What is legal and what is wise often are two different things. Given the rapid advance in technology, it is likely that laws to protect against abuses will not be able to keep up. However, there are existing laws that apply in specific situations, and IS professionals must be aware of these. Sadly, many of these issues are not brought up in formal IS education and training. It is important to remember that ignorance of the law does not constitute a defense in a court of law. Therefore, IS professionals must educate themselves concerning existing laws, and be aware of potential future regulation so that they not only prepare their systems for such regulation, but also do not contribute to the social pressure for further government-imposed restrictions, as shown previously in Figure 1.
Lawmakers show little interest in passing a comprehensive privacy law but rather legislate each information source separately. Table 3 provides a brief overview of U.S. Federal regulations that both protect privacy and provide circumstances under which it may be invaded. An interesting point to make is that, prior to September 11, 2001, if the USA Patriot Act of 2001 had been before Congress, it would have probably been considered too invasive. However, the 9/11 attacks have changed that perception and the need for privacy in terms of balancing it with the ability to eliminate terrorism. In the following section, a representative sample of Federal acts is discussed. A complete and thorough discussion of all regulations concerning data collection and use is beyond the scope of this chapter. We begin our examination of U.S. Federal regulations with the Fair Credit Reporting Act and end with a brief discussion of the USA Patriot Act of 2001. Afterwards, we briefly explore legal issues in jurisdictions outside of the United States.
Fair Credit Reporting Act
Many people are concerned about using their credit card online for fear that their card information will be stolen. Another fear with the Internet is that a person's credit history can be easily accessed or obtained. With data mining, consumers are scared that their credit card information and credit history will become even more vulnerable. However, the Fair Credit Reporting Act (FCRA) of 1970 already protects consumers against illegal use of credit information:
The FCRA applies to situations other than the loan or credit-application process, such as employer background checks, court records, and motor vehicle reports, anytime the data was provided in a consumer report by a consumer-reporting agency as defined by the Act.
Just about every aspect of the FCRA and the amendment (which went into effect in October 1997) can apply to data mining. If a company participates in data-mining activities, it must carefully review how it uses the information with regard to the FCRA or face potential lawsuits. A company must also be careful that the information it obtains through data mining is accurate. Privacy is protected by the FCRA to a certain degree. This act affects data mining when the organization selling or obtaining the information can be defined as a credit-reporting agency according to the FCRA. The entire Fair Credit Reporting Act may be obtained at http://www.ftc.gov/os/statutes/fcra.htm.
Right to Financial Privacy Act
An individual's rights in guarding his or her financial information are protected by The Right to Financial Privacy Act of 1978. Most people are concerned about their financial privacy and believe it is imperative that federal law protects it. Because of this law, procedures must be followed by banks, credit unions, credit card companies, savings and loan associations, and other financial institutions before any information about you is given to a Federal agency. Protecting their financial information is probably one of the areas about which individuals are most concerned. They do not want others to store and/or analyze this type of data. As technology becomes increasingly more sophisticated, data-mining techniques will challenge this privacy act and threaten the protection it currently provides.
Electronic Funds Transfer Act
The Electronic Funds Transfer (EFT) Act of 1978 was designed to give customers protection by assigning liability to banks that allowed electronic access to customer accounts. There are many benefits to both the bank and individuals from the use of EFT. This act also states that customers must be notified about third-party access to their information on electronic funds transfer, either at the time that the consumer contracts for electronic funds transfer or before the first transfer is made. ATM and debit cards have since flourished, and the flow of data and access to your finances worldwide has increased. By taking the liability off of the consumer, the Electronic Funds Act made it possible for consumers to feel comfortable using ATM, debit cards, and, more recently, electronic funds transfer to pay almost any type of bill.
Electronic Communications Privacy Act
The Electronic Communications Privacy Act (ECPA) addresses the legal privacy issues involved with the use of computers and other new technology in electronic communications. This act updated 1968 legislation that clarified invasion of privacy with the use of electronic surveillance. This law was primarily aimed at preventing invasions of privacy by government. However, it has not been updated to reflect the technological advancements made possible through widespread use of the Internet. Technologies such as Carnivore collect more information than protected under the authority of this law.
