Consumer's Handheld Guide to Privacy Protections
Ebook, 215 pages, 2 hours


About this ebook

Descriptions and legal citations for state and federal laws protecting personal information in the marketplace, at work, at school or at home. Selected categories from the Compilation of State and Federal Privacy Laws, 2010 ed.

Includes financial, credit, medical, school, government, insurance, and employment records, plus Social Security numbers, tracking technologies and telephone services.

Language: English
Publisher: R. E. Smith
Release date: Sep 2, 2010
ISBN: 9780930072070
Author

Robert Ellis Smith

Publisher of the consumer-oriented Privacy Journal newsletter since 1974; author of a 2004 acclaimed account of privacy in American history, a collection of all state and federal privacy laws, a directory of privacy professionals, and several other books and eBooks on privacy and surveillance. Author and journalist, based in Providence RI.


    Book preview

    Consumer's Handheld Guide to Privacy Protections - Robert Ellis Smith

    ABOUT THIS BOOK

    The original Compilation of State and Federal Privacy Laws published by Privacy Journal includes citations and descriptions of all of the laws affecting privacy, surveillance, and data collection that the researchers of Privacy Journal can find.

    In 2010 we created a revised edition of this reference book to serve consumers who need instant information about privacy protections, through a handheld device that they will have with them when confronted by demands for personal information.

    By subscribing to our monthly newsletter, Privacy Journal, you will learn immediately about new laws enacted in this field. A yearly subscription is available by calling or writing Privacy Journal.

    Privacy Journal’s survey of state and federal laws affecting the confidentiality of personal information is a continuing project, just as the development of fair information standards is an on-going process in each of the state capitals and in Washington.

    Our hope is to provide a readable tool that will give citizens interested in privacy a way to discover what protections have been enacted by Congress and state legislatures in the 50 states.

    Each statute has been cited by title, article (art.), chapter (ch.), paragraph (para.) and/or section (sec.) so that you may look it up in a statute book or online, in a revised (rev.) or annotated (ann.) version. You may visit a law library or write to the state capitol for a copy of a law or search on the Internet. Many times you can enter the statute number in a search engine and find the full text. Or you can use a search engine to find the laws of a particular state; then you can search or browse the text of the state’s code. Any county or state law library can help you find the texts of the laws if you have the citation. Many public libraries have state laws on file or can find them online.

    We have not included the boilerplate language requiring confidentiality in many state laws on specific topics, like drug treatment or adoption. And because of the universal nature of the husband-wife and attorney-client privilege, only a few were included in the category on privileges.

    All states have constitutional provisions similar to the First Amendment and Fourth Amendment of the United States Constitution; some have written into their state constitutions specific language protecting the right to privacy.

    Privacy Journal’s Consumer’s Handheld Guide to Privacy Protections is written and edited by Robert Ellis Smith, publisher of Privacy Journal, a lawyer, and author of Ben Franklin’s Web Site: Privacy and Curiosity From Plymouth Rock to the Internet.

    Chisheng Li, a graduate student at the University of Michigan, contributed to the editing of this consumer’s edition.

    Robert Ellis Smith

    May 2011

    With additional editorial assistance by ChiSheng Li

    Based on Compilation of State and Federal Privacy Laws,

    published by Privacy Journal regularly since 1975.

    ABOUT PRIVACY JOURNAL

    Privacy Journal, an independent newsletter, has been published monthly since it was founded in Washington in November 1974. The Washington Post called it "the most talked about Washington newsletter since I. F. Stone’s Weekly."

    Since 1986, Privacy Journal has been based in Providence, R.I.

    Privacy Journal maintains an extensive research collection of materials about privacy, in each of the areas cited in this book. Newsletter subscribers may take advantage of this research service and receive materials as they need them.

    You should also call or write us to reserve a copy of a future edition of our supplement to this edition of the Compilation of State and Federal Privacy Laws. If you wish to know when new editions of the supplement or the book are published, simply send us a note now or call, and we’ll notify you when a new edition is published.

    For a list of Privacy Journal’s other publications and/or a sample copy of the newsletter, please call or write. Privacy Journal, PO Box 28577, Providence RI 02908, 401/274-7861, fax 401/274-4747, [email protected], www.privacyjournal.net.

    Contents

    State and Federal Laws Described

    Bank and Financial Records

    Computer Crime

    Credit reporting and Investigations (including ‘Credit Repair,’ ‘Credit Clinics,’ Check-Cashing and Credit Cards)

    Electronic Surveillance (including Wiretapping, Telephone Monitoring, and Video Cameras)

    Employment Records

    Government Information on Individuals

    Identity Theft

    Insurance Records (including use of Genetic Information)

    Library Records

    Mailing Lists (including Video rentals and ‘Spam’)

    Medical Records (including HIV Testing)

    Miscellaneous (including Breast-Feeding and Non-Electronic Visual Surveillance)

    Polygraphing in Employment

    Social Security Numbers

    Student Records

    Telephone Services (including Telephone Solicitation and Caller ID)

    Testing in Employment (including Urinalysis, Genetic and Blood Tests)

    Tracking Technologies

    BANK AND FINANCIAL RECORDS

    Alabama–A bank shall disclose financial records of its customers pursuant to a lawful subpoena, summons, warrant, or court order issued by or at the request of a government agency. No bank shall be held civilly liable or criminally responsible for disclosure of financial records pursuant to such legal process when it appears on its face to be valid. A note to the law says that customer records should be disclosed only upon legal process. Ala. Code sec. 5-5A-43.

