Headlines alleging that three telecom companies voluntarily turned customer call records over to the National Security Agency cast a spotlight on an issue facing growing numbers of corporate counsel: What do you do when the government asks for customer or employee information?
How the phone companies answered that question remains in dispute, with two of the three denying specifics of the story published in USA Today and all three asserting they acted within the law. But there is no question the government is compiling massive databases in its attempt to thwart terrorists--and, in the process, seeking data from companies ranging from airlines to ISPs.
After the September 11 attacks, Congress expanded the government's powers to compel production of information in its anti-terrorism investigations. But the telecom companies allegedly turned over records voluntarily, based on informal requests.
Such requests put corporate counsel in a tight spot: Say yes, and your customers may file suit asserting their privacy has been violated. Say no, and your company may stand accused of impeding the war on terrorism.
"Companies can be between a rock and a hard place," says Tom Smedinghoff, partner in Wildman Harrold. "They don't want to facilitate the next terrorist attack, but they need to consider their obligations to the people they got data from."
Just Say No
Several attorneys who advise clients on dealing with government demands for information agreed that an informal request for customer or employee data should be rebuffed.
"Almost inevitably, whether it is the FBI or some other agency, they will seek the easiest way to get the information, so they just ask for it," says Michael Levy, partner at McKee Nelson in Washington, D.C. "But you need to make them go through the formal steps to protect yourself and your customers. We have those procedures in place for a reason, to make sure the government interest is balanced against the individual interest in maintaining privacy."
The corporation's interest is also at stake. Failure to require the government to obtain authorization in the form of a subpoena, civil investigative demand (CID) or National Security Letter (NSL), can generate crippling class action suits and bad publicity.
"There is very little upside to informally turning over information to the government," says Philip Kircher, member of Cozen O'Connor in Philadelphia. "No good can come of it and a lot of bad can come in the form of class action lawsuits."
That certainly has been the case for the telecom companies. Immediately after publication of the USA Today story, plaintiffs' attorneys rushed into federal courts around the country, seeking massive damages from Verizon, AT&T and Bell South for alleged violations of privacy rights guaranteed by the Telecommunications Act, The Electronic Communications Privacy Act (ECPA) and the U.S. Constitution. One suit filed in U.S. District Court in Manhattan seeks $200 billion in damages. Suits also were filed in California state courts, citing violations of privacy provisions of the state constitution and the California Public Utilities Code.Industry Variations
While attorneys advise against voluntary disclosure of customer data by any company, some industries are more vulnerable to litigation than others because, like telecommunications, they are governed by specific privacy laws. Health information is protected under the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) and financial information under Gramm-Leach-Bliley Act and the Financial Privacy Act.
Specific privacy laws, though, don't govern all industries. Northwest Airlines faced seven class action suits for voluntarily transferring passenger records to the government for a secret air security project. In June 2004 a federal judge in Minnesota denied the plaintiffs' claim that Northwest was covered by the ECPA because the information it turned over was stored on its Web site. "Defining electronic communications service providers to include online merchants or service providers like Northwest stretches the ECPA too far," the judge said.
In July 2005 a federal judge in New York dismissed on similar grounds several cases against JetBlue, which gave passenger records to a data-mining company at the request of the Transportation Security Administration. The court also rejected claims for damages because the plaintiffs failed to establish that personal information collected for airline reservations had any compensable value.
Some experts believe the telecom cases may never see the inside of a courthouse. There's a possibility the government will invoke its "state secrets" privilege, as it did recently in New York and Michigan where the government asked federal judges to dismiss a pair of lawsuits filed over the NSA's domestic eavesdropping program. Justice Department lawyers said defending the suits would reveal classified information that could be of value to terrorists--an argument that presumably could be extended to the data mining project as well.
But even if there is a good chance of winning a lawsuit, there are other considerations that should discourage voluntary data disclosure, says Philip Gordon, head of the privacy practice at Littler Mendelson.
"Having to defend such a lawsuit is costly and generates bad press," he says. "In addition, the risk of liability increases as standards in this area evolve."
He advises that privacy policies include the right to disclose information "if a law enforcement agency asks for it, if you get a subpoena or if you feel you need to protect yourselves or your customers from an imminent threat. "Smedinghoff recommends developing a crisis plan to deal with possible PR fallout. "The phone companies are getting beat up in the press," he says. "If they had done some planning, they may have had something ready to go" when the release of customer data hit the news.
Finally, explain to senior management that it is not unpatriotic to require the government to obtain authorization for a data transfer. While companies don't want to be portrayed as an impediment to catching terrorists, they should understand that the government can obtain the information simply by going through the process. "It is necessary in this time to be vigilant and patriotic," says James Holmes, partner in Sedgwick, Dert, Moran and Arnold in Los Angeles, "but there is a mechanism for the government to obtain authorization for the customer information they need."