Digital payments are the default for millions of women of childbearing age. So what will their credit and debit card issuers and financial app providers do when prosecutors seek their transaction data during abortion investigations?
It’s a hypothetical question that’s almost certainly an inevitable one in the wake of the overturning of Roe v. Wade last week. Now that abortion is illegal in several states, criminal investigators will soon begin their hunt for evidence to prosecute those they say violated the law.
Medical records are likely to be the most definitive proof of what now is a crime, but officials who cannot get those may look for evidence elsewhere. The payment trail is likely to be a high priority.
For banks and other payments companies on the receiving end of criminal inquiries, this appears to be fairly new territory. Card issuers have grown used to requests for user data in terrorism, money-laundering and illegal-trafficking investigations. None of those have provoked the kind of political, legal and emotional pushback that abortion investigations are likely to.
The Fourth Amendment provides individuals with protections against governmental intrusion. But those protections weaken once individuals voluntarily share information with a third party, legal experts said. That means law enforcement officials can generally ask financial institutions to hand over customer data with a simple subpoena.
Even sensitive health and medical details can be fair game. The Health Insurance Portability and Accountability Act, known as HIPAA — which governs the privacy of a patient’s health records — permits medical and billing records to be released in response to a warrant or subpoena.
“There is a very broad exception to the HIPAA protections for law enforcement,” said Marcy Wilder, a partner and co-head of the global privacy and cybersecurity practice at Hogan Lovells, a law firm. But Ms. Wilder added that the information shared with law enforcement officials could not be overly broad or unrelated to the request. “That is why it matters how companies and health plans are interpreting this.”
Card issuers and networks like Visa and Mastercard generally do not have itemized lists of everything that people pay for when they shop for prescription drugs or other medications online, or when they purchase services at health care providers. But evidence of patronage of, say, a pharmacy that sells only abortion pills could give someone away.
At the same time, according to lawyers and privacy experts, if an investigator has collected other data on a person’s travels, then a charge at, for example, an out-of-state Planned Parenthood for an amount that’s much higher than a standard checkup would be useful evidence, depending on the laws in play and how they evolve in the coming months. The same goes for a patient living in a state where abortion pills are illegal who seeks them out via a tele-health visit with an out-of-state doctor.
Some financial institutions are preparing to push back on requests for this data.
Amalgamated Bank, based in New York, is one.
“Amalgamated Bank will carefully scrutinize any subpoenas for information related to the prosecution of women for exercising their right to choose and object to the fullest extent possible,” the bank said in a statement. It plans to notify customers of these subpoenas, unless investigators succeed in forcing the bank not to disclose the existence of the subpoena.
Law enforcement officials could also pursue subpoenas of companies that issue debit cards on which flexible spending account dollars are loaded. Many employers provide such health care spending accounts.
HealthEquity, a leading administrator of these accounts, said it was reluctant to give up transaction data. The company “does not comply with requests for medical expense data — including from law enforcement and other governmental entities — unless we are specifically compelled by law to do so,” Jon Kessler, its chief executive, said in an email. “We seek to apply the narrowest possible interpretation of what is required and would vigorously oppose any request to broadly search member data.”
The New York Times contacted roughly two dozen large financial firms — including several that have announced plans to reimburse employees for abortion-related expenses — to ask how they would approach data privacy around abortion.
American Express, Citigroup, Coinbase, Frost Bank, JPMorgan Chase, Mastercard, 1199 SEIU Federal Credit Union, Visa and USAA declined to comment.
“I’m not able to speculate about the situations you describe,” said Bill Day, a spokesman for Frost, which is based in San Antonio and is among the 50 biggest banking companies in the United States. “They’re all hypothetical at this point.”
June 29, 2022, 6:50 p.m. ET
USAA also declined to discuss how or if it is instructing bank employees to handle conversations with customers. It is based in Texas, where a new state law authorizes residents to file lawsuits against anyone who helped facilitate an abortion.
“With the ruling only coming down late last week, it’s premature to understand the full impact at the state level,” Brad Russell, a USAA spokesman, said via email. “However, USAA will always comply with all applicable laws.”
American Airlines Credit Union, Bank of America, Capital One, Discover, Goldman Sachs, Prosperity Bank USA, Navy Federal Credit Union, US Bank, University of Wisconsin Credit Union, Wells Fargo and Western Union did not return at least two messages seeking comment.
American Express, Bank of America, Goldman Sachs, JPMorgan and Wells Fargo have all announced their intentions to reimburse employees for expenses if they travel to other states for abortions. So far, none have commented about how they would respond to a subpoena seeking the transaction records of the very employees who would be eligible for employer reimbursement.
The fact that so many financial services companies are silent isn’t surprising. Like nearly everyone else, they’re scrambling to navigate a landscape that has changed entirely. The American Bankers Association also declined to comment.
Then there are the digital payments services that straddle the line between technology and finance: Apple Pay; PayPal and its Venmo offering; and Square and its Cash app.
None of the companies responded to at least two messages seeking comment.
Alejandra Caraballo, a clinical instructor at Harvard Law School’s Cyberlaw Clinic, read these companies’ user agreements with her students for a recent course. “We came to the realization that essentially all of them are bad,” she said. “They’ve all said they will comply with the legal process and will turn over documents either through warrants or a subpoena.”
Tech companies have more experience with deliberating over whether to stand up to subpoenas for users’ private data. By comparison, financial services companies generally haven’t faced that much complexity, because new forms of payment don’t come along nearly as frequently as new forms of communication, many of which introduce novel legal questions and the possibility of outrage from consumers and others.
Abortion rights and privacy activists are preparing for the fight.
“I think everyone, including these companies, is trying to figure out what, if anything, can be done,” said Dana Sussman, acting executive director at the National Advocates for Pregnant Women. “One thing we are hoping to do is apply public pressure to fight these subpoenas. If they do, it will make it a lot harder for these prosecutors, who have limited resources and a lot of work to do in their communities with other issues.”
Amie Stepanovich, vice president of U.S. policy at the Future of Privacy Forum, a nonprofit focused on data privacy and protection, said warrants and subpoenas can be accompanied by gag orders, which can prevent companies from even alerting their customers that they’re being investigated.
“They can choose to battle the use of gag orders in court,” she said. “Sometimes they win, sometimes they don’t.”
In other instances, prosecutors may not say exactly what they’re investigating when they ask for transaction records. In that case, it’s up to the financial institution to request more information or try to figure it out on its own.
Paying for abortion services with cash is one possible way to avoid detection, even if it isn’t possible for people ordering pills online. Many abortion funds pay on behalf of people who need financial help.
But cash and electronic transfers of money are not entirely foolproof.
“Even if you are paying with cash, the amount of residual information that can be used to reveal health status and pregnancy status is fairly significant,” said Ms. Stepanovich, referring to potential bread crumbs such as the use of a retailer’s loyalty program or location tracking on a mobile phone when making a cash purchase.
In some cases, users may inadvertently give up sensitive information themselves through apps that track and share their financial behavior.
“The purchase of a pregnancy test on an app where financial history is public is probably the biggest red flag,” Ms. Stepanovich said.
Other advocates mentioned the possibility of using prepaid cards in fixed amounts, like the kinds that people can buy off a rack in a drugstore. Cryptocurrency, they added, usually does leave enough of a trail that achieving anonymity is challenging.
One thing that every expert emphasized is the lack of certainty. But there is an emerging gut feeling that corporations will be in the spotlight at least as much as judges.
“Now, these payment companies are going to be front and center in the fight,” Ms. Caraballo said.