Communique-March 2012

March 2012 ARTICLES

© These articles were originally published in the official journal of the Clark County Bar Association, COMMUNIQUÉ (March 2012, Vol. 33, No. 3). All rights reserved. To request permissions to reprint, call (702) 387-6011.

Discovering & Protecting Personally Identifying Information: The Basics

The 20-Year Itch:  FTC Creation and Enforcement of National Privacy Policy

Regular features in the printed edition:

COLUMNS
A Message From the Clark County Bar President
From the Chief Judge by Eighth Judicial District
Supreme Court Summaries
A View from the Bench by Las Vegas Justice Court
Ask Mr. Lawyer by Sal Gugino
Eat. Drink. Man. Woman. by John Curtas

DEPARTMENTS
Court Information
News & Notes
Member Watch
CLE Seminar Calendar

Discovering & Protecting Personally Identifying Information: The Basics

By Michael P. Lowry

With the increasing digitization of the world’s information, it is becoming easier and easier for personally identifying information to be inadvertently disclosed. State courts are also implementing digitization programs, such as e-filing, to manage increasing caseloads and store documentation. Anyone with a Wiznet or PACER password can search these public documents for the information they contain, creating potential problems for counsel who file documentation containing personally identifying information. How may attorneys obtain the personally identifying information needed while protecting it, and themselves, from the risk of disclosure?

Nevada’s definition of personally identifying information
NRS 239B.030(4) provides discretionary authority for governmental agencies, including courts, to require a person who “records, files or otherwise submits any document to the governmental agency to provide an affirmation that the document does not contain personal information about any person or, if the document contains any such personal information, identification of the specific law, public program or grant that requires the inclusion of the personal information.” Personal information covered by this affirmation includes:

[A] natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  1. Social security number.
  2. Driver’s license number or identification card number.
  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
    The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
    NRS 603A.040.

It is unclear what the consequences of a breach of the above might be, but an example of the importance of protecting personally identifying information is the 2011 Nevada Legislature’s enactment of SB 282. The bill appears primarily targeted at various forms of advertising. A violation is not only a misdemeanor offense, but also creates a private cause of action for the person whose social security number was “willfully and intentionally” disclosed. In pursuing a private cause of action, “[t]he court may award actual damages, reasonable attorney’s fees and costs to the person whose social security number has been willfully and intentionally posted or displayed in violation of this section.” Although not directly applicable to an attorney, it is not beyond imagination that inadvertently disclosing a social security number of an adverse party could complicate the litigation.

Federal courts have implemented a requirement similar to NRS 239B.030(4). FRCP 5.2(a) provides specific privacy protections for such information:

Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social‑security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial‑account number, a party or nonparty making the filing may include only:

  1. the last four digits of the social‑security number and taxpayer‑identification number;
  2. the year of the individual’s birth;
  3. the minor’s initials; and
  4. the last four digits of the financial‑account number.

FRCP 5.2(b) provides certain exemptions and FRCP 5.2(h) provides a waiver for when the person seeking the protections of the rule has already filed such information without redaction. Again, however, the impact of a breach is not stated.

Producing and using documents containing personal information
Attorneys routinely handle personal information of this nature and must utilize it as part of their practice. In civil practice this occurs most frequently in discovery and motion practice.

How do I obtain this information from an adverse party?
Personally identifying information is routinely important in many cases. Understandably, however, some parties and their counsel are reluctant to provide it. When can personally identifying information be obtained in litigation?

The test in discovery is whether the information is relevant. Federal courts confronted with discovery motions have refused to permit the discovery of social security numbers based upon the motion before them, but the courts have not categorically ruled out the possibility that the social security numbers could be discovered if the need can be justified and other avenues to obtain the information sought through the use of social security numbers have failed.

In McDougal‑Wilson v. Goodyear Tire & Rubber Co., the court determined that a request for social security numbers from potential witnesses was not a request for relevant information because the witnesses could be located through other means. 232 F.R.D. 246, 252 (E.D.N.C. 2005). The Court reasoned that “Goodyear legitimately redacted social security numbers from documents it produced out of concern for its employees’ and former employees’ privacy.” Because plaintiff received last known contact information (e.g., last known address and phone number), the production of social security numbers was not compelled.

