for financial data. If airports or airport stakeholders are involved in the collection of covered data, then they must be careful to comply with these statutory requirements. Failure can result in substantial liability even in the absence of actual injury to individuals.

In some instances, the FCRA may be implicated where information is gathered and marketed for a usage that may be covered under the FCRA. Consider Spokeo v. Robins,147 where the Supreme Court addressed the question of an individual's standing to bring suit against an open-source data mining company whose data mining services were allegedly being used to evaluate the conduct of prospective employees. The Plaintiff alleged he was injured because the false information collected by Spokeo was used to deny him employment opportunities.

While Spokeo represents an expansion of FCRA into the realm of internet activity and online search, it does not change the underlying limitation of FCRA applicability to "consumer reports" as defined in the statute. That definition limits the applicability of the FCRA to narrowly defined categories of information usage. It is because the Spokeo reports were allegedly inaccurate and shared with prospective employers that Robins could proceed with his claim.

While Spokeo will likely have little direct impact for airports (unless they are using social media search services as part of their hiring process), the decision should raise concern over the fact that subsequent use of collected data may result in liability. This is true even if the prohibited or improper use is done by a third party. This case should serve as a reminder that if an airport or airport stakeholder collects data and shares data with a third party, the third party's use of data in a way that is inconsistent with the purpose for which the data was collected may cause liability.

4. Lessons of FCRA and Privacy Act

While the FCRA and Privacy Act are the oldest federal attempts at privacy protection, they are not alone. Congress has passed other statutes that protect privacy and ensure data security in several other contexts. However, these statutes do not provide a comprehensive framework to address individual privacy concerns across multiple domains. Instead, these statutes address relatively narrow spheres of individual privacy, applying only to certain types of information and data usage. And many of these legislative enactments have only tangential relevance in an airport context. However, these laws form a part of the overall legislative approach to data privacy in the United States.

144. 15 U.S.C. § 1681j.
145. No. 09-2749, 2011 U.S. LEXIS 159344 (W.D. Tenn. July 19, 2011).
146. No. 07 C 5027, 2008 U.S. Dist. LEXIS 72873 (N.D. Ill. Sept. 4, 2008).
147. 136 S. Ct. 1540 (2016).
In this sense, while they are not controlling, they do offer some guidance for internal controls that practitioners might consider.

B. Additional Federal Statutory Provisions

There are several additional federal statutory provisions regarding data collection, storage, access, and dissemination. While a number of the federal statutes listed below are not directly governing, they may provide airports with templates for policy creation in the data privacy context.

1. The Stored Communications Act (SCA)148

Contained at Title II of the omnibus Electronic Communications Privacy Act of 1986 (ECPA),149 the SCA addresses both voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs). The SCA contains criminal penalties150 and provides for a civil cause of action.151

In In re Am. Airlines, Inc. Privacy Litigation,152 the U.S. District Court for the Northern District of Texas, Dallas Division, dismissed a nationwide putative class action claim filed under the SCA against American Airlines (American).153 The complaint asserted that the putative class was allegedly injured when American authorized a corporation to disclose highly confidential passenger information to the TSA without the passengers' consent.154 The court found that Plaintiffs relied on a theory of unauthorized disclosure of information, not of access that exceeded authorization.155 Thus, the court held that Plaintiffs failed to state a Section 2701 claim because that section "does not proscribe unauthorized use or disclosure of information obtained from authorized access to a facility."156 The court also held that Plaintiffs failed to state a Section 2702 claim because they alleged that they conveyed personal information to American, and therefore, American was an intended recipient of such communication, and Section 2702(b)(3) permits disclosure of electronic communications "with the lawful consent of . . . an . . . intended recipient of such communication . . . ."157

