MORE COHERENT, LESS SUBJECTIVE, AND OPERATIONAL  31

           financial institutions’ ability to share “any record [. . .] pertaining to a cus-
                                                     58
           tomer’s relationship with the financial institution.”  Several other spe-
           cific kinds of information have been deemed sensitive enough to protect
           through federal law. Records of video rentals were protected, for example,
           through the Video Privacy Protection Act of 1988 following the revela-
           tion of a list of movies rented by the family of Supreme Court nominee
                        59
           Robert H. Bork.  Additional types of information entitled to a higher
           level of protection include education records (Family Educational Rights
           and Privacy Act), genetic information (the federal Genetic Information
                                    60
           Nondiscrimination Act of 2008 ), and journalistic sources (Privacy Pro-
                          61
           tection Act of 1980 ). The FTC has issued guidelines indicating that sen-
           sitive data includes five categories of information: financial information,
           health information, Social Security numbers, information collected from
           children, and geo-location information such as the information gleaned
                                62
           from cell phone tracking.  Legislation has been advanced—but not yet
           passed—to grant this status to information about race and ethnicity,
           religious and political beliefs, sexual orientation, and “unique biometric
               63
           data.”  In all these cases, the kinds of information considered sensitive
           were denoted rather than defined. That is, lists of examples rather than
           defining attributes defined each category. To illustrate with a more con-
           crete example, listing the names of all qualifying cities would constitute
           denotation, whereas stating that any population center with more than
           100,000 people would constitute definition.
             When Congress seeks to classify particular types of personal infor-
           mation as more sensitive than others, it often relies on the rationale that
           privacy law should prevent economic or physical harm; that is, sensitive
           information is defined as information the unauthorized disclosure of
           which could cause tangible harm. 64
             Sensitivity has also been operationalized through enumeration of the
           specific kinds of information that are or are not sensitive rather than
           through the articulation of a defining attribute. HIPAA, for example,
           defines protected healthcare information as that which “is maintained
           or transmitted in any form . . . and relates to the past, present, or future
           physical or mental condition of an individual; provision of health care to
           an individual, or payment for that health care; and identifies or could be
                                     65
           used to identify the individual.”  The Fair Credit Reporting Act of 1970
           likewise regulates the disclosure of “consumer reports,” which encompass
           any information “that bears on a consumer’s credit worthiness or personal
           characteristics when used to establish the consumer’s eligibility for credit,
           insurance, or for a limited set of other purposes.” 66
             The courts have also contributed to the categorization of sensitive infor-
           mation. In United States v. Jones, Justice Sotomayor joined the majority