Transcript Document

Consumer Privacy & Protection
Joanna Acocella
May 22, 2007
What’s the big deal?
- Sensitive information is required to meet the customers’ demands for services and products.
- Consumers have an expectation that their information will not be shared without their consent.
- Identity theft and data breaches are on the rise.
- Consumers, investors, public policy-makers & the media have taken notice of these trends.
We have legal and ethical obligations to protect customers’ privacy. Honoring that commitment enhances the consumers’ experience.
Why is privacy a hot topic for us?
- Demographics
- Dramatic increase in credit-based products
- Role of schools and lenders as credit counselors
- Federal program requirements
- Security breaches of school networks
- Fines, fees and fallout
Social Security Number Fundamentals
- Intended to track individual earnings
- Technically authorized for use only by the IRS, banks and state governments
- Not illegal for private industry to use as an identifier
- Most commonly used identifier for record-keeping systems and data exchanges in the US
- Legal to refuse services to customers who refuse to provide it
- Highly effective in predictive modeling for fraud prevention
- Only way to access credit information
Federal Laws
Gramm-Leach-Bliley Act (GLB)
- Obligates financial institutions to protect the confidentiality of consumers’ non-public personal information (NPI)
- Establishes standards for security, protection and confidentiality of NPI
Privacy Act of 1974
- Restricts the use and disclosure of SSNs by federal agencies
Fair Credit Reporting Act (FCRA)
- Restricts disclosure of consumer reports except for specified permissible purposes
Federal Laws
Fair and Accurate Credit Transactions Act (FACT Act)
- Enhances identity-theft prevention
- Further restricts the information-sharing and reuse provisions of the FCRA
Bills Introduced in the 110th Congress
- 11 deal with cyber security
- 93 address security of personal information
- 56 propose new rules for information security
- 18 tackle data security
Potential Federal Measures
- Implementing uniform national notification standards to preempt more than 30 current state laws
- Granting primary authority over data providers and privacy matters to a single federal agency
- Requiring company officers to certify adequate data security measures
- Creating standard credentialing procedures for customers of data information providers
- Prohibiting use of SSNs as identifiers and/or authenticators in private industry
- Banning the sale of SSNs
Potential Federal Measures …
Leahy-Specter Personal Data Privacy and Security Act of 2007:
- Applies to companies that have personal information on 10,000 or more U.S. persons
- Requires a data privacy and security program, including: controlling risks, employee training, vulnerability testing, service provider contractual accountability, and periodic assessment against current threats
- Imposes a fine of $5,000/day up to a total of $35,000/day while violations persist (more for “willful violations”)
- Mandates GSA evaluation of Government contractor security
Don’t Forget the States …
California’s SB-1386
“Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Don’t Forget the States …
- More than 30 states and at least one local jurisdiction have passed similar bills
- Arkansas – proactive as well as reactive; destroy information no longer needed to be retained and “implement and maintain reasonable security procedures”
- Florida – administrative fines each day after breach and prior to disclosure
- Montana – breach must be one that “materially compromises the…personal information”; also, SSN and driver’s license number included in definition
- New York – person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination
- North Dakota – broader definition of personal information, to include mother’s maiden name, DOB, and “the individual’s digitized or other electronic signature”
The Privacy Policy Notice
- Explains an institution’s information collection and privacy practices
- Should include:
  - the types of information collected
  - the 3rd parties with whom it is shared
  - the reasons why it is shared
  - the safeguards in place to protect it
  - the opt-out or opt-in choices available to the consumer, if applicable
  - the ways a consumer can request further information about the privacy practices
The Privacy Policy Notice
- Make available on the web in addition to paper copies
- When and how often should a copy of the PPN be provided to a borrower?
  - when each new loan funds
  - annually thereafter
  - when privacy practices change
  - upon request
Workplace vs. Customer Privacy
Employers often have Total Information Awareness
- Health insurance plans
- Payroll and benefits information
- Web monitoring
- Background checks
- Cell phones
Meaningful consequences
- Databases are open to federal government parties
- Risk of breach – fiscal, reputational, political
- Common law duties
- Litigation
Security & Confidentiality Practices
- state-of-the-art technology protection
- physical protection
- procedural protection
People -- not computers -- are often the weakest link in a security program.
Privacy Best Practices À La NCHELP
- Cover privacy and security policies during new employee orientation.
- Require employees to secure paper containing customer information whenever the documentation is not in use.
- Require that all passwords contain upper- and lower-case letters, numbers and special characters, and that they be changed regularly.
- Utilize encryption on all external email that contains customer information.
- Allow employee access to information on a need-to-know basis.
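The password practice above is the one item on this slide that can be enforced mechanically. The following is an added example, not NCHELP’s or the presenter’s code: a small policy checker that tests a candidate password for the four character classes the slide names and flags a password whose last change is older than a rotation interval. The slide says only “regularly”, so the 90-day interval and the 12-character minimum are assumptions chosen for the example, as are the sample passwords and dates.

```python
import re
from datetime import date, timedelta

# Assumed policy parameters: the slide does not state a length or interval.
MIN_LENGTH = 12
MAX_PASSWORD_AGE_DAYS = 90

# One regex per character class the slide requires.
_CLASS_CHECKS = {
    "no upper-case letter": re.compile(r"[A-Z]"),
    "no lower-case letter": re.compile(r"[a-z]"),
    "no digit": re.compile(r"[0-9]"),
    "no special character": re.compile(r"[^A-Za-z0-9]"),
}


def complexity_problems(password: str) -> list[str]:
    """Return the list of policy violations for a candidate password.

    An empty list means the password satisfies the composition rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for description, pattern in _CLASS_CHECKS.items():
        if not pattern.search(password):
            problems.append(description)
    return problems


def is_rotation_overdue(last_changed: date, today: date) -> bool:
    """True when the password is older than the assumed rotation interval."""
    return today - last_changed > timedelta(days=MAX_PASSWORD_AGE_DAYS)


def check_password_policy(password: str, last_changed: date, today: date) -> list[str]:
    """Combine the composition and rotation checks into one report."""
    problems = complexity_problems(password)
    if is_rotation_overdue(last_changed, today):
        age = (today - last_changed).days
        problems.append(f"password is {age} days old; rotation required")
    return problems


if __name__ == "__main__":
    # Constructed sample data for the demonstration run.
    today = date(2007, 5, 22)
    samples = [
        ("Tr0ub4dor&3xyz", date(2007, 4, 1)),   # compliant and recently changed
        ("Abcdefghij123", date(2007, 4, 1)),    # missing a special character
        ("Tr0ub4dor&3xyz", date(2007, 1, 1)),   # compliant but overdue for rotation
    ]
    for password, changed in samples:
        report = check_password_policy(password, changed, today)
        status = "OK" if not report else "; ".join(report)
        print(f"{password!r} (changed {changed}): {status}")
```

The checker returns a list of findings rather than a boolean so that a help-desk or self-service page can show the user every rule that failed at once. Note that later guidance (NIST SP 800-63B, 2017) moved away from mandatory composition rules and periodic rotation in favour of length, blocklists of known-compromised passwords, and rotation only on evidence of compromise; the thresholds here reproduce the slide’s 2007 practice, not current recommendations.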
Privacy Breach vs. Identity Theft
A breach does not always lead to identity theft, nor to legal liability.
Guin v. Brazos Higher Ed. Service Corp.
- Insufficient evidence for the court to determine that Brazos failed to comply with the GLB Act. … “Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act.”
- “Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.”
Recovering from Identity Theft
- Get organized
- File a police report with local, state or federal authorities
- Place a fraud alert on your credit file
- “Freeze” your credit report
- Contact creditors
- Close affected accounts
- Complete an FTC ID theft affidavit
  - www.consumer.gov/idtheft/
- Consider moving to online bill payment
- Monitor your credit report
  - www.annualcreditreport.com