In Pica v. Delta Airlines, Inc.,158 the U.S. District Court for the Central District of California dismissed a nationwide putative class action claim filed under the SCA against Delta Airlines (Delta).159 The complaint asserted that the putative class was allegedly injured by malware that gained unauthorized access to Plaintiffs' identities and debit and credit card information stored electronically by Delta.160 The court held that Plaintiffs failed to state a Section 2701 claim because "[t]he Court would have to accept the conclusion that Delta, in unlawfully accessing its own servers, did not have Delta's own authorization."161 The court concluded that "Plaintiffs' argument defies common sense."162 The court also held that Plaintiffs failed to state a Section 2702 claim, finding that "the Court cannot conclude that Delta is an entity providing either an 'electronic communication service' or 'remote computing service.'"163 In reaching this conclusion, the court in Pica relied on In re JetBlue Airways Corporation Privacy Litigation,164 which explained that "a company such as JetBlue does not become an 'electronic communication service' provider simply because it maintains a website that allows for the transmission of electronic communications between itself and its customers."165

In McGarry v. Delta Air Lines, Inc.,166 the U.S. District Court for the Central District of California again dismissed another nationwide putative class action claim filed under the SCA against a company called "24/7"167 for the same malware attack in the Pica case, but used different grounds for its decision.168 As to the Section 2701 claim, the court found that "Plaintiff's consumer data is not a 'facility' (i.e., servers and databases) through which an electronic communication service is provided."169 As to the Section 2702 claim, the court concluded that Plaintiff failed to state a claim because she failed to allege that 24/7 knowingly divulged her customer data.170

Enacted in 1986, the SCA was not amended until March 2018, and its provisions have not anticipated many, if not most, of the advancements in modern-day technology.171 The amendment to the SCA in 2018 was the Clarifying Lawful Overseas Use of Data Act (CLOUD Act),172 which expressly allows U.S.

148. 18 U.S.C. §§ 2701-2712.
149. 18 U.S.C. §§ 2701 et seq.
150. 18 U.S.C. §§ 2701-2702.
151. 18 U.S.C. § 2707(a).
152. 370 F. Supp. 2d 552 (N.D. Tex. 2005).
153. 370 F. Supp. 2d at 568.
154. 370 F. Supp. 2d at 555.
155. 370 F. Supp. 2d at 558.
156. 370 F. Supp. 2d at 559.
157. 370 F. Supp. 2d at 560.
158. No. CV 18-2876-MWF (Ex), 2019 U.S. Dist. LEXIS 65985 (C.D. Cal. Feb. 14, 2019).
159. 2019 U.S. Dist. LEXIS 65985 at *21.
160. 2019 U.S. Dist. LEXIS 65985 at **3-4.
161. 2019 U.S. Dist. LEXIS 65985 at *18.
162. 2019 U.S. Dist. LEXIS 65985 at *18.
163. 2019 U.S. Dist. LEXIS 65985 at *19.
164. 379 F. Supp. 2d 299 (E.D.N.Y. 2005).
165. 379 F. Supp. 2d at 307.
166. No. cv 18-9827-MWF (Ex), 2019 U.S. Dist. LEXIS 106236 (C.D. Cal. June 18, 2019).
167. The court described "24/7" as a "customer experience software and services company" that provides online chat services and collects end user data for Delta. 2019 U.S. Dist. LEXIS 106236 at *2 (citations omitted).
168. 2019 U.S. Dist. LEXIS 106236 at **22-24.
169. 2019 U.S. Dist. LEXIS 106236 at *22. For a thorough explanation of what constitutes a "facility" under Section 2701 of the SCA, see In re Google, No. 19-cv-04286-BLF, 2020 U.S. Dist. LEXIS 80971 (N.D. Cal. May 6, 2020) (noting that "Courts in this Circuit and others have interpreted 'facility' to exclude users' personal devices" and further stated that "it was skeptical that software could properly be considered a facility").
170. 2019 U.S. Dist. LEXIS 106236 at **22-23.
171. See e.g., Gabriel R. Schlabach, Privacy in the Cloud: The Mosaic Theory and the Stored Communications Act, 67 Stan. L. Rev. 677, 693-94 (2015) (discussing inter alia five main problems with the SCA including its basis in 1980s technology and dated terminology).
172. 18 U.S.C. § 2713.
law enforcement through a warrant, subpoena, or court order to access electronically-stored communications data located outside the U.S. by an electronic communication service or remote computing service subject to U.S. jurisdiction, which includes all major U.S. cloud computing companies.173

The court decisions under the SCA seem to leave it unlikely that an airport or other stakeholder in the airport space would have liability under the SCA. In cases where the airport or other airport stakeholder is the lawful recipient of data, any alleged misuse would likely not be actionable under the SCA.

