Privacy Protection in Court Filings

PROTECTING CLIENT DATA IN COURT FILINGS

There is sufficient personal and private data revealed in a majority of court pleadings for a thief to hijack a individual’s identity and use it to commit identity frauds. These can take many forms, from simple larceny to complex identity crimes. An individual may not find out about the identity theft until they review their credit report or they are contacted by a debt collector. Although you can’t really steal someone’s identity, you can only use it, identity theft has become the commonly accepted term for this type of crime and fraud. The Federal Trade Commission estimates that each year up to 9 million Americans have their identities stolen. While some identity theft victims can resolve their problems quickly, others spend thousands of dollars and years repairing the damage to their good name and credit record. Victims of identity fraud lose out on job opportunities, are denied loans and pay more for credit because of negative information on their credit reports. They may also be arrested for crimes they did not commit. Experts say terrorism and identity theft go hand in hand. The al-Qaida training manual includes provisions for trainees to leave camp with five fake personas, says Judith Collins, an identity theft expert and a professor at Michigan State University. Terrorists are regularly schooled in the art of subsisting off credit card fraud while living in the United States, Collins said.

Crimes and fraud resulting from the unauthorized use of personal identifying information, like full names, Social Security numbers, credit card numbers and medical records, can be divided into five categories:
Financial Identity Theft, using another’s identity to obtain goods and services;
Criminal Identity Theft, posing as another when apprehended for a crime;
Identity Cloning, using another’s information to assume his or her identity in daily life;
Business/Commercial Identity Theft, using another’s business name to obtain credit;
Medical Identity Theft, accessing medical information for insurance fraud or to obtain medical care or drugs.
Medical identity theft and misuse of medical information doesn’t get the national attention that other types of identity theft receive, but it can wreak havoc on an individual’s health insurance and there is the added danger that an individual’s medical records may become altered and lead to mis-diagnosis and life threatening treatment. When medical records, statements of medical procedures and detailed bills or statements of account are not protected a number of abuses take place, such as: unauthorized secondary use of medical records, inaccuracies that are not corrected, discovery and disclosure of medical records by hackers and vendors, use of medical records by employers for employment decisions, and disclosure of medical records by and to individuals who do not have medical training.

Privacy Protection For Court Filings

Protection of individual personal, sensitive and private data in court filings is not a new or novel concept. The E-Government Act of 2002, 44 U.S.C. §§ 3500, et seq., contains provisions governing privacy of case file information. Federal courts were formally directed to immediately conform their local rules and practices to the Act by the Committee on Court Administration and Case Management, Judicial Conference of the United States. On May 16, 2003, the Uniform Local Rules of the United States District Courts for the Northern and Southern Districts of Mississippi enacted the Standard Operating Procedure Governing Protection of Personal and Sensitive Information and Public Access to Court Files in Accordance with the E-government Act of 2002.

These rules provided in part that personal identifiers are prohibited. The categories of information that were deemed by statute to be “personal identifiers” are not to be stated in pleadings or other court-filed documents, including exhibits, except as provided by the standard operating procedure. The rules also describe the Judicial Conference’s policy that certain other personal data identifiers must be partially redacted from the case file or pleading whether it is filed traditionally or electronically. Specifically listed as examples of “personal data identifiers”are:
1. Social Security Numbers;
2. Financial Account numbers;
3. Birth Dates.
The policy and local rules also contain cautions and restrictions on the disclosure of Sensitive Information and Data. The following categories of information were deemed “sensitive information” or “sensitive data”:
1. Personal identifying numbers, such as driver license numbers;
2. Medical records, treatments, and diagnoses;
3. Employment histories;
4. Personal financial information;
5. Proprietary or trade secret information.
The cautions, prohibitions and restrictions pertaining to personal identifiers presented in the standard operating procedure are equally applicable to this sensitive information and data.

The Fifth Circuit Court of Appeals recognized in Sherman v. U.S. Dept. of Army, 244 F.3d 357, C.A.5 (Tex.), 2001, “…that individual citizens have a substantial informational privacy right to limit the disclosure of their SSNs, and consequently reduce the risk that they will be affected by various identity fraud crimes.” The court spoke at length about privacy concerns, stating “the harm that can be inflicted from the disclosure of a social security number to an unscrupulous individual is alarming and potentially financially ruinous.”

Rules for Redacted Filings

Rule 5.2 of the Federal Rules of Civil Procedure and Rule 9037 of the Federal Rules of Bankruptcy Procedure are equivalent and contain, among others, sections on redacting, filing under seal, protective orders, and waiver. The most pertinent sections of the rules for this article are the Redacted Filings and Waiver of Protection of Identifiers.
(a) Redacted Filings.
Unless the court orders otherwise, in an electronic or paper filing with the court that contains an individual’s social-security number, taxpayer-identification number, or birth date, the name of an individual known to be a minor, or a financial-account number, a party or nonparty making the filing may include only:
(1) the last four digits of the social-security number and taxpayer-identification number;
(2) the year of the individual’s birth;
(3) the minor’s initials; and (4) the last four digits of the financial-account number.
(h) Waiver of Protection of Identifiers.
A person waives the protection of the Rule as to the person’s own information by filing it without redaction and not under seal.

The Gramm-Leach-Bliley Act

The Gramm-Leach-Bliley Act (GLBA), was designed to prohibit the disclosure of nonpublic personal information, finding that it is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information. The GLBA includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and Pretexting Provisions.

The GLBA gives authority to eight federal agencies and the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. These two regulations apply to “financial institutions,” which include not only banks, securities firms, and insurance companies, but also companies providing many other types of financial products and services to consumers. Among these services are lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts and an array of other activities. Such non-traditional “financial institutions” are regulated by the Federal Trade Commission.

