26 ACRP LRD 42

For airports, as governmental entities, the Supreme Court decisions on the constitutional protections for privacy under the Fourth Amendment should result in an examination of how surveillance systems like CCTV and tracking technologies are used. This includes both uses for law enforcement and for commercial services. In the absence of express consent from individuals, the capture and use of this data may raise Fourth Amendment concerns.

5. Constitutional Protections for Collected Data Based on First and Fourteenth Amendment Theories

In addition to Fourth Amendment-based privacy protections, the First and Fourteenth Amendments also offer theories of protecting information associated with individuals. For example, the Supreme Court in NAACP v. Alabama,114 found that the compelled disclosure of membership in an organization was a violation of the constitutional protection of the right to free association and political expression. In instances where data collections held by government are seen to impact the ability of individuals to associate for cultural, religious, or political reasons, the ability of government to collect and maintain that data might be challenged under both First and Fourteenth Amendment theories. See Roberts v. U.S. Jaycees.115 Potential concern with respect to associational freedom under Roberts could clearly arise when technology captures videos, images, or audio from demonstrations or other events at airports. The applicability of First Amendment activity in airports is well established.116 While First Amendment rights may be more limited at an airport than at a traditional public forum, the use of data collection may nevertheless present First Amendment concerns.

In addition to protections afforded to more extended social relationships, the Court has also recognized associational protections under the Fourteenth Amendment for intimate relationships as well. Where collection of data exposes information in the "zones of privacy"117 of these intimate relations (marriage, intimate family, and friendship relations), challenges to government activity under the Fourteenth Amendment may still exist.118 Those restrictions can even apply to intimate relationships occurring in a public context.119

While these First and Fourteenth Amendment privacy challenges are less obvious than ones predicated on the Fourth Amendment, they remain a concern for government entities seeking to capture and use data. This concern is particularly pronounced where data is collected regarding the travel habits of individuals traveling together or traveling to attend events or meetings.

V. SURVEY OF FEDERAL STATUTORY PROVISIONS AND FEDERAL AGENCY ACTIONS

A. Early Federal Statutory Efforts to Address Privacy

Understanding two particular 1970s statutes is critical to understanding the U.S. legal approach to protecting privacy. Though not controlling on all privacy issues, the Fair Credit Reporting Act (FCRA)120 and the Privacy Act of 1974121 represent the two most mature federal statutory efforts in the privacy field. While some privacy advocates would like to see the introduction of federal measures expanding data protection as a fundamental right, the U.S. Congress has not taken that approach. Instead of imposing universal privacy standards, Congress has implemented a "sectoral approach,"122 meaning that only information gathered for certain purposes or by certain organizations is protected by mandated privacy requirements. Some examples of regulated sectors include financial and health data.

The development of early federal legislation to address individual privacy provides an example of likely future statutory and regulatory enactments at the federal, state, and local levels. The FCRA and the Privacy Act originated as a result of the private background check database industry's rise123 and public concern at the time about informational privacy.124 These statutes also created a framework for understanding the concepts of individual interest in informational privacy and the measures necessary to protect those interests. These early efforts have shaped the U.S. approach to protecting privacy. Interestingly, the billion-dollar private database industry has both spurred and worked to circumvent federal efforts and protections of individual privacy through the FCRA and the Privacy Act.125

1. The FCRA

The FCRA was developed and enacted in response to concerns over the expansion and power of credit reporting agencies (CRAs). Initially formed in the 1950s and 1960s, these firms collect and report individuals' financial data. The advent of computers streamlined this processing for the industry and, combined with demand, facilitated the industry's growth.126 The FCRA sought to bring clarity to these practices and protect individuals' privacy rights.

The FCRA requires consumer reporting agencies,127 or other entities that prepare consumer reports,128 to maintain procedures that give consumers access to the data maintained about them and ensure the accuracy of the data reporting agencies submit, and it regulates the collection, maintenance, dissemination, and use of consumer reports.129 Some government entities have limited rights to seek FCRA-covered information.130 But generally, information sought for law enforcement investigative purposes will require some legal process requirement like a court order.131 Exceptions exist for access related to counterterrorism and national security.

Government enforcement of the FCRA is principally conducted by the FTC, although in certain cases involving specific industries other federal agencies have FCRA enforcement authority.132 For example, violations by airlines and other common carriers are enforced by the U.S. Department of Transportation.133 The FCRA also recognizes and makes allowances for a number of instances where similar state laws may apply.134 There is also a private right of action for FCRA violations.135

Because the focus of the FCRA is limited to the consumer reporting agencies defined in the FCRA using consumer reports for credit, insurance, or employment related evaluations,136 as consumer reports are defined in the statute,137 it is unlikely that most data use by airports will implicate FCRA provisions. However, the focus of the FCRA on promoting consumer access to records affecting them and affording them the ability to correct data errors is something that airports or airport stakeholders should address in their policies governing the use of consumer data. In that regard, consideration should be given to the FTC's Consumer Financial Protection Bureau. The Bureau advises that the FCRA specifically provides individuals, among other protections, the following:138
• The right to review information;
• The right to know if information has been used against you;
• The right to dispute inaccurate information (inaccurate information is required to be corrected);
• The right to have access to your information limited;
• The right to have your information released to prospective employers only upon written consent; and
• The ability to bring an action for damages if your rights are violated.

These concepts of limited use, transparency, consent, individual access, and right of correction are ones that are commonly found in other privacy protection frameworks. The ability to seek damages against data holders who fail to meet those standards is also a common feature.

2. Privacy Act of 1974

Congress passed the Privacy Act of 1974 in response to the HEW Commission Report referenced in Section III. The report outlined concerns about large, computerized data collections of the federal government on personal privacy. The Privacy Act of 1974 provides individuals with the right to access, the right to request changes, and protection from unauthorized exposure of government records that contain information about them. The act places obligations on the federal government to ensure that individual privacy rights are respected. This safeguarding is accomplished through requirements that each federal agency only maintain individual information relevant to its governmental purpose and maintain those records with accuracy, relevance, timeliness, and completeness to ensure fairness in decision-making.139 Agencies must publish notice regarding the information systems they maintain.140 Additionally, agencies are required to promulgate rules for individual access and correction of records.141 The clear purpose is to create an understanding of the records being kept about individuals so individuals can intelligently exercise their access rights.

Where individuals identify violations of their rights, the Privacy Act of 1974 provides a private cause of action for redress in the form of injunctive relief to enforce compliance.142 Successful litigants can also seek attorney's fees.143

This statute was the first of its kind designed to limit governmental establishment and use of databases of personal information. The statute limits government collection, dissemination and use of personal information. It also imposes penalties for improper disclosure of personal information as well as affording individuals access to files maintained by governmental entities. Its terms specifically apply only to data maintained by the federal government, but those provisions have been used as a model by state and local entities seeking to provide their own data protections.

3. Limitations of FCRA and Privacy Act Protections

Since the enactment of these protections there is increasing evidence of their inadequacy in addressing the issue of informational privacy. While both statutes provide some protections, they are limited by their very terms in what they protect. For example, the Privacy Act of 1974 is limited to information generated and maintained by the federal government. However, the federal government has made extensive use of private databases to circumvent the protections of the Privacy Act. The extensive use of these private databases escapes regulation. The narrow statutory definition of the FCRA allows for unregulated use of data for a large range of other activities.

Recognizing the weakness of the FCRA in regulating the use of information that could result in identity theft, Congress amended the FCRA with the passage of the Fair and Accurate Credit Transactions Act (FACTA).144 FACTA was designed to strengthen protections against identity theft. It offers individuals the opportunity to receive a free annual credit report from each of the major credit reporting companies. It requires notice to consumers and credit scores in the event of denials or offers of less favored credit. It provides individuals the opportunity to place fraud alerts into their credit histories. Lastly, it imposes additional safeguards with respect to transactions designed to combat identity theft, including limiting the number of digits that can be publicly viewable on transaction receipts.

Airports and airport facilities have been involved in litigation brought under FACTA. In Garland v. Memphis-Shelby County Airport Authority, the district court approved a class action settlement of a FACTA claim, brought in connection with the issuance of credit card receipts for parking at the airport.145 The receipts issued for parking had more than five digits of the credit card listed on the receipt in violation of the limits set in FACTA. While the Plaintiff admittedly suffered no injury, he brought a class action suit seeking statutorily provided damages. The result of the suit was the award of $275,000 in attorney's fees to the Plaintiff's lawyer and the creation of a $1,005,000 settlement fund.

In Beringer v. Standard Parking Corp.,146 customers from the parking facility at O'Hare International Airport sought class certification in a dispute over parking charges. The court granted certification for a class of over 15,300 members. The O'Hare parking facility, like the facility in Garland, was accused of issuing parking receipts with more than five digits of the credit card number and the expiration date for a period of over four months. The court approved certification over an argument by the defendant that certifying a class action where the likely plaintiffs would have no actual damages and only an entitlement to statutory awards would result in an unreasonable penalty for failure to comply with FACTA.

These cases demonstrate that small failures to enforce requirements concerning statutorily protected data, even when the release of that data does not create actual harm, can result in substantial penalties. This fact is particularly true for financial data. If airports or airport stakeholders are involved in the collection of covered data, then they must be careful to comply with these statutory requirements. Failure can result in substantial liability even in the absence of actual injury to individuals.

In some instances, the FCRA may be implicated where information is gathered and marketed for a usage that may be covered under the FCRA. Consider Spokeo v. Robins,147 where the Supreme Court addressed the question of an individual's standing to bring suit against an open-source data mining company whose data mining services were allegedly being used to evaluate the conduct of prospective employees. The Plaintiff alleged he was injured because the false information collected by Spokeo was used to deny him employment opportunities. While Spokeo represents an expansion of FCRA into the realm of internet activity and online search, it does not change the underlying limitation of FCRA applicability to "consumer reports" as defined in the statute. That definition limits the applicability of the FCRA to narrowly defined categories of information usage. It is because the Spokeo reports were allegedly inaccurate and shared with prospective employers that Robins could proceed with his claim.

While Spokeo will likely have little direct impact for airports (unless they are using social media search services as part of their hiring process), the decision should raise concern over the fact that subsequent use of collected data may result in liability. This is true even if the prohibited or improper use is done by a third party. This case should serve as a reminder that if an airport or airport stakeholder collects data and shares data with a third party, the third party's use of data in a way that is inconsistent with the purpose for which the data was collected may cause liability.

4. Lessons of FCRA and Privacy Act

While the FCRA and Privacy Act are the oldest federal attempts at privacy protection, they are not alone. Congress has passed other statutes that protect privacy and ensure data security in several other contexts. However, these statutes do not provide a comprehensive framework to address individual privacy concerns across multiple domains. Instead, these statutes address relatively narrow spheres of individual privacy applying only to certain types of information and data usage. And many of these legislative enactments have only tangential relevance in an airport context. However, these laws form a part of the overall legislative approach to data privacy in the United States. In this sense, while they are not controlling, they do offer some guidance for internal controls that practitioners might consider.

B. Additional Federal Statutory Provisions

There are several additional federal statutory provisions regarding data collection, storage, access, and dissemination. While a number of the federal statutes listed below are not directly governing, they may provide airports with templates for policy creation in the data privacy context.

1. The Stored Communications Act (SCA)148

Contained at Title II of the omnibus Electronic Communications Privacy Act of 1986 (ECPA),149 the SCA addresses both voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs). The SCA contains criminal penalties150 and provides for a civil cause of action.151

In In re Am. Airlines, Inc. Privacy Litigation,152 the U.S. District Court for the Northern District of Texas, Dallas Division, dismissed a nationwide putative class action claim filed under the SCA against American Airlines (American).153 The complaint asserted that the putative class was allegedly injured when American authorized a corporation to disclose highly confidential passenger information to the TSA without the passengers' consent.154 The court found that Plaintiffs relied on a theory of unauthorized disclosure of information, not of access that exceeded authorization.155 Thus, the court held that Plaintiffs failed to state a Section 2701 claim because that section "does not proscribe unauthorized use or disclosure of information obtained from authorized access to a facility."156 The court also held that Plaintiffs failed to state a Section 2702 claim because they alleged that they conveyed personal information to American, and therefore, American was an intended recipient of such communication, and Section 2702(b)(3) permits disclosure of electronic communications "with the lawful consent of . . . an . . . intended recipient of such communication . . . ."157

In Pica v. Delta Airlines, Inc.,158 the U.S. District Court for the Central District of California dismissed a nationwide putative class action claim filed under the SCA against Delta Airlines (Delta).159 The complaint asserted that the putative class was allegedly injured by malware that gained unauthorized access to Plaintiffs' identities and debit and credit card information stored electronically by Delta.160 The court held that Plaintiffs failed to state a Section 2701 claim because "[t]he Court would have to accept the conclusion that Delta, in unlawfully accessing its own servers, did not have Delta's own authorization."161 The court concluded that "Plaintiffs' argument defies common sense."162 The court also held that Plaintiffs failed to state a Section 2702 claim, finding that "the Court cannot conclude that Delta is an entity providing either an 'electronic communication service' or 'remote computing service.'"163 In reaching this conclusion, the court in Pica relied on In re JetBlue Airways Corporation Privacy Litigation,164 which explained that "a company such as JetBlue does not become an 'electronic communication service' provider simply because it maintains a website that allows for the transmission of electronic communications between itself and its customers."165

In McGarry v. Delta Air Lines, Inc.,166 the U.S. District Court for the Central District of California again dismissed another nationwide putative class action claim filed under the SCA against a company called "24/7"167 for the same malware attack in the Pica case, but used different grounds for its decision.168 As to the Section 2701 claim, the court found that "Plaintiff's consumer data is not a 'facility' (i.e., servers and databases) through which an electronic communication service is provided."169 As to the Section 2702 claim, the court concluded that Plaintiff failed to state a claim because she failed to allege that 24/7 knowingly divulged her customer data.170

Enacted in 1986, the SCA was not amended until March 2018, and its provisions have not anticipated many, if not most, of the advancements in modern-day technology.171 The amendment to the SCA in 2018 was the Clarifying Lawful Overseas Use of Data Act (CLOUD Act),172 which expressly allows U.S. law enforcement through a warrant, subpoena, or court order to access electronically stored communications data located outside the U.S. by an electronic communication service or remote computing service subject to U.S. jurisdiction, which includes all major U.S. cloud computing companies.173

The court decisions under the SCA seem to leave it unlikely that an airport or other stakeholder in the airport space would have liability under the SCA. In cases where the airport or other airport stakeholder is the lawful recipient of data, any alleged misuse would likely not be actionable under the SCA.

2. The Computer Fraud and Abuse Act (CFAA)174

The CFAA prohibits accessing a computer without authorization, or in excess of authorization. Like the SCA, the CFAA was enacted in 1986 and contains both criminal and civil enforcement mechanisms, but unlike the SCA, the CFAA has been amended a number of times.175 The U.S. Supreme Court, in April 2020, agreed to hear Van Buren v. United States, a case that will determine whether it is a federal crime for someone authorized to access information on a computer system to access that information for an unauthorized purpose.176 In Van Buren, a police sergeant was convicted under the CFAA for selling license plate information obtained from a police database, and the U.S. Court of Appeals for the Eleventh Circuit upheld the conviction and held that misusing a database that the defendant may lawfully access may still constitute computer fraud.177 The CFAA makes it a crime to "intentionally access a computer without authorization or exceed authorized access, and thereby obtain . . . information from any protected computer."178 The U.S. Courts of Appeals for the First, Fifth, Seventh and Eleventh Circuits have each adopted a broad interpretation of the statute. In contrast, the U.S. Courts of Appeals for the Second, Fourth, and Ninth Circuits do not consider mere misuse of information that an individual is authorized to access a violation of the statute. The Court's decision in Van Buren will undoubtedly both guide prosecution efforts and influence civil litigation under the CFAA. Because of the broad ranging applicability of this issue, any employer, including airports, should follow this case.

The CFAA should convince airports and stakeholders in the airport space to ensure that security safeguards are in place to mitigate possible fraudulent use of systems by employees. Failure can result in potential CFAA violations. Employees need to be reminded that improper access to and use of data can result in criminal penalties as well as civil liability. For example, in International Airport Centers v. Citrin,179 the U.S. Court of Appeals for the Seventh Circuit held that an employer stated a civil claim under CFAA against an employee who before departing employment downloaded all of his employer's data from his employee laptop so that he could start a competing business.180

3. The Health Insurance Portability and Accountability Act (HIPAA)181

Congress enacted Title II of HIPAA, and its Administrative Simplification (AS) provisions, to streamline the flow of healthcare information and to mandate how the healthcare and healthcare insurance industries should maintain Protected Health Information (PHI) to be protected from fraud and theft. Under Title II, the U.S. Department of HHS has promulgated five rules regarding AS: (1) the Privacy Rule;182 (2) the Transactions and Code Sets Rule;183 (3) the Security Rule;184 (4) the Unique Health Identifiers Rule;185 and (5) the Enforcement Rule.186 The Privacy Rule contains a provision that specifically addresses the wrongful disclosure of individually identifiable health information with penalties including both fines and imprisonment.187

HIPAA also contains a provision that states its effect on state law as it relates to public health issues.188 In this regard, HIPAA states that nothing "shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention."189 Therefore, even with the COVID-19 pandemic, it is clear that HIPAA would allow state agencies to enact investigative and reporting requirements that would certainly affect airport operations for tenants governed by HIPAA requirements.

In response to the COVID-19 pandemic, the OCR at HHS has issued both Bulletins and Guidance that detail its regulatory priorities under HIPAA. In February 2020, the OCR issued a Bulletin reiterating that the HIPAA Privacy Rule permits a covered entity to disclose certain patient health information without the individual's authorization to support a public health authority, such as the CDC or a state or local health department, that is authorized to collect or receive such information, for the purpose of preventing or controlling disease, injury, or disability.190 In March 2020, the OCR issued Guidance concerning COVID-19 and HIPAA and disclosures of protected health information of an individual who has been infected with or exposed to COVID-19 to law enforcement, paramedics, other first responders, and public health authorities with the individual's HIPAA authorization under certain circumstances.191

It is important to emphasize that the HIPAA Privacy Rule192 applies only to covered entities or their business associates. Covered entities are defined as health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan.193 Business associates are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information.194 Thus, in the airport space, HIPAA may have limited applicability. However, airport tenants that provide physical therapy or massage therapy may be covered entities and, therefore, subject to HIPAA requirements. Additionally, where an airport offers emergency medical services, it would be subject to HIPAA requirements for that activity.

For entities not covered by HIPAA, other federal laws may apply. For example, the Equal Employment Opportunity Commission (EEOC) issued updated Guidance for a 2009 publication to address its application to the COVID-19 pandemic.195 The Guidance enumerates questions and answers for employers regarding employees and what actions are specifically permitted during a pandemic.196 The Guidance specifically states that it will not be a violation of the Americans with Disabilities Act (ADA) and the Rehabilitation Act if an employer asks an employee who reports feeling ill whether he or she is experiencing symptoms consistent with the coronavirus infection.197 The EEOC also clarified that during a pandemic, employers will not violate the ADA by requiring employees to submit to non-invasive temperature testing, which is considered a medical examination and would not be allowed under other circumstances.198 This is particularly salient information in the airport space given that a significant number of employees may be exposed to large numbers of persons for extended periods of time.

Additionally, on April 10, 2020, the U.S. Department of Labor's Office of Occupational Safety and Health Administration (OSHA) issued interim Guidance that classified COVID-19 as a recordable illness, making it reportable to OSHA if the employee's work environment exposed him or her to the virus.199 On May 19, 2020, the OSHA interim Guidance issued on April 10, 2020 was revised.200 The interim Guidance issued on May 19, 2020, notes that an employer determining if a COVID-19 case is "work-related" under OSHA standards may pose a risk to the employee's privacy, and thus, an employee can request that his or her name be excluded from an employer's Form 300 (log of work-related injuries and illnesses).201 Failure to comply with an employee's request202 can result in penalties.203 OSHA recordkeeping requirements are a concern for every employer whether at an airport or not.

Because the reach of HIPAA extends only to statutorily defined covered entities and their business associates and other acts apply only to employees, there have been a number of federal legislative initiatives to address more generalized data privacy concerns generated by the COVID-19 pandemic.204

While the HIPAA Privacy Rule205 and Security Rule206 may not be expressly applicable to airports, they still provide a model for consideration in addressing various and increasing data information concerns. Additionally, the events surrounding the COVID-19 pandemic have demonstrated a willingness to modify the HIPAA Enforcement Rule207 in response to a public health crisis. This ability of the Government to adapt its regulatory schema is something that airports should note and account for in their planning.

114 357 U.S. 449 (1957).
115 468 U.S. 609 (1984).
116 Regulations Affecting the Exercise of First Amendment Activities at Airports, Nat'l Acads of Scis., Eng'g, & Med. (2015), https://doi.org/10.17226/22099.
117 See Griswold v. Conn., 381 U.S. 479, 514-15 (1965).
118 See Roe v. Wade, 410 U.S. 113 (1973).
119 See City of Dallas v. Stanglin, 490 U.S. 19 (1989). While rejecting a challenge to dance hall restrictions based in part on claims of protected intimate social association, the Stanglin Court noted the vitality of those protections. Citing a prior decision in Roberts, supra, footnote 115, it observed "the Court has concluded that choices to enter into and maintain certain intimate human relationships must be secured against undue intrusion by the State because of the role such relationships have played in safeguarding the individual freedom that is central to our constitutional scheme." 490 U.S. at 24 (quotations omitted).
120 15 U.S.C. § 1681, et seq.
121 5 U.S.C. § 552a, et seq.
122 Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection (Version 3.0), 2006 Univ. of Ill. L. Rev. 357, at 357 (2006), https://ssrn.com/abstract=881294.
123 The scope of the private industry that has grown up around the collection of personal information (including criminal history information) is well cataloged. See James Jacobs & Tamara Crepet, The Expanding Scope, Use, and Availability of Criminal Records, 11 N.Y.U. J. of Int'l Law & Policy 177 (2008), http://www.nyujlpp.org/wp-content/uploads/2012/10/Jacobs-Crepet-The-Expanding-Scope-Use-and-Availability-of-Criminal-Records.pdf.
124 Daniel J. Solove & Chris Jay Hoofnagle, A Model Regime of Privacy Protection (Version 3.0), Univ. of Ill. L. Rev. 357, 357 (2006), https://ssrn.com/abstract=881294.
125 Id.
126 Mark J. Furletti, An Overview and History of Credit Reporting (June 2002), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=927487.
127 15 U.S.C. § 1681a(f).
128 15 U.S.C. § 1681a(d).
129 15 U.S.C. § 1681, et seq.
130 16 C.F.R. § 608.
131 Id. at § 604(1).
132 15 U.S.C. § 1681s(b).
133 15 U.S.C. § 1681s(b)(1)(c).
134 15 U.S.C. §§ 1681s(c), 1681t.
135 15 U.S.C. §§ 1681n, 1681o.
136 15 U.S.C. § 1681a(d).
137 Id.
138 Summary of Your Rights Under the Fair Credit Reporting Act, Consumer Finance Protection Bureau, https://files.consumerfinance.gov/f/documents/bcfp_consumer-rights-summary_2018-09.pdf.
139 Id. § 552a(e).
140 Id.
141 Id. § 552a(f).
142 Id. at § 552a(g).
143 Id.
144 15 U.S.C. § 1681j.
145 No. 09-2749, 2011 U.S. LEXIS 159344 (W.D. Tenn. July 19, 2011).
146 No. 07 C 5027, 2008 U.S. Dist. LEXIS 72873 (N.D. Ill. Sept. 4, 2008).
147 136 S. Ct. 1540 (2016).
148 18 U.S.C. §§ 2701-2712.
149 18 U.S.C. §§ 2701 et seq.
150 18 U.S.C. §§ 2701-2702.
151 18 U.S.C. § 2707(a).
152 370 F. Supp. 2d 552 (N.D. Tex. 2005).
153 370 F. Supp. 2d at 568.
154 370 F. Supp. 2d at 555.
155 370 F. Supp. 2d at 558.
156 370 F. Supp. 2d at 559.
157 370 F. Supp. 2d at 560.
158 No. CV 18-2876-MWF (Ex), 2019 U.S. Dist. LEXIS 65985 (C.D. Cal. Feb. 14, 2019).
159 2019 U.S. Dist. LEXIS 65985 at *21.
160 2019 U.S. Dist. LEXIS 65985 at **3-4.
161 2019 U.S. Dist. LEXIS 65985 at *18.
162 2019 U.S. Dist. LEXIS 65985 at *18.
163 2019 U.S. Dist. LEXIS 65985 at *19.
164 379 F. Supp. 2d 299 (E.D.N.Y. 2005).
165 379 F. Supp. 2d at 307.
166 No. cv 18-9827-MWF (Ex), 2019 U.S. Dist. LEXIS 106236 (C.D. Cal. June 18, 2019).
167 The court described "24/7" as a "customer experience software and services company" that provides online chat services and collects end user data for Delta. 2019 U.S. Dist. LEXIS 106236 at *2 (citations omitted).
168 2019 U.S. Dist. LEXIS 106236 at **22-24.
169 2019 U.S. Dist. LEXIS 106236 at *22. For a thorough explanation of what constitutes a "facility" under Section 2701 of the SCA, see In re Google, No. 19-cv-04286-BLF, 2020 U.S. Dist. LEXIS 80971 (N.D. Cal. May 6, 2020) (noting that "Courts in this Circuit and others have interpreted 'facility' to exclude users' personal devices" and further stating that "it was skeptical that software could properly be considered a facility").
170 2019 U.S. Dist. LEXIS 106236 at **22-23.
171 See, e.g., Gabriel R. Schlabach, Privacy in the Cloud: The Mosaic Theory and the Stored Communications Act, 67 Stan. L. Rev. 677, 693-94 (2015) (discussing inter alia five main problems with the SCA including its basis in 1980s technology and dated terminology).
172 18 U.S.C. § 2713.
173 18 U.S.C. § 2713.
174 18 U.S.C. § 1030.
175 The CFAA has been amended in 1989, 1994, 1996, in 2001 by the USA PATRIOT Act, 2002, and in 2008 by the Identity Theft Enforcement and Restitution Act.
176 Van Buren v. U.S., 206 L.Ed.2d 822 (2020) (granting petition for certiorari).
177 U.S. v. Van Buren, 940 F.3d 1192 (11th Cir. 2019).
178 18 U.S.C. § (a)(2)(C).
179 440 F.3d 418 (7th Cir. 2006).
180 Id. at 420.
181 42 U.S.C. § 1320d.
182 45 C.F.R. Part 160 & Subparts A, E of Part 164.
183 45 C.F.R. Subpart J of Part 162.
184 45 C.F.R. Part 160 & Subparts A, C of Part 164.
185 45 C.F.R. Subparts A, D, E, F, I of Part 162.
186 45 C.F.R. Subparts C, D, E of Part 160.
187 42 U.S.C. § 1320d-6 (addressing wrongful disclosure of individually identifiable health information).
188 42 U.S.C. § 1320d-7(b) Public health.
189 Id.
190 HIPAA Privacy and Novel Coronavirus, Office for Civil Rights, U.S. Dep't of Health & Human Services (Feb.
199 Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19), Office of Occupational Safety & Health Admin., U.S. Dep't of Labor (Apr. 10, 2020), https://www.osha.gov/memos/2020-04-10/enforcement-guidance-recording-cases-coronavirus-disease-2019-COVID-19.
200 Revised Enforcement Guidance for Recording Cases of Coronavirus Disease 2019 (COVID-19), Office of Occupational Safety & Health Admin., U.S. Dep't of Labor (May 19, 2020), https://www.osha.gov/memos/2020-05-19/revised-enforcement-guidance-recording-cases-coronavirus-disease-2019-covid-19.
201 Id.
202 See 29 C.F.R. § 1904.29(b)(7)(vi).
203 See 29 U.S.C. § 666(a).
204 In late April 2020, Republican senators introduced a bill called the COVID-19 Consumer Data Protection Act of 2020, S. 3663, 116th Cong. (2020). In May 2020, Democrats introduced the Public Health Emergency Privacy Act, S. 3749, 116th Cong. (2020). On June 1, 2020, a bipartisan bill called the Exposure Notification Privacy Act (ENPA), S. 3861, 116th Cong. (2020), was introduced in the Senate. The ENPA makes clear that violations will be treated as unfair or deceptive practices under Section 5 of the Federal Trade Commission Act (FTC Act).
205 45 C.F.R. Part 160 & Subparts A, E of Part 164.
206 45 C.F.R. Part 160 & Subparts A, C of Part 164.
207 45 C.F.R. Subparts C, D, E of Part 160.
2020), https://www.hhs.gov/sites/default/files/February-2020-hipaa-and- novel-coronavirus.pdf. 191 COVID-19 and HIPAA: Disclosures to law enforcement, para- medics, other first responders, and public Health Authorities, Office for Civil Rights, U.S. Depât of Health & Human Servs. (Ma. 24, 2020), https://www.hhs.gov/sites/default/files/covid-19-hipaa-and-first- responders.pdf. 192 45 C.F.R. Part 160 & Subparts A, E of Part 164. 193 45 C.F.R. Â§ 160.103(4). 194 45 C.F.R. Â§ 160.103(4). 195 Pandemic Preparedness in the Workplace and the Americans with Disabilities Act, U.S. Equal Empât Opportunity Commân (Mar. 21, 2020), https://www.eeoc.gov/laws/guidance/pandemic-preparedness- workplace-and-americans-disabilities-act. 196 Id. 197 Id. at question-and-answer 6. 198 Id. at question-and-answer 7.
32 ACRP LRD 42 possessed a warrant, court order, or a customerâs consent.215 Sec- tion 212 of the PATRIOT Act permitted communications ser- vice providers to disclose either customer records or the content of their customersâ communications to authorities in any emer- gency situation that involved an immediate danger of physical injury.216 The Homeland Security Act repealed Section 212âs provision governing content disclosure in emergency situations and recast it as a separate statute without a sunset provision.217 However, Section 212âs provision governing record disclosure in emergency situations expired on December 31, 2005.218 With respect to airports and stakeholders in the airport space, the changes in the PATRIOT Act suggest caution should be exercised in fulfilling any request for documents or data con- tent in the absence of appropriate process, including a warrant, court order, or a properly executed consent from the customer. Legal counsel should always be consulted before responding to requests for information. 6. The Federal Information Security Modernization Act of 2014 (FISMA2014)219 FISMA2014 replaced the Federal Information Security Management Act of 2002 (FISMA).220 FISMA2014 requires that federal agencies, the NIST and the Office of Management and Budget (OMB) coordinate to strengthen information security systems. In particular, FISMA2014 creates a model for manag- ing information security that is defined by standards developed by NIST. FISMA2014 requires that federal government agencies and their contractors follow a framework for managing informa- tion security. While FISMA2014 may not govern airport data systems that are not operated by a federal agency or its contrac- tors, the statute provides a number of useful metrics for policy development. 
FISMA2014 first requires that agencies have an informa- tion systems inventory in place that determines what consti- tutes the boundaries of the information system at issue.221 Next, FISMA2014 requires that the information system should be cat- egorized based on the objectives of providing appropriate levels of information security according to a range of risk levels.222 The process of selecting the appropriate security controls and assur- ance requirements for organizational information systems to achieve adequate security is a multifactorial, risk-based activity for management and operational personnel. To assist in the management, operational and technical develop ment of compliant information systems the National Institute of Standards and Technology has issued a series of re- ports. NIST Special Publication 800-53 (rev. 4) provides both a 215 18 U.S.C. Â§Â§ 2702, 2703. 216 Pub. L. No. 107-56, Â§ 212(a)(1)(D). 217 18 U.S.C. Â§ 2702(b)(7). 218 18 U.S.C. Â§ 2703(c)(4). 219 44 U.S.C. Â§ 3551. 220 44 U.S.C. Â§ 3541. 221 44 U.S.C. Â§ 3554(b). 222 44 U.S.C. Â§ 3554(b)(1). 4. The Health Information Technology for Economic and Clinical Health Act (HITECH)208 The basis for HITECH is to create a âmeaningful useâ of interoperable Electronic Health Records (EHR) on a national level. HITECH requires entities covered by HIPAA to report data breaches affecting more than 500 persons to the U.S. Depart ment of HHS, to the news media, and to the persons af- fected. HITECH extends the Security and Privacy Provisions of HIPAA to the business associates of covered entities.209 HHS published its rules regarding HITECHâs breach notifi- cation requirements in the Federal Register on August 24, 2009. The FTC published its rules on the same issue on August 25, 2009. While these rules only directly apply to HIPAA covered entities and their business associates, they may provide a source for policy development regarding responses to data security. 
In March, 2020, the Office of the National Coordinator for Health Information Technology (ONC) of the HHS announced a final rule to implement certain provisions of the 21st Century Cures Act210 designed to enhance interoperability and support access to and exchange of health information.211 The ONC final rule prohibits âinformation blockingâ of electronic health in- formation (EHI) with certain exceptions.212 Although the ONC final rule does not require disclosure of EHI in a manner not permitted by HIPAA or other laws, the access, exchange, or use of EHI may be required to avoid information blocking.213 Therefore, covered entities and their business associates should evaluate their business associate agreements. However, as with the provisions of HIPAA, this requirement would only apply where the airport or any of the airport stakeholders would act as a covered entity. 5. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT Act)214 Title II of the PATRIOT Act entitled âEnhanced Surveillance Proceduresâ covers surveillance of suspected terrorists, and particularly, those suspected of engaging in computer fraud or abuse. The law governing obligatory and voluntary disclosure of customer communications by cable companies was amended to allow federal agencies to demand such communications under U.S.C. Title 18 relating to disclosure of electronic communica- tions (chapter 119) and stored communications (chapter 121), but it excluded disclosure of cable subscriber viewing habits. Prior law limited the circumstances under which service pro- viders could disclose the content of their customersâ transaction records or communications to those where the Government 208 42 U.S.C. Â§ 17921. 209 See 42 U.S.C. Â§Â§ 17931,17934. 210 Pub. L. No. 114-255, 130 Stat. 1033 (2016). 211 85 FR 25642 (Eff. June 30, 2020). 212 Id. 213 Id. 214 Pub. L. No. 
107-56 (codified as amended in scattered sections of 18 U.S.C and 50 U.S.C.).
ACRP LRD 42 33 directives, and guidance from NIST. State, local, and Tribal Authorities may implement stricter policies. The CJIS Security Policy Resource Center231 contains a down- loadable version of the CJIS Security Policy (Policy),232 which has very detailed information on developing a data security policy and highlights the CJIS Security Policy approach. Section 4.1 of the Policy233 defines CJI to include the follow- ing data sets housed by the FBI CJIS architecture: 1. Biometric Data 2. Identity History Data 3. Biographic Data 4. Property Data 5. Case/Incident History The stated intent of the Policy is to ensure protection of CJI until the information is released to the public via authorized dis- semination (e.g., within a court system) or purged or destroyed in accordance with record retention rules.234 Section 4.2 of the Policy235 describes the requirements for the access, use, and dissemination of various files. In particu- lar, for airport purposes, it is noteworthy that the Policy ex- pressly states that ânon-restricted files shall not be disseminated commercially.â236 Section 4.3 of the Policy237 defines PII, and Section 5.1 of the Policy covers information exchange agree- ments.238 Relevant to airports, the Policy states that the policies for information handling and protection also apply to using CJI shared with or received from FBI CJIS for noncriminal pur- poses.239 It describes noncriminal purposes as including, but not limited to, employment suitability, licensing determinations, immigration and naturalization matters, and national security clearances.240 Airport use of CJIS covered data happens routinely in con- nection with the badging process.241 The Criminal History Record Check (CHRC)242 information received is CJIS covered data. Additionally, CJIS covered data may be generated as a re- sult of law enforcement investigative activity. 
Airports should be mindful of segregating and properly limiting the use of CJIS 231 CJIS Security Policy Resource Center, https://www.fbi.gov/ services/cjis/cjis-security-policy-resource-center (last visited Aug. 3, 2020). 232 Criminal Justice Information Services (CJIS) Security Policy, CJIS Sec. Policy Resource Ctr. (June 1, 2020), https://www.fbi.gov/ file- repository/cjis_security_policy_v5-9_20200601.pdf/view. 233 Id. Â§ 4.1. 234 Id. 235 Id. Â§ 4.2. 236 Id. Â§ 4.23.2. 237 Id. Â§ 4.3. 238 Id. Â§ 5.1. 239 Id. Â§ 22.214.171.124. 240 Id. 241 49 C.F.R. Â§ 1542. 242 Id. foundational level of security and guidance on tailoring baseline security controls.223 NIST Special Publication 800-18 (rev.1) in- troduces the concepts of a System Security Plan and the devel- opment of system security planning process.224 This publication provides a template for use in information system planning.225 Previously it was thought that information security planning was completed with system accreditation through the certifica- tion and accreditation process defined in NIST Special Publi- cation 800-837.226 However, that guidance was subsequently revised to recognize the reality of rapid information system change and continually shifting cyber threats. The revised Special Publication 800-837 (rev. 2) outlines a complete Risk Management Framework (RMF) for continuous protection.227 Under this approach all systems are required to monitor a set of security controls and the system documents are required to be updated to reflect changes and modifications to the system.228 Appendix E provides a summary of tasks and responsibilities across the seven step RMF process. The appendix also indicates administrative, organizational, and technical measures to meet process requirements. 229 7. 
The Criminal Justice Information System (CJIS) Security Policy All commercial airports are required to be supported by law enforcement,230 and many airports have law enforcement operating within their organizational structure. Those law en- forcement agencies, whether internal or external, may access information covered by CJIS. Airports must realize that CJIS information has special regulations that limit use and impose defined information security requirements. The CJIS Security Policy provides Criminal Justice Agencies (CJA) and Noncriminal Justice Agencies (NCJA) with mini- mum security requirements to access Federal Bureau of Inves- tigation (FBI) CJIS Division systems and information and to protect Criminal Justice Information (CJI). The CJIS Security Policy integrates presidential directives, federal statutes, FBI 223 Security and Privacy Controls for Federal Information Systems and Organizations, Rev. 4, Natâl Inst. of Standards & Tech. (Apr. 2013), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4. pdf. 224 Guide for Developing Security Plans for Federal Information Sys- tems, Rev.1, Natâl Inst. of Standards & Tech. (Feb. 2006) https:// nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1. pdf. 225 Id., app. A at 27. 226 Guide for the Security Certification and Accreditation of Federal Infor- mation Systems, Natâl Inst. of Standards & Tech. (May 2004), https:// nvlpubs.nist.gov/nistpubs/Legacy/SP/ nistspecialpublication800-37.pdf. 227 Risk Management Framework for Information Systems and Orga- nizations, Natâl Inst. of Standards & Tech. (Dec. 2018), https:// nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf (this version of the Special Publication supersedes two previous drafts of this Special Report the original issued in 2004 and Revision 1 issued in 2010). 228 Id. at 76-83. 229 Id., app. E at 126-139. 230 49 C.F.R. Â§ 1542.
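As an added illustration of the FISMA2014 inventory and categorization steps and the RMF continuous-monitoring requirement discussed in Section 6 above (example code written for this discussion, not code from NIST, FISMA, or ACRP), the following Python model gives each inventoried system a defined boundary and impact levels, categorizes it by the highest impact level across confidentiality, integrity, and availability (the FIPS 199 high-water-mark convention, which the page itself does not describe), and checks for drift between the controls its System Security Plan documents and the controls monitoring actually observes. Control identifiers such as AC-2 follow the SP 800-53 naming scheme; the airport systems and their control sets are constructed sample data.

```python
"""Added example (not from ACRP LRD 42 or NIST): a minimal model of the FISMA2014
steps the digest describes -- an information-system inventory with defined
boundaries, a risk-level categorization, and the RMF requirement that a
monitored control set and the system documents stay in sync as systems change.

Assumptions not stated on the page: impact levels are LOW/MODERATE/HIGH and the
system category is the highest level across confidentiality, integrity and
availability (the FIPS 199 "high-water mark" convention); the control
identifiers and the inventory below are constructed sample data.
"""
from dataclasses import dataclass, field

LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}


@dataclass
class SystemRecord:
    """One entry in the information systems inventory (44 U.S.C. § 3554(b))."""
    name: str
    boundary: set          # components inside the system's boundary
    confidentiality: str   # impact level if confidentiality is lost
    integrity: str
    availability: str
    documented_controls: set = field(default_factory=set)   # what the SSP says
    implemented_controls: set = field(default_factory=set)  # what monitoring sees


def categorize(system: SystemRecord) -> str:
    """High-water-mark categorization: the highest impact level across the three objectives."""
    levels = (system.confidentiality, system.integrity, system.availability)
    for lvl in levels:
        if lvl not in LEVELS:
            raise ValueError(f"unknown impact level {lvl!r} on {system.name}")
    return max(levels, key=LEVELS.__getitem__)


def boundary_overlap(inventory: list) -> dict:
    """Components claimed by more than one system: a sign the boundaries are not settled."""
    seen = {}
    for sys_ in inventory:
        for comp in sys_.boundary:
            seen.setdefault(comp, []).append(sys_.name)
    return {comp: names for comp, names in seen.items() if len(names) > 1}


def monitoring_drift(system: SystemRecord) -> dict:
    """Continuous-monitoring check: controls the SSP documents but monitoring no
    longer observes (missing), and controls present but not documented (SSP stale)."""
    return {
        "missing": sorted(system.documented_controls - system.implemented_controls),
        "undocumented": sorted(system.implemented_controls - system.documented_controls),
    }


def review(inventory: list) -> list:
    """One report row per system: its category and whether its documents need updating."""
    rows = []
    for sys_ in inventory:
        drift = monitoring_drift(sys_)
        rows.append({
            "system": sys_.name,
            "category": categorize(sys_),
            "update_required": bool(drift["missing"] or drift["undocumented"]),
            **drift,
        })
    return rows


# Constructed sample inventory (hypothetical airport systems, not from the page).
SAMPLE_INVENTORY = [
    SystemRecord("badging", {"badge-db", "chrc-intake", "badge-printers"},
                 "HIGH", "HIGH", "MODERATE",
                 documented_controls={"AC-2", "AU-2", "IA-2", "SC-8"},
                 implemented_controls={"AC-2", "AU-2", "IA-2", "SC-8"}),
    SystemRecord("flight-info-display", {"fids-web", "fids-feed"},
                 "LOW", "MODERATE", "MODERATE",
                 documented_controls={"AC-2", "CM-6"},
                 implemented_controls={"AC-2", "CM-6", "SI-4"}),  # SI-4 added, SSP not updated
    SystemRecord("parking-lpr", {"lpr-cameras", "fids-feed"},   # shares fids-feed with FIDS
                 "MODERATE", "LOW", "LOW",
                 documented_controls={"AC-2", "AU-2"},
                 implemented_controls={"AC-2"}),                # AU-2 no longer observed
]

if __name__ == "__main__":
    for row in review(SAMPLE_INVENTORY):
        print(row)
    print("boundary overlaps:", boundary_overlap(SAMPLE_INVENTORY))
```

Run as a script, the report flags the two systems whose System Security Plan no longer matches what monitoring observes, and the shared `fids-feed` component shows why the inventory step must settle system boundaries before categorization and control selection can be meaningful.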