Chapter 1: Electronic Government
Prevent Disclosure of Credit Card Numbers under the Texas Public Information Act
Summary
As more citizens turn to the Internet to complete business and government transactions, state and local agencies will begin acquiring credit and debit card numbers from both citizens and organizations. This will create a potential for fraud unless government can prevent public disclosure of these numbers. While individuals’ credit card numbers can be withheld from disclosure under the Public Information Act, state law is unclear as to whether the credit card numbers of organizations can be withheld as well. State law should be amended to make all credit and debit card numbers held in governmental records confidential.
Background
Businesses across the US are cutting costs by automating transactions using Internet-based purchasing systems. The value of credit card transactions made over the Internet rose to an estimated $8 billion to $10 billion in 1999, and nearly 95 percent of all consumer purchases made on the Internet are made with credit cards.[1] As this trend continues, state agencies will be expected to accept credit cards for the payment of fees and services.
Many state and local governments are already authorized to accept credit cards as payment for fees and services, including the Secretary of State’s Office, Comptroller’s office, Texas Parks and Wildlife Department, Texas Department of Transportation, and Texas Department of Public Safety.[2] The growth in Internet transactions guarantees that state agencies will possess an increasing number of credit card numbers for citizens and businesses as part of their records.
The possession of citizens’ credit card numbers by state government presents an opportunity for fraud by those who obtain the numbers. Since its inception in May 2000, the FBI’s Internet Fraud Complaint Center has received 1,200 complaints each week, or more than 62,000 complaints a year. Kevin DiGregory, a deputy assistant attorney general in the US Department of Justice, has said that “the migration of criminality to cyberspace accelerates with each passing day and the threat to public safety is becoming increasingly significant.”[3]
According to the National Journal, at a recent hearing on stolen Social Security numbers, US Senator Dianne Feinstein said that identity fraud is the fastest-growing crime in America.[4] Unfortunately, the state’s public information laws may provide an easy avenue for criminals to gain access to credit card numbers belonging to businesses and other organizations.
The Texas Public Information Act says that public information held by state agencies must be made available to the public during normal business hours, at a minimum.[5] Under the law, public information includes any data collected, assembled, or maintained by a governmental body under a law or ordinance or in connection with the transaction of official business.[6] That includes the media on which public information is recorded, including magnetic, optical, or solid state devices that can store an electronic signal, or voice, data, or video representations held in computer memory.[7]
Information held by state agencies is considered public information, subject to disclosure upon request, unless the information falls within one of the narrow exceptions specified in law. None of the statutory exceptions to disclosure specifically addresses credit card numbers, although the law exempts from required public disclosure information considered to be confidential by the constitution, state law, or a judicial decision.[8] The state’s Office of the Attorney General (OAG), however, has held that information regarding a financial transaction between an individual and a governmental entity is a matter of legitimate public interest and therefore is not protected from required public disclosure.[9]
Although the OAG has held that an individual’s credit card number is protected from disclosure because of the expectation of privacy, the protection does not necessarily extend to an organization’s credit card numbers.[10] OAG has issued conflicting opinions as to whether credit card numbers belonging to businesses and organizations are exempt from public disclosure. For example, OAG has held that a corporation’s financial information is not protected by the doctrine of common law privacy.[11] In a 1999 letter ruling, OAG held that a school district’s credit card information was not confidential by law because a governmental entity does not have a common-law privacy interest to protect. OAG also concluded that the credit card information could not be withheld from disclosure as a trade secret.[12]
On the other hand, a June 14, 2000 informal letter ruling from OAG concluded that, while the Texas Department of Mental Health and Mental Retardation was required to release copies of credit card billing statements, it could hide the credit card numbers and expiration dates, because such information was protected.[13]
A separate e-Texas issue paper recommends that Texas consider adopting a Privacy Act to protect broad categories of information. Even if Texas were to adopt a Privacy Act, credit and debit card numbers still need express statutory protection because Privacy Acts normally protect only information about individuals (who have a privacy interest) and not information about organizations.
Recommendation
State law should be amended to expressly provide that all credit and debit card numbers are confidential by law, and thus are exempt from public disclosure.
Fiscal Impact
This recommendation can be implemented using existing resources.
Endnotes
[1] Charles M. Abbey, “Merchants, Issuers Must Address Internet Card Fraud,” Card News (September 6, 2000), p. 1.
[2] See for instance V.T.C.A., Local Government Code §130.002 and 130.0045 (county tax assessor-collectors); 132.002, 132.003 (commissioners court, county and precinct officers); V.T.C.A., Tax Code §111.062 (Comptroller); V.T.C.A., Government Code §405.031(e) (Secretary of State); V.T.C.A., Parks & Wildlife Code §11.027(d), (e) (Texas Parks & Wildlife Department); V.T.C.A., Transportation Code §§ 201.208(c), 502.352(c), 621.356, 623.081(c), 645.002(b), 646.003(d) (Texas Department of Transportation); and V.T.C.A., Transportation Code § 521.427(b) (Texas Department of Public Safety).
[3] Testimony of Kevin DiGregory, deputy assistant attorney general, US Department of Justice, before the House Committee on the Judiciary, Subcommittee on the Constitution, on HR 5018 and HR 4987, reported in Federal News Service (Washington, DC, September 6, 2000).
[4] Michael Posner, “Can Congress Keep Up?” The National Journal (September 2, 2000), p. 2712.
[5] V.T.C.A., Government Code §552.021.
[6] V.T.C.A., Government Code §552.002(a).
[7] V.T.C.A., Government Code §552.002(b)(3), (c).
[8] V.T.C.A., Government Code §552.101.
[9] See Office of the Attorney General, Open Records Decision Nos. 590, p. 3 (1991), 523, pp. 3-4 (1989).
[10] See Office of the Attorney General, Open Records OR99-2096 (1999), p. 1 (holding that a public employee’s personal credit card number was confidential and must be withheld from disclosure under sections 552.101 and 552.102 of the Government Code); OR99-2167 (1999) at fn. 3 (noting that “an individual’s credit card number could be excepted from disclosure on the basis of that individual’s common-law privacy interests”); and OR2000-2519 (2000), pp. 2-3 (concluding that an individual’s bank account and credit card number is information that is highly intimate and of no legitimate interest to the public).
[11] See Office of the Attorney General, Open Records Decision No. 620, p. 4 (1993) (concluding that background financial information submitted by a corporation is not excepted from disclosure under section 552.101 as information confidential by law, because corporations do not have a right of privacy).
[12] See Office of the Attorney General, OR99-2167 (1999) at fn. 3 (holding that a school district’s credit card number could not be protected from disclosure under section 552.101, because a governmental body has no common-law privacy interest to protect).
[13] See Office of the Attorney General, OR2000-2329 (2000), pp. 1-2 (concluding that government credit card numbers and expiration dates “are protected by section 552.101 and common law privacy and must be withheld” but that the credit card bills themselves must be released).