2. The Computer Fraud and Abuse Act (CFAA)174

The CFAA prohibits accessing a computer without authorization, or in excess of authorization. Like the SCA, the CFAA was enacted in 1986 and contains both criminal and civil enforcement mechanisms, but unlike the SCA, the CFAA has been amended a number of times.175

The U.S. Supreme Court, in April 2020, agreed to hear Van Buren v. United States, a case that will determine whether it is a federal crime for someone authorized to access information on a computer system to access that information for an unauthorized purpose.176 In Van Buren, a police sergeant was convicted under the CFAA for selling license plate information obtained from a police database, and the U.S. Court of Appeals for the Eleventh Circuit upheld the conviction and held that misusing a database that the defendant may lawfully access may still constitute computer fraud.177 The CFAA makes it a crime to "intentionally access a computer without authorization or exceed authorized access, and thereby obtain . . . information from any protected computer."178 The U.S. Courts of Appeals for the First, Fifth, Seventh and Eleventh Circuits have each adopted a broad interpretation of the statute. In contrast, the U.S. Courts of Appeals for the Second, Fourth, and Ninth Circuits do not consider mere misuse of information that an individual is authorized to access a violation of the statute. The Court's decision in Van Buren will undoubtedly both guide prosecution efforts and influence civil litigation under the CFAA. Because of the broad-ranging applicability of this issue, any employer, including airports, should follow this case.

The CFAA should convince airports and stakeholders in the airport space to ensure that security safeguards are in place to mitigate possible fraudulent use of systems by employees. Failure can result in potential CFAA violations. Employees need to be reminded that improper access to and use of data can result in criminal penalties as well as civil liability. For example, in International Airport Centers v. Citrin,179 the U.S. Court of Appeals for the Seventh Circuit held that an employer stated a civil claim under CFAA against an employee who, before departing employment, downloaded all of his employer's data from his employee laptop so that he could start a competing business.180

3. The Health Insurance Portability and Accountability Act (HIPAA)181

Congress enacted Title II of HIPAA, and its Administrative Simplification (AS) provisions, to streamline the flow of healthcare information and to mandate how the healthcare and healthcare insurance industries should maintain Protected Health Information (PHI) to be protected from fraud and theft. Under Title II, the U.S. Department of HHS has promulgated five rules regarding AS: (1) the Privacy Rule;182 (2) the Transactions and Code Sets Rule;183 (3) the Security Rule;184 (4) the Unique Health Identifiers Rule;185 and (5) the Enforcement Rule.186 The Privacy Rule contains a provision that specifically addresses the wrongful disclosure of individually identifiable health information with penalties including both fines and imprisonment.187

HIPAA also contains a provision that states its effect on state law as it relates to public health issues.188 In this regard, HIPAA states that nothing "shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention."189 Therefore, even with the COVID-19 pandemic, it is clear that HIPAA would allow state agencies to enact investigative and reporting requirements that would certainly affect airport operations for tenants governed by HIPAA requirements.

In response to the COVID-19 pandemic, the OCR at HHS has issued both Bulletins and Guidance that detail its regulatory priorities under HIPAA. In February 2020, the OCR issued a Bulletin reiterating that the HIPAA Privacy Rule permits a covered entity to disclose certain patient health information without the individual's authorization to a public health authority, such as the CDC or a state or local health department, that is authorized to collect or receive such information, for the purpose of preventing or controlling disease, injury, or dis-

173. 18 U.S.C. § 2713.
174. 18 U.S.C. § 1030.
175. The CFAA has been amended in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.
176. Van Buren v. U.S., 206 L.Ed.2d 822 (2020) (granting petition for certiorari).
177. U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
178. 18 U.S.C. § (a)(2)(C).
179. 440 F.3d 418 (7th Cir. 2006).
180. Id. at 420.
181. 42 U.S.C. § 1320d.
182. 45 C.F.R. Part 160 & Subparts A, E of Part 164.
183. 45 C.F.R. Subpart J of Part 162.
184. 45 C.F.R. Part 160 & Subparts A, C of Part 164.
185. 45 C.F.R. Subparts A, D, E, F, I of Part 162.
186. 45 C.F.R. Subparts C, D, E of Part 160.
187. 42 U.S.C. § 1320d-6 (addressing wrongful disclosure of individually identifiable health information).
188. 42 U.S.C. § 1320d-7(b) Public health.
189. Id.
ability.190 In March 2020, the OCR issued Guidance concerning COVID-19 and HIPAA and disclosures of protected health information of an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities with the individual's HIPAA authorization under certain circumstances.191