    Alaska–All books and records of savings and loan associations pertaining to accounts and loans of members shall be kept confidential. Alaska Stat. sec. 06.30.120. Bank records are confidential and shall not be made public except by court order, as required by state or federal law, when authorized, or to holder of negotiable instrument. When disclosure is required, the depositor must be notified unless disclosure is made under a search warrant. Sec. 06.05.175.

    California–A bank customer is entitled to a ten-day notice before a state investigator can obtain records about the customer’s financial affairs from the bank. Notice not required if a judge determines that law or state regulation has been or is about to be violated. Cal. Govt. Code sec. 7460.

    The Financial Information Privacy Act prohibits financial institutions from sharing or selling personally identifiable non-public information without obtaining a consumer's consent (opt-in). It provides for a plain-language notice of the privacy rights it confers. Consumers must be given the opportunity to opt out of sharing with a financial institution’s affiliates. Fin. Code sec. 4050.

    Connecticut–A customer’s records may not be disclosed by a financial institution without legal process or other specifically listed circumstances. Conn. Gen. Stat. Ann. 36a-41 through 45. The disclosure provisions of the federal Financial Modernization Act of 1999 are incorporated into state law applicable to banks, credit unions, and out-of-state trust companies.

    Florida–The state may require banks operating electronic funds transfer systems to inform customers of their protection policies including protection against wrongful or accidental disclosures of confidential information. In its annual report a bank must disclose procedures for the protection of a customer’s privacy and confidentiality of account information and discuss who has access to a customer’s account information and under what circumstances. In addition, a customer’s Social Security number may not be used as a personal identifying number in electronic systems. Fla. Stat. Ann. sec. 659.062.

    Illinois–Bank disclosure of customer information is prohibited without customer authorization, a subpoena or regulatory agency request, or credit exchange. $1000 fine. 205 ILCS 5/48.1.

    Iowa–Satellite terminals or data processing centers are not to permit any person to obtain information concerning the account of any person with a financial institution, unless such information is essential to complete or prevent the completion of a transaction then being engaged in through the use of that facility. Iowa Code Ann. sec. 527.10.

    Louisiana–A financial institution or credit card company may not release personal credit or financial information except under subpoena with advance notice to the customer, except for exchanges among credit grantors and other businesses and for non-tax law enforcement investigations. La. Rev. Stat. Ann. sec. 9:3571.

    Maine–Bank records are confidential, except for matching of government records, for supervisory audit, with consent of the individual, or by legal process. Me. Rev. Stat. Ann. title 9-B, sec. 161.

    Maryland–A fiduciary institution may not disclose any financial records unless customer has authorized disclosure or unless records are subpoenaed; subpoena must be directed to institution and customer at least 21 days prior to disclosure. Md. Fin. Inst. Code Ann. sec. 1-302. See also Credit Reporting.

    Massachusetts–No person may (1) condition the extension of credit on participation in an electronic funds transfer system, (2) require a consumer to accept an electronic fund transfer service or establish an account as a condition of employment or receipt of government benefits, or (3) condition the sale of goods or services on a customer’s paying by electronic means. Mass. Gen. Laws Ann. ch. 167B, sec. 7.

    A provider of electronic banking services may not disclose customer information except to the customer or with his authorization, to a party to the transaction, to government regulators, to auditors, to a consumer reporting agency, to the representative of a collection agency, or pursuant to legal process. There must be reasonable procedures to prevent unauthorized disclosure. Ch. 167B, sec. 16.

    Banks are required to disclose, when requested by the state, the amount of deposits held by a recipient of, or an applicant for, public assistance. Ch. 18, sec. 15.

    Minnesota–All banks must report quarterly the Social Security number, address, and all account information on any non-custodial parent owing child support. A bank may comply by providing the state a list of all its account holders and identifying numbers. Minn. Stat. Ann. Sec. 13B.06.

    New Hampshire–No state or local investigator may get financial or credit information about an individual from a financial institution or credit reporting agency unless described with particularity and consistent with the scope and requirements of the investigation. N.H. Rev. Stat. Ann. sec. 359-C.

    New Mexico–All financial services and insurance companies must receive permission (opt-in) from customers before disclosing account information to unaffiliated entities. Customer data may be disclosed to process a transaction or to comply with a legal process, according to a rule issued by the Public Regulation Commission. N. M. Stat. Ann. sec. 59A-4-3.

    North Carolina–It is the policy of this state that financial records should be treated as confidential and that no financial institution may provide to any government authority and no government authority may have access to any financial records . . . unless the financial record is described with reasonable specificity and access is sought pursuant to . . . customer authorization or 12 U.S. C. 3401 or court order. There are other exceptions. N.C. Gen. Stat. 53B-1.