Video Privacy Protection Act
The Video Privacy Protection Act of 1988 states that video store owners cannot divulge information about the videos rented or personal information about the consumers who rent them to the general public. This law was enacted to protect the privacy of consumers, in particular so that they would not be ashamed about or prosecuted for renting videos considered adult material. The beneficial result of this law is that people feel free to rent whatever they would like, without fear. Without this act, for example, homosexuals who are not public about their sexuality could fear that friends or employers could find out they are renting gay materials. This law protects them from such discrimination or public ridicule. Without this Act, individuals in high-profile jobs could reasonably fear their renting habits might be released.
Health Insurance Portability and Accountability Act (HIPAA)
The ability to compile, store and cross-reference personally identifiable health information easily is becoming technologically feasible. Unfortunately, patients must worry, and rightly so, about confidentiality. Furthermore, the healthcare industry is so competitive and medical information so valuable that information that should be shared often is not.
On August 21, 1996, U.S. President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is designed to reduce inefficiencies in the healthcare industry by reducing paperwork, controlling abuse in the system, providing privacy protection for individuals, and ensuring health care coverage for even those with pre-existing conditions. A provision of HIPAA required Congress to enact medical privacy protections by August of 1999. The law also included a provision that gave the Secretary of the U.S. Department of Health and Human Services (HHS) the authority to write medical privacy regulations if Congress missed its self-imposed deadline (Leahy, 2001).
Concerned about the loss of personal privacy, and fearing that people would be deterred from seeking medical treatment if medical records were not protected from unauthorized disclosure, Senator Patrick Leahy of Vermont introduced comprehensive medical privacy legislation, entitled the Medical Information Privacy and Security Act (MIPSA), in March of 1999. However, it was not enacted and Congress missed the August 1999 deadline specified in HIPAA. Therefore, in October 1999, President Clinton and Secretary Donna Shalala unveiled their medical privacy proposal.
The final ruling for the HIPAA was in April 2001 under President George Bush. Most covered entities have two years (until April 2003) to comply with the final revisions of this law. This final law requires that all health organizations including health care providers, insurers, and transaction processors come into compliance with HIPAA by the April 2003 date. However, it does not cover health-oriented websites that may collect personal data.
Under this law, patients have the right to control how their personal health information is used and must be able to get access to their own medical records if desired. Of course, patients must sign a release before records can be given to any party. However, patients do have the right to limit or withdraw this release of information. Health care organizations are required to have written privacy procedures detailing how information is used and disclosed and are required to provide this information to patients upon request.
The Gramm-Leach-Bliley Act of 1999
The Gramm-Leach-Bliley Act became federal law in November 1999, and states were ordered to comply (although the law did not preempt states from adopting more strict privacy standards). In general, this law states that financial institutions can only share information with affiliates and nonaffiliated companies after giving customers the option to "opt-out" of certain disclosures. Personal information can be shared only after a consumer has had an opportunity to opt-out. Therefore, organizations must notify individuals when they are planning to share private information outside the scope of typical financial transactions; e.g., selling it to others who plan on using it for data-mining purposes. Enforcement began July 1, 2001. When financial institutions sent out federally mandated privacy notices in the summer of 2001, only 2% to 3% of all consumers opted out (Thibodeau, 2002).
The privacy provisions of Title V of the Act apply only to non-public personal information about individuals who obtain financial products or services for personal, family, or household purposes, and not to companies or individuals obtaining products or services for business purposes (Hirsch, 2000). In addition, this law requires that both stored and transmitted information be encrypted if security cannot be guaranteed. The following federal agencies have responsibility for enforcing the Act: the Federal Trade Commission (FTC), the Department of the Treasury, the Comptroller of the Currency, the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Securities and Exchange Commission. "Because the Gramm-Leach-Bliley Financial Services Act opened the door for banking and insurance markets to enter one another's business, both industries were compelled to gain more information about their customers to cross-sell banking, investment and insurance services" (Ruquet, 2000).
