Digital payments are the default for millions of women of childbearing age. So what will their credit and debit card issuers and financial app providers do when prosecutors seek their transaction data during abortion investigations?
This is a hypothetical question that is almost certainly unavoidable in the wake of the overturning of Roe v. Wade last week. Now that abortion is illegal in several states, criminal investigators will soon begin their hunt for evidence to prosecute those they believe have violated the law.
Medical records are probably the most definitive proof of what is now a crime, but officials who can’t get them may look for evidence elsewhere. The payment trail is likely to be a high priority.
For banks and other payment companies receiving criminal investigations, this seems like relatively new territory. Card issuers have become accustomed to requests for user data as part of investigations into terrorism, money laundering and illegal trafficking. None of these have provoked the kind of political, legal and emotional backlash that abortion investigations are likely to provoke.
The Fourth Amendment provides individuals with protections against government intrusion. But those protections weaken once individuals voluntarily share information with a third party, legal experts have said. This means that law enforcement officials can usually ask financial institutions to hand over customer data with a simple subpoena.
Even sensitive medical and health details can be fair game. The Health Insurance Portability and Accountability Act, known as HIPAA — which governs the privacy of a patient’s medical records — allows the release of medical and billing records in response to a warrant or a subpoena.
“There is a very broad exception to HIPAA protections for law enforcement,” said Marcy Wilder, partner and co-lead of the global privacy and cybersecurity practice at Hogan Lovells, a law firm. But Ms Wilder added that the information shared with law enforcement officials could not be too broad or irrelevant to the request. “That’s why it’s important to know how companies and health plans interpret this.”
Card issuers and networks like Visa and Mastercard generally don’t have detailed lists of everything people pay when they buy prescription drugs or other drugs online, or when they buy services from of health care providers. But proof of patronage from, say, a pharmacy that only sells abortion pills might give someone away.
At the same time, according to attorneys and privacy experts, if an investigator has collected other travel data from a person, then a charge to, say, an out-of-state Planned Parenthood for an amount much higher than a standard health check would be useful evidence, depending on the laws at play and how they change in the coming months. The same goes for a patient living in a state where abortion pills are illegal and seeking them through a telehealth visit with an out-of-state doctor.
Some financial institutions are preparing to push back on requests for this data.
Amalgamated Bank, based in New York, is one.
“Amalgamated Bank will carefully consider any subpoenas for information related to the prosecution of women for exercising their right to choose and to object to the fullest extent possible,” the bank said in a statement. She plans to notify customers of these subpoenas unless investigators are successful in forcing the bank not to disclose the existence of the subpoena.
Law enforcement officials could also seek subpoenas from companies that issue debit cards loaded with flexible spending account dollars. Many employers provide such health care spending accounts.
HealthEquity, one of the main administrators of these accounts, said it was reluctant to give up transaction data. The company “does not comply with requests for medical expense data — including from law enforcement and other government entities — unless we are specifically required by law to do so,” Jon said. Kessler, its chief executive, in an email. “We seek to apply the narrowest possible interpretation of what is required and will vigorously oppose any request for a broad search of member data.”
The New York Times contacted about two dozen major financial firms — several of which have announced plans to reimburse employees for abortion-related expenses — to ask how they would approach abortion data privacy.
American Express, Citigroup, Coinbase, Frost Bank, JPMorgan Chase, Mastercard, 1199 SEIU Federal Credit Union, Visa and USAA declined to comment.
“I am not in a position to speculate on the situations you describe,” said Bill Day, a spokesman for Frost, which is based in San Antonio and is one of the 50 largest banking companies in the United States. “They are all hypothetical at this point.”
The USAA also declined to discuss how or if it asks bank employees to handle conversations with customers. He is based in Texas, where a new state law allows residents to sue anyone who helped facilitate an abortion.
“With the ruling only released late last week, it is premature to understand the full impact at the state level,” Brad Russell, a USAA spokesperson, said by email. “However, USAA will always comply with all applicable laws.”
American Airlines Credit Union, Bank of America, Capital One, Discover, Goldman Sachs, Prosperity Bank USA, Navy Federal Credit Union, US Bank, University of Wisconsin Credit Union, Wells Fargo and Western Union failed to return at least two messages soliciting comments.
American Express, Bank of America, Goldman Sachs, JPMorgan and Wells Fargo have all announced plans to reimburse employee expenses if they travel to other states for abortions. So far, none have commented on how they would respond to a subpoena asking for records of transactions from employees who would be eligible for employer reimbursement.
It’s no surprise that so many financial services companies are keeping quiet. Like almost everyone, they scramble to navigate a landscape that has completely changed. The American Bankers Association also declined to comment.
Then there are the digital payment services that sit on the border between technology and finance: Apple Pay; PayPal and its Venmo offer; and Square and its Cash app.
None of the companies responded to at least two messages seeking comment.
Alejandra Caraballo, a clinical instructor at Harvard Law School’s Cyberlaw Clinic, read through these companies’ user agreements with her students for a recent class. “We realized that basically they’re all bad,” she said. “They all said they would comply with legal process and deliver documents either through warrants or a subpoena.”
Tech companies have more experience deliberating on whether to resist subpoenas for users’ private data. By comparison, financial services companies have generally not faced such complexity, as new forms of payment are not as common as new forms of communication, many of which introduce new legal issues and the possibility of outrage from consumers and others. .
Abortion rights and privacy activists are preparing for battle.
“I think everyone, including these companies, is trying to figure out what can be done, if anything,” said Dana Sussman, acting executive director of the National Advocates for Pregnant Women. “One thing we hope to do is exert public pressure to fight these subpoenas. If they do, it will make it much harder for these prosecutors, who have limited resources and a lot of work to do in their communities with other issues.
Amie Stepanovich, vice president of US policy at the Future of Privacy Forum, a nonprofit focused on privacy and data protection, said warrants and subpoenas can be accompanied by gag orders. , which can prevent companies from even alerting their customers that they are under investigation. .
“They can choose to fight the use of gag orders in court,” she said. “Sometimes they win, sometimes they don’t.”
In other cases, prosecutors may not say exactly what they are investigating when requesting transaction records. In this case, it is up to the financial institution to request more information or try to figure it out for themselves.
Paying cash for abortion services is a possible way to avoid detection, although it is not possible for people ordering pills online. Many abortion funds pay on behalf of people who need financial help.
But cash and electronic money transfers aren’t completely foolproof.
“Even if you pay cash, the amount of residual information that can be used to reveal health status and pregnancy status is quite significant,” Ms. Stepanovich said, referring to potential breadcrumbs such as using a retailer’s loyalty program or location tracking on a mobile phone when making a cash purchase.
In some cases, users may inadvertently disclose sensitive information themselves through apps that track and share their financial behavior.
“Purchasing a pregnancy test on an app where the financial history is public is probably the biggest red flag,” Ms Stepanovich said.
Other proponents mentioned the possibility of using prepaid cards in fixed amounts, like the ones people can buy on a rack in a pharmacy. Cryptocurrency, they added, usually leaves enough traces that it is difficult to achieve anonymity.
One thing that every expert pointed out is the lack of certainty. But there is an emerging gut feeling that companies will be in the spotlight at least as much as judges.
“Now these payment companies are going to be at the center of the fight,” Ms. Caraballo said.