Legal Report June 2005
U.S. JUDICIAL DECISIONS
Identity theft. A Michigan appeals court has ruled that a union had a special duty to protect the personal information of a member. In the case, a third party committed identity theft against union members after stealing union rolls.
In late 1999, 13 employees of the City of Detroit were victims of identity theft. All of the employees worked as 911 operators and all were members of the same union. An investigation into the theft revealed that union rolls, containing members’ Social Security numbers and drivers’ licenses among other personal information, had been compromised.
Dentry Berry, whose mother was the union treasurer, was arrested in 2000 for stealing the employees’ information. At the time of her arrest, Berry was found with a list of the victims’ names, personal information, and the goods that were illegally purchased. Berry was convicted on criminal charges, but she denied taking the list from her mother.
The investigating officer in the case testified at Berry’s trial that the police could not establish how she obtained the names. However, it was common knowledge that the treasurer regularly took the rolls home, often having Berry pick them up for her.
The employees sued the union, claiming that it was negligent in protecting their personal information. A jury found in favor of the plaintiffs and awarded them a shared sum of $275,000. The union appealed, arguing that it had no special relationship to its members and no responsibility to protect them from the criminal acts of third parties.
The Michigan Court of Appeals found that such a special duty did exist and that the union failed to take steps to protect its members’ personal information. The court based its decision on two factors. First, the protection expected by union members was reasonable, and second, the crime was foreseeable.
The court found that the relationship between the union and its members was a fiduciary one. Members trusted the union with their personal and financial information, ruled the court, so the union had the duty to act for the benefit of the members. Part of this duty was to protect members’ private information.
The union argued that Berry’s actions were not foreseeable. The court rejected that argument, ruling that the union should have foreseen the possibility of harm if the records weren’t protected, rather than the possibility of the specific incident that occurred. Thus, the union should have anticipated the risk of identity theft.
The evidence in the case, ruled the court, showed that the union had no procedures or safeguards in place to protect against identity theft and no way to ensure that confidential information was not available to unauthorized individuals.
One dissenting judge wrote that premises liability standards should be applied to the case, meaning that a security standard must exist for the union to take steps to protect members from harm and that no standard existed to protect against identity theft. However, the majority noted that premises liability standards apply to the physical property of the union and not to information. Instead, general principles of negligence should be applied, they said.
The court made it clear that it was not attempting to set a broad precedent, however. Instead, it was only interpreting the facts in this case. In its written opinion of the case, the court noted that “We do not intend our holding to be construed as imposing a duty in every case where a third party obtained identifying information and subsequently uses that information to commit the crime of identity theft. Each case is unique, and the determination must be made only after considering the relevant factors, which have been delineated in case law, and the circumstances of a particular case.”
While this state-level case does not set a binding legal precedent for other states, the case is one of the first to address this issue and may provide guidance to other courts, according to attorney Frank Rudewicz, managing director of UHY Advisors. Rudewicz, the past chairman of ASIS Information Assets Protection Council, specializes in legal and investigative issues pertaining to information theft and protection of proprietary data.
Two factors indicate that this will be an important case, he says. One, the court found that a special relationship exists between the union and its members, meaning that the union has a duty to protect the confidential information of members. Two, the court ruled that the possibility of identity theft is commonplace and foreseeable; thus, the union should have known that removing confidential information from the office put it at risk.
This case appears to put caretakers of personal information, including corporations of all kinds, on notice that they could be responsible for the criminal acts of a third party if they know that information is vulnerable and do nothing to protect it, says Rudewicz. (Audrey Bell et al v. Michigan Council 25 of the American Federation of State, County, and Municipal Employees, Michigan Court of Appeals, No. 246684, 2005)
Medical testing. A federal appeals court has ruled that an employer violated the Americans with Disabilities Act (ADA) by basing a hiring decision on a medical test before the applicants had completed the rest of the hiring process. The court also allowed the applicants’ invasion of privacy claim to proceed to trial because the employer could not prove that its extensive blood testing procedure was standard in the industry.
