A recent decision from a federal magistrate judge in Virginia highlights the need for businesses—and their attorneys—to understand the technology their employees use and the risks associated with that technology, especially when confidential information is involved. The plaintiff in Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15 cv 00057, 2017 U.S. Dist. LEXIS 18714 (W.D. Va. Feb. 9, 2017), used an online file-sharing service to exchange files with multiple users (including its counsel) at different times. Because the plaintiff did not limit access to the files by means of a password requirement or other control, opposing counsel was able to obtain the plaintiff’s confidential legal files. Describing the plaintiff’s actions as equivalent to publishing the files on the Internet, U.S. Magistrate Judge Pamela Meade Sargent held that both the attorney-client privilege and work-product doctrine had been waived. The court also sanctioned the defendant’s counsel for improperly accessing the unsecured files and not notifying opposing counsel of their privileged nature.

Notably, the Harleysville court indicated that both the plaintiff and its counsel should have recognized that the files were unprotected and acted sooner to preserve confidentiality. Indeed, an unintended disclosure like that in Harleysville is highly avoidable. With respect to file-sharing technology specifically, businesses should implement effective controls, such as password protections and file-availability time limits, to prevent unauthorized disclosure of confidential information. With respect to technology generally, businesses should adopt and enforce a comprehensive program of information-security policies, and then train employees on those policies. Law firms would also do well to adopt these practices, as they will enable attorneys to better meet their own confidentiality obligations and to identify risks in their clients’ practices.

Harleysville’s Failure to Limit Access to Files Results in Inadvertent Disclosure

In Harleysville, Harleysville Insurance Company (Harleysville) sought a declaratory judgment that it did not have to cover the claim of Holding Funeral Home, Inc. (Holding) for a 2014 funeral-home fire. An investigator for Nationwide Insurance Company (Nationwide), which owns Harleysville, uploaded a video about the fire damage to the file-sharing service of Box, Inc. (Box). On September 22, 2015, the Nationwide investigator sent an e-mail to a contact at the National Insurance Crime Bureau (NICB) with a hyperlink to the Box site. Although that e-mail contained a “confidentiality notice” indicating the e-mail contained privileged and confidential information and was subject to restrictions on its unauthorized disclosure or use, the file placed in the Box site was not password protected and was accessible by anyone who used the hyperlink.

Several months later, in April 2016, the Nationwide investigator used the same Box site to upload Harleysville’s entire claims file and Nationwide’s entire investigation file relating to the fire loss for the purposes of providing those files to Harleysville’s counsel. The investigator then sent an e-mail to Harleysville’s counsel with the same hyperlink he previously gave to the NICB contact.

In May 2016, the NICB responded to a subpoena from Holding by producing documents received from Harleysville, including the Nationwide investigator’s e-mail with the Box hyperlink. Holding’s counsel then used the hyperlink to access the Box site, which at that point contained the entire claims files of Harleysville and Nationwide. Holding’s counsel downloaded and reviewed those materials without providing any notice to Harleysville’s counsel.

Harleysville’s counsel did not discover the disclosure of the files on the Box site until October 27, 2016, after reviewing a thumb drive of discovery that Holding had produced in August 2016. In its initial review of that production, Harleysville’s counsel discovered it contained materials that were potentially privileged that the defendant had inadvertently produced. After contacting defense counsel and upon their request, Harleysville’s counsel destroyed the privileged documents that had been produced by the defense. For some reason, Harleysville’s counsel did not discover that the thumb drive also contained its own client’s claims file until late October. On November 2, 2016, Harleysville’s counsel requested that Holding’s counsel destroy its copy of the claims file, but by that time Holding and all of its counsel had reviewed the materials that were posted to Box. At some point thereafter, the plaintiff finally disabled the Box site.

Harleysville filed a motion to disqualify Holding’s counsel, arguing that defense counsel had improperly used the hyperlink to gain unauthorized access to Harleysville’s privileged materials. Holding opposed the motion, countering that Harleysville’s placement of the materials on Box, where it could be accessed by anyone, waived any claim of privilege or confidentiality. Although it conceded the files had been intentionally uploaded to Box, Harleysville argued that it had not waived privilege because it never authorized or intended disclosure of the files to anyone other than the NICB and its own counsel.

