Airlines Secretly Sold Your Travel And Payment Data To The IRS And FBI — Now They’re Being Sued

by Gary Leff

The federal government isn’t spposed to have access to all of your travel itineraries and payment details without a good reason. They need to put their requests in writing or even have a subpeona. Some information is available to TSA for checking against terror lists, but it isn’t supposed to be made available to the IRS and other agencies.

However, the airlines own the company that handles payment clearing for travel agencies – brick and mortar agencies, and online agencies alike. And that company started selling all the data to government agencies – fully searchable.

When it came out, this was embarrassing, and they’ve stopped. But now there’s a lawsuit against that company, and against their bank as well, because your payment details were exposed too.

A proposed class action lawsuit has been filed against TD Bank and the Airlines Reporting Corporation. ARC is the company that provides settlement services between airlines and travel agencies, processing about $100 billion in travel bookings a year.

  • They facilitate financial transactions between the airline industry and U.S.-based travel agencies.
  • They generate a real-time database of airline ticket purchases.
  • And they sold access to this database to the IRS, FBI, Department of Homeland Security, ATF, SEC, and TSA.

Their “Travel Intelligence Program” let users search by passenger name, itinerary, fare details, payment method, and credit card number. The database held more than 1 billion records. This new suit claims it’s a violation of the Right to Financial Privacy Act.

  • A federal agency cannot get a customer’s financial records from a financial institution without customer authorization, administrative subpoena, search warrant, judicial subpoena, or at a minimum a formal written request.

  • It also bars a financial institution from giving the government access outside that framework. And the law defines a “financial record” broadly enough to include information derived from a record held by a financial institution about the customer’s relationship with that institution.

  • So a credit card-linked airfare purchase is a protected financial record, and they built a workaround so agencies could buy what they would otherwise would have to compel.

The Gramm-Leach-Bliley Act Financial Services Modernization Act of 1999 generally requires financial institutions to explain how they share nonpublic personal information and (with some exceptions) meet notice and opt-out rules before sharing with third parties.

Giving the federal government direct access was was outside what consumers were told to expect under Graham-Leach-Bliley and impermissible under the Right to Financial Privacy Act.

The problem with this lawsuit, it seems to me, is that the law restricts government access to records held by a financial institution. So that’s TD Bank’s records, not ARC’s. And it’s ARC’s records that were sold. TD just did payment processing, which wasn’t hidden. But it’s tricky.

A ticket sale created both a travel record and a payment record. The law says the government generally can’t get a customer’s financial records from a financial institution unless it uses one of the approved legal routes. That includes information “derived from” a record held by a financial institution about the customer’s relationship with that institution.

And TD Bank was part of the chain that processed and held transaction information, and Airlines Reporting Corporation’s government product included that transaction stream. So the government got bank-derived purchase information without going through the formal legal process.

The government did not ask TD Bank for anyone’s records. It bought reports from Airlines Reporting Corporation. So they’ll claim this was a purchase from a separate commercial database. Is this bank-derived data or travel industry transaction data? It was an end-run around the law – but that doesn’t tell us whether it violated the law. The airline consortium seems to have breached trust – but with whom? Passengers aren’t its customers.

About Gary Leff

Gary Leff is one of the foremost experts in the field of miles, points, and frequent business travel - a topic he has covered since 2002. Co-founder of frequent flyer community InsideFlyer.com, emcee of the Freddie Awards, and named one of the "World's Top Travel Experts" by Conde' Nast Traveler (2010-Present) Gary has been a guest on most major news media, profiled in several top print publications, and published broadly on the topic of consumer loyalty. More About Gary »

More articles by Gary Leff »

Comments

  1. Meaningful privacy protections can and should be bipartisan… however, it’s basically bipartisan that our elected representatives allow our personal data to be sold to the highest bidder, often without our informed consent, and also, thanks to magic-words like ‘national security,’ collected and abused by our and foreign governments. The US has become like the freakin’ CCP in more ways than we ever should ever have been… *sigh*

Leave a Reply

Your email address will not be published. Required fields are marked *