CLOSING THE FINANCIAL PRIVACY LOOPHOLE: DEFINING 'ACCESS' IN THE RIGHT TO FINANCIAL PRIVACY ACT.

• Author: McElroy, W. Faith

INTRODUCTION

There is a hole in Fourth Amendment protection that is teetering on the verge of rapid expansion. The omnipresence of technology in the 21st century has made the use of intermediaries necessary for fully participating in society. From sending messages through Facebook to driving past cellular phone towers, many everyday activities involve sharing information about ourselves with the third parties who give us access to new technology. The scope of privacy law, however, has not advanced at a similar pace. In the 1976 case United States v. Miller, (1) the Supreme Court punctured the Fourth Amendment privacy protections set forth in Katz v. United States. (2) In Katz, the Court had extended protection from unreasonable searches and seizures to areas in which a person has a "reasonable expectation of privacy." (3) Nine years later in Miller, the Court decided that there is no legitimate expectation of privacy in information handed over to third parties (in that case, a bank). (4) The Court asserted that "the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities." (5) Smith v. Maryland widened this gap in Fourth Amendment protection to include communication information. (6) The Court stated that there is no reasonable expectation of privacy in numbers dialed into phones, since the dialer is aware that the "phone company has facilities for recording this information" and that it does, in fact, record it. (7)

Miller and Smith have come to stand for the legal theory of the "third party doctrine." Professor Daniel Solove, a leading expert on privacy law, summarized the theory:

This doctrine provides that if information is possessed or known by third parties, then, for purposes of the Fourth Amendment, an individual lacks a reasonable expectation of privacy in the information. In the Information Age, much of what we do is recorded by third parties. The third-party doctrine therefore places an extensive amount of personal information outside the protection of the Fourth Amendment. (8) Since this information lies outside the scope of Fourth Amendment protection, the showing that the government must make to access a citizen's personal information from a trusted third party is an open question.

Most of the academic commentary on third-party doctrine has focused only on communications privacy. (9) This is surprising because the Court originally formulated the third-party exception from Fourth Amendment protection in the context of an individual's financial records held by a bank. (10) In the age of the data breach, financial privacy and security are as important as communications privacy. One reason for the scholarly avoidance of the financial privacy issue could be that Congress, alarmed by the Court's finding in Miller, passed the Right to Financial Privacy Act (11) ("RFPA") to remedy the hole in Fourth Amendment protection left by Miller. (12)

Today, however, the privacy of financial records from unwarranted government intrusion is under siege. First, financial records are not protected by the Fourth Amendment. (13) Second, a case making its way through the federal judiciary is asserting a cramped interpretation of the RFPA, which, if adopted by the majority of circuits, would create a loophole allowing banks to release customer information into the public record. (14) Third, in deciding Spokeo, Inc. v. Robins, the Supreme Court left open the possibility of lower courts deciding that statutory violations are not injuries at all--an outcome that would strip a customer of his ability to sue under the RFPA if a bank releases his information. (15) Thus, despite Congress's attempt to safeguard financial records from unwarranted government intrusion, the financial privacy of Americans is being threatened in multiple levels of the judiciary.

The problem culminating from these attacks is the weakening of financial privacy protection for records in the hands of trusted third parties. The solution is this: the Supreme Court's reversal of Miller. The Supreme Court created a hole in Fourth Amendment protection in its Miller opinion and the remedy offered by Congress is now under siege because of the open-ended Spokeo decision and the judiciary's cramped interpretation of the RFPA. (16) Now, it is up to the Supreme Court to reverse Miller and stop the erosion of financial privacy.