The state of Vermont has taken a much stronger position than the Federal statute by requiring (as of February 15, 2002) financial institutions to acquire affirmative customer consent (opt-in) of its citizens before personal data about customers from Vermont can be shared with others. Insurance trade groups retaliated by filing suit on January 30, 2002, and threatening price increases (Thibodeau, 2002). In response to industry complaints, Elizabeth Costle, Commissioner of the Vermont Department of Banking, Insurance, Securities, and Health Care Administration, stated, "The industry can just assume that everyone with a Vermont ZIP code has opted out. That's the easy way to fix your computers" (Thibodeau, 2002, p. 16). Vermont's rules are a broader application of the state's existing banking privacy laws and not a result of legislative action (Thibodeau, 2002, p. 16). The insurance industry argues in its suit that the banking commission usurped legislative authority. Opt-in requires companies to convince consumers of the benefits of sharing their personal information with others. Vermont is not alone concerning "opt-in." According to the Internet Alliance, 13 states have pending opt-in privacy bills: Arkansas, California, Florida, Hawaii, Illinois, Iowa, Massachusetts, Minnesota, Missouri, North Dakota, New Hampshire, New Jersey and New York (Thibodeau, 2002). New Mexico is considering regulatory action similar to Vermont's. When acquiring data to mine, differences in state laws and regulations like Vermont's opt-in policy will play a role in acquiring data that can be legally used.
Children's Online Privacy Protection Act (COPPA)
In addition, operators are prohibited from conditioning a child's participation in an online activity on the child providing more information than is reasonably necessary to participate in that activity.
After a three-year effort by the FTC to identify and educate the industry and the public about privacy issues, the FTC recommended that Congress enact legislation protecting children. A March 1998 survey of 212 commercial children's websites found that "while 89% of the sites collected personal information from children, only 24% posted privacy policies, and only 1% required parental consent to the collection or disclosure of children's information" (FTC, 1999).
Ignorance of the law is not a defense in a court of law. If you are caught violating COPPA, you can be fined up to $11,000 per child per incident. Non-profit organizations, however, are exempt from COPPA. For more information about COPPA, you can visit the following sites: http://www.ftc.gov/kidzprivacy, http://www.kidsprivacy.org/, and http://www.cdt.org/.
USA Patriot Act of 2001
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA Patriot) Act of 2001 is not a single new law but rather an omnibus piece of legislation that amends dozens of existing laws (Fausett, 2001, p. 10). Hence, if you read the text of the Act without a copy of the United States Code close at hand, it will make no sense whatsoever. According to M. Scott (2001), the act:
Unlike the Electronic Communications Privacy Act that requires a subpoena or search warrant, Section 212 of the Patriot Act "lets a system operator voluntarily disclose customer information along with the content of stored e-mail messages to a governmental entity if the provider reasonably believes that an emergency involving immediate danger of death, or serious physical injury to any person justifies disclosure." (M. Scott, 2001, p. 82). Section 210 of the Act requires an e-mail system operator to disclose the means or source of payment for the provider's services, records of session times and durations, and any temporarily assigned network addresses. The hope is that such information may help locate terrorists and those who fund them. This Act can provide a wealth of information on suspected criminals and terrorists that law enforcement agencies can merge with other data overlays to data mine in order to better identify candidates for intense scrutiny.
Many nations have data protection laws that attempt to ensure an individual's privacy rights. These include but are not limited to:
The Electronic Privacy Information Center (EPIC) and Privacy International reviewed the state of privacy in over fifty countries around the world ("Privacy & Human Rights, 2000," 2000). The report found many countries around the world are enacting comprehensive data protection laws.
Other nations, such as China and India, have no general data protection laws enacted, although data privacy is referred to in a few regulations in both countries. Interestingly, however, the Chinese Constitution proclaims citizens have limited rights to privacy even though few laws limit government actions. For example, Article 37 of its constitution provides that the freedom of citizens of the People's Republic of China is inviolable, and Article 40 states: "Freedom and privacy of correspondence of citizens of the People's Republic of China are protected by law." However, whenever technological advancements seem on the brink of loosening the government's grip over its citizens, the Chinese government uses all its power to either suppress the technology or mold it to fit its own political agenda. For readers who are interested in exploring international laws pertaining to privacy and data protection, see http://www.privacyinternational.org/survey/.
Laws and Data Mining
The majority of laws that safeguard the privacy of consumers are positive for society because they make people feel comfortable providing information as well as purchasing or renting material, and this helps the economy. However, the downside of any database is that it is never totally secure from "the outside." Many of these laws pertain to the collection and dissemination of data. Companies interested in data mining must respect these restrictions. Despite these legal developments, there are still questions that remain open for debate. Table 4 lists some of the more pertinent questions.