
Privacy and Financial Institutions

John W. Bagby, Professor of IST School of Information Sciences and Technology

The Pennsylvania State University Institute for Information Policy

©2001, 2002, 2003, 2004 by John W. Bagby


BA523 Privacy In Financial Institutions

©2001, 2002, 2003, 2004

by John W. Bagby

Pre-9.11: Pro-Privacy Momentum
- Privacy Fundamentalists' successes: shifting public opinion to pre-emptive protections; privacy law expansion; self-regulation initiatives
- Privacy regulation proliferated: online (COPPA), financial (G/L/B), health (HIPAA); encryption strengthened


Post 9.11: Pendulum Swings Back
- Privacy advocates in retreat: battle lines redrawn from former aggressive posture; now defending existing privacy; striving to mute expansion of government investigatory powers without appearing obstructionist
- Government investigation hawks have success: public opinion shifting in re government intrusions; law enforcement gaining new powers: USA Act; money laundering regulation enhanced


So What IS Privacy? Webster's New World:
- Withdrawn from company or public view; secrecy; one's private life or personal affairs
- Synonyms: seclusion, solitude, retreat, intimacy, retirement, isolation, concealment, separateness, shame
- Privacy vs. Confidentiality
- Shifting privacy focus: from intrusions by government, to include intrusions by private parties, back to government monitoring
- PII - Personally Identifiable Information
- PIFI - Personally Identifiable Financial Information


The Privacy Balance - a Classic Trade-off
- Individual autonomy/secrecy vs. societal interests/security:
  - 1st A. speech implies listener's right to learn
  - Democracy: public's right to know
  - Law enforcement's continuing needs
  - Avoiding adverse selection
  - Deservedly discrediting information
  - Management's fiduciary duty to shareholders (SH)


American Segmentation on Privacy
1. Privacy Fundamentalists: value privacy highly; summarily reject claims that PII needs are legitimate; advocate general refusal to disclose PII; seek strong regulation of privacy rights; held steady @ 25% of population
2. Privacy Pragmatists: balance privacy with societal needs; examine privacy policies & practices; disclose PII when economically rational; support industry self-regulation unless ineffective; grew from 55% in 1990 to 63% in 2000
3. Privacy Unconcerned: typically unconcerned, so trust in benefits from disclosing PII; unlikely to support strong privacy rights; declining from 20% in 1990 to 12% in 2000

Source: Alan F. Westin, Interpretive Essay in Public Records and the Responsible Use of Information, Choicepoint, 2000


Economics of Private Information
- Info essential to market efficiency
- Market model presumes perfect info
- Info "wants to be free"
- Info IS property
- Who should capture value of PII? Subject individual, or intruder/collector
- Privacy rights must balance competing, often deserving interests


Incentives to Restrict Access
- Private data is like a trade secret: irretrievable from the public domain
- Personal private data susceptible to misuse
- Incomplete profiles too easily misinterpreted
- Irreparable harm from publication of defamation: embarrassment, reputation, solitude
- Data security is inadequate
- Disclosure deters personal rehabilitation
- Rationale for expansion of privacy rights: long history of privacy intrusions; protects from societal predators (extortion, stalking); privacy is a prerequisite to life, liberty & happiness (Declaration of Independence: Creator endowed inalienable rights)


Incentives to Collect & Use
- Data availability is a "goldmine"
- Broader data availability urged by: commercial info producers; information wholesalers & users; law enforcement, national security; individuals seeking personal safety assurance services
- Costs of info collection, archiving & repackaging continue to drop
- Uses: recruiting & employee monitoring; insurance underwriting, obligor behavior; target marketing; "perfect price discrimination"


Predictable Privacy Practices: Information Industry

Incentive to obscure the collection, use & sale of PII

Lobby for weak privacy laws

Perfunctory industry self regulation

Slow to invest or innovate in privacy protections

Aggressive push on new items for collection

Refine/develop new methods: data collection; archival; use; data business models


Law & Economics of PII Intrusions
- Prof. (Judge) Posner's model would protect privacy or permit intrusion depending on a balancing of:
  1. Usefulness to society of PII acquired from the intrusion
  2. Repugnance of the intrusion
- Applied to J. Hand's formula:
  - Protect privacy if B > P*L
  - Intrude on privacy if B < P*L
  - B = intrusion costs; P = probability of discovering useful info; L = societal losses


Opting: In vs. Out
- Opt-out - consumer's affirmative act required to deny authorization for PII collection &/or use
  - Supported by data industry & users
  - Database starts larger, declines only slowly
  - Opting controlled by data collector
- Opt-in - consumer's affirmative act required to grant authorization for PII collection &/or use
  - Supported by privacy fundamentalists
  - Database starts small, grows only slowly
  - Must lure consumers to grant permission


Proportion of Participants: Opt-in vs. Opt-out Consents

[Figure: two panels, each plotting proportion of participants (None to All) against time. The Opt-In Consent panel levels off at "some"; the Opt-Out Consent panel levels off at "most".]


Regulation of Private Data Management
- Fundamental architecture & mechanics of private data activities
- PII Distribution Chain of Custody & Data Management Sequence:
  1. Data Acquisition
  2. Information