In another case, a court again concluded that a request for certain personally identifying information sought information not relevant to the case. Scaife v. Boenne arose from a section 1983 claim wherein the plaintiff sought the defendant officers’ “social security numbers, their current home addresses, their residences for the past ten years, and information about any children the defendants may have.” 191 F.R.D. 590, 592 (N.D. Ind. 2000). Examining the requests in the context of the complaint, the court concluded that “[t]here is no relevancy in the defendants’ addresses, social security numbers, and facts about the defendants’ children to the allegations raised in plaintiff’s complaint. Nor is there any basis on which to conclude that the sought after information would lead to the discovery of admissible evidence.” Id. at 592–93. A court in Chavez v. DaimlerChrysler Corp. reached a similar conclusion in the context of a disparate treatment employment claim. 206 F.R.D. 615, 622 (S.D. Ind. 2002).

Courts are also protective of employee personnel files that contain similar information. The subjects of such files are often non‑parties to the litigation. Those files commonly contain addresses, phone numbers, income information, medical histories, employment discipline, criminal records, and other sensitive, personal information having little or no relevancy to the issues in litigation. To permit wide dissemination of personnel files would result in a clearly defined, serious, and unnecessary injury to the privacy of the employee who is not a party to the lawsuit. Revelation of such information could cause economic or emotional harm. The files could also contain embarrassing material and they commonly contain confidential material. Raddatz v. Standard Register Co., 177 F.R.D. 446, 447 (D. Minn. 1997) (citing an unpublished decision); see also, Whittingham v. Amherst College, 164 F.R.D. 124, 127 (D. Mass. 1995) (“[P]ersonnel files contain perhaps the most private information about an employee within the possession of an employer.”). The court in Raddatz even stated that unhindered production of these materials should not be permitted under a confidentiality order as “the very act of disclosing an employee’s sensitive and personal data is a highly, and frequently, an unnecessarily intrusive act—whether or not that disclosure is governed by the terms of a Confidentiality Order.” 177 F.R.D. at 447–48.

Federal courts appear hesitant to force the disclosure of “personal information,” at least as defined in Nevada, absent relevancy or necessity. Even when relevant and necessary, production of this information may be highly restricted. If your client is producing documentation containing such information, redaction and privilege logs are likely necessary.

How do I use this information?
If relevant and obtained, how do you use this information? Carefully. As noted, it is unclear what the consequences of a breach of either NRS 239B.030(4) or FRCP 5.2(a) might be. The rules must factor, however, into both discovery responses and many routine deposition questions. They should also be taken into account in what might be considered innocuous tasks such as submitting medical records in support of a petition to compromise a minor’s claim as required by NRS 41.200(3). Taking steps to protect identifying information as required by statute and rule is not only respectful of the nature of the information and the adverse party’s privacy interests, but may also be a prudent step for the attorney to protect himself from the risks of disclosure.

Handling and protecting personally identifying information is an integral part of the work performed by many attorneys. It may be the make-or-break information for your client’s litigation. As emphasized by the Nevada Legislature and federal court system, handling that information appropriately is becoming increasingly important.

Michael P. Lowry is a civil litigation associate at the Las Vegas office of Thorndal Armstrong Delk Balkenbush & Eisinger.


The 20-Year Itch: FTC Creation and Enforcement of National Privacy Policy

By Christopher Mathews and Ryan Andersen

What do we mean when we talk about “privacy?” In the common use of the term, we mean the ability to keep away from others information about ourselves and the things we do. The notion that people should be free from governmental intrusion into our private lives is enshrined in the Fourth Amendment and, over the years, has been elaborated on by the United States Supreme Court and expanded by acts of Congress.

The right to keep information away from the government is important, but it is not the only form of privacy. Every transaction generates data about our behavior, preferences, and status that may be very valuable in a commercial context. Surrendering control over such information arguably is the price we pay for a modern economy. But not everyone is comfortable with this notion. Some would argue, as one member of the Federal Trade Commission recently put it, that

exacting such a toll is just bad business: no market can function if consumers feel unsafe participating in it—if they believe they have no decisions about how their information is used, or their decisions about what information to share and what to keep private are not respected.

