Passenger Privacy Rights and Airlines: Lessons Learned
In the past year, several domestic airlines have successfully defended class action lawsuits brought by passengers claiming that their privacy rights were violated as a result of the airlines’ disclosure of passenger information to government agencies or contractors.[1] Following September 11, the government had asked certain airlines to provide passenger name record (PNR) data[2] to government contractors and agencies that were preparing national security studies related to aviation.
Soon after the public learned of the disclosure of PNR data, passengers sued the airlines claiming that the sharing of PNR data with third parties violated the airlines’ express privacy policies and harmed the passengers.[3] Plaintiffs brought statutory and common law claims against the airlines, alleging, inter alia, violations of the Electronic Communications Privacy Act (ECPA) of 1986,[4] the Fair Credit Reporting Act (FCRA),[5] and state consumer protection and unfair business practices statutes; breach of contract; trespass to property; invasion of privacy; unjust enrichment; and various other state law claims. The complaints sought undefined damages, punitive damages and injunctive relief to the extent that damages were unavailable.
Of particular concern to the airlines was the ECPA claim, since each violation could result in a minimum of $1,000 in damages along with punitive damages for a willful violation. ECPA, originally intended as an anti-hacking statute, establishes a cause of action for unlawful disclosure of electronic communications by a person or entity that provides to the public an “electronic communication service” or “remote computing service.”[6] Providers of these services generally are Internet service providers (ISPs), such as America Online.
Plaintiffs attempted to expand ECPA to include airlines that operate an online passenger reservation system, but the courts rejected this argument and held that ECPA does not apply to online merchants and service providers, such as airlines, that offer their traditional products and services online through a Web site. Rather, the courts determined that online merchants are simply consumers of electronic communication services.
The courts also unanimously dismissed claims brought under the various state consumer protection statutes, holding that the Airline Deregulation Act (ADA) expressly preempts these statutory claims since they “relate to” an airline “price, route or service.” To permit lawsuits under these statutes would allow states to improperly regulate how airlines manage personal information and communicate with their customers in connection with their ticketing and reservation services.
While most courts dismissed the various state common law and breach of contract claims, they did so on different legal grounds. For example, in litigation against American Airlines, the district court in Texas held that the ADA not only preempted the statutory deceptive trade practice claim, but also the claims of trespass to property, invasion of property and unjust enrichment because these claims “have a connection at least with American’s ticketing service, including the reservation component.”[7]
Courts also were persuaded by the fact that plaintiffs could not articulate any damages sustained as a result of any alleged breach of contract. Only one court has permitted the passengers’ breach of contract claim to proceed based on an amended complaint, which now states that plaintiffs were “denied the economic value of their personal information and have lost additional economic value should their information be shared with additional persons or entities.”[8]
Overall, the decisions have provided enormous relief to the airlines, but also serve as an important wake-up call on the potential liability exposure for unauthorized disclosure of personal identity information to third parties. This is particularly true in light of the recent wave of state legislation addressing identity theft and requiring notification of inadvertent and unauthorized disclosure of personal information.[9] While there may be an argument that these state statutes do not apply to airlines because of DOT preemption in this field, the following procedures and policies reflect good business practices for all companies that regularly collect, handle and store computerized customer data.
• Review the notices that are given to, and consents obtained from, customers and other individuals whose personal information is being collected. Confirm that individuals have the option to prohibit the use of their personal information for any purpose other than that specific inquiry or transaction.
• Take an inventory of the type of data that the company collects, transfers, stores and accesses. Assess the vulnerabilities in the company’s methods for entering, transferring, storing and accessing this data.
• Develop comprehensive data storage handling and destruction procedures that will safeguard against the inadvertent or unauthorized disclosure of personal data to third parties.
• Limit the number of employees with access to confidential personal data by establishing firewalls, and install intrusion detection software to detect and track unauthorized conduct on system networks. Adopt special access controls and authentication procedures.
• Implement encryption technologies that prevent outside sources from accessing or pirating data. Maintain the encryption keys separately from the encrypted data.
• Educate employees on the risks that security breaches pose to the company and its customers and on the need for diligence in following security procedures, including simple tasks such as properly logging off a computer.
• Coordinate among information technology, security and public relations/media departments to develop proper protocols for notifying customers, public authorities, executives and employees of any breach of security. Create a public relations plan to address negative publicity. Conduct data breach emergency response drills.
• Identify third-party contractors who may have access to or maintain the company’s databases and perform appropriate vulnerability assessments of their networks. Investigate whether these third parties have privacy policies and notification procedures in place in case of a breach. Examine the third-party contracts to ensure they contain language regarding security standards, notification procedures and indemnity for damages resulting from any contractor breaches.
• Confirm that the company’s security breach notification procedures comply with state and federal laws. Determine the most efficient and compliant way to notify customers of a breach of security.
• Investigate the availability of insurance for cyber risks.
• Retain professionals to conduct security audits of the company’s policies and programs.
• Stay apprised of federal and state laws (particularly those of each state in which the company does business) regarding privacy, identity theft prevention and notification of security breaches.[10]
• Be aware that other countries where your company conducts business may have privacy, theft prevention and notification laws that may conflict with U.S. laws but nonetheless must be complied with.
[1] In re JetBlue Airways Privacy Litig., 379 F. Supp. 2d 299 (E.D.N.Y. 2005); In re Am. Airlines Privacy Litig., 370 F. Supp. 2d 552 (N.D. Tex. 2005); Copeland v. Northwest Airlines Corp., No. 04-2156 M1/V (W.D. Tenn. Feb. 28, 2005); Dyer v. Northwest Airlines Corporation, 334 F. Supp. 2d 1196 (D.N.D. 2004); In re Northwest Airlines Privacy Litig., No. Civ. 04-126, 2004 WL 1278459 (D. Minn. June 6, 2004), appeal pending but stayed, No. 04-2703 (8th Cir.).
[2] PNR data generally contains a passenger name, address, contact information and travel itinerary.
[3] Disclosure of PNR data to the Transportation Security Administration (TSA) should no longer present a privacy problem for the airlines as the TSA, acting pursuant to its statutory powers, has issued an order requesting certain specified PNR data from airlines for use in testing its “Secure Flight” system – a passenger pre-screening program designed to identify passengers known or reasonably suspected to be engaged in terrorist activity.
[4] 18 U.S.C. § 2701 et seq.
[5] 15 U.S.C. § 1681 et seq.
[6] An “electronic communication service” is defined as “any service which provides to users the ability to send or receive wire or electronic communications.” 18 U.S.C. § 2510(15). The legislative history of the statute identifies such providers as “existing telephone companies and electronic mail companies.” Electronic Communications Privacy Act of 1986, S. Rep. No. 99-541, 99th Cong. (1986), reprinted in 1986 U.S.C.C.A.N. at 3555, 3568.
[7] Am. Airlines Privacy Litig., 370 F. Supp. 2d at 564.
[8] In re Am. Airlines Privacy Litig., No. 3:04-MD-1627-D, 2005 WL 3323028, at *1-2 (N.D. Tex. Dec. 7, 2005).
[9] Notification laws have been passed in over 20 states, including Arkansas, California, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, Utah, Washington and Wisconsin.
[10] In addition to state legislation, federal identity theft prevention and consumer notification bills are currently pending in both the House and the Senate, and any new federal law may preempt all, or inconsistent, state law in this area. See, e.g., Specter-Leahy Personal Data Privacy and Security Act of 2005 (S.1789).