Failure to Limit Access to Files Available on the Internet Waived Privilege

Applying Virginia state law and precedent, the court found that, although Harleysville’s disclosure was inadvertent, it nonetheless waived the attorney-client privilege. The evidence showed that Harleysville failed to take “any precautions” to prevent disclosure of the information uploaded to Box. The court noted that the Nationwide employee had previously used the Box site and therefore knew or should have known that the information was unprotected. The disclosure was “vast” because the information was available to anyone who had access to the Internet. In addition, because Harleysville’s counsel used the unprotected hyperlink to access the information in April 2016, the court found that they knew or should have known the information was accessible on the Internet (but failed to take any remedial action until access to the site was finally blocked six months later). For similar reasons, the court also held that Harleysville had waived the work-product privilege under federal law.

Significantly, the court described the failure to password-protect the materials on Box as “the cyber world equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” The court found it “hard to imag[ine] an act that would be more contrary to protecting the confidentiality of information than to post that information to the world wide web.”

As a matter of public policy, the court urged businesses to exercise caution when using “rapidly evolving” technology to share information. Because a company controls the decision on whether to use new technology, it “should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

Defense Counsel Acted Improperly by Accessing Files Despite Privilege Flags

The court also criticized the conduct of Holding’s counsel, finding they acted improperly in accessing the Harleysville materials. The court assigned significance to the fact that the e-mail that contained the Box hyperlink had included a confidentiality notice that “should have provided sufficient notice to defense counsel that the sender was asserting that the information was protected from disclosure.” According to the court, Holding’s counsel should have realized, based on the confidentiality notice in the e-mail, as well as the extent of the materials on the Box site, that the materials were subject to privilege or other protection. Accordingly, they should have notified Harleysville’s counsel and sought a determination from the court regarding privilege and other protections before using or disseminating the information. Holding’s counsel had even consulted the state bar ethics hotline about the access, undermining their claims that they believed the access was proper.

Harleysville sought disqualification of Holding’s counsel, but the court found it not warranted because substitute counsel would have access to the same information in light of the privilege/protection waiver. Instead, the appropriate sanction was for Holding’s counsel to bear Harleysville’s costs to seek the court’s ruling on the matter.

Technology Provides the Problem but Also the Solution

Although Harleysville involves the pitfalls of file-sharing services, the case offers lessons that are applicable to the use of any new technology. Simple precautions can avoid, or at least mitigate the damages from, the risks that technology poses to confidential information.

To begin with, a business would be wise to require its employees to use only technology that the company has vetted and approved. The company should consider whether the service has the security features and other criteria that the business deems appropriate in light of the sensitivity of the information at issue and the threats to it as identified by the company. Because many file-sharing services operate in the Cloud, with respect to that particular technology this may include analysis of such questions as: What security protections are utilized, and how frequently are they tested and updated? Where will the service provider store the company’s information? Who will have access to the files and under what conditions? How long will the provider retain the data? How and when are backups conducted?

In addition to requiring that employees use only a company-approved file-sharing service, the company may also determine that employees’ use should be subject to certain security controls available within the service. For example, as Harleysville demonstrates, access to confidential files should be restricted (and perhaps tracked) by requiring the authorized users to enter a password or log-in information to obtain the files. Access can be further restricted by requiring multifactor authentication by which a second user-identifying factor beyond a password is necessary to gain access.

Another potential security control is to limit access to folders within the service to persons designated as authorized users. Separate folders can be established for specific target users. As to external users, this can limit permitted users to viewing only that information to which they are intended to have access. On an internal basis, limited access can serve to enforce ethical walls and need-to-know policies within the company. As a further precaution, the business can require that confidential information be encrypted before it is placed in a file-sharing service. That way, only intended recipients who have been given both access to the folder within the file-sharing service and the encryption key can access the sensitive information.