Julie Brill, Commissioner, Fed. Trade Comm’n, Prepared Remarks to the National Cyber Security Alliance (Jan. 26, 2012).

The lack of a comprehensive national privacy policy
Information about individual behavior may be of great value to merchants and others seeking to tailor their products and services to certain demographic groups or even, now, to the individual level. Arguably, this benefits both the merchant and the consumer, allowing merchants to focus on people most likely to want their products and helping consumers avoid being subjected to ads for things they don’t want. But such information may be used in other ways not to the consumer’s liking. Before his Senate confirmation vote, for example, the video rental history of United States Supreme Court nominee Robert Bork was published by a Washington, D.C. publication in an apparent effort to embarrass him. Adam Clark Estes, Why Robert Bork (Indirectly) Kept Netflix Off Facebook, The Atlantic Wire (July 26, 2011). The Bork incident prompted Congress in 1988 to pass the Videotape Privacy Protection Act (18 U.S.C. § 2710), imposing civil liability for the unauthorized disclosure of certain video rental data.

In similar fashion, key support for the privacy protections in the Gramm-Leach-Bliley Act (Pub. L. No. 106-102, 113 Stat. 1338) came from Congressman Joe Barton, who said his credit union sold his name and address (along with the information of other customers of the credit union) to the Victoria’s Secret catalog company—something he thought might cause conflict with his wife, who would wonder what interest he had in such products and for whom he was buying them. Chris Jay Hoofnagle and Emily Honig, Victoria’s Secret and Financial Privacy, Electronic Privacy Information Center (Jan. 25, 2005). The development of privacy law in the United States has been propelled in part by reaction to such anecdotal incidents.

Efforts to enact broader privacy protections, however, have met with limited success. Regulations like the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule (45 CFR §§ 160.101–.552; 45 CFR §§ 164.102–.106; 45 CFR §§ 164.500-.534) have been enacted for specific industry segments, and many states have taken steps to protect certain forms of data from unauthorized disclosure. Nevada, for example, requires safeguarding of certain forms of personal information, including credit card and bank account data. NRS 603A.010–920. But attempts to establish a comprehensive framework for privacy protections have repeatedly died in Congress. The latest such attempt, the Commercial Privacy Bill of Rights Act of 2011 (S. 799, 112th Congress), would have established broadly-applicable rules on the handling of sensitive data and opt-in policies to protect consumers. The bill went to committee last year and never emerged.

The Federal Trade Commission fills the void
Faced with Congress’s inability to craft a comprehensive policy, the Federal Trade Commission has stepped in to address privacy concerns. In 2006, the commission filed suit against ChoicePoint, Inc., a national data collection bureau that provides individuals’ credit and other information to its subscribers. United States v. ChoicePoint, Inc., No. 1:06-vc-00198 (N.D. Ga. 2006). The commission alleged that between 2001 and 2005, ChoicePoint repeatedly disclosed data “to persons who did not have a lawful purpose to obtain the information.” About 163,000 individuals’ records were compromised, the commission claimed, because ChoicePoint did not implement “reasonable procedures to verify or authenticate the identities and qualifications” of its subscribers. ChoicePoint’s failure to put such procedures in place led to over 800 cases of identity theft, according to the commission. The commission claimed ChoicePoint engaged in unfair trade practices in violation of Section 5(a) of the Federal Trade Commission Act (15 U.S.C. § 45(a))(“the Act”), because ChoicePoint’s published privacy policies falsely assured consumers and others the company had reasonable and adequate safeguards to protect consumer information.

ChoicePoint ultimately agreed to pay a $10 million civil fine and to deposit an additional $5 million in a victims’ compensation fund administered by the commission. Consent Order, United States v. ChoicePoint, Inc., No. 1:06-vc-00198 (N.D. Ga. 2006). It was the largest civil penalty ever imposed by the commission.

Included in the ChoicePoint settlement was a requirement largely overshadowed by the gaudy monetary penalty: that the company adopt data security procedures and programs spelled out in the settlement and submit to independent audits of its compliance every two years for the next 20 years. Whether intended at the time or not, this provision soon became a standard part of Commission actions in privacy cases.