    North Dakota–Banks may not disclose personal information to anyone (even the government) if a customer opts out, unless there is valid legal process or other specific conditions are met. N. D. Cent. Code sec. 6-08.1-03, amended in 2001.

    Bank customer information may not be disclosed for marketing and other purposes unless a customer provides consent (opt-in). Cent. Code secs. 6-08.1-01 to 6-08.1-08.

    Oklahoma–A financial institution is prohibited from giving, releasing or disclosing any financial record to any [state] government authority unless it has written consent from the customer for the specific record requested; or it has been served with a subpoena and a copy of the subpoena is served on the customer before it is served on the financial institution. The customer has 14 days to challenge the demand for his or her financial records. Okla. Stat. title 6, sec. 2201-2206.

    Oregon–A financial institution is prohibited from disclosing customer information to a state or local agency, unless there is a suspected violation of law, unless the customer consents, or unless the government follows procedures similar to those in the federal Right to Financial Privacy Act. Or. Rev. Stat. sec. 192.550.

    Utah–Any bank may report to any other bank or credit reporting agency in the state that an unsatisfactory demand deposit account has been closed out. There is no liability for any error or omission in such reports. Utah Code Ann. sec. 7-14-1.

    Vermont–There is a limitation on disclosure of personal information by financial institutions, except to certain governmental agencies, credit bureaus, or check-authorization services. 8 Vt. Stat. Ann. 10203.

    Federal law–Financial institutions and their service organizations must provide customers a clear and conspicuous description of their disclosure policies and provide a means for customers to opt out of such disclosures. But institutions may disclose customer information to an outside marketing firm if it promises not to re-disclose it. And the 1999 law permits free exchanges of customer data within a corporate family (affiliate sharing). Under the law, states may enact stiffer restrictions. 15 U.S.C. 6801-6809.

    Nearly all federal investigators must present proper legal process or formal written requests to inspect the financial records of an individual kept by a financial institution, including a credit card company. The federal agent must give simultaneous notice to the individual, who then has an opportunity to challenge the access, under the federal Right to Financial Privacy Act of 1978. 12 U.S.C. 3401.

    Within 120 hours, banks and credit-card companies must give the government access to any account information demanded in any investigation into money laundering. 31 U.S.C. 5318.

    Banks must conduct due diligence to report transactions that look suspiciously like money laundering. Financial institutions must know your customer and report unusual or suspicious patterns by customers. Sec. 314(b) of PL 207-56.

    Any person engaged in a trade or business must file a government report if a customer spends $10,000 or more in cash. 31 U.S.C. 5331.

    Financial institutions must meet minimum standards set by the Department of Treasury for identifying any person opening a new bank account. 31 U.S.C. 5318.

    The Internal Revenue Service must provide a customer 14 days’ notice when it issues an administrative summons to see records at a bank or other financial institution. After receiving this notice, the customer then has a right to intervene in any proceeding with respect to enforcing the summons and may suspend compliance with the summons if he notifies the IRS and the bank within the 14-day period. In that case, a federal district judge will decide on whether to enforce the summons. The court may allow IRS to waive the notice requirement in exceptional circumstances. The law also requires IRS to notify a court when it seeks the financial records of a class of persons under a John Doe summons without specific names. Credit unions, consumer reporting agencies, credit card companies, brokers, attorneys and accountants are subject to these same provisions when they are holders of a third party’s business records. 26 U.S.C. 7609.

    Intentionally accessing a computer without authority and thereby obtaining information from a financial institution, card issuer, or consumer reporting agency is a crime. 18 U.S.C. 1030. See Computer Crime.

    The Electronic Funds Transfer Act requires institutions operating electronic banking services to inform customers of the circumstances under which automated-banking account information will be disclosed to third parties in the ordinary course of business. 15 U.S.C. 1693c(a)(9). See also 12 Code of Federal Regulations 205.10.

    Amendments to the Fair Credit Reporting Act in 2003 allow financial institutions to disclose account information for marketing purposes to affiliated companies only if they offer an opt-out opportunity. 15 U.S.C. 6801-68-9.

    A 2005 regulation states that the Financial Modernization Act, 15 U.S.C. 6801-6809, requires financial institutions to make security-breach notifications to customers.

    COMPUTER CRIME

    Including ‘Security-Breach Notifications’

    Alabama–The Computer Crime Act punishes offenses against intellectual property – accessing, communicating, examining, modifying, or destroying computer data without authorization. Unauthorized disclosure of data is a crime. Ala. Code 13A-8-101.

    Alaska–Property in the state’s criminal code includes intangible personal property including data or information stored in a computer program, system, or network. Alaska Stat. sec. 11.81.900(b)(48). Sec. 11.46.200(a)(3) defines the unauthorized use of computer time as theft of services.

    An entity must report to an individual affected any losses of personal data unless it determines that no harm will result. Stat. sec. 45.48.010.

    Arizona–State law defines types of crimes using computers and makes them punishable as felonies. Ariz. Rev. Stat.