Three people applied for flight attendant positions with American Airlines. Though all three applied at different times, their experiences were the same so the three lawsuits were combined into one.
In each case, American interviewed the applicants at its headquarters in Dallas and issued conditional offers of employment pending background screening and medical tests. Before ordering the background checks, American sent the applicants to its on-site medical facility to complete the medical examination.
The applicants were asked to sign a permission form indicating that they understood a urine sample would be tested for signs of alcohol and drug abuse. Applicants were also asked whether they had any of 56 listed medical conditions, one of which was “blood disorder or HIV/AIDS.” They were then required to provide a blood sample.
The medical officials did not request a permission form for the blood sample. When asked what the sample was tested for, the officials said “anemia.”
Each of the applicants had previously tested HIV positive and were on medications. They did not disclose this information.
The plaintiffs’ tests revealed an abnormality in the blood cells that could result from several conditions including HIV. After receiving the blood tests, American wrote to the applicants and asked them to explain the blood test results. The applicants each then disclosed their HIV status. American rescinded their job offers, citing a failure to disclose information during the medical examination.
The applicants filed a lawsuit against the airline, claiming that it violated the ADA by considering their medical information before the completion of the background checks. They also claimed that American violated their privacy rights by testing for HIV without notification or consent.
American requested summary judgment—a ruling based on the facts of a case without a trial. The U.S. District Court for the Northern District of California granted the summary judgment, ruling that the airline had not violated the ADA or the plaintiffs’ right to privacy.
The plaintiffs appealed the decision. The U.S. Court of Appeals for the Ninth Circuit reversed the summary judgment. The court found that American had violated the ADA and that plaintiffs could proceed to trial on their claims for violation of privacy.
The ADA prohibits medical examinations and inquiries until after the employer has made a real job offer to the applicant. The ADA allows medical examinations to determine whether an applicant can perform certain jobs safely and effectively. The only stipulation is that such examinations be conducted as a separate, second step of the hiring process after all other job prerequisites have been met. Based on ADA rules, the court determined that American had violated the act by conducting the medical examinations prematurely.
On the issue of privacy, the court found that by consenting to preemployment blood tests, the plaintiffs did not consent to any and all medical tests that American wanted to conduct. Under California state law, an applicant has a reasonable expectation that an employer will not retrieve private medical information by conducting tests that are outside of the “ordinary or accepted medical practice regarding general or preemployment medical exams.”
The court ruled that the circumstances surrounding the plaintiffs’ blood tests gave them little reason to believe that American would perform extensive scans on their blood. Also, noted the court, American offered no evidence that conducting these blood tests without notice or consent is standard practice in a preemployment medical examination. The court allowed the issue to proceed to a trial, where a jury could decide the merits of the case. (Leonel v. American Airlines, Inc., U.S. Court of Appeals for the Ninth Circuit, No. 03-15890, 2005)
INTERNATIONAL JUDICIAL DECISIONS
ID cards. The United Kingdom’s House of Commons has approved a bill to establish a national ID card system. The Identity Cards Bill sets out a system under which each citizen would have a compulsory ID card embedded with a computer chip by 2012. The chip will hold personal information such as names and addresses as well as a biometric identifier such as a facial scan or iris scan. All of this information will also be stored in a national database.
The bill had little problem passing in the House of Commons with a vote of 224 to 64. However, it faces a greater challenge in the House of Lords, according to public comments from its sponsor, Secretary of State for the Home Department Charles Clark.
The full text of the bill is available at Security Management Online.
U.S. REGULATORY ISSUES
Hazardous materials. The Transportation Security Administration (TSA) has announced that it will begin the final phase of its Hazmat Threat Assessment Program. Commercial truck drivers applying for a license to carry hazardous materials will be fingerprinted and will have to pass a criminal records check and an immigration status check before they are issued a license. (The drivers were already subjected to a background check to determine any terrorist affiliation during phase one of the program.)
