Since writing our initial posting on the EDRM/FERC/Enron PII disclosures, we have learned more information about the PII disclosures that may be of interest to those who use or discuss this collection. This posting reviews FERC’s actions in the light of what was technically possible at the time and comments on Enron’s appeal of the disclosure decision to the Fifth Circuit of the U.S. Court of Appeals.
FERC. In most data breach cases, the party holding the PII of others has some sort of lapse in security or procedures that leads to the disclosure of other people’s PII through theft or accidental loss. However, since our first posting, we’ve learned that FERC actually knew ahead of time that PII was going to be disclosed. In FERC’s view the privacy interests of those people were outweighed by the need to provide transparency into FERC’s Enron proceedings. There ought to be some sort of eminent domain proceeding where those whose PII has been appropriated “for the common good” could obtain compensation.
Here are the details:
“While the Commission would usually be inclined to protect the privacy of company employees in this regard, the current extraordinary situation calls for unusual action. [Footnote] 43”
“[Footnote] 43: If there is personnel information, such as identification numbers (e.g., social security numbers) and benefits plans, that is completely unrelated to the investigation and that if released could cause an individual serious harm, the companies should submit documents to the Commission no later than March 24, 2003, with the individual’s personal information redacted. …”
“The broad requests here that personnel information be withheld with nothing more is insufficient for the Commission to undertake the overwhelming task of combing the collectively massive records to cull out this type of information” [page 13]
When FERC first released the emails, it released text-only versions of the messages, without the attachments. This is significant because even in 2003 there was well-known and widely available text editing software that could have searched for text strings that looked like social security numbers and then either flagged those messages for exclusion from the public release or globally replaced the SSANs with, e.g., 123-45-6789 or XXX-XX-XXXX. The wholesale disclosure of SSANs was completely unnecessary. This would have taken a very short time to process. See the Wikipedia entry on grep, which gives its first release date as 1973: https://en.wikipedia.org/wiki/Grep
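The screening-and-replacement pass described above, as an added example (not part of the original post, and not anything FERC or its contractors ran): grep flags text-only messages containing SSN-like strings, and sed masks them with XXX-XX-XXXX. The function names, the pattern and the sample messages are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: screen and redact SSN-like strings in text-only email files.
# Pattern: 3-2-4 digits separated by hyphens or spaces, and not embedded
# in a longer run of digits (so phone and account numbers are left alone).
SSN_RE='(^|[^0-9])[0-9]{3}[- ][0-9]{2}[- ][0-9]{4}([^0-9]|$)'

# List files under directory $1 that contain at least one SSN-like string.
flag_ssn_files() {
    grep -rlE "$SSN_RE" "$1" | sort
}

# Filter: copy stdin to stdout with every SSN-like string masked.
# The sed loop (:a ... ta) re-scans each line, so two numbers separated
# by a single character are both caught.
redact_ssn() {
    sed -E -e ':a' -e "s/$SSN_RE/\1XXX-XX-XXXX\2/" -e 'ta'
}

# Write a redacted copy of every file in $1 into $2, keeping file names.
redact_dir() {
    mkdir -p "$2"
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        redact_ssn < "$f" > "$2/$(basename "$f")"
    done
}

# Constructed sample messages (not taken from the Enron data set).
demo() {
    work=$(mktemp -d)
    mkdir "$work/in"
    printf 'Subject: benefits\nEmployee SSN 123-45-6789, spouse 987 65 4321\n' > "$work/in/msg1.txt"
    printf 'Subject: gas schedule\nCall 713-555-0100 re: deal 1234567890\n' > "$work/in/msg2.txt"
    echo "Flagged for review:"
    flag_ssn_files "$work/in"
    redact_dir "$work/in" "$work/out"
    echo "Redacted copy of msg1.txt:"
    cat "$work/out/msg1.txt"
    rm -rf "$work"
}
demo
```

A pattern like this only catches hyphen- or space-delimited numbers; undelimited nine-digit strings need a separate pass with manual review of the hits.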
FERC could have provided very significant transparency by releasing only files that were text-searchable. If documents weren’t searchable they weren’t contributing much to transparency anyway. This could be another example of the HLIC (Head Lawyers In Charge) not talking to the STPs (Smartest Technical People – in this case probably technical people at Aspen).
Later when EDRM came knocking to get the attachments, the time pressure asserted by the FERC in its March 21, 2003 order was no longer applicable – it had the time to do things right.
The three days given by FERC in its March 21, 2003 order for those concerned about their PII to step forward was completely inadequate notice. Considering the bandwidth available at the time, few individuals would have been able to even download the data set in that time, much less figure out how to work with it.
EDRM. Apparently, George Socha, Craig Ball, and others also knew about the PII in the EDRM Enron Email Data Set v2 from the outset, but evidently felt that another public good, this time the research value of the data set, once again outweighed whatever privacy rights the victims might have left. See “Tech Circuit: Enron’s Toxic Sandbox Edition,” by Monica Bay, Law Technology News.
Court sanction defense…
We have also learned that on April 4, 2003, Enron appealed FERC’s decision to publish the documents gathered in the investigation to the Fifth Circuit Court of Appeals. The Fifth Circuit denied Enron’s application for a writ of mandamus but granted a temporary stay. See the docket sheet for Enron Corp. v. FERC, Docket # 03-60295.
When viewing the appeal on Pacer, it appears it was filed under seal so we can’t see specifically the relief Enron was seeking or Enron’s basis for the appeal. FERC never did file a reply so we are also unable to see the basis upon which FERC claimed to have the authority to divulge PII. On April 24, 2003, Enron filed a motion to withdraw its petition to review without prejudice and on April 30, 2003, the court granted the motion.
We’re not First Amendment lawyers, but this seems to be just another case where a court declined to impose a prior restraint on publication – although it did grant a temporary stay. By shielding the documents Enron cared about, FERC was able to get Enron to drop the appeal before any substantive decision was ever entered or even briefed. With the appellant withdrawing, there would have been no remaining case or controversy.