It is important to emphasize that the HIPAA Privacy Rule192 applies only to covered entities or their business associates. Covered entities are defined as health plans, health care clearing houses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.193 Business associates are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information.194 Thus, in the airport space, HIPAA may have limited applicability. However, airport tenants that provide physical therapy or massage therapy may be covered entities and, therefore, subject to HIPAA requirements. Additionally, where an airport offers emergency medical services, it would be subject to HIPAA requirements for that activity.

For entities not covered by HIPAA, other federal laws may apply. For example, the Equal Employment Opportunity Commission (EEOC) issued updated Guidance for a 2009 publication to address its application to the COVID-19 pandemic.195 The Guidance enumerates questions and answers for employers regarding employees and what actions are specifically permitted during a pandemic.196 The Guidance specifically states that it will not be a violation of the Americans with Disabilities Act (ADA) and the Rehabilitation Act if an employer asks an employee who reports feeling ill whether he or she is experiencing symptoms consistent with the coronavirus infection.197 The EEOC also clarified that during a pandemic, employers will not violate the ADA by requiring employees to submit to non-invasive temperature testing, which is considered a medical examination and would not be allowed under other circumstances.198 This is particularly salient information in the airport space given that a significant number of employees may be exposed to large numbers of persons for extended periods of time.

Additionally, on April 10, 2020, the U.S. Department of Labor's Office of Occupational Safety and Health Administration (OSHA) issued interim Guidance that classified COVID-19 as a recordable illness, making it reportable to OSHA if the employee's work environment exposed him or her to the virus.199 On May 19, 2020, the OSHA interim Guidance issued on April 10, 2020 was revised.200 The interim Guidance issued on May 19, 2020, notes that an employer determining if a COVID-19 case is "work-related" under OSHA standards may pose a risk to the employee's privacy, and thus, an employee can request that his or her name be excluded from an employer's Form 300 (log of work-related injuries and illnesses).201 Failure to comply with an employee's request202 can result in penalties.203 OSHA record-keeping requirements are a concern for every employer whether at an airport or not.

Because the reach of HIPAA extends only to statutorily-defined covered entities and their business associates and other acts apply only to employees, there have been a number of federal legislative initiatives to address more generalized data privacy concerns generated by the COVID-19 pandemic.204 While the HIPAA Privacy Rule205 and Security Rule206 may not be expressly applicable to airports, they still provide a model for consideration in addressing various and increasing data information concerns. Additionally, the events surrounding the COVID-19 pandemic have demonstrated a willingness to modify the HIPAA Enforcement Rule207 in response to a public health crisis. This ability of the Government to adapt its regulatory schema is something that airports should note and account for in their planning.