Beyond the need for password protections, Harleysville also illustrates the risk in making files accessible for a longer period than necessary. That risk can be reduced by ensuring the online file-sharing service does not become a long-term repository for sensitive information. A business can implement policies that prescribe how long files can remain posted in a file-sharing service, or even impose settings that automatically delete files after a specified period. The person sharing the file can implement security controls within the service to limit the time the file is accessible to designated users, as well as the number of times a file can be downloaded. Some services will also permit an organization to claw back documents after having been downloaded, so that a person accessing the file has only a temporary copy of the document.

Policies and Training Are Also Important in Data Protection

Although technology is certainly an important component of a company’s overall data-protection program, having effective policies in place is another key element. A company should strive to have a comprehensive scheme of policies that is tailored to address its specific needs in terms of protecting confidential information. Depending upon the company’s goals and the categories of information at issue, the policies may address such matters as limiting access to information based upon an employee’s need to know for his or her job role, mobile-device use and bring-your-own-device programs, remote network access, secure destruction of data kept in electronic and paper format, and monitoring of employee activity within the company’s network (including infiltration and exfiltration of data to and from the network and via other technology platforms, such as file-sharing services).

However, it does little good to adopt policies if the company does nothing to enforce them. A strong first step toward enforcement is education. Employees must be trained on the company’s policies. Ideally, this will be accomplished through a company-wide program that provides security-awareness training for employees at all levels of the company, from the executive suite to the lowest-ranking staff. A company may find it is effective to have different types of events and outreach, from in-person presentations by outside consultants, to e-mails with information-security tips, to online training exercises. It is also important that employees know who to contact with questions or concerns about policies and information protection. The goal is to ensure that employees know how the company expects them to handle confidential information and to enable them to identify and respond appropriately to matters that threaten the preservation of confidentiality.

Technology controls and security training could have gone a long way toward avoiding the Harleysville scenario. The opinion did not discuss whether the Nationwide employee was authorized to use Box as a file-sharing service, with or without password protections or other controls. Nor did it discuss the Nationwide employee’s previous use of Box in detail, although the court assumed that his previous use meant he was familiar with the site and the features available to protect information on it. That may have been true (or not), depending on how often he utilized the site and how frequently it underwent updates that changed its features. In any event, the opinion suggests there were less than adequate controls and training in place. In addition, the waiver of privilege surely has a detrimental effect on Harleysville’s success in the underlying coverage litigation, but a company could find itself in a worse position if the information improperly disclosed by an employee includes that of third parties who have entrusted it with their sensitive or legally protected information. In that instance, the company may find itself having to comply with federal or state laws that require notification when certain personally identifiable information is disclosed and potentially may face litigation over the disclosure.

Harleysville informs us that law firms likewise would bode well to employ technology controls and training programs. The court signified that plaintiff’s counsel should have realized the unprotected status of its client’s files because counsel itself used the unprotected link to access the files. In doing so, the court struck at the heart of an attorney’s ethical obligation of competency, which as adopted in most states includes having knowledge concerning the risks and benefits of relevant technology. Unless Harleysville’s attorneys had previous exposure to file-sharing services and their features, the attorneys likely would not have appreciated that access controls were not in place. Likewise, if the attorneys had a subordinate employee (such as a paralegal) access the files, the attorneys would be dependent on the subordinate to realize the risk to confidentiality and raise it with the supervising attorney. A firm-wide training program could help both attorneys and staff develop their technology competence and skills in spotting vulnerabilities that threaten the confidentiality of their clients’ sensitive information.

The Harleysville court afforded great significance to the confidentiality notice in the e-mail that was used to initially forward the Box hyperlink, but the case demonstrates how ineffective that type of notice is for protecting sensitive information. It is common for businesses (attorneys especially) to include a confidentiality notice at the bottom of their e-mails. Typically, such notices are boilerplate, automatically appended at the very end of an e-mail, following the confidential message they are meant to protect, and often ignored as part of the “wallpaper effect.” Technology provides much more effective methods for protecting confidential information, such as password protection and encryption. As a lesson from Harleysville, businesses and attorneys would be well served to educate themselves about those alternatives and the pitfalls of and best practices for using them.

