460

DENVER LAW JOURNAL

74

[Vol. 60:3 lege physician that her mother had been treated by a psychiatrist.72 The college was precluded from releasing this information under the Family Educational Rights and Privacy Act (Act)73 without Brown's consent. This Act, however, does not provide a private remedy; it merely permits the Secretary of Education to terminate federal funds to the institution. Brown does have a remedy against the credit reporting agency for continuing to carry the doctor's report. The agency is precluded from disclosing the information because it is more than seven years old.7 75 If the agency refuses to both delete the information and inform the insurance company of this action, the agency may be liable for actual and punitive damages.76 If the agency changes its report, Brown should be issued her policy.

Richard White, a forty-year-old small businessman who owns his own hardware store, was denied a credit card. The credit card company showed White his file, with the exception of his credit report, and gave him the name of the credit reporting agency. The file at the credit reporting agency revealed that shortly after graduating from college twenty years ago, White was adjudicated as bankrupt and received welfare for a year.

Under the terms of the Fair Credit Reporting Act, bankruptcies that occurred over ten years prior to a report may not be disclosed.?? The agency is required to delete the information and inform the credit card company or be subject to actual and punitive damages. 78 Other types of adverse information may be subject to a seven-year limitation on disclosure." The agency may not, therefore, report that White received public assistance.

The more interesting question is how the credit reporting agency obtained this information since these records are subject to strict requirements of confidentiality.81 It is possible that White's social security number was obtained when he received public assistance82 or when he applied for the

72. This is another actual case reported to the Privacy Commission in 1978. A young woman was refused employment as a public school teacher because she had reportedly told her school doctor her mother had once seen a psychiatrist. See Diamond, How to Protect Your Privacy, MCCALL'S, Feb. 1980, at 51.

73. 20 U.S.C. § 1232g(b)(i) (1976).

74. See, eg, Girardier v. Webster College, 563 F.2d 1267, 1276 (8th Cir. 1977) (a former student could not use the Family Educational Rights and Privacy Act to force a college to release his transcript after he had defaulted on his National Defense Student Loan and was discharged in bankruptcy).

75. 15 U.S.C. § 1681c(a) (6) (1976).

76. Id. § 168In.

77. Id. § 1681c(a)(1). The credit report is used in connection with a transaction or life insurance policy involving an amount in excess of $49,999 or employment at a salary of $20,000 or more. There are no time restrictions placed on reporting bankruptcies

78. Id. § 1681c.

79. Id. § 1681c(2)-(6).

80. Id. U.S.C. § 1681c(a)(6).

81. 42 U.S.C. § 602(a)(9) (Supp. IV 1980). In Colorado, information on individuals who applied for public assistance since 1972 is in computer files Printouts of these files contain a note that the recipient is responsible for the confidentiality of the files. See 6 Colorado Department of Social Services Manual, §§ 6.210-6.220 (effective June 1, 1983).

82.. Chambers v. Klein, 419 F. Supp. 569 (D. N J. 1976), aff'd, 564 PIANO

1983]

COMPUTERS AND PRIVACY

461

credit card. A computer search for information based on White's social security number might reveal such information. In any case, the agency must delete this information from its files and notify the credit card company, which then has the discretion to issue a card based upon this changed information.83

These three cases suggest the pervasive impact that computer storage and retrieval of personal information can have on an individual's life. The burden of correcting inaccurate information or deleting dated material rests most often with the individual rather than the agency. This is because in many computerized databanks the cost to delete data is significantly higher than the cost to store it perpetually 84 The real threat to privacy, therefore, may not be the fact that computers can collect and store facts about individuals, but rather that inaccurate or dated information can be repeatedly used to evaluate the character, reputation, employability, or credit-worthiness of an individual. That person may never know what information was used in the evaluation or from where the information was derived.

III. LEGAL PROTECTION OF PRIVACY in the United States

A. The Judicial Response

Although the word "privacy" does not appear in the text of the Constitution, in the mid-1900's the Court found that such a right could be implied from its various amendments. In NAACP v. Alabama,85 the Court found a "vital relationship between the freedom to associate and privacy in one's associations,"86 ruling that the “right of the [NAACP] members to pursue their lawful private interests. . . privately" was protected by the first and fourteenth amendments.87

tion. Davis, A Technologist's View of Privacy and Security in Automated Information Systems, 4 Rutgers L.J. OF COMPUters and the L. 264, 273 (1975).