In 2008, the Federal Trade Commission brought a complaint against TJX, the parent company of T.J. Maxx, Marshalls, and other retail stores. In the Matter of The TJX Companies, Inc., FTC File No. 072-3055. According to the commission, TJX failed to use “reasonable and appropriate security measures”—such as encryption, strong password protection, firewalls, and antivirus software—to protect consumer credit card and checking account data. According to the commission, this allowed hackers to access TJX’s computers and compromise over 450,000 consumer records, leading to tens of millions of dollars in fraudulent transactions.

Significantly, the commission did not allege that TJX made any false claims about its privacy policies. Instead, the commission argued that TJX’s lax security procedures caused and were likely to cause “substantial injury to consumers … not offset by countervailing benefits to consumers or competition,” which consumers could not reasonably avoid. This, the commission alleged, was itself an unfair trade practice under section 5(a) of the Act. The subsequent settlement again included a 20-year requirement for biennial outside audits of the company’s security procedures.

In 2011, the Federal Trade Commission alleged that the social media giant Facebook retained and shared user data the company had falsely claimed would be kept private or would be deleted. In the Matter of Facebook, Inc., FTC File No. 092-3184. The commission also brought a complaint against Google, claiming that company’s “Buzz” social media product made information designated as private by Google users accessible to others by default. In the Matter of Google Inc., FTC File No. 102-3136. These were not inadvertent disclosures, as with TJX, or disclosures to persons who misrepresented who they were, as with ChoicePoint. According to the commission, Facebook and Google knowingly shared information in ways the companies told their users they would not. In so doing, the commission alleged, Facebook and Google too were engaging in unfair trade practices under the Act.

Both companies denied the commission’s claims, but settled with the commission late last year. Facebook and Google agreed not to misrepresent how they collect, use, or share information collected “from or about” their users, including, but not limited to, the individual’s name; their physical, email, and IP addresses; home and mobile phone numbers; contact lists; and physical locations. Both companies must not only safeguard the data they currently collect, they must also create “comprehensive privacy program[s]” to manage risks related to the development of new products. The programs must be in writing and will be subject to outside audits. The auditors and the audits must be approved by the commission in its “sole discretion.” The audits will commence this year and continue every two years until 2032. Although the commission did not impose fines on either company, the costs of the audits will likely be substantial and will only grow as the decades pass and as social networking becomes an increasingly large part of more and more people’s daily lives.

The FTC’s future role in privacy policy
The Federal Trade Commission considers itself “a major contributor” to the development of privacy policy. Julie Brill, Commissioner, Fed. Trade Comm’n, Prepared Remarks to the National Cyber Security Alliance (Jan. 26, 2012). In litigation from ChoicePoint to Facebook, the commission has shown it will act aggressively to protect consumer privacy against what it deems to be lax practices or outright deception.

The commission has offered three principles it believes should guide businesses in protecting privacy. Id.; see also Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers (2010). The first is “privacy by design.” Businesses should build privacy and security protections into new products, examining the information they collect about consumers and determining whether they really need to collect it. Businesses should also determine how long they are retaining data and how long they really need to keep it. The second principle is “simpler choice”—the creation and implementation of mechanisms to allow consumers to select what data they share, and to ensure their choices are honored. The final principle is “greater transparency”—allowing individuals to see what information about them the businesses possess and to correct it as necessary. Unless and until Congress creates a comprehensive privacy regime, these principles are likely to shape the Federal Trade Commission’s enforcement actions, and, thereby, the level of privacy individuals may expect when sharing information with business, for the foreseeable future.

Christopher Mathews is a shareholder at Lionel Sawyer & Collins and a member of that firm’s litigation department. A 1988 graduate of the Georgetown University Law Center, he was a prosecutor and an appellate judge in the U.S. Air Force prior to his retirement from the service in 2007.

Ryan Andersen is an associate at Lionel Sawyer & Collins and a member of that firm’s litigation department. A 2010 graduate of the University of Iowa, he was a law clerk to the Honorable Bruce A. Markell, District of Nevada Bankruptcy Judge, prior to joining the firm.

 

© 2013 Clark County Bar Association
