Is the OFAC SDN List the New Playground for Identity Thieves?
Last month, the United States Court of Appeals for the D.C. Circuit issued an opinion in Chichakli v. Tillerson. For those of you unfamiliar with the litigation, Mr. Chichakli–who was formerly designated pursuant to E.O. 13348 (Liberia)–brought suit against the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and the U.S. Department of State for violations of the Privacy Act arising from those agencies’ disclosures of Mr. Chichakli’s personal identifying information. Chichakli asserted that as a result of OFAC and the State Department’s public disclosures he was a victim of identity theft, with fraudulent bank accounts opened, and tax returns filed, in his name. Such activity led to the loss of thousands of dollars, and damaged his credit to a point where he is unable to engage in routine transactions in which a credit check is necessary–i.e., renting a residence, obtaining employment, buying insurance, etc. The disclosures at issue involved the online publication of Mr. Chichakli’s name, Social Security Number, date of birth, aliases, residential and business addresses, country of origin, and Australian Driver’s License Number. In addition, the State Department transmitted Mr. Chichakli’s information to the United Nations (“UN”) in support of the UN imposing sanctions targeting Mr. Chichakli pursuant to relevant U.N. Security Council Resolutions.
The lower court decision–which the D.C. Circuit affirmed–held that Mr. Chichakli failed to state a claim because the use of the information fell into the routine use exception of the Privacy Act, as such disclosure was consistent with OFAC’s mission to implement and enforce economic sanctions. The routine use exception permits the disclosure of personal identifying information to the extent that the disclosure of a record is 1) compatible with the purpose for which it was collected; and 2) within the scope of a routine use notice published by the agency.
Although the D.C. Circuit did not offer a definition of compatibility, it did agree that the disclosures of Mr. Chichakli’s personal identifying information were compatible with the purposes for which each agency collected the information; namely, “to investigate whether to designate him for economic sanctions and to implement sanctions.” Further, the opinion held that such purpose of collection was aligned with the purpose of disclosure, insofar as it would be necessary to publish the information in order to implement the sanctions.
With respect to the State Department disclosures, the D.C. Circuit found that such disclosures were published pursuant to a routine use notice published in 2005 that “covers the publication of personal identifying information to foreign entities and “other ‘public authorities’ for law enforcement purposes.” In examining OFAC’s disclosures, the opinion addressed them in two parts: 1) those occurring prior to 2010; and 2) those occurring after 2010. As to the pre-2010 disclosure–where the routine use notice contained in the regulations did not cover publication of personal information–the D.C. Circuit held that the argument was forfeited because it wasn’t raised before the lower court. After 2010, the Court found that OFAC had a routine use notice that covered disclosures to the general public of personal identifying information of those persons whose property and interests in property are affected by sanctions programs administered by OFAC.
In short, this opinion states that OFAC can disclose any information it collects in determining whether or not to investigate a party for designation. Thus, for example, the OFAC SDN List contains email addresses, telephone numbers, tax ID numbers, social security numbers, dates of birth, etc. All of this appears to be eligible for disclosure in light of the D.C. Circuit’s opinion. While I can understand why some of that information needs to be disclosed for purposes of identification–how else would parties be able to make sure they are not dealing with an SDN if they don’t have multiple personal identifiers–it’s not clear to me that all of that information needs to be disclosed publicly in order to still have the compliance effect such disclosures aim to achieve. For example, if you already have the party’s name, date of birth, and location of birth, do you also need their tax ID number? Or if you have their name, address, and email address, do you really need their date of birth? It seems to me that as long as there are multiple identifiers–a minimum of three is preferable–the inclusion of certain, more sensitive categories of information just becomes overkill and can do more harm than good. Of course, those in the compliance community may disagree with me, as the more information they have the better they can do their job. However, it’s not hard to imagine that Mr. Chichakli, and others like him, may suffer financial harm from identity theft due to so much of their information being publicly broadcast via the OFAC SDN List.
The author of this blog is Erich Ferrari, an attorney specializing in OFAC matters. If you have any questions please contact him at 202-280-6370 or ferrari@falawpc.com