SUBJECT: General Comments on the Legislative Proposals posted to http://jcots.state.va.us/Legislation/05_comments.htm
Dear Joint Commission on Technology and Science:
1. The
2. Executive Recommendation: FCPC recommends that the General Assembly adopt all of the proposals subject to two necessary modifications:
a. Ensure that NO PORTION of any Social Security Number (“SSN”) is permitted to be published in a public record.
b. Ensure that personal dates of birth ARE PRECLUDED from publication in public records.
3. After much thought and discussion, we offer the following comments to the Commission and General Assembly.
a. General: FCPC supports all legislators’ efforts to help citizens secure their natural right of personal privacy within the commonwealth. All of the legislative proposals presented have great merit; however, we are greatly concerned that several of the proposals fail to secure personal dates of birth from publication in public records, and/or seek to establish a convention permitting the creation of public records containing the last four digits of a person’s Social Security Number (“SSN”). This would countermand the general trend in government and private industry of securing the full SSN and date of birth, thus establishing a dangerous “2d best privacy standard” in
a. SSNs: SSNs are inherently confidential pursuant to Title 26 of US Code and the Federal Privacy Act of 1974. In Russell v. Bd. of Plumbing Exam'rs, 74 F. Supp. 2d 339, 347 (S.D.N.Y. 1999), a case regarding a plumber who sued to stop the unlawful collection of SSNs by a government agency under a scheme in which the SSNs were then subsequently published on their licenses, which were required to be displayed to the public on demand, the court noted “…the independent confidentiality [emphasis added] of federal income tax returns and tax return information [emphasis added]… See generally 26 USC 6103…[and held that] the Board being unable to get the copies [of federal IRS forms W2] directly from the Treasury should not be permitted to do so indirectly by coercion.” The federal Freedom of Information Act (“FOIA”) and the Help America Vote Act of 2002 (“HAVA”) clarify that all portions of the SSN are confidential, including the last four digits. Frankly, the last four digits are the most sensitive portion of the SSN, and often used as a commercial account PIN or other password.
b. The courts agree with the notion of SSN confidentiality on Constitutional grounds independent of statutory requirements. Fundamental Ninth Amendment and common law rights to privacy are well known to extend to the control and use of one’s SSN, if any; see Krebs v. Rutgers, D.N.J., 1992, 797 F.Supp. 1246 (release of an SSN may cause “irreparable harm”); Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) (Commonwealth of Virginia must comply with Section 7 of the Federal Privacy Act, and also may not publicly disclose SSNs on voter lists); Sheet Metal Workers International Association, Local Union No. 19 v. US Department of Veterans Affairs, Third Circuit (1998) (“…both the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person”); Arakawa v. Sakata, 133 F. Supp. 2d 1223 (2001) ("the release of a SSN potentially rises to the level of a federal constitutional violation, especially when considering the amount of highly personal information that can be recovered as a result of its release").
c. Personal Dates of Birth: Dates of Birth (“DOBs”) are also recognized in federal law as confidential under federal FOIA, the Privacy Act, and other laws. Consumer credit is often extended based merely upon a person’s name and DOB, so disseminating DOBs through public records exposes the citizenry to identity theft and other invasions of privacy. In the digital age, a DOB when combined with a full legal name of a person is as valuable to criminals, stalkers, identity thieves, and perhaps even terrorists as obtaining the person’s SSN. A person's date of birth provides a key to unlocking, aggregating, and tracking the private and sensitive data about every airline passenger for life. In recognition of these realities, the US Military Academy Association of Graduates halted publication of West Graduate dates of birth in its alumni publications in 2003, including its annual “Register of Graduates.” The courts agree that the citizen has a fundamental privacy interest in keeping confidential her DOB that outweighs the public’s “right to know.” Scottsdale Union School District No. 48 v. KPNX Broadcasting Company, 955 P. 2d 534 (1998) held that disclosure of DOBs threatens individual privacy, quoting Oliva v. US, 756 F. Supp. 105 (1991), where the court held that disclosing a DOB can be "...an unwarranted invasion of privacy [emphasis added]..."
4. Specific comments directed at each of the 6 sets of proposals have been sent to JCOTS by email as directed in the JCOTS request for public comments (see Enclosure).
5. Conclusion: FCPC looks forward to the adoption of as many of these legislative proposals as possible, provided that the proposals extend public record privacy protection to all portions of the SSN and personal DOBs. In regard to the SSN, we feel that the danger of establishing a 2d best privacy standard for SSNs is so great that we oppose all legislation that incorporates any “last four protocol.” It would be better to not adopt any legislation that contains a “last four protocol” because it will invite private and public actors to begin, resume, or continue the recording of partial SSNs on public documents.
Thank you for the opportunity to comment on these proposals.