190. HIPAA Privacy and Novel Coronavirus, Office for Civil Rights, U.S. Dep't of Health & Human Services (Feb. 2020), https://www.hhs.gov/sites/default/files/February-2020-hipaa-and-novel-coronavirus.pdf.
191. COVID-19 and HIPAA: Disclosures to law enforcement, paramedics, other first responders, and public Health Authorities, Office for Civil Rights, U.S. Dep't of Health & Human Servs. (Mar. 24, 2020), https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first-responders.pdf.
192. 45 C.F.R. Part 160 & Subparts A, E of Part 164.
193. 45 C.F.R. § 160.103(4).
194. 45 C.F.R. § 160.103(4).
195. Pandemic Preparedness in the Workplace and the Americans with
199. Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19), Office of Occupational Safety & Health Admin., U.S. Dep't of Labor (Apr. 10, 2020), https://www.osha.gov/memos/2020-04-10/enforcement-guidance-recording-cases-coronavirus-disease-2019-COVID-19.
200. Revised Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19), Office of Occupational Safety & Health Admin., U.S. Dep't of Labor (May 19, 2020), https://www.osha.gov/memos/2020-05-19/revised-enforcement-guidance-recording-cases-coronavirus-disease-2019-covid-19.
201. Id.
202. See 29 C.F.R. § 1904.29(b)(7)(vi).
203. See 29 U.S.C. § 666(a).
204. In late April 2020, Republican senators introduced a bill called the COVID-19 Consumer Data Protection Act of 2020, S 3663, 116th Cong. (2020). In May 2020, Democrats introduced the Public Health Emergency Privacy Act, S. 3749, 116th Cong. (2020). On June 1, 2020, a bipartisan bill called the Exposure Notification Privacy Act (ENPA), S.
Disabilities Act, U.S. Equal Empât Opportunity Commân (Mar. 21, 3861, 116th Cong. (2020), was introduced in the Senate.â The ENPA 2020), https://www.eeoc.gov/laws/guidance/pandemic-preparedness- makes clear that violations will be treated as unfair or deceptive prac- workplace-and-americans-disabilities-act. tices under Section 5 of the Federal Trade Commission Act (FTC Act).â 196 â Id. 205 â 45 C.F.R. Part 160 & Subparts A, E of Part 164. 197 â Id. at question-and-answer 6. 206 â 45 C.F.R. Part 160 & Subparts A, C of Part 164. 198 â Id. at question-and-answer 7. 207 â 45 C.F.R. Subparts C, D, E of Part 160.
32 ââ ACRP LRD 42 4. The Health Information Technology for Economic and possessed a warrant, court order, or a customerâs consent.215 Sec- Clinical Health Act (HITECH)208 tion 212 of the PATRIOT Act permitted communications ser- vice providers to disclose either customer records or the content The basis for HITECH is to create a âmeaningful useâ of of their customersâ communications to authorities in any emer- interoperable Electronic Health Records (EHR) on a national gency situation that involved an immediate danger of physical level. HITECH requires entities covered by HIPAA to report injury.216 The Homeland Security Act repealed Section 212âs data breaches affecting more than 500 persons to the U.S. provision governing content disclosure in emergency situations DepartÂment of HHS, to the news media, and to the persons af- and recast it as a separate statute without a sunset provision.217 fected. HITECH extends the Security and Privacy Provisions of However, Section 212âs provision governing record disclosure in HIPAA to the business associates of covered entities.209 emergency situations expired on December 31, 2005.218 HHS published its rules regarding HITECHâs breach notifi- With respect to airports and stakeholders in the airport cation requirements in the Federal Register on August 24, 2009. space, the changes in the PATRIOT Act suggest caution should The FTC published its rules on the same issue on August 25, be exercised in fulfilling any request for documents or data con- 2009. While these rules only directly apply to HIPAA covered tent in the absence of appropriate process, including a warrant, entities and their business associates, they may provide a source court order, or a properly executed consent from the customer. for policy development regarding responses to data security. Legal counsel should always be consulted before responding to In March, 2020, the Office of the National Coordinator for requests for information. 
Health Information Technology (ONC) of the HHS announced a final rule to implement certain provisions of the 21st Century 6. The Federal Information Security Modernization Act Cures Act210 designed to enhance interoperability and support of 2014 (FISMA2014)219 access to and exchange of health information.211 The ONC final FISMA2014 replaced the Federal Information Security rule prohibits âinformation blockingâ of electronic health in- Management Act of 2002 (FISMA).220 FISMA2014 requires that formation (EHI) with certain exceptions.212 Although the ONC federal agencies, the NIST and the Office of Management and final rule does not require disclosure of EHI in a manner not Budget (OMB) coordinate to strengthen information security permitted by HIPAA or other laws, the access, exchange, or systems. In particular, FISMA2014 creates a model for manag- use of EHI may be required to avoid information blocking.213 ing information security that is defined by standards developed Therefore, covered entities and their business associates should by NIST. evaluate their business associate agreements. However, as with FISMA2014 requires that federal government agencies and the provisions of HIPAA, this requirement would only apply their contractors follow a framework for managing informa- where the airport or any of the airport stakeholders would act tion security. While FISMA2014 may not govern airport data as a covered entity. systems that are not operated by a federal agency or its contrac- 5. The Uniting and Strengthening America by Providing tors, the statute provides a number of useful metrics for policy Appropriate Tools Required to Intercept and Obstruct development. 
Terrorism Act (PATRIOT Act)214 FISMA2014 first requires that agencies have an informa- tion systems inventory in place that determines what consti- Title II of the PATRIOT Act entitled âEnhanced Surveillance tutes the boundaries of the information system at issue.221 Next, Proceduresâ covers surveillance of suspected terrorists, and FISMA2014 requires that the information system should be cat- particularly, those suspected of engaging in computer fraud or egorized based on the objectives of providing appropriate levels abuse. The law governing obligatory and voluntary disclosure of of information security according to a range of risk levels.222 The customer communications by cable companies was amended to process of selecting the appropriate security controls and assur- allow federal agencies to demand such communications under ance requirements for organizational information systems to U.S.C. Title 18 relating to disclosure of electronic communica- achieve adequate security is a multifactorial, risk-based activity tions (chapter 119) and stored communications (chapter 121), for management and operational personnel. but it excluded disclosure of cable subscriber viewing habits. To assist in the management, operational and technical Prior law limited the circumstances under which service pro- developÂment of compliant information systems the National viders could disclose the content of their customersâ transaction Institute of Standards and Technology has issued a series of re- records or communications to those where the Government ports. NIST Special Publication 800-53 (rev. 4) provides both a 208 â 42 U.S.C. § 17921. 215 â 18 U.S.C. §§ 2702, 2703. 209 â See 42 U.S.C. §§ 17931,17934. 216 â Pub. L. No. 107-56, § 212(a)(1)(D). 210 â Pub. L. No. 114-255, 130 Stat. 1033 (2016). 217 â 18 U.S.C. § 2702(b)(7). 211 â 85 FR 25642 (Eff. June 30, 2020). 218 â 18 U.S.C. § 2703(c)(4). 212 â Id. 219 â 44 U.S.C. § 3551. 213 â Id. 220 â 44 U.S.C. § 3541. 214 â Pub. L. No. 
107-56 (codified as amended in scattered sections of 221 â 44 U.S.C. § 3554(b). 18 U.S.C and 50 U.S.C.). 222 â 44 U.S.C. § 3554(b)(1).
ACRP LRD 42ââ 33 foundational level of security and guidance on tailoring baseline directives, and guidance from NIST. State, local, and Tribal security controls.223 NIST Special Publication 800-18 (rev.1) in- ÂAuthorities may implement stricter policies. troduces the concepts of a System Security Plan and the devel- The CJIS Security Policy Resource Center231 contains a down- opment of system security planning process.224 This publication loadable version of the CJIS Security Policy (Policy),232 which provides a template for use in information system planning.225 has very detailed information on developing a data sÂecurity Previously it was thought that information security planning policy and highlights the CJIS Security Policy approach. was completed with system accreditation through the certifica- Section 4.1 of the Policy233 defines CJI to include the follow- tion and accreditation process defined in NIST Special Publi- ing data sets housed by the FBI CJIS architecture: cation 800-837.226 However, that guidance was subsequently revised to recognize the reality of rapid information system 1. Biometric Data change and continually shifting cyber threats. The revised 2. Identity History Data Special Publication 800-837 (rev. 2) outlines a complete Risk 3. Biographic Data Management Framework (RMF) for continuous protection.227 4. Property Data Under this approach all systems are required to monitor a set of 5. Case/Incident History security controls and the system documents are required to be updated to reflect changes and modifications to the system.228 The stated intent of the Policy is to ensure protection of CJI Appendix E provides a summary of tasks and responsibilities until the information is released to the public via authorized dis- across the seven step RMF process. 
