Consumer Privacy & Protection
Joanna Acocella
May 22, 2007
What’s the big deal?
• Sensitive information is required to meet the customers’ demands for services and products.
• Consumers have an expectation that their information will not be shared without their consent.
• Identity theft and data breaches are on the rise.
• Consumers, investors, public policy-makers & the media have taken notice of these trends.
We have legal and ethical obligations to protect customers’ privacy. Honoring that commitment enhances the consumers’ experience.
Why is privacy a hot topic for us?
• Demographics
• Dramatic increase in credit based products
• Role of schools and lenders as credit counselors
• Federal program requirements
• Security breaches of school networks
• Fines, fees and fallout
Social Security Number Fundamentals
• Intended to track individual earnings
• Technically authorized for use only by IRS, banks and state governments
• Not illegal for private industry to use as an identifier
• Most commonly used identifier for record keeping systems and data exchanges in the US
• Legal to refuse services to customers who refuse to provide it
• Highly effective in predictive modeling for fraud prevention
• Only way to access credit information
Federal Laws
Gramm-Leach-Bliley Act (GLB)
• Obligates financial institutions to protect the confidentiality of consumers’ non-public personal information (NPI)
• Establishes standards for security, protection and confidentiality of NPI
Privacy Act of 1974
• Restricts the use and disclosure of SSNs by federal agencies
Fair Credit Reporting Act (FCRA)
• Restricts disclosure of consumer reports except for specified permissible purposes
Federal Laws
Fair and Accurate Credit Transactions Act (FACT Act)
• Enhances identity-theft prevention
• Further restricts information sharing and reuse provisions of the FCRA
Bills Introduced in the 110th Congress
• 11 deal with cyber security
• 93 address security of personal information
• 56 propose new rules for information security
• 18 tackle data security
Potential Federal Measures
• Implementing uniform national notification standards to preempt more than 30 current state laws
• Granting primary authority over data providers and privacy matters to a single federal agency
• Requiring company officers to certify adequate data security measures
• Creating standard credentialing procedures for customers of data information providers
• Prohibiting use of SSNs as identifiers and/or authenticators in private industry
• Banning the sale of SSNs
Potential Federal Measures …
Leahy-Specter Personal Data Privacy and Security Act of 2007:
• Applies to companies that have personal information on 10,000 or more U.S. persons
• Requires a data privacy and security program, including: controlling risks, employee training, vulnerability testing, service provider contractual accountability, and periodic assessment against current threats
• Imposes a fine of $5,000/day up to a total of $35,000/day while violations persist (more for “willful violations”)
• Mandates GSA evaluation of Government contractor security
Don’t Forget the States …
California’s SB-1386:
“Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.”
Don’t Forget the States …
• More than 30 states and at least one local jurisdiction have passed similar bills
• Arkansas – proactive as well as reactive; destroy information no longer needed to be retained and “implement and maintain reasonable security procedures”
• Florida – administrative fines each day after breach and prior to disclosure
• Montana – breach must be one that “materially compromises the…personal information”; also, SSN and driver’s license number included in definition
• New York – person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination
• North Dakota – broader definition of personal information, to include mother’s maiden name, DOB, and “the individual’s digitized or other electronic signature”
The Privacy Policy Notice
• Explains an institution’s information collection and privacy practices
• Should include:
  • the types of information collected
  • the 3rd-parties with whom it is shared
  • the reasons why it is shared
  • the safeguards in place to protect it
  • the opt-out or opt-in choices available to the consumer, if applicable
  • the ways a consumer can request further information about the privacy practices
The Privacy Policy Notice
• Make available on the web in addition to paper copies
• When and how often should a copy of the PPN be provided to a borrower?
  • when each new loan funds
  • annually thereafter
  • when privacy practices change
  • upon request
Workplace vs. Customer Privacy
Employers often have Total Information Awareness
• Health insurance plans
• Payroll and benefits information
• Web monitoring
• Background checks
• Cell phones
Meaningful consequences
• Databases are open to federal government parties
• Risk of breach – fiscal, reputational, political
• Common law duties
• Litigation
Security & Confidentiality Practices
• state-of-the-art technology protection
• physical protection
• procedural protection
People -- not computers -- are often the weakest link in a security program.
Privacy Best Practices À La NCHELP
• Cover privacy and security policies during new employee orientation.
• Require employees to secure paper containing customer information whenever the documentation is not in use.
• Require all passwords to contain upper and lower case letters, numbers and special characters, and require that they be changed regularly.
• Utilize encryption on all external email that contains customer information.
• Allow employee access to information on a need-to-know basis.
Privacy Breach vs. Identity Theft
A breach does not always lead to identity theft or to legal liability.
Guin v. Brazos Higher Ed. Service Corp.
• Insufficient evidence for the court to determine that Brazos failed to comply with the GLB Act. … “Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act.”
• “Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin’s persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement.”
Recovering from Identity Theft
• Get organized
• File a police report with local, state or federal authorities
• Place a fraud alert on your credit file
• “Freeze” your credit report
• Contact creditors
• Close affected accounts
• Complete an FTC ID theft affidavit
  • www.consumer.gov/idtheft/
• Consider moving to online bill payment
• Monitor your credit report
  • www.annualcreditreport.com