The Financial Privacy Rule governs the collection and disclosure of customers’ personal financial information by financial institutions. It also applies to companies who receive such information, whether or not they are financial institutions. The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies to financial institutions that collect information from their own customers and to financial institutions “such as credit reporting agencies” that receive customer information from other financial institutions. The Pretexting Provisions protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as “pretexting.”

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), was enacted by the U.S. Congress in1996. The Administrative Simplification provisions, Title II of HIPAA, establish the national standards for the security and privacy of health data. These regulations create the appropriate standard of care for the protection of Individually Identifiable Health Information and were designed to prohibit the disclosure of Individually Identifiable Health Information, finding that it is the policy of Congress that medical information of individuals be protected, secure and confidential.

The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. The Privacy Rule section, which took effect on April 14, 2003, established regulations and standards for the use and disclosure of Protected Health Information. Protected Health Information is any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history. A covered entity may disclose protected health information to facilitate treatment, payment, or health care operations or if the covered entity has obtained authorization from the individual. However, when a covered entity discloses any protected health information it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose. HIPAA also provides that the standards, regulations and requirements established by the Secretary may not supersede any contrary State law that imposes more stringent privacy protections.

The Fair and Accurate Credit Transactions Act

The Fair and Accurate Credit Transaction Act of 2003 (FACTA) is most familiar for the required redaction of credit card numbers and expiration dates on credit card receipts, along with the $100 to $1,000 statutory penalties, punitive damages, attorneys’ fees and the absence of a cap on the total recovery. But FACTA also added new sections to the Fair Credit Reporting Act that were intended to help consumers fight identity theft. Privacy, accuracy, limits on the sharing of financial and medical information and new consumer rights to disclosure are included in FACTA. A careful reading of FACTA may yield violations and claims that can be used against parties who reveal private and personal data in court pleadings, filings and exhibits.

No Private Right of Action under The GLBA or HIPAA.

There is no private right of action for individuals under The Gramm-Leach-Bliley Act or The Health Insurance Portability and Accountability Act. Any allegation for violation of GLBA or HIPAA should refer to the statute as the appropriate standard of care for the protection, security and confidentiality of the nonpublic personal information and private data of the defendant’s customers or patients. Once the particular statute is asserted as the standard to which the defendant should adhere, you can use common law and tort claims such as invasion of privacy, intentional or negligent infliction of emotional distress, or enablement of identity theft as the means to enforce the standard. All businesses, corporations and entities subject to the GLBA and HIPAA are required to have their own privacy policy. Any disclosure of personal, financial or medical information would also be a failure to comply with their own privacy policy.

Claims and Damages

The recognition of the cause of action for invasion of privacy was explicitly recognized in Mississippi in Deaton v. Delta Democrat Publishing Co., 326 So.2d 471, 473 (Miss.1976), and in Young v. Jackson, 572 So.2d 378, 382 (Miss.1990), in which the Court adopted the Restatement (Second) of Torts § 652 D, which covers the public disclosure of private facts:
One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that (a) would be highly offensive to a reasonable person, and (b) is not of legitimate concern to the public.
An individual’s Social Security Number and other private nonpublic information are of no use and not legitimate concerns of the public. Interfering with the private concerns or affairs of a individual by disclosing this type of sensitive and personal information intrudes upon his or her right to privacy and creates an increased risk of identity theft. In addition to the financial chaos, this highly offensive conduct can be unhealthy to an individual’s mental and emotional well being. In many of these cases an award of punitive damages may be warranted.

A plaintiff who has suffered an increased exposure to identity theft is entitled to damages. These damages may consist of future credit monitoring, fees for security freezes and obtaining periodic credit reports and civil contempt and sanctions for violating the established policies, rules and orders of the court, injunctive relief to render the offending document inaccessible to the general public and compensatory and punitive damages, attorney fees, expenses and suit money. In collection type cases and bankruptcy cases you would want the underlying debt canceled as part of a settlement or judgment, thereby insuring additional claims and a future lawsuit when the creditor sells the debt to a new debt buyer or collector. The new lawsuit would include claims against the old creditor for violation of the settlement agreement or judgment and the new collector for Fair Debt Collection Practices Act violations in trying to collect the canceled debt.

A consent judgment in an Ohio lower court case ordered a law firm filing collection suits on behalf of a credit union to pay $350.00 per year to the plaintiff for a period of 10 years for credit monitoring. The plaintiff’s attorney found pattern and practice evidence that the law firm had revealed the private data of individuals in 57 other cases in the same court. The law firm was required to notify individuals in all 57 cases of the exposure of their private data and to redact the disclosures at their own expense.

Conclusion

There are free public access computers available in every federal clerk’s office. Pleadings are available on the internet through search engines and to anyone with a PACER account. State court paper files are open to the public and the Chancery Clerk’s office is a genuine treasure chest of identity information. Mississippi has no civil or consumer protection statutes for the safeguard of personal and private information. As plaintiff and consumer representatives we must be vigilant in protecting our clients’ information. Just think about how many people have access to a deponent’s Social Security number and other private data at a deposition and later when it is printed in a deposition transcript. We must be meticulous and defend against disclosure of this private data by the other side. It is no longer safe to put this information in pleadings or to automatically provide it to the other side in response to discovery requests.

About the Editor Frank Coxwell is a partner at Coxwell & Associates PLLC, in Jackson, MS., where he concentrates on consumer protection, consumer bankruptcy and predatory mortgage lending and servicing. He presents topics on bankruptcy, mortgages and foreclosure, consumer issues and technology at seminars across the country.

Disclaimer: This blog is intended as general information purposes only, and is not a substitute for legal advice. Anyone with a legal problem should consult a lawyer immediately.

Contact Information