Part I of this Note will discuss the Miller decision and the hole it left in the Fourth Amendment's protection of financial information left in the hands of trusted third parties. Part II will discuss Congress's response to Miller in the RFPA. Part III will discuss the cramped interpretation of the RFPA affirmed by the Sixth Circuit, its misapplication of the statute, and policy problems arising from the acceptance of the court's interpretation. Part IV will discuss statutory injuries and how the ambiguous outcome of the Spokeo case could threaten financial privacy protections generally and those specifically provided by the RFPA. Part V will discuss the proposed solution to the problem

1. FINANCIAL PRIVACY AND THE MILLER DECISION

   A flurry of privacy laws, especially those related to safeguarding financial information, were enacted in the 1970s in response to the general distrust of government after the Vietnam War and the growing cache of customer records being stored on computers. (17) This sense of unease was exacerbated when the Supreme Court upheld the Bank Secrecy Act of 1970, which required banks to maintain financial records of customers so the federal government would be able to "enforce the myriad criminal, tax, and regulatory provisions of laws"--a function that had been impaired by shoddy recordkeeping. (18) An important limitation on these required records, however, was that they would "not be made automatically available for law enforcement purposes [but could] only be obtained through existing legal process." (19) To address growing concerns about how new technologies could lead to widespread data collection, Congress enacted the Privacy Act of 1974. (20) The purpose of the Privacy Act was "to promote governmental respect for the privacy of citizens" by increasing accountability and legislative oversight with respect to the use of personal information collected by the government. (21) The Act's purpose of increasing customer privacy was thwarted by the 1976 decision in United States v. Miller. (22)

   Two weeks after deputies in Houston County, Georgia found a "7,500-gallon-capacity distillery, 175 gallons of non-tax-paid whiskey, and related paraphernalia" on his property, Mitchell Miller was charged with conspiring to defraud the government of tax revenues. (23) Alcohol, Tobacco, and Firearms agents found evidence of Miller's untaxed income by issuing subpoenas to the presidents of Miller's bank, requesting his financial records. (24) Copies of Miller's checks obtained from his bank were used as evidence in his trial and he was ultimately convicted. (25) The Court of Appeals for the Fifth Circuit, however, found that the subpoenas were defective and reversed the admission of the checks, finding that their admittance would violate his Fourth Amendment rights. (26) The Supreme Court reversed, reasoning that the financial records of Miller were outside his "zone of privacy" as they were not his private papers but were instead business records owned by the bank. (27) With this reasoning, the third-party doctrine was created. Justice Powell, delivering the opinion of the Court, wrote:

   The depositor takes the risk, in revealing his affairs to another, that the information will be conveyed by that person to the Government. This Court has held repeatedly that the Fourth Amendment does not prohibit the obtaining of information revealed to a third party and conveyed by him to Government authorities.... (28) Concerned about the Miller decision's implication that the Internal Revenue Service could ask for any (or every) citizen's records without recourse, Congress began crafting the RFPA. (29) In a House Report on the Financial Institutions Regulatory Act of 1978, (30) Congress stated, "[W]hile the Supreme Court found no constitutional right of privacy in financial records, it is clear that Congress may provide protection of individual rights beyond that afforded in the Constitution." (31) Thus, Congress enacted the RFPA to "strike a balance between customers' right of privacy and the need for law enforcement agencies to obtain financial records pursuant to legitimate investigations." (32)

2. A RESPONSE TO MILLER: THE RIGHT TO FINANCIAL PRIVACY ACT

   The RFPA provides two layers of protection for bank customers' privacy. (33) The first layer forbids the government from obtaining customer information without following a set protocol. (34) In order to provide citizens with a blanket of privacy, the RFPA states that, limited exceptions aside, (35) "no Government authority may have access to or obtain copies of, or the information contained in the financial records of any customer from a financial institution" unless such records are "reasonably described" and either the customer has authorized the disclosure, or such records are disclosed pursuant to a legitimate legal process, as listed in the statute. (36) The RFPA further reinforces the protection of customer privacy within the government by limiting interagency transfers of the information. (37) In the House Report describing this section of the RFPA, the writers explain, "This section provides that information obtained under the title may not be used or retained for any purpose other than the specific statutory purpose for which the information was originally obtained, and that the information may not be transferred to another government agency without specific statutory authorization." (38) Thus, once a government agency obtains a customer's information, it is not only prohibited from sharing such...