My company CSID is based in Austin, Texas, and we're in the midst of an extreme drought. The City and our citizens take water conservation very seriously as we've been under Stage 2 watering restrictions for most of the last two years, limiting outdoor watering to one day per week. In Austin, a lush, green lawn raises a few eyebrows.
So, it's in this environment that a local TV station recently posted a list of the top 10 residential and commercial water users in Austin from 2013. "As Central Texas enters yet another summer drought, we wanted to know which residences and businesses are using the most water in Austin. We filed a public records request to get the data below," the story read. The list of water users included the owners' names, service address and actual water usage. This is public information that anyone could obtain with a records request, but when published openly and in a negative light, how is this different from a breach and what is the responsibility of our media to protect citizen's personally identifiable information (PII)?
From a legal standpoint, this is not considered "a big deal." This information was obtained legally and is not considered protected PII under Texas law. A quick search shows that FOX, Google, the Austin American-Statesman and several other blogs have published top water user lists over the last few years. This is nothing new and they aren't breaking any laws in posting it. The United States has fragmented PII/privacy laws with different states defining PII in different ways. For instance, California's constitution declares privacy an inalienable right and a 2011 California State Supreme Court ruled that a person's ZIP code is PII. In 2013, the Massachusetts Supreme Court ruled the same for its citizens. The definition of PII also varies greatly across government entities. For example, the National Institute for Standards and Technology (NIST) classifies a person's name and address as PII as well.
While these water usage listings did not include ZIP codes, they did include name and street address in the context of the city these contacts live or do business in, which is far more exposure than just a ZIP code. Services such as Spokeo and other "Directory Lookup Agents" offer users the ability to do searches on names that will return back associated address and in some cases even masked Social Security number details. Further, doing so regarding a very controversial topic could arguable put a target on these peoples' backs.
This is clearly legal practice -- everything these sites shared was public record and unprotected by law -- but it raises a question of the ethical role of the media to not just inform the public, but to also balance the very real threat of identity theft and misuse. This type of exposure could do a lot more harm to these individuals and businesses than a bit of public embarrassment.
I believe relatively soon we will all agree -- and write into national law -- that PII includes more than your Social Security number, and that name, address and ZIP should be not be shared on media sources or other public forums without extreme cause. The United States has made privacy a top priority and I see movement towards a national standard for protection that trumps the patchwork state laws we have today.