This is the third article in a three-part series exploring Europe’s Right to be Forgotten in the context of an American Right to Dispute Personally Identifiable Information directly with private entities, such as consumer reporting agencies or search engines. It reaches the conclusion that based on the magnitude of consumer-specific data in the possession of such private entities, the debate has shifted from the inherent fairness of generating temporary “snapshots” of creditworthiness or moral character to the fundamental control of one’s identity in light of the “commoditization of the individual.”

***

The Commoditization of the Individual: Who Legally Controls Information Equating to One’s Identity?

Data, particularly consumer data, has been officially labeled “the new oil.” This metaphor characterizes the observation or notation of one’s personally identifiable information (PII), such as one’s biometrics, DNA, geolocation history, Internet browsing history, or character, as a commodity, and commodities may be “exploited.” In one sense, the exploitation of a commodity involves the process by which a raw material is processed to serve a more valuable purpose. In another sense, such an exploitation may infer the receipt of an unfair benefit at the expense of another. The Digital Age is set to experience the production of more than 163 zettabytes (i.e., one-trillion gigabytes) of data per year by 2025, much of which will be consumer-specific. Andrew Cave, What Will We Do When The World’s Data Hits 163 Zetabytes in 2025?, Forbes.com (Apr. 13, 2017). How will such massive quantities of consumer data be used? The FTC has found that within large companies known as data brokers, individual profiles have been created on nearly every U.S. consumer for the purpose of discriminating between them. Edith Ramirez, et. al., “Data Brokers: A Call for Transparency and Accountability,” FTC Rep. 8, 46 (2014). Data brokers do not generate consumer reports, however, and are subsequently not regulated by existing U.S. consumer-protection or privacy laws limiting who and for how long one may see negative information prior to being “forgotten.” Thus, any exploitation of such data remains unregulated. This article will explore existing exploitations of PII that are resulting in the consolidation of massive troves of comprehensive, consumer-specific PII that may equate to the commoditization of one’s identity.

The Existing Exploitation of PII in Relation to Individual Liberty

Automobiles need oil to function. Petroleum requires refinement for an automobile to operate as expected. The exploitation of crude oil serves an important purpose in allowing individuals to travel according to their needs or desires. Such an exploitation enhances individual autonomy and liberty. Servitude, on the other hand, allows one individual to take unfair advantage of the fruits of the labor of another individual. Such exploitations significantly diminish individual autonomy and liberty. Meanwhile, slavery and indentured servitude facilitate a mechanism of empowering one individual to comprehensively control another individual’s person. Such exploitations decimate individual autonomy and liberty. Consequently, the spectrum for interpreting the meaning of an exploitative act—in terms of liberty—is one of degrees ranging from augmentation to annihilation. Perhaps George Orwell was right about the notion of “doublespeak” in that no term is more fitting to describe existing collection and consolidation efforts of PII than the term “exploitation.” Current collection efforts have both the power to enhance individual liberty or extinguish it. The key will be determining the core purpose for which PII is collected.

PII is primarily gathered and aggregated for marketing and predictive analytics, people-search functions, risk mitigation, and predictive voting models.