Sincerely,
Mike Stollenwerk
Chairman
www.FairfaxCountyPrivacyCouncil.org
Enclosure (Specific Proposal Comments)
1. Social Security Number Misuse:
2. Unique Identifying Numbers on Public Records: Fairfax County Privacy Council supports these proposals only if privacy protection is extended to ALL portions of Social Security Numbers, as well as personal dates of birth.
a. SSNs: SSNs are inherently confidential pursuant to Title 26 of US Code and the Federal Privacy Act of 1974. In Russell v. Bd. of Plumbing Exam'rs, 74 F. Supp. 2d 339, 347 (S.D.N.Y. 1999), a case regarding a plumber who sued to stop the unlawful collection of SSNs by a government agency under a scheme in which the SSNs were then subsequently published on their licenses, which were required to be displayed to the public on demand, the court noted “…the independent confidentiality [emphasis added] of federal income tax returns and tax return information [emphasis added]… See generally 26 USC 6103…[and held that] the Board being unable to get the copies [of federal IRS forms W2] directly from the Treasury should not be permitted to do so indirectly by coercion.” The federal Freedom of Information Act (“FOIA”) and the Help America Vote Act of 2002 (“HAVA”) clarify that all portions of the SSN are confidential, including the last four digits. Frankly, the last four digits are the most
b. The courts agree with the notion of SSN confidentiality on Constitutional grounds independent of statutory requirements. Fundamental Ninth Amendment and common law rights to privacy are well known to extend to the control and use of one’s SSN, if any; see Krebs v. Rutgers, D.N.J., 1992, 797 F.Supp. 1246 (release of an SSN may cause “irreparable harm”); Greidinger v. Davis, 988 F.2d 1344 (4th Cir. 1993) (Commonwealth of Virginia must comply with Section 7 of the Federal Privacy Act, and also may not publicly disclose SSNs on voter lists); Sheet Metal Workers International Association, Local Union No. 19 v. US Department of Veterans Affairs, Third Circuit (1998) (“…both the common law and the literal understandings of privacy encompass the individual's control of information concerning his or her person”); Arakawa v. Sakata, 133 F. Supp. 2d 1223 (2001) ("the release of a SSN potentially rises to the level of a federal constitutional violation, especially when considering the amount of highly personal information that can be recovered as a result of its release").
c. Personal Dates of Birth: Dates of Birth (“DOBs”) are also recognized in federal law as confidential under federal FOIA, the Privacy Act, and other laws. Consumer credit is often extended based merely upon a person’s name and DOB, so disseminating DOBs through public records exposes the citizenry to identity theft and other invasions of privacy. In the digital age, a DOB when combined with a full legal name of a person is as valuable to criminals, stalkers, identity thieves, and perhaps even terrorists as obtaining the person’s SSN. A person's date of birth provides a key to unlocking, aggregating, and tracking the private and sensitive data about every airline passenger for life. In recognition of these realities, the US Military Academy Association of Graduates halted publication of West Graduate dates of birth in its alumni publications in 2003, including its annual “Register of Graduates.” The courts agree that the citizen has a fundamental privacy interest in keeping confidential her DOB that outweighs the public’s “right to know.” Scottsdale Union School District No. 48 v. KPNX Broadcasting Company, 955 P. 2d 534 (1998) held that disclosure of DOBs threatens individual privacy, quoting Oliva v. US, 756 F. Supp. 105 (1991), where the court held that disclosing a DOB can be "...an unwarranted invasion of privacy [emphasis added]..."
3. Negotiable Instruments: Fairfax County Privacy Council supports these proposals but recommends that a date of birth be redefined as a full date of birth (not just "month and day of birth") at Va. Code § 59.1-443.1(A)(s)(i).
4. Sale of Purchaser Information: Fairfax County Privacy Council supports these proposals.
5. Notice of Security Breaches: Fairfax County Privacy Council supports these proposals but urges that Va. Code Section 59.1-444(A) be modified so as to ensure that the $100 penalty does NOT require proof of "actual damages." As the Commission is aware, the damage from loss of personal privacy is inherently prospective - the policy interest lies substantially in deterring the breaching of confidential information, and less so in "making people whole." The US Supreme Court recently construed language very similar to the proposed “Va. Code Section 59.1-444(A)” in the Federal Privacy Act to require "actual damages" to trigger the $1,000 minimum penalty in the Federal Privacy Act for violations of the act with regard to the handling of personal information - see Doe v. Chao (2004) ("Held: Plaintiffs must prove some actual damages to qualify for the minimum statutory award"). See further legal analysis regarding Doe v. Chao by the Electronic Privacy Council at http://www.epic.org/privacy/chao.
6. Social Security Numbers on Land Records: