Transcript Document
Consumer Privacy & Protection
Joanna Acocella
May 22, 2007
What’s the big deal?
Sensitive information is required to meet the customers’ demands for services and products.
Consumers have an expectation that their information will not be shared without their consent.
Identity theft and data breaches are on the rise.
Consumers, investors, public policy-makers & the media have taken notice of these trends.
We have legal and ethical obligations to protect customers’ privacy.
Honoring that commitment enhances the consumers’ experience.
Why is privacy a hot topic for us?
Demographics
Dramatic increase in credit based products
Role of schools and lenders as credit counselors
Federal program requirements
Security breaches of school networks
Fines, fees and fallout
Social Security Number Fundamentals
Intended to track individual earnings
Technically authorized for use only by IRS, banks and state governments
Not illegal for private industry to use as an identifier
Most commonly used identifier for record keeping systems and data exchanges in the US
Legal to refuse services to customers who refuse to provide it
Highly effective in predictive modeling for fraud prevention
Only way to access credit information
Federal Laws
Gramm-Leach-Bliley Act (GLB)
Obligates financial institutions to protect the confidentiality of consumers’ non-public personal information (NPI)
Establishes standards for security, protection and confidentiality of NPI
Privacy Act of 1974
Restricts the use and disclosure of SSNs by federal agencies
Fair Credit Reporting Act (FCRA)
Restricts disclosure of consumer reports except for specified permissible purposes
Federal Laws
Fair and Accurate Credit Transactions Act (FACT Act)
Enhances identity-theft prevention
Further restricts information sharing and reuse provisions of the FCRA
Bills Introduced in the 110th Congress
11 deal with cyber security
93 address security of personal information
56 propose new rules for information security
18 tackle data security
Potential Federal Measures
Implementing uniform national notification standards to preempt more than 30 current state laws
Granting primary authority over data providers and privacy matters to a single federal agency
Requiring company officers to certify adequate data security measures
Creating standard credentialing procedures for customers of data information providers
Prohibiting use of SSNs as identifiers and/or authenticators in private industry
Banning the sale of SSNs
Potential Federal Measure ….
Leahy-Specter Personal Data Privacy and Security Act of 2007:
Applies to companies that have personal information on 10,000 or more U.S. persons
Requires a data privacy and security program, including: controlling risks, employee training, vulnerability testing, service provider contractual accountability, and periodic assessment against current threats
Imposes a fine of $5,000/day up to a total of $35,000/day while violations persist (more for “willful violations”)
Mandates GSA evaluation of Government contractor security
Don’t Forget the States …..
California’s SB-1386
“Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Don’t Forget the States …..
More than 30 states and at least one local jurisdiction have passed similar bills
Arkansas – proactive as well as reactive; destroy information no longer needed to be retained and “implement and maintain reasonable security procedures”
Florida – administrative fines each day after breach and prior to disclosure
Montana – breach must be one that “materially compromises the…personal information”; also, SSN and driver’s license number included in definition
New York – person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination
North Dakota – broader definition of personal information, to include mother’s maiden name, DOB, and “the individual’s digitized or other electronic signature”
The Privacy Policy Notice
Explains an institution’s information collection and privacy practices
Should include:
the types of information collected
the 3rd-parties with whom it is shared
the reasons why it is shared
the safeguards in place to protect it
the opt-out or opt-in choices available to the consumer, if applicable
the ways a consumer can request further information about the privacy practices
The Privacy Policy Notice
Make available on the web in addition to paper copies
When and how often should a copy of the PPN be provided to a borrower?
when each new loan funds
annually thereafter
when privacy practices change
upon request
Workplace vs. Customer Privacy
Employers often have Total Information Awareness
Health insurance plans
Payroll and benefits information
Web monitoring
Background checks
Cell phones
Meaningful consequences
Databases are open to federal government parties
Risk of breach – fiscal, reputational, political
Common law duties
Litigation
Security & Confidentiality Practices
state-of-the-art technology protection
physical protection
procedural protection
People -- not computers -- are often the weakest link in a security program.
Privacy Best Practices À La NCHELP
Cover privacy and security policies during new employee orientation.
Require employees to secure paper containing customer information whenever the documentation is not in use.
Require that all passwords contain upper and lower case letters, numbers and special characters, and that they be changed regularly.
Utilize encryption on all external email that contains customer information.
Allow employee access to information on a need-to-know basis.
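The password rule in the practices above (upper- and lower-case letters, numbers, special characters, regular changes) is easy to state and easy to get wrong in implementation, so here is one way to enforce it as an added example. This code is not from the presentation or from NCHELP. The four character-class checks and the rotation check come from the slide; the 12-character minimum length and the 90-day rotation window are assumptions chosen for illustration, not values the slide gives. The composition check runs only at the moment a user sets a new password (the only time the plaintext is legitimately available); the rotation check needs nothing but the date each account's password was last changed.

```python
"""Enforce the NCHELP-style password practice quoted above.

Added example, not code from the presentation. Character-class rules and
the "changed regularly" requirement are from the slide; MIN_LENGTH and
MAX_AGE are assumed values for illustration.
"""
from datetime import date, timedelta
import string

MIN_LENGTH = 12                # assumption: the slide states no length
MAX_AGE = timedelta(days=90)   # assumption: slide says only "changed regularly"
SPECIAL = set(string.punctuation)


def composition_violations(candidate: str) -> list[str]:
    """Return the rules a proposed new password fails (empty list = compliant).

    Call this at password-change time only; never store or log the candidate.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIAL for c in candidate):
        problems.append("no special character")
    return problems


def rotation_due(last_changed: date, today: date) -> bool:
    """True when the password is older than MAX_AGE and must be changed."""
    return today - last_changed > MAX_AGE


def accounts_due_for_rotation(records: dict[str, date], today: date) -> list[str]:
    """records maps username -> date of last password change (no secrets needed).

    Returns the usernames whose passwords have exceeded MAX_AGE, sorted.
    """
    return sorted(user for user, changed in records.items()
                  if rotation_due(changed, today))


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    review_date = date(2007, 5, 22)
    sample_records = {"jsmith": date(2007, 1, 1), "mlee": date(2007, 4, 1)}
    print("weak candidate:", composition_violations("password"))
    print("strong candidate:", composition_violations("Tr0ub4dor&3x!"))
    print("rotation due:", accounts_due_for_rotation(sample_records, review_date))
```

Returning the list of failed rules, rather than a bare yes/no, lets the change-password form tell the user exactly which requirement was missed, and keeping the rotation check separate means the periodic audit job only ever touches last-changed dates, never password material.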
Privacy Breach vs. Identity Theft
Breach does not always lead to identity theft nor to legal liability
Guin v. Brazos Higher Ed. Service Corp.
Insufficient evidence for the court to determine that Brazos failed to comply with the GLB Act. … “Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act.”
“Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.”
Recovering from Identity Theft
Get organized
File a police report with local, state or federal authorities
Place a fraud alert on your credit file
“Freeze” your credit report
Contact creditors
Close affected accounts
Complete an FTC ID theft affidavit
www.consumer.gov/idtheft/
Consider moving to online bill payment
Monitor your credit report
www.annualcreditreport.com