• Marketing and Predictive Analytics. The FTC recognized that large data brokers consolidate aggregate PII for the purpose of utilizing predictive analytics to discriminate among consumers regarding their race, economic status, age, credit worthiness, health status, familial status, and propensity to default to or engage in a crime, etc. Ramirez at 19–21, App’x B. Marketing purposes include thousands of data points designed to consolidate an individual’s prior actions for the purpose of predicting future behavior (i.e., predictive analytics). Id. For example, Cambridge Analytica has created profiles consisting of: (i) demographics/geographics (e.g., age, gender, ethnicity, race, income); (ii) “psychographics” (i.e., advertising resonance, consumer data, lifestyle data, political engagement, cellular/mobile opinions); and (iii) personality to predict how an individual will act when confronted with a specific purchasing decision or an opportunity to vote. Alexander Nix, The Power of Big Data and Psychographics, Concordia Summit (Sept. 27, 2016), available at https://www.youtube.com/watch?v=n8Dd5aVXLCc.
• People Search. Data brokers are engaged in consolidating broad data sets for the purpose of tracking and locating specific individuals. According to the FTC, these products allow users to “research corporate executives and competitors, find old friends, look up a potential love interest or neighbor, network, or obtain court records or other information about consumers.” Ramirez at 34.
• Risk Mitigation. Data brokers engaged in risk mitigation provide services that allow users to conduct identity verification and fraud prevention. For example, financial institutions utilize these services to comply with “know your customer” identity verification requirements pursuant to the USA PATRIOT Act. Ramirez at 32–33 (e.g., knowledge-based authentication (KBA) and fraud detection).
• Predictive Voting Models. Data brokers engaged in predictive voting models aggregate thousands of types of PII for the express purpose of predicting how an individual will react to voting advertisements or propaganda. See, for example, Nix (discussing the “OCEAN” Paradigm (i.e., Openness, Conscientiousness, Extraversion, Agreeableness, and Neuroticism)).

These efforts have both the power to increase individual liberty or suffocate it. On the one hand, individuals may receive enhanced product offerings with expedited purchasing options, increased social connectivity, better searchablity of public or private figures, enhanced digital security when engaging in sensitive online financial transactions, or more relevant political information during elections. On the other hand, all such records containing aggregate PII in possession of these entities—by virtue of existing—are discoverable by government authorities, exposed to significant risks of unauthorized access or theft, and may be used in illegally discriminatory ways to limit, inter alia, the individual’s ability to access credit (i.e., mortgage, educational loans or auto loans) or procure certain types of employment. Consequently, existing exploitations are in need of effective regulation to ensure that such information is not misused.

Scope of Collection Efforts

Data brokers acquire PII not from the individuals themselves, but from other businesses or government entities. Ramirez at iv, 49. Consequently, data brokers afford no choice or consent options to the individuals impacted by the collection of such data. There are both government and private actors, such as administrative agencies like the NSA, data brokers, search engines, social media giants, and consumer reporting agencies, that have feasible and independent capacities to collect and store vast quantities of data on each of the approximately 8 billion people presently living on this planet. See, for example, Utah Data Center (last visited Aug. 25, 2017) (stating that one facility has the capacity to store one yottabyte of data). For example, Facebook alone has confirmed that it has consumer-specific data on nearly one-quarter of the entire global population. Jack Flemming, Facebook reaches 2 billion users, L.A. Times (June 27, 2017). The FTC has confirmed that individual data brokers each house billions of consumer transactions. This information is consolidated into profiles on nearly every U.S. consumer and used to generate millions to billions of dollars for these entities. Ramirez at 8, 23; IAB Internet Advertising Revenue Report, IAB.com (2017). There are approximately 2,500 to 4,000 data brokers in the United States alone. E.g., Paul Boutin, The Secretive World of Selling Data About You, Newsweek (May 30, 2016). Thus, existing collection efforts have the technological capacity to collect and store consumer-specific data on every human being on Earth.

Furthermore, each data broker has the capacity to consolidate PII and categorize it for discriminatory purposes based on thousands of criteria, ranging from household size, personal relationships, societal memberships, personal preferences, medical-related purchases, employment activity, educational opportunities, and political and religious leanings, to name a few. See Ramirez at App’x B. Such PII may include government IDs, biometrics, account numbers, purchase histories, etc. See, for example, Ramirez at 11–15; Adam Schwartz, End Biometric Border Screening, EFF.org (Aug. 9, 2017). In fact, the power now exists to create independent registries that may be synonymous with the power to control one’s actual identity within society. Such entities have converted the intangible nature of one’s existence into intellectual property that may be purchased and sold without any regard to the choice or the consent of the individual. Thus, private and public entities have power to commoditize one’s identity.

