WASHINGTON — Major U.S. carriers are scrambling to create disclosure policies that inform customers they might share personal data with the federal government, in response to two highly publicized cases in which airlines secretly handed over private passenger information.
The airlines are working swiftly to alert passengers and protect themselves from liability as the U.S. government is poised to force the carriers as early as next month to turn over data as part of a computerized passenger screening program called CAPPS II.
"We have a lot of work to do here," one airline industry source said. "Everyone agrees there’s a sense of urgency because the government wants to get going on CAPPS II as soon as possible."
The airlines are under pressure because of the disclosure last week that Northwest Airlines failed to inform customers that it gave the government records on millions of passengers for a secret security project. In September, JetBlue also admitted it handed over records for a separate project.
Angry passengers have filed class-action lawsuits against both airlines, privacy groups have lodged complaints with government agencies and members of Congress are sending letters with sharp questions to airlines and government agencies involved in the projects.
More than 20 chief operating officers of the nation’s largest airlines met Thursday to discuss, for the first time, the possibility of adopting similar privacy policies to cooperate with the CAPPS II program. Airline executives plan to schedule more meetings with officials from the Department of Homeland Security. The industry hopes to hammer out procedures that will allow the carriers to turn over passenger records while protecting consumer privacy and limiting airline liability.
Legal experts said there are no laws against companies sharing information with the government or other companies. But companies that do not disclose under what conditions they share the information and who gets it could face suits from consumers for deception and breach of privacy. They could also face fines or investigations by government agencies, such as the Federal Trade Commission.
The CAPPS II program is designed to compare passenger reservation records with commercial databases that hold records such as home mortgage loans and credit reports to verify passengers’ identity. The passengers’ names then will be checked against criminal and suspected terrorist databases and travelers will be given risk scores of red, yellow or green. The color determines the level of screening a passenger will receive. Passengers who rate a red score will be met by police at the airport.
Once CAPPS II begins this summer, airlines and reservation companies will turn over records to the Transportation Security Administration where it will be screened and scored. The TSA said it intends to keep the data, which include passenger name, address, telephone number and date of birth, for a number of days.
"Given this new paradigm — with need for increased information sharing between private and public sectors — this raises a new issue for which we all have a responsibility," said Nuala O’Connor Kelly, the Department of Homeland Security’s chief privacy officer. "There are some responsibilities for both sides in getting it right."
Lawyers, consultants and privacy advocates said the industry has been too slow to inform customers when it shares data with the government even though airlines have clear policies explaining how they might share customer information with travel-related companies.
"Airlines, for the most part, have not put a lot of dollars into privacy compliance," said Larry Ponemon, chairman of the Ponemon Institute, a privacy think tank in Tucson and former senior partner of compliance risk at PricewaterhouseCoopers. Ponemon said airlines are aggressive marketers and use many vendors to help target certain customers.
"That same mindless sharing of information very liberally exists in the culture of the airlines. They aren’t doing things designed to reduce our civil liberties. They wanted to help the government."
Ponemon estimated that it would cost an airline at least $5 million to prepare for CAPPS II and that the cost of installing privacy policies throughout the industry could easily run into "hundreds of millions" of dollars.
Talk to us
> Give us your news tips.
> Send us a letter to the editor.
> More Herald contact information.