The appendix also indicates semination (e.g., within a court system) or purged or destroyed administrative, organizational, and technical measures to meet in accordance with record retention rules.234 process requirements. 229 Section 4.2 of the Policy235 describes the requirements for the access, use, and dissemination of various files. In particu- 7. The Criminal Justice Information System (CJIS) lar, for airport purposes, it is noteworthy that the Policy ex- Security Policy pressly states that ânon-restricted files shall not be disseminated All commercial airports are required to be supported by commercially.â236 Section 4.3 of the Policy237 defines PII, and law enforcement,230 and many airports have law enforcement Section 5.1 of the Policy covers information exchange agree- operating within their organizational structure. Those law en- ments.238 Relevant to airports, the Policy states that the policies forcement agencies, whether internal or external, may access for information handling and protection also apply to using CJI information covered by CJIS. Airports must realize that CJIS shared with or received from FBI CJIS for noncriminal pur information has special regulations that limit use and impose poses.239 It describes noncriminal purposes as including, but not defined information security requirements. limited to, employment suitability, licensing determinations, The CJIS Security Policy provides Criminal Justice ÂAgencies immigration and naturalization matters, and national security (CJA) and Noncriminal Justice Agencies (NCJA) with mini- clearances.240 mum security requirements to access Federal Bureau of Inves- Airport use of CJIS covered data happens routinely in con- tigation (FBI) CJIS Division systems and information and to nection with the badging process.241 The Criminal History protect Criminal Justice Information (CJI). 
The CJIS Security ÂRecord Check (CHRC)242 information received is CJIS covered Policy integrates presidential directives, federal statutes, FBI data. Additionally, CJIS covered data may be generated as a re- sult of law enforcement investigative activity. Airports should 223 â Security and Privacy Controls for Federal Information Systems and be mindful of segregating and properly limiting the use of CJIS Organizations, Rev. 4, Natâl Inst. of Standards & Tech. (Apr. 2013), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4. pdf. 224 â Guide for Developing Security Plans for Federal Information Sys- 231 â CJIS Security Policy Resource Center, https://www.fbi.gov/ tems, Rev.1, Natâl Inst. of Standards & Tech. (Feb. 2006) https:// services/cjis/cjis-security-policy-resource-center (last visited Aug. 3, nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1. 2020). pdf. 232 â Criminal Justice Information Services (CJIS) Security Policy, CJIS 225 â Id., app. A at 27. Sec. Policy Resource Ctr. (June 1, 2020), https://www.fbi.gov/Âfile- 226 â Guide for the Security Certification and Accreditation of Federal Infor- repository/cjis_security_policy_v5-9_20200601.pdf/view. mation Systems, Natâl Inst. of Standards & Tech. (May 2004), https:// 233 â Id. § 4.1. nvlpubs.nist.gov/nistpubs/Legacy/SP/Ânistspecialpublication800-37.pdf. 234 â Id. 227 â Risk Management Framework for Information Systems and Orga- 235 â Id. § 4.2. nizations, Natâl Inst. of Standards & Tech. (Dec. 2018), https:// 236 â Id. § 4.23.2. nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf (this version of the Special Publication supersedes two previous drafts 237 â Id. § 4.3. of this Special Report the original issued in 2004 and Revision 1 issued 238 â Id. § 5.1. in 2010). 239 â Id. § 5.1.1.1. 228 â Id. at 76-83. 240 â Id. 229 â Id., app. E at 126-139. 241 â 49 C.F.R. § 1542. 230 â 49 C.F.R. § 1542. 242 â Id.
34 ââ ACRP LRD 42 covered data. It should be noted that a claim of improperly used ship is established and annually thereafter.255 The privacy notice CJIS data may constitute a violation of the CFAA.243 must explain the information collected about the consumer, where that information is shared, how that information is used, 8. The Childrenâs Online Privacy Protection Act of 1998 and how that information is protected.256 The notice must also (COPPA)244 identify the consumerâs right to opt-out of the information COPPA applies to the online collection of personal informa- being shared with unaffiliated parties pursuant to the provisions tion by persons or entities under U.S. jurisdiction about chil- of the FCRA.257 dren under 13 years of age including children outside of the The GLBA Safeguards Rule requires financial institutions to United States if the company is U.S. based.245 COPPA requires develop a written information security plan that describes how that websites and online services operated for commercial pur- the company