Can PII Ever Equate to an Individual’s Identity?

PII has been defined as any information about an individual, such as data that can “distinguish or trace an individual’s identity” (e.g., name, Social Security number, date and place of birth, mother’s maiden name, or biometric records) or that is “linkable to an individual” (e.g., medical, educational, financial, and employment information). NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), ¶2.1 (2010). The U.S. Constitution was drafted in a day when an individual’s “papers and effects” were physical tangible pieces of property. U.S. Const. amend. IV. The Founders’ intent on codifying this natural right likely had little to do with protecting the intrinsic value of the actual paper or effect in question, and everything to do with protecting the information or content contained thereon. Consequently, it was the information that might be revealed via an illegal search or seizure that was protected. Thus, the right to control one’s personal information has always been a protected Constitutional interest.

In the 21st century, property has been transferred into bits and bytes of data that may seamlessly and instantaneously flow across intercontinental land masses via satellite or Internet transmission. An individual’s “person” in terms of character, creditworthiness, thoughts, desires, geolocation, biometrics, DNA, expenditures, business ventures, religious, political, or social preferences may now be gathered, processed, consolidated, sold, purchased, and transferred into registries that have the potential of defining who they are, what their potential is, and what their social desirability is without ever physically entering their home or their land or without coming into contact with their physical person. These essential elements of a person, having been reduced to bits and bytes of data, have effectively transformed the person into property.

In isolation, PII is a reproduction, a writing, or a record of a physical object, characteristic, attribute, behavior, or action of an identifiable human being extant in the tangible world. In its simplest form, PII is merely the annotation of data like a name or address. When aggregated, however, PII has the potential of becoming the digital equivalent of a living person’s identity. If an unauthorized third party spied on another person and collected saliva samples containing DNA, fingerprints, faceprints, complete lists of past addresses, employers, educational institutions attended, and close relationships, journals, thoughts, ideas, desires, innovations, writings, wants, purchase histories, vacation destinations, acts of religious observance, political statements and leanings, and economic status, would the law grant a superior property right to that individual in relation to the person to whom the data related? The answer lies in whether aggregated PII may become something more than property: a right to control one’s identity.

Does an Enforceable Cause of Action Exist to Safeguard the Right to Control One’s Identity?

Currently, many scholars and practitioners most closely categorize the harm associated with an unauthorized collection of PII with protections afforded by the fundamental right to privacy. The harm, however, transcends right to privacy precedence because the control of one’s identity is fundamental to liberty. When analyzing government actors, the Supreme Court has bifurcated the fundamental right to privacy subjecting data privacy to rational basis review, thus allowing government actors to easily subvert such privacy rights. See Whalen v. Roe, 429 U.S. 589, 598 (1977). With regard to private actors, the FTC observed that data brokers are not currently regulated under the Fair Credit Reporting Act (FCRA) or other federal consumer-protection laws because data brokers do not generate “consumer reports.” Given that there is no direct relationship with a consumer, UDAAP laws, Dodd-Frank, and Gramm-Leach-Bliley arguably do not apply. Thus, analyzing the unauthorized collection of PII pursuant to existing right to privacy precedence equates to analyzing the harm associated with this conduct in a laissez-faire economy or deregulated environment. The individual is thus subject to the will of those with far greater resources to track or acquire their PII. See Mark T. Andrus, Not without My Consent: Preserving Individual Liberty in Light of the Comprehensive Collection and Consolidation of PII, 20 J. Internet L. 9 (Mar. 2017).