Those disqualified under the program can appeal the decision. Drivers who give up their current hazardous-materials license will not be required to undergo the final phase of the program.
Drivers who pass the screening are required to be recertified at least every five years.
The TSA’s announcement and details of the program are available at SM Online.
Baggage screening. A new report by the Government Accountability Office (GAO) assesses the effectiveness of explosives detection systems (EDS) and explosives trace detection (ETD) systems installed in airports around the country by the Transportation Security Administration (TSA).
The EDS and ETD machines were in place in most airports by the end of 2003. At the time, airport officials—especially those at small regional airports— expressed concern that the systems were too large to be incorporated into the baggage screening process and were installed as standalone devices in lobbies or other large areas. (See “Flying in the Danger Zone,” June 2003.)
In the new report, the GAO tracks this issue of space and concludes that the interim solutions have resulted in inefficient screening practices and led to hiring of more screeners than necessary. Of the 130 airports studied by the GAO for the report, 86 are planning to integrate the EDS machines into baggage conveyor systems.
However, the funding for such projects is limited and is beyond the reach of many airports.
In the report, the GAO faulted the TSA for failing to conduct an overall analysis of the problem. According to the report, some airports have proven that they could make up the cost in long-term savings and through increased efficiency.
To read the GAO report, visit Security Management Online.
U.S. CONGRESSIONAL LEGISLATION
Port security. The 2006 U.S. Government budget (H. Con. Res. 95) proposed by the Bush administration does not include funding for the port security grant program. The program, which has distributed $565 million since its inception in 2002, would be replaced by the Targeted Infrastructure Protection program. The new program would offer a total of $600 million in grants.
Under the Targeted Infrastructure Protection program, ports would compete with other transit systems, railroads, and buses for funding. The Coast Guard, along with container security initiatives and trade partnership programs, would, however, see an increase in funding from 2005.
Details of the budget, which had passed both houses at press time and awaited the President’s signature, are available at SM Online.
Privacy. Two bills (H.R. 1069 and H.R. 1263), introduced by Rep. Melissa Bean (D-IL) and Rep. Cliff Stearns (RFL) respectively, would require that data collection organizations notify consumers when their personal information has been compromised. The bills were drafted in response to recent high-profile electronic data breaches at large corporations.
H.R. 1069 would require that any organization or person engaged in interstate commerce notify consumers of any security breach that compromises their personal information. The bill would require that financial institutions promptly notify each customer and each consumer reporting agency affected by the breach. Under the provision, these financial institutions would be required to contact law enforcement agencies in any case where the suspected breach affects a large number of customers.
Under the provision, consumer reporting agencies would be required to maintain a fraud alert file on any consumer who reports that his or her personal information has been compromised by an electronic security breach.
H.R. 1069 has 18 cosponsors and has been referred to the House Energy and Commerce Committee and the House Government Reform Committee. It has also been referred to the House Financial Services Committee.
Under H.R. 1263, companies would be required to establish a privacy policy regarding the collection, sale, disclosure, or use of a customer’s information. The bill would also require that companies prepare and implement an information security policy to prevent the unauthorized disclosure or release of consumer information.
The bill has one cosponsor and has been referred to the House Energy and Commerce Committee and the House International Relations Committee.
Cargo security. A bill (S. 376) introduced by Sen. Kay Bailey Hutchison (R-TX) would require that the government develop a system to increase the number of shipping containers physically inspected, monitored, and tracked within the United States. The bill would require that at least 50 percent of all ocean-borne shipping containers be inspected by 2007.
The bill also stipulates that the Department of Homeland Security submit to Congress a strategic plan for integrating security for all modes of transportation through which intermodal shipping containers move. The department would also be required to develop a system to share threat and vulnerability information with all of the industries in the supply chain and to increase the number of U.S. Customs inspectors assigned to inspect shipping containers shipped to the United States. Under the bill, those who change container manifests would be subject to civil penalties.
S. 376 has no cosponsors. The legislation has been referred to the Senate Commerce, Science, and Transportation Committee.