83. Credit card companies are a major source of information on millions of individuals. To obtain a credit card, the applicant must provide a significant amount of financial, credit, and personal information. When he uses his card, information concerning items purchased, travel movements, and financial status are posted to his account. By 1976, Master Card had 40.6 million cardholders. N. Penney & D.I. Baker, The Law of Electronic FUND TRANSFER SYSTEMS § 1.01[3] (1980). Credit card companies such as American Express, VISA, and Master Card contain specific instructions on their applications that the information requested, and information from later transactions, will be used and exchanged by other companies. This information is then sold to generate further profits for the credit card companies. One startling example of how information can be used occurred when a laboratory which tested women for pregnancy, sold its list of pregnant women to a diaper service. The diaper service mailed advertisements to the names on the list. One husband learned of his wife's pregnancy from the cheerful greeting and congratulations on the cover of the advertisement. See, Comment, The Privacy Side of the Credit Card, 23 AM. U.L. Rev. 183, 187 (1973). In Denver, Colorado, banks seem to be concerned about protecting the confidentiality of their customers' files. Most banks keep only customer's balance, available credit line, and the past few months' transactions on computer files. The rest of the customer's information is stored by month, not by name, on microfiche, which is stored under tight security in the bank's vault. Interview with Jack D. Molloy, Law Department of Colorado National Bankshares, Inc., in Denver, Colo. (Dec. 14, 1982).

84. Interview with James R. Young, Advisory Engineering Manager of Storage Technol

enneneinn in Iouisvilla Cola (Same 23 10821

462

DENVER LAW JOURNAL

[Vol. 60:3

In holding that a constitutional right of privacy exists, Griswold v. Connecticut 38 struck down a state statute that made it a crime to prescribe or use contraceptive devices.89 Justice Douglas found a right of privacy emanating from the penumbras of the first, third, fourth, fifth, and ninth amendments.9 90

The Court, however, has been reluctant to hold that a similar right to privacy exists for individuals in commercial settings. In 1976, the Court in United States v. Miller 91 held that a bank depositer has no "reasonable expectation of privacy" as to copies of checks, financial statements, and other documents that the bank depositer had supplied to the bank.92 The Court reasoned that because such records were merely business records, rather than private papers, and because the depositor voluntarily revealed personal affairs to the bank by surrendering these records, he took the risk that this information might be conveyed to others.93

In 1972, the Court in Laird v. Tatum 94 avoided the issue of whether the existence of a broad system of domestic surveillance by the United States Army "chilled" the first amendment rights of those who were the targets of such surveillance.95 Information concerning the activities of the plaintiffs in this class action had been stored in a computer at Fort Holabird, Maryland. This information was freely disseminated to numerous military and civilian intelligence officials throughout the country.97 The Court's holding was limited to a finding that the mere existence of broad governmental investigative and data-gathering activities was insufficient to constitute a justiciable claim.98 Writing for the majority, Chief Justice Burger added that the ruling intimated “no view with respect to the propriety or desirablity, from a policy standpoint, of the challenged activities. . . ."99 The dissent pointed out that danger exists as long as computer files are kept on the membership, ideology, and policies of any political activist group in the United States. 100

The latest Court decision dealing directly with this question of privacy occurred in 1977. In Whalen v. Roe,101 the Court held that as long as the security of the computer is adequate and the information stored therein is only passed to appropriate officials, sensitive information may be stored and

88. 381 U.S. 479 (1965).

89. Id. at 485.

90. Id. at 484. See also Roe v. Wade, 410 U.S. 113 (1973) (right of privacy includes the right to have an abortion); Katz v. United States, 389 U.S. 347 (1967) (overruling Olmstead v. United States, 277 U.S. 438 (1928)). Katz held that wiretaps without a warrant or the permission of at least one of the communicating parties was an illegal search, because the wiretap constituted an invasion of a reasonable expectation of privacy. 389 U.S. at 350-53.

91. 425 U.S. 435 (1976).

92. Id at 442. See also California Bankers Ass'n v. Shultz, 416 U.S. 21 (1974).

93. 425 U.S. at 440-43.

94. 408 U.S. 1 (1972).

95. Id. at 3.

96.. Id. at 6.

97. Id

98. Id. at 10.

99. Id at 15.

1983]

COMPUTERS AND PRIVACY

103

463

retrieved without an invasion of a person's right to privacy.102 Justice Stevens, writing for the majority, stated that the right to collect personal information "is typically accompanied" by a duty to avoid disclosure, and that the proper concern and duty were shown in this case. Justice Brennan, concurred, recognizing that databanks increase the opportunity for abuse of privacy and that future developments in computer technology may necessitate a judicial curb on that technology, 104

Although a number of privacy and computer-related cases have arisen since Whalen, none have gone beyond the court of appeals level.105 Consequently, the Court has yet to take up the issues foreseen by Justice Brennan.