There exists another relevant aspect of the right to privacy that goes beyond a “right to be let alone” to a right “to not be harmed.” Cf. Samuel D. Warren & Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890); Thomas McIntyre Cooley, A Treatise on the Law of Torts or the Wrongs Which Arise Independent of Contract 29 (2d ed. 1888) (expounding a right of complete immunity to be free from injury). William Prosser propounded that the right to privacy was rooted—in relevant part—in the tort of appropriation. He defines an “appropriation” as the “exploitation of attributes of a plaintiff’s identity.” William L. Prosser, Privacy, 48 Cal. L. Rev. 383, 401 (1960). The Supreme Court later affirmed this definition. See, for example, Zacchini v. Scripps-Howard Broad. Co., 433 U.S. 562, 571 (1977). The Restatement Second of Torts requires “the appropriation [i.e., taking] of another’s name or likeness for the use or benefit [i.e., gain] of the defendant.” Restatement (Second) of Torts § 652C. The right is designed to protect a person against the harm of forfeiting something of value (i.e., profit) associated with the individual’s identity. The harm is rooted in a lack of consent. Prosser notes that it is the plaintiff’s attribute “as a symbol of his identity” that creates an appropriation action. Prosser at 403.

Furthermore, the U.S. Supreme Court has recognized “right to publicity” laws in which an individual possesses rights that protect their interest to reap benefits from proprietary interests in any rewards from their endeavors, which include the unauthorized use of characteristics of their identity. See, for example, Zacchini, 433 U.S. at 562. The Restatement Third of Unfair Competition defines the right of publicity as “one who appropriates the commercial value of a person’s identity by using without consent the person’s name, likeness, or other indicia of identity for purposes of trade.” Restatement (Third) of Unfair Competition § 46 (emphasis added). Thus, rights to control a benefit associated with one’s identity are currently extant.

Although these causes of action are rarely utilized and would be matters of first impression in a data acquisition case, they provide a framework that goes beyond trespass, intentional torts, or intellectual property, which are areas of law not well suited to address the potential harm involved in amassing troves of aggregate PII. The harm is not one associated with an interference preventing an individual from using his or her own PII, but rather in empowering an unauthorized third party with the ability to control and profit from that individual’s identity. The harm is wholly distinct from mere interference or invasion.

Is There Actual Harm When an Unauthorized Third Party Collects PII on an Individual?

Historically the element of actual injury required a tangible harm. For example, trespass laws allowed courts to remediate harm associated with unauthorized physical invasions of land and chattel. Trespass to an individual’s person was governed based on harm associated with an unconsented touching, fear, apprehension, or confinement through battery, assault, and false imprisonment laws. When analyzing the modern acquisition of PII, there is often no physical invasion, no confiscation of actual property, and no physical touching, apprehension, or confinement. Physical invasion is no longer relevant. One series of cases has attempted to analyze harm associated with the unauthorized acquisition of PII as a trespass to chattel. This analysis requires actual interference with the physical functionality to the tangible computer system. Intel v. Hamidi, 71 P.3d 296 (Cal. 2003); see also eBay, Inc., v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000). Unfortunately, the root harm has been largely overlooked.

The lesser yet substantial harm associated with an unauthorized comprehensive collection of PII is an unconsented and forfeited benefit from the value of such property through the appropriation of the individual’s identity. The greater and more compelling harm associated with these acts is a loss of liberty and autonomy, particularly if biometrics (i.e., facial profiles, fingerprints, DNA, etc.) are involved. See, for example, Amy Korte, Federal Court in Illinois Rules Biometric Privacy Lawsuit Against Google Can Proceed, IllinoisPolicy.org (Mar. 8, 2017). Comprehensive PII profiles may literally include not only preferences and consumer’s past dealings with businesses, but also one’s biology and genetic makeup. If used for malevolent purposes (e.g., eugenics-based sterilization), one’s aggregate PII, or identity, could be manipulated or abused by those in possession of such data. Could an individual in such a society be denied educational, employment, or familial opportunities based on predictive analytics? If so, such a harm would be more akin to servitude or slavery than a lost wallet. Some harms truly are irreparable.

