Data Breach Potentially Affects Up to 100,000 Students, 3,000 Employees

The San Francisco Chronicle reported yesterday that officials at the City College of San Francisco discovered, a few days after Thanksgiving 2010, that certain college computers had been infested with active malware for more than a decade.  Up to 100,000 students and 3,000 employees could be affected, and that number may rise as the investigation continues.

The problem was detected when the college's data security monitoring service noticed unusually high traffic and alerted the college.  Initially thought to be limited to one computer lab (Cloud Hall at the Phelan Avenue campus), further investigation revealed that the problem was more widespread.  The San Francisco Chronicle's article reported:

Each night at about 10 p.m., at least seven viruses begin trolling the college networks and transmitting data to sites in Russia, China and at least eight other countries, including Iran and the United States, Hotchkiss and his team discovered. Servers and desktops have been infected across the college district's administrative, instructional and wireless networks. It's likely that personal computers belonging to anyone who used a flash drive during the past decade to carry information home were also affected.

Investigation continues to determine which other computer networks at the college may have been infected, such as accounting, admissions and/or payroll systems.  Apparently, 17 different computer systems are presently being analyzed.  The college's server with medical information appears to be unaffected, although it is unclear whether any other system may also contain medical information (such as the admissions system).
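The pattern the Chronicle describes, a fixed-hour burst of outbound traffic every night from the same machines to a handful of foreign destinations, is exactly what a monitoring service can pick out of flow or proxy logs. The block below is an added example, not code from the college or the article: it parses a few constructed flow records (the host names, IP addresses in documentation ranges, countries, byte counts, the 22:00 window and the thresholds are all assumptions for the illustration) and reports hosts that send large transfers in the same hour on several different nights.

```python
"""Off-hours beacon finder over constructed flow records (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: "ISO timestamp,src_host,dst_ip,dst_country,bytes_out".
# lab-pc-17 mimics the nightly ~10 p.m. exfiltration described in the article;
# admin-ws-03 is ordinary daytime browsing plus one small late-evening request.
SAMPLE_FLOWS = """\
2010-11-29T22:03:11,lab-pc-17,198.51.100.23,RU,48211000
2010-11-29T22:05:40,lab-pc-17,203.0.113.9,CN,12904000
2010-11-30T22:01:57,lab-pc-17,198.51.100.23,RU,50120000
2010-11-30T22:04:02,lab-pc-17,192.0.2.77,IR,3100000
2010-12-01T22:02:30,lab-pc-17,198.51.100.23,RU,47800000
2010-12-01T22:06:15,lab-pc-17,203.0.113.9,CN,11500000
2010-11-29T14:12:00,admin-ws-03,198.51.100.50,US,220000
2010-11-30T09:45:10,admin-ws-03,198.51.100.50,US,180000
2010-12-01T22:10:00,admin-ws-03,198.51.100.50,US,150000
"""


def parse_flows(text):
    """Turn the CSV-like text into a list of dicts with a parsed timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, country, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "country": country,
            "bytes": int(nbytes),
        })
    return flows


def find_beacons(flows, window_start=22, window_end=23, min_nights=3, min_bytes=1_000_000):
    """Report hosts with sizeable outbound transfers inside the nightly window
    on at least `min_nights` distinct dates.

    Both filters matter: a single late request (admin-ws-03) is ignored because
    it is small and happens on only one night, while a host that beacons every
    night in the same hour is reported with the destinations it talked to.
    """
    per_host = defaultdict(lambda: {"nights": set(), "countries": set(), "bytes": 0})
    for f in flows:
        hour = f["ts"].hour
        if not (window_start <= hour < window_end) or f["bytes"] < min_bytes:
            continue
        rec = per_host[f["src"]]
        rec["nights"].add(f["ts"].date())
        rec["countries"].add(f["country"])
        rec["bytes"] += f["bytes"]

    findings = []
    for host, rec in per_host.items():
        if len(rec["nights"]) >= min_nights:
            findings.append({
                "host": host,
                "nights": len(rec["nights"]),
                "countries": sorted(rec["countries"]),
                "bytes": rec["bytes"],
            })
    # Largest exfiltration volume first.
    return sorted(findings, key=lambda r: r["bytes"], reverse=True)


if __name__ == "__main__":
    for finding in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print("%(host)s: %(nights)d nights, %(bytes)d bytes to %(countries)s" % finding)
```

On real data the window and byte threshold come from a baseline of the network's normal evening traffic, and the country field from a GeoIP lookup on the destination address; the point of the nightly-recurrence test is that a single large transfer is noise, while the same host doing it at the same hour for several days is a schedule.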

The good news is that the college notified those potentially affected in what most would agree was a prompt timeframe, and that there are no known cases of identity theft originating from this extremely lengthy data breach.

Personal Information Data Breaches - Not if, but When?

By Elizabeth Litten

The widely publicized pre-Christmas breach of confidential data held by Stratfor Global Intelligence Service (“Stratfor”), a company specializing in data security, reminded me that very little (if any) electronic information is truly secure. If Stratfor’s data can be hacked into, and the health information of nearly 5 million military health plan (TRICARE) members maintained by multi-billion dollar Department of Defense contractor Science Applications International Corporation (SAIC) (the subject of a five-part series of blog postings found on Fox Rothschild’s HIPAA, HITECH and HIT Blog, Parts 1, 2, 3, 4 and 5) can be accessed, can we trust that any electronically transmitted or stored information is really safe?

I had the pleasure of having lunch with my friend Al yesterday, an IT guru who has worked in hospitals for years. Al understands and appreciates the need for privacy and security of information, and has the technological expertise to know where and how data can be hacked into or leaked out. Perhaps not surprisingly, Al does not do his banking on-line, and tries to avoid making on-line credit card purchases. 

Al and I discussed the proliferation of the use of iPhones and other mobile technology by physicians and staff in hospitals and other settings, a topic recently discussed in a newsletter published by the American Medical Association. Quick access to a patient’s electronic health record (EHR) is convenient and may even be life-saving in some circumstances, but use of these mobile devices creates additional portals for access to personal information that should be protected and secured. Encryption technology and, perhaps most significantly, use of this technology, barely keeps pace with the exponential rate at which we are creating and/or transmitting data electronically.  

On the other hand, trying to reverse the exponential growth of electronic communications and transactions would be futile and probably counter-productive. The horse is out of the gate, and expecting it to stop mid-stride and retreat back with a false-start call is irrational. The horse will race ahead just as surely as my daughter will text and check her Facebook page, my son will recharge his iPad, and I will turn around and head back to my office if I forget my iPhone. We want and need technology, but seem to forget or fail to fully understand the vast, unprotected and ever-expanding universe into which we send information when we use this technology. 

If we expect breaches or, at least, question our assumptions that personal information will be protected, perhaps we will get better at discerning how and when we disclose our personal information. An in-person conversation or transaction (for example, when Al goes to his bank in person or when a physician speaks directly to another physician about a patient’s care) is less likely to be accessed and used inappropriately than an electronic one. We can better assess the risks and benefits of communicating information electronically when we appreciate the security frailties inherent in electronic communication and storage. 

Perhaps Congress should take the lead in enacting laws that will help protect against data breaches that could compromise “critical infrastructure systems” (as proposed in the “PRECISE Act” introduced by Rep. Daniel E. Lungren (R-CA)), but more comprehensive, potentially expensive, and/or use-impeding cybersecurity laws might have the effect of tripping the racehorse mid-lap rather than controlling its pace or keeping it safely on course.

2011 Data Breach Summary

Smart Money just ran a story about the top five data breaches of 2011.  While I do not necessarily agree that these are the top five (students, students, NYC hospital patients, not to mention the Stratfor breach), the takeaway is interesting: none of them have the same source for the breach:

1.  Epsilon.  What more needs to be said to keep contract attorneys up at night than "Epsilon"?  This data breach involved a third party losing data about its customers' customers.  Stated another way, the owner of the information did nothing wrong...other than hiring a contractor that mishandled information.  Does indemnification mean more to you now?  The takeaway from this breach: come clean, come clean, come clean.

2.  Sony.  Massive breach of the online gaming network.  Lots of data lost, lots of downtime for pasty, sun-averse gamers.  Hackers targeting the network to blame.  The takeaway from this breach: do not handle it the way Sony handled it.

3.  Tricare.  Science Applications International Corp. (SAIC), a defense contractor for the military, had data backup tapes stolen from a car.  Approximately 4.9 million beneficiaries affected.  Physical theft of unencrypted media, not a network intrusion, to blame.  The takeaway from this breach: don't leave the data tapes in the car (come on, people!).

4.  Sutter.  A simple stolen desktop computer containing information about possibly 3.3 million patients goes missing.  The takeaway from this breach: encrypt!  Chances are the thief had zero intention of stealing the actual information, but you can be sure it was still a breach notification scenario.

5.  Texas Comptroller.  This is number three in my book.  Personal information of 3.5 million people left publicly available for over one year.  Information about persons required to hand over that information, not information voluntarily handed over.  Total disaster.  Anyone could have found this information, given its availability.  The takeaway from this breach: hire IT staff that is security conscious and, more importantly, give those people the budget to do their jobs.

BONUS: not a data breach, but a significant ruling this year.  Corporations have no right to privacy.  This Supreme Court ruling impacts corporate decisions on so many levels...or it should.

Happy New Year to our readers.

FTC Settles With Facebook, Agrees to Whopping 20-Year Consent Order

According to a press release issued yesterday, November 29, 2011, by the Federal Trade Commission, Facebook settled charges that Facebook “deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public.”

The complaint (PDF link) lists a litany of bad practices by Facebook. One allegation that stands out, largely because of the media firestorm that it created at the time, was Facebook’s change in privacy settings to users’ accounts in December 2009. The foregoing settings change was, in the FTC’s opinion, particularly egregious because Facebook undertook the changes without any notice or consent from users.

Another allegation that stands out, again both because of the media firestorm and the falsehood, was Facebook’s assertion that information from deactivated user accounts would not be accessible.

And what grueling punishment must Facebook endure for its privacy-related bad acts? According to Jon Leibowitz, Chairman of the FTC, "Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users." Rough justice.

In all seriousness, there is some substance to the settlement. Facebook must not make any further deceptive privacy claims. Facebook must also get consumers' approval before it changes the way it shares their data. Finally, Facebook must obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years.

Frankly, the foregoing requirements on Facebook are all steps that a company like Facebook, if not substantially all companies handling consumer personal information, should be undertaking.

Specifically, under the proposed settlement, Facebook is:

  • barred from making misrepresentations about the privacy or security of consumers' personal information;
  • required to obtain consumers' affirmative express consent before enacting changes that override their privacy preferences;
  • required to prevent anyone from accessing a user's material more than 30 days after the user has deleted his or her account;
  • required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers' information; and
  • required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers' information is protected.

The proposed order also contains standard record-keeping provisions to allow the FTC to monitor compliance with its order.

The proposed settlement is not yet final. It will be open to public comment for thirty days, ending on December 30, 2011. The terms of the proposed settlement will be published in the Federal Register shortly. After the close of the comment period, the FTC will decide whether to make the proposed consent order final.

Interested in submitting your comments to the FTC? According to the press release: Interested parties can submit comments online or in paper form by following the instructions in the "Invitation To Comment" part of the "Supplementary Information" section. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.

Comparison of Major Carriers' Retention of Mobile Device Usage

The Computer Crime and Intellectual Property Section of the U.S. Department of Justice compiled a summary in August 2010 of the retention periods of major cellular service providers of data transmitted to and from users' mobile devices.  The report is here. (PDF link)  The American Civil Liberties Union (ACLU) obtained a copy of the foregoing report through a Freedom of Information Act (FOIA) request.  The contents of the report are interesting, to say the least.

Mobile Carriers Data Retention Summary

As reported by Cory Doctorow on the terrific Boing Boing in this article, and by David Kravets of Wired.com in this article titled "Which Telecoms Store Your Data the Longest? Secret Memo Tells All," it is unclear which major cellular carrier treats our usage data with the most respect.  On the one hand, Verizon stores text message details (just the transmission receipt details, such as recipient and time) for only one year, compared to as long as 5-7 years for post-paid subscribers of AT&T.  On the other hand, AT&T, Sprint and T-Mobile store none of the contents of text messages, whereas Verizon stores that information for 3-5 days.  The IP session information may be the most interesting, because of the additional information that can be gleaned from the raw data, the question of why it is stored (billing disputes?) and the disparity in length of storage.  One of the excellent infographics posted on Wired's web site is posted here, but the full Wired article is a must read.

Besides this information being eye opening on a personal level, it can be crucial evidence in the case of a corporate data breach.  While we all hope that law enforcement will use all tools available to it when investigating a corporate crime, knowing the tight time constraints under which a business investigating a potential crime must operate is crucial: once a carrier's retention period runs out, the records are gone.  To be clear, I am referring to use of these tools as an option for ethical investigations into criminal activity through law enforcement.  These are not tools to assist a company in sacking an employee that is surfing the web on her mobile phone while on the clock.  In any event, these time frames should be considered when investigating a suspected data breach.

If you are getting that "eye in the sky is watching me" feeling, I will be sure not to mention the warrantless GPS and triangulation tracking capabilities of the major mobile carriers available to law enforcement.

Source: BoingBoing.net; Wired.com

Purdue Notifies 7,000 Students of SSN Theft 16 Months After Discovering the Breach

Purdue University informed 7,093 former students on Monday that their Social Security numbers may have been stolen from servers at the University on April 5, 2010.  The notification comes 16 months after the discovery of the breach.

According to the (Indiana) Journal & Courier, the server contained 6.6 million nine-digit numbers in the accessed files.  After spending six months analyzing those numbers, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers.  An additional four months was spent reanalyzing the numbers and performing forensic analysis.  Based on those efforts, the University had matched 7,093 of those number combinations to Social Security numbers of former students. 

The breach was discovered only three days after it occurred, approximately April 8, 2010.  Fourteen months after discovery of the breach, Purdue notified the Office of the Indiana Attorney General.  Now, approximately two months later, the affected former students were notified.

Purdue did not offer any sort of credit monitoring and, instead, recommended that those affected be vigilant and keep an eye on their credit activity.

The announcement by Purdue comes on the heels of an announcement by The University of Wisconsin-Milwaukee on August 10th that 75,000 of its students had been exposed in a hacking incident in May 2011, as reported earlier here.

While the delay of three months may have seemed excessive last week, at least UWM beat Purdue's delay by almost 14 months.

 

PSA: LinkedIn Assumes You "Opt-In" to Social Media Advertising

Boing Boing has an excellent how-to located here on how to opt out of being included in LinkedIn's social media advertising.  Briefly, LinkedIn assumes that you consent to LinkedIn's use of your image in the advertising of its sponsors' products.  If you recommend your CPA firm, and your CPA firm purchases advertising on LinkedIn, your photo may appear in that advertising.

This approach may be fine in certain cases. However, besides just the general creepiness of it, employers should be aware that it creates a potential association between your company (not just the individual) and that third party. I can imagine a scenario where a company is suing its former CPA firm and an advertisement appears with the Controller's image in a LinkedIn advertisement for the same CPA firm.

If your company's social media policy allows employees to participate in LinkedIn and other social media sites, consider whether the policy needs an update to require opting-out of this social media advertising.

HACKED: 75,000 Social Security Numbers at Risk at University of Wisconsin

The University of Wisconsin-Milwaukee (“UWM”) announced on Wednesday that a malware-infected university server was discovered on May 25th that allowed hackers, apparently seeking research data, to access several types of scanned documents. Included in the potentially accessed documents were student applications from past and present students, which contained Social Security numbers.

At this time, UWM has not been able to confirm that any of the documents were actually taken by the hackers. UWM reports that “[t]he university learned of the installation of malware on May 25, and immediately shut down the system and began to investigate. During the course of the investigation, on June 30, 2011, we discovered that the database containing social security numbers was included in the compromised system.”

UWM wants to assure students that although names and Social Security numbers were possibly taken, the potentially accessed documents did not contain any financial data or academic information such as student grades. At least students don’t have to worry about having embarrassing grades posted.

The announcement asks “[s]houldn’t the university be offering free credit monitoring?” After all, free credit monitoring is expected these days, although certainly not required. The response? “We have no evidence that anyone’s personal information was retrieved or that any information was misused. However, it is recommended that everyone should monitor their financial information by:

  • Reviewing bank and credit card statements regularly, and looking for unusual or suspicious activities.
  • Contacting appropriate financial institutions immediately upon noticing any irregularity in a credit report or account.
  • Request a free credit report and carefully inspect your own credit scores.

That is one approach, I suppose.  It is certainly different.

While the details of the investigation by this public institution remain under wraps, it does raise interesting questions. To be clear, there may be excellent bases for not making the disclosure earlier. However, we have seen more and more experts commenting on how huge delays in public announcements are justified. Sure, delays in notification can sometimes be justified where only an intrusion is known and it is unclear whether personal information is accessible through that intrusion.

We have come to the point where using the “ongoing internal investigation” excuse is habitually abused. In this case, based on facts known, it took 35 days for a “national computer security consultant” to determine the source and extent of the breach. In other words, it took experts 35 days to conclude that if a certain port on a server was exposed, then access to a certain, non-encrypted database was possible. I asked our network guys about this, and they said it should take about 30 minutes to determine what was exposed if a port was left open.

After confirmation of the possibility that the sensitive documents could have been accessed, it took another 41 days to make a public announcement.

Okay, so maybe law enforcement delayed the notification. Certainly possible. These comments are not meant to be an indictment of UWM specifically, but of the new approach to data breach notification that is occurring more often than not.

In the cases where notification is grossly delayed, it is more often that company executives and their counsel decide that if the breach was announced, and it was later determined that access to the potentially accessed documents did not occur, then the “bad press” would be worse than delaying notification for 77 days.  Stated another way, they don't want to unnecessarily worry potentially affected persons.

Again, we do not know all the facts. In all likelihood the sensitive documents were not accessed.  However, more and more we all are seeing HUGE delays in notifying those affected. If I received a breach notification 77 days after discovery I would be mad as hell. That is 77 days when identity theft could have occurred and I was not being vigilant because I was unaware of a breach. This is the exploding Pinto approach to data breaches.

UCLA Health System Hospitals To Pay $865,000 For Privacy Breaches

From 2005 through 2009, UCLA Health System Hospitals ("UCLA") received complaints that its employees had viewed celebrities' medical records without authorization.  After an investigation, federal health regulators determined that UCLA employees reviewed patients' electronic medical records "repeatedly and without a permissible reason."  Federal health regulators found that UCLA failed to remedy the problem and discipline or retrain its staff.  Ultimately, UCLA entered into a settlement agreement with federal health regulators.  Under the settlement agreement, UCLA must pay a fine of $865,000.  The settlement agreement further requires UCLA to: (1) submit a plan to federal regulators outlining how it plans to prevent future privacy breaches; (2) retrain its staff about privacy protections; (3) institute privacy policies; (4) appoint a representative to oversee its privacy improvements; and (5) report to federal regulators for the next three years. 

Citibank Data Breach: Even the Banks Can't Get It Right

The breaches about which we normally hear have to do with retailers and service providers.  Those businesses are the ones that do not appreciate the importance of protecting data, feel they could use the money necessary to create good security in better ways and are the easy targets for hackers.  Thankfully, what we generally do not hear about are data breaches at large financial institutions.  

Citigroup announced yesterday that its servers were hacked into in early May and the names, addresses, account numbers and other account information of 200,000 credit card customers were stolen.  Citigroup further reported that social security numbers, CVV security codes and dates of birth were NOT stolen.  This data breach affects approximately 1% of all of Citigroup's customers.

There is no information about how the hackers were able to access Citigroup's servers.  It is unclear whether information on this security breakdown will ever be released, but the occurrence is a stark contrast to the normal data loss involving systems that are not as well-protected as financial company systems.  Generally speaking, retailers are easy targets, financial institutions are not.

The current delay in notifying affected individuals may be the result of Citigroup's cooperation with law enforcement, considering that Citigroup is otherwise required to notify those affected individuals almost immediately.  Some are speculating that the delay may (finally) result in federal legislation detailing data breach response guidelines.  You know, because the massive prior data breaches were not enough to make federal legislation a priority.

In any event, if you are a Citigroup customer you should keep your eyes out for an email notifying you of the breach.  That being said, it would not be surprising to see a phishing effort undertaken to have unsuspecting Citigroup customers, whether or not actually affected by the breach, click on links in email in order to steal usernames and passwords.  In other words, if you do receive a notice from Citigroup about the breach, make sure that the email really is from Citigroup by confirming the links take you to a genuine Citigroup web site, or by navigating to the Citigroup web site manually and looking for information on the data breach.
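"Confirming the links take you to a genuine web site" is harder than it sounds, because phishing links are built to look genuine at a glance. The block below is an added example, not Citigroup's code or anything from the original post: it pulls the links out of a constructed notification email and applies the checks a practitioner would make before clicking. The trusted-domain list, the sample email and the URLs in it are assumptions for the illustration; the three suspicious links show the usual tricks (a trusted name buried in a longer hostname, a `user@host` URL whose real destination is after the `@`, and a lookalike domain).

```python
"""Classify links in a breach-notification email against the claimed sender (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for the illustration; a real check would use the sender's published domains.
TRUSTED_DOMAINS = ("citi.com", "citibank.com")

# Constructed sample email body: one genuine link and three phishing patterns.
SAMPLE_EMAIL = """
<p>We are writing about a recent security incident.</p>
<a href="https://www.citi.com/security-notice">Read the notice</a>
<a href="https://www.citibank.com.account-verify.example/login">www.citibank.com</a>
<a href="https://citibank.com@203.0.113.5/reset">https://citibank.com/reset</a>
<a href="http://citi-secure-login.example/confirm">Confirm your account</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host IS a trusted domain or a subdomain of one.

    The suffix test matters: "citibank.com.evil.example" starts with a trusted
    name but does not end with ".citibank.com", so it is rejected.
    """
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return "ok" or a short reason the link should not be clicked."""
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return "suspicious: non-web scheme"
    # "https://citibank.com@203.0.113.5/" really goes to 203.0.113.5.
    if parts.username is not None:
        return "suspicious: credentials before the host hide the real destination"
    # Anchor text that looks like a URL must agree with where the link really goes.
    if text.lower().startswith(("http://", "https://", "www.")):
        shown = urlsplit(text if "://" in text else "https://" + text).hostname
        if shown != parts.hostname:
            return "suspicious: displayed URL differs from destination"
    if not host_is_trusted(parts.hostname, trusted):
        return "suspicious: host %s is not a trusted domain" % parts.hostname
    if parts.scheme != "https":
        return "suspicious: plain http"
    return "ok"


def check_email(html, trusted=TRUSTED_DOMAINS):
    """Classify every link in the email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, classify_link(href, text, trusted)) for href, text in collector.links]


if __name__ == "__main__":
    for href, verdict in check_email(SAMPLE_EMAIL):
        print("%-60s %s" % (href, verdict))
```

The checks are deliberately ordered from the tricks that defeat a human reader (hidden userinfo, mismatched display text) to the plain domain test, so the verdict names the specific deception rather than just "untrusted host". None of this replaces the safer habit the post recommends: type the bank's address yourself and look for the notice there.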

Sony Hit By Data Breach Affecting 77 Million Gamers

Sony announced yesterday that its PlayStation Network and Qriocity services were compromised by an "unauthorized" person.  What was the haul?  According to Sony, the "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID" and the "profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers" of 77 million individuals.

That's right, 77 million people.  This is one of the largest Internet data losses in history.  We can assume that the data was not encrypted, otherwise we would hear little or nothing about the data loss (most states exempt encrypted data from disclosure requirements), or else Sony would be screaming "Don't fret too much, the data was encrypted and we did not lose the decryption key."  Sony is not making either claim at this time.

Well, data breaches happen, you may be thinking.  We have seen companies with best practices still suffer at the hands of hackers or rogue employees.  Sony is taking the most heat not from the data loss, but from the timing of the disclosure to those affected.  The disclosure of the data breach to customers directly was on April 26th.  The data breach apparently occurred between April 17 and April 19.  It has been reported that Sony discovered the breach on April 20th.  There was a gap of six days between discovery and disclosure.  Six days may be an eternity when you are a gamer and your network is down (there are likely millions of teenagers with fresh sunburns), but how long is six days in the data breach world?

Six days between discovery and disclosure may be acceptable, especially to the extent that Sony was working with law enforcement and was requested/told not to make a public announcement.  To clarify the preceding sentence, six days may not be too long when working with law enforcement as long as Sony was truly working with law enforcement and the delay had a genuine purpose.  However, Sony did not explain that law enforcement cooperation was the reason for the delay.  It is not likely that Sony ran afoul of any state statute timing requirements, which have quite a bit of leeway built in. 

If you or your children are on one of these services, you need to pay particular attention to this story as it develops.  You (the keyword being "you") need to monitor your bank accounts and credit cards - frankly, any account that a third party could get into knowing your security question or your password on this service (remember, if you use the same password for your email account AND this service, somebody may have both of those right now).  For now, Sony has not offered any type of monitoring service, so your financial/credit monitoring is currently your responsibility.

Hopefully Sony will continue to come out with more information, or we will learn that the data is in "safe" hands (think Matthew Broderick in War Games - almost nothing went wrong in that movie).  In any event, your children that go to business school will enjoy reading the future case study on this one.

Doing the Math: Average Data Breach Cost Now Up to $214 Per Record

The cost per customer record in a data breach increased $10 over the 2009 average to $214 per customer record compromised in a data breach, which is $12 more than the 2008 average of $202 per customer record. The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, released its sixth Annual Study: U.S. Cost of Data Breach (Available Here - PDF link), declaring that the average cost per compromised customer record rose to $214.  The report is sponsored by Symantec Corporation.  Excellent materials such as an infographic, summaries, blog entries, a podcast and slide presentation can be found on Symantec's web site here.

Before getting into the numbers, you should note that Symantec is offering a Data Breach Risk Calculator.  The foregoing calculator is NOT for the faint of heart, so consider yourself warned.  That being said, the calculator is a powerful tool that considers several factors when estimating data breach costs to businesses.

The report is based on 51 reported data breaches in the United States (other country reports are also published) in 2010, ranging from 4,200 to approximately 105,000 records in 15 different industries. Of the breaches studied, organizations paid a low of $780,000 ($750,000 in 2009), and a high of $35.3 Million ($31 Million in 2009) in connection with the breach response. The average cost to an organization from a data breach increased from $6.65 Million in 2008, and $6.75 Million in 2009, to $7.2 Million in 2010 (Summary).

 

The cost breakdown for breach response among lost business, ex-post response, notification and detection & escalation is eye-opening and, if nothing else, should be motivational to businesses to address problems before they arise.

Response Cost Chart

Source: Ponemon Institute/Symantec Corporation

According to the report and infographic that was published, the source of the data breach was related to negligence in 41% of the cases. 31% of the data breaches were the result of intentional and malicious attacks, up seven percent from 2009.  Breaches due to third party mistakes dropped three percent to 39%.  Encryption as a post-breach remedy remained the most popular, up three percent to 61%.

As in prior years, those organizations that move quickly tend to experience a higher cost per record for the data response. Organizations that move quickly tend to do so in a disorganized manner with little efficiency (e.g., they do not have a breach response plan in place), and spend on average $268 per record, up significantly from the 2009 average of $219 per record. Those organizations that took longer to respond paid $174 per record on average.

The news regarding data breach costs and impacts continues to worsen and shows no sign of improving or slowing.

Online Privacy in the Open - Who Cares About the Faux Fight?

Much ado has been made in recent weeks about the FTC’s Do Not Track proposal, the push from Congress to protect consumers, and the response from Google, Microsoft and Mozilla, as well as the online ad industry, about the risks and rewards of self-regulation. But what has seemed to be missing from the debate is the public’s own outcry. Amidst the churning discussions there has not been a sense that the general online population is overly concerned about whether an advertiser can track their preferences... at least until the information they share leads to a distinct invasion of privacy with repercussions.

All in all, this debate remains self-contained, and raises more questions than it answers.

From the political front, the Congressional proposals present an issue that is easy to support. Who is “against” privacy? Perhaps the same people who want to bring down apple pie and stop the Veterans Day parade...

Technology executives and startups are being buffeted about by concern over impending government regulation, the push to agree on a self-implemented system, and the prospect of monetizing so-called "privacy assets" for those opting to share more. But how much of the genie is already out of the bottle? Is it possible to truly claw back or sanitize people’s data that is already out there?

There is certainly cause for public concern, though it seems that concern does not surface until an actual incident occurs. If a website, social forum or third party advertiser holding your personal information is hacked or breached, the potential invasion of privacy on personal preferences could be huge. Finances, sexual preference, and many items that could lead to identity theft are all put at risk. Yet we continue to "like" and "share" and post pictures because living online has become an extension of daily life.

Is this public acceptance? Maybe we won’t know until there is a problem that draws attention on a national scale. The public has control over their own activity online, and the amount of information they wish to share.

If the public is truly concerned about online privacy, it is a matter of self-regulation on a personal level. In the meantime, the government and the industry will continue to swirl in a cycle that perhaps will only end with a set of regulations and authorizations that create more unenforceable layers than there were before. Data thieves will always find ways to game the system, there will always be a risk when sharing personal information online, and advertising will not stop being the fuel that runs much of the internet.

Health Data for 1.7 Million NYC Hospital Patients, Staff and Others At Risk

On February 10, 2011, the New York City public hospital system filed a lawsuit against its records management contractor over allegations that the contractor permitted the theft of unencrypted data tapes storing health information and other personal data on some 1.7 million patients and staff. The New York City hospital system disclosed the breach, which occurred on December 23, 2010, for the first time in a February 11, 2011, statement. The complaint alleges that six data tapes, storing HIPAA protected information and other personal data for approximately 1.7 million patients at three facilities, as well as for employees, vendors, contractors and other service providers, were stolen from a van left unlocked in Manhattan by the hospital system's records management contractor. In a statement, the hospital system said that, while the stolen tapes have not been found, no fraud has been reported and the tapes are protected by a proprietary system that makes the data difficult to access.

Supreme Court Tells AT&T It Has No Right to Privacy

The Supreme Court of the United States has ruled in Federal Communications Commission, et al. v. AT&T Inc., et al. (slip opinion - PDF link) that business entities have no personal privacy rights under the Freedom of Information Act (FOIA) (PDF link).  The ruling was unanimous and arose from a Third Circuit decision.

There are several exemptions built into the FOIA, whereby federal agencies do not have to make certain information available when requested.  Exemption 7(C) pertains to law enforcement records that, if disclosed, “could reasonably be expected to constitute an unwarranted invasion of personal privacy.” 5 U. S. C. §552(b)(7)(C).  The issue addressed was whether corporations have "personal privacy" for purposes of exemption 7(C).

AT&T was investigated by the Federal Communications Commission in connection with AT&T's participation in the FCC's E-Rate (Education-Rate) program for schools and libraries.  As a result, AT&T disclosed to the FCC that it may have overcharged the Government for its services in connection with the E-Rate program.  During the resulting investigation, AT&T disclosed various information to the Government, including billing information, name and job descriptions of employees involved and AT&T's conclusion regarding wrongdoing by its own employees.  The matter was resolved in December 2004 and AT&T paid $500,000 and instituted a plan to ensure the incorrect billing did not occur again.

CompTel, "a trade association representing some of AT&T's competitors," submitted a FOIA request in connection with the E-Rate program investigation.  The FCC's Enforcement Bureau did withhold some competitive information, as well as names and other personal information related to AT&T's employees.  However, the Enforcement Bureau did not apply exemption 7(C) to AT&T itself because "businesses do not possess 'personal privacy' interests as required by the exemption."

AT&T took the position that the root term “person” in the phrase "personal privacy" refers to "persons" as defined under the Administrative Procedure Act. The definition of "person" under the Administrative Procedure Act includes several types of business entities, specifically, corporations.  The FCC concluded that AT&T's position that it is “a ‘private corporate citizen’ with personal privacy rights that should be protected from disclosure that would ‘embarrass’ it . . . within the meaning of Exemption 7(C)” was “. . . at odds with established [FCC] and judicial precedent,” and concluded that “Exemption 7(C) has no applicability to corporations such as [AT&T].”

The Court of Appeals for the Third Circuit agreed with AT&T; the FCC then petitioned the United States Supreme Court for review, and the Third Circuit's holding was overturned.

Chief Justice Roberts delivers a thoughtful analysis of why the terms "person" and "personal" should not be read to give business entities "personal privacy rights," which you can read in detail in the opinion (PDF link).  In a final wink, nudge and affirmation of his reasoning, Chief Justice Roberts concludes the analysis by stating that "[w]e trust that AT&T will not take it personally."