B. The Legislative Response: Federal Statutory Developments

As a result of growing public concern about perceived abuses of privacy through computerized databanks and in response to the Supreme Court's reluctance to find constitutional violations of privacy in areas such as personal credit information, Congress enacted several statutes creating remedies for dealing with privacy violations.

1. Fair Credit Reporting Act of 1970

The first major legislation concerning credit data was the Fair Credit Reporting Act (Act). 106 The main provisions of the Act are intended to protect individuals from inaccurate reports and to prevent invasions of privacy. 107 The applicability of the Act is limited to reports for credit, employment, insurance, and related benefits. 108 To guard against inaccuracies, the Act gives the individual the right to access and to challenge data that a credit reporting agency may have in its data files. The statute also mandates procedural requirements for imposing civil penalties on credit reporting agencies if they fail to correct inaccurate information. 109 The Act allows the individual access to both the data and its source. If an individual is either completely or partially denied credit based on the credit report, the Act requires the creditor to disclose both the reason for the rejection and the

102. Id at 601-02.

103. Id at 605. Information in the databank included the names and addresses of everyone in New York who had acquired narcotic drugs such as opium and cocaine with a doctor's prescription. Id. at 591-93. The computer's security system included a locked wire fence, an alarm system, and off-line reading of the data files and tapes such that no computer terminal outside the computer could read or record the information. Id. at 594. The plaintiffs argued that the availability of their names and addresses from the databank created a concern that people in need of such drugs would refuse to seek medical assistance for fear of being discovered and stigmatized as drug addicts. Id. This argument was rejected. Id. at 603-04.

104. Id. at 607 (Brennan, J., concurring).

105. See, eg, United States v. Westinghouse Elec. Corp., 638 F.2d 570 (3d Cir. 1980); Ash v. United States, 608 F.2d 178 (5th Cir. 1979), cert. denied, 445 U.S. 965 (1980); Doe v. Webster, 606 F.2d 1226 (D.C. Cir. 1979); United States v. Choate, 576 F.2d 165 (9th Cir.), cert. denied, 439 U.S. 953 (1978); United States v. Roberto Benlizer, 459 F. Supp. 614 (D.D.C. 1978). 106. 15 U.S.C. §§ 1681-1681t (1976).

107. Id. § 1681a.

100

C. ORGANIZATION FOR ECONOMIC COOPERATION And DeveloPMENT, supra note 42,

110

[Vol. 60:3

The Act requires that an individual be notified within six months that a credit report has been requested. The scope and nature of the request and the name of the creditor requesting the information must also be divulged. Perhaps the most important provision in the Act gives an individual the right to challenge the accuracy of information contained in the credit reporting databank files. 112 As long as the challenge is neither frivolous nor irrelevant, the agency must reinvestigate and delete information found to be unverifiable. If the dispute is not resolved, the individual may file an account of the supposed inaccuracy with the credit reporting agency. This account must be included in all subsequent reports that the agency passes on to requesting creditors.

The Act also requires that reasonable procedures be followed by agencies in assuring the accuracy and proper use of credit information.113 If an agency is negligent in this area, an individual who is harmed may recover actual damages, costs, and attorney's fees.114 If the agency's action is willful, punitive damages may be awarded. 115 Criminal penalties, including fines up to $5,000 and/or imprisonment up to one year, may be rendered for the willful misappropriation or unauthorized disclosure of credit information. 116 Federal courts have jurisdiction over violations without regard to the amount in controversy. 117 To guard against invasion of an individual's privacy, the Act restricts the purposes for which credit reporting agencies may provide information. Proper uses include determining eligibility for additional credit and disclosure pursuant to a court order. 118 Limitations are imposed on the length of time certain derogatory information may be retained by the credit reporting agency. For example, bankruptcy information can be retained only fourteen years. 119 Arrest records, indictments, and convictions can be retained for only seven years.

120

The Act has certain weaknesses. It lacks a formal procedure to ensure that an individual be given due process and it provides a haphazard approach to deal with disputes about the accuracy of information in an individual's file.121 For example, objections and accounts by an individual in unresolved disputes concerning the accuracy of credit information are not reported retroactively to prior recipient-creditors of the individual's file. Further, the Act only mandates that a credit reporting agency provide the individual with an oral report of the contents of the credit files. The agency