Exclusive Rights and the Right to Control One’s Identity

Owners of real property may bring trespass actions based on their exclusive rights for the use and enjoyment of the property. Existing intellectual property rights, such as copyright, trademark, and patent laws grant an owner exclusive rights to any benefit derived from such property. The U.S. Constitution expressly grants exclusive rights to “authors and inventors” to their respective “writings and discoveries.” U.S. Const. I. sec. 8 cl. 8. Such “writings” include the act of converting such content to bits and bytes of digital data. See, for example, The Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860. In articulating a right to privacy, Louis Brandeis and Samuel Warren argued that any individual desiring to make “public” private sentiments (e.g., with paintings or words) had exclusive rights to limit any disclosure. Consequently, publication was prohibited absent consent. Which is more worthy of exclusive rights: a painting or an individual’s right to control their identity? No third party should have a greater right to control aggregated data equating to the identity of another.

Regulating the Acquisition and Consolidation of Aggregated PII: Consumer Reporting v. Social Control

The FCRA was primarily enacted to govern and regulate private parties engaged in gathering, storing, and transferring consumer-specific data for the purpose of improving the effective interest rate or premium that the consumer would be offered based on the consumer’s risk of nonrepayment or filing an insurance claim. In theory, the collection and processing of this data increased the efficiency of the banking and insurance markets, thus increasing the likelihood that consumers would have access to credit or insurance products when needed. The overall regulatory scheme was constructed to exploit consumer data for the purposes of increasing consumer access to credit and arguably liberty. Furthermore, the consumer-specific data was limited to only those parties with a valid permissible purpose, and negative information was required to be deleted, or “forgotten,” no later than seven to ten years from the first date of delinquency.

Existing data-collection efforts by private parties such as data brokers, search engines, and social media giants far exceed anything that Congress attempted to regulate in consumer-protection statutes such as the FCRA or other consumer-protection laws. Such efforts go beyond consumer reporting and have the potential to create new mediums for social control. Current data-collection efforts go beyond liens, late payments, and bankruptcy filings by including biometrics, DNA reports or analyses, geolocation records, browsing history, vast records of social relations, public commentaries, and political, religious, or social leanings. Yet, consumer records that consolidate these types of data are not classified as “consumer reports.” See Ramirez at 7–10. Thus, they are not regulated by consumer-protection laws.

The entire data-gathering/consumer-reporting process must be revisited and redefined in light of the harm inherent within aggregated PII, such as a loss of liberty, both in terms of consent to benefit from the economic use of the individual’s indicia of identity and in terms of a forfeiture of the control of one’s identity. The key will be in regulating PII in a way that allows for the positive exploitation of such data while minimizing the comprehensive consolidation of aggregated PII that may allow a third party to control the identity of another. These objectives will be best achieved by applying underlying principles associated with the separation of powers doctrine (e.g., a sectoral mandate, such as a prohibition on consolidating medical/genetic PII with consumer financial PII), by requiring the eventual anonymization of PII (e.g., businesses may continue to benefit from generalized statistics and analytics involving PII; however, PII itself could only be possessed for a set period of time), and by recognizing an exclusive or inalienable right to control aggregated PII equating to one’s identity. The U.S. Constitution is founded on “Creator-created” inalienable rights (i.e., granted by “Nature and Nature’s God”) as opposed to man-made or man-revoked civil rights. See Andrus at 18–23. Such rights may not be legally transferred. No third-party entity should have a superior right to control aggregated PII equating to one’s identity.

Conclusion

A right to control one’s identity in light of existing exploitations of PII rests on the degree of control a third party has by virtue of possessing aggregate PII. Possession is ninth-tenths of the law of ownership. No third party should have an ownership interest in an individual’s comprehensive PII, particularly when such data may reasonably equate to the ability to control one’s identity. Although the “new oil” may be exploited for purposes that benefits the consumer and enhances liberty, the risks associated with the existence of individual profiles on societal-wide populations are significant. Regulation is required to ensure that existing data-collection efforts properly safeguard and protect liberty interests. Although there is currently no official recognition of a right to control one’s identity, torts of appropriation and rights of publicity protect an individual’s right to control their identity. The right to control one’s identity is fundamental to liberty and should be recognized as inalienable. Absent such recognition or regulation, data gatherers will continue to commoditize the individual by converting the tangible person into intangible property that may be bought or sold at will, regardless of the consent of the individual.