ID cards. A bill (H.R. 418) that would require states to incorporate specific security measures into drivers’ licenses and would restrict illegal immigrants from obtaining them has been approved by the House of Representatives. The measure, also called the Real ID Act, is now pending in the Senate Judiciary Committee, which is expected to pass it and send it to the full Senate for a vote.
The bill’s provisions, which were originally in an early House version of the comprehensive intelligence reform law approved last year, would require that states comply with federal standards when issuing drivers’ licenses. The bill requires that the licenses include a digital photograph, incorporate anticounterfeiting features, and be machine readable. The cards could also include RFID or magstripe technology.
To reduce abuse of licenses by illegal aliens, those applying for a license would have to prove that they are lawfully in the United States.
Civil liberties groups oppose the bill because of its potential to infringe upon individual privacy rights with a federal-government-imposed “national ID card.” Similarly, groups advocating rights for immigrants, such as the nonprofit American Immigration Lawyers Association, have announced their opposition to the bill claiming that it would punish those immigrants seeking legitimate work and could fuel the market for fraudulent identification. These groups also argue that the state drivers’ license information provides valuable data on immigrant populations and that this information would be lost if H.R. 418 becomes law.
For these reasons, the bill faced some opposition in the Senate. But before sending the bill to the Senate, the House voted to attach it to the President’s emergency spending bill for the wars in Iraq and Afghanistan and the Senate acquiesced with some modifications. That bill seems likely to pass.
Insurance. A bill (S. 467) introduced by Sen. Christopher Dodd (D-CT) would extend the Terrorism Risk Insurance Act of 2002 (TRIA) for three more years. The TRIA, which expires at the end of this year, would keep the program in place while a commission develops a transitional system to take its place. Without the TRIA, a government program that keeps insurance for terrorist attacks affordable, proponents of the bill argue that terrorism insurance would become unaffordable for most businesses.
Though introduced in the last session, the measure was not taken up in committee. This incarnation of the bill has bipartisan support, as does a companion bill (H.R. 1153) in the House of Representatives. S. 467 has 17 cosponsors and has been referred to the Committee on Banking, Housing, and Urban Affairs.
U.S. STATE LEGISLATION
Texas
Firearms. A bill (H.B. 896) currently under consideration in the Texas Legislature would make it illegal for employers to ban firearms from their parking areas. Employers could not establish, maintain, or enforce any policy or rule that constitutes such a ban. The provision would allow employees who have a concealed-weapons permit to bring the guns to the workplace so long as they are kept in a locked vehicle.
ASIS International has announced its opposition to such legislation, noting that employers have an obligation to provide a safe workplace and that bills such as H.B. 896 make accomplishing this impossible.
Washington
Fingerprinting. A bill (S.B. 5157) that would allow state agencies to purchase different fingerprinting systems has been approved by the Washington Senate and is now pending in the House Criminal Justice and Corrections Committee. The bill would allow state agencies, including various law enforcement groups, to purchase any brand of fingerprinting system so long as the systems are interoperable. The bill would overturn a 1996 law that required all state agencies to purchase the same system.
Another bill (S.B. 5553), which would require fingerprint background checks for purposes not related to criminal activity to be submitted electronically, has been approved by the Senate Health, Services, and Corrections Committee. The proposed legislation is currently awaiting action in the Washington State House Ways and Means Committee.
The bill, which would have a significant effect on fingerprint background checks conducted during the hiring process, would provide $270,000 to help upgrade the current system. The proposed legislation also requires that the electronic fingerprints, such as those obtained by employers, be destroyed after the background check is complete.
Illinois
Weapons. The Illinois House Human Services Committee has approved a bill (H.B. 1098) that would prohibit the manufacture, sale, or possession of .50 caliber sniper rifles in the state. The bill, which is awaiting a vote in the full House, is designed to prevent a terrorist from using the rifle to shoot down a civilian aircraft during takeoff or landing. Violating the law would be a felony under the new measure.
This column should not be construed as legal or legislative advice.