is prepared for, and plans to continue to protect poses that are either directed toward children under 13 or have clientsâ nonpublic personal information.258 The Safeguards Rule actual knowledge that children under 13 are providing informa- must include (1) designating at least one employee to manage tion online, provide notice of their information practices and the safeguards, (2) constructing a thorough risk analysis on each obtain parental consent before collecting data from children.246 department handing the nonpublic information, (3) develop- While the applicability of COPPA to airport websites may be ing, monitoring and testing a program to secure the informa- fairly limited, it is something airports should consider address- tion, and (4) changing the safeguards as needed.259 ing. 
For example, Mitchell International Airport in Milwaukee, Pretexting occurs when someone tries to gain access to per- Wisconsin has listed a COPPA policy on its website.247 More- sonal nonpublic information without proper authority to do over, airlines and tenants in the airport may operate websites so.260 Through its Pretexting Protection Provision, the GLBA that need to be reviewed regularly for COPPA compliance. encourages covered organizations to implement safeguards against pretexting. These safeguards would include training em- 9. Gramm-Leach-Bliley Act (GLBA)248 ployees to recognize and deflect inquiries made under pretext.261 Enacted in 1999, the GLBA removed barriers that prohibited The GLBA provisions and rules provide stringent and com- any one institution from acting as a combination of an invest- prehensive requirements for dealing with nonpublic informa- ment bank, a commercial bank, and an insurance company.249 tion that may provide insights for developing data collection and Key provisions under GLBA include the Financial Privacy data sharing policies in the airport space. Given the fact that the Rule,250 the Safeguards Rule,251 and Pretexting Protection.252 GLBA Privacy Rule and Safeguard Rule are authored by the FTC, The GLBA Financial Privacy Rule defines what constitutes which is principally responsible for privacy enforcement across a âfinancial institution.â253 The FTC has published advice that a range of activities, airports should familiarize themselves with retailers offering credit directly to consumers by issuing its own them as they prepare their privacy policies and practices to safe- credit card are considered to be significantly engaged in finan- guard data, particularly data relating to financial matters. cial activities and covered by the GLBA.254 Hence, there may be a number of airport tenants affected by the GLBA. The Financial C. 
Federal Agency Actions Privacy Rule requires financial institutions to provide each con- On July 2, 2020, the U.S. Departments of Transportation, sumer with a privacy notice at the time the consumer relation- Homeland Security, and HHS issued a joint Guidance Docu- ment titled âRunway to Recovery â the United States Framework for Airlines and Airports to Mitigate the Public Health Risks of 243 â See U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019). Coronavirus.â262 The Guidance Document states that it âidenti- 244 â 15 U.S.C. §§ 6501-6506. fies measures that airports and airlines should implement across 245 â Complying with COPPA, Frequently Asked Questions, FTC, all operations and all phases of travel to, from, and within the https://www.ftc.gov/tips-advice/business-center/guidance/complying- United States, along with a roadmap explaining how those mea- coppa-frequently-asked-questions. 246 â 15 U.S.C. §§ 6501-6506. 255 â 16 C.F.R. § 313. 247 â Privacy Policy and Security Statement of Mitchell International 256 â Id. Airport, Mitchell Intâl Airport, https://www.mitchellairport.com/ 257 â Id. privacy. 258 â 16 C.F.R. § 314.4. 248 â Pub. L. No. 106-102 (codified at various sections of 12 U.S.C. Banks and Banking). 259 â Id. 249 â Id. 260 â 15 U.S.C. § 6821(a)-(b). 250 â 15 U.S.C. §§ 6801-6809. 261 â How to Comply with the Privacy of Consumer Financial Informa- tion Rule of the Gramm-Leach-Bliley Act, F.T.C. (July 2002), https:// 251 â Id. www.ftc.gov/tips-advice/business-center/guidance/how-comply- 252 â 15 U.S.C. §§ 6821-6827. privacy-consumer-financial-information-rule-gramm. 253 â 16 C.F.R. § 313. 262 â Runway to Recovery: The United States Framework for Airlines 254 â How to Comply with the Privacy of Consumer Financial Informa- and Airports to Mitigate the Public Health Risk of Coronavirus, U.S. tion Rule of the Gramm-Leach-Bliley Act, F.T.C. 
(July 2002), https:// Depâts Of Transp., Homeland Sec., Health & Human Servs., www.ftc.gov/tips-advice/business-center/guidance/how-comply- (July 2020), https://www.Transportation.gov/sites/dot.gov/files/2020- privacy-consumer-financial-information-rule-gramm. 07/Runway_to_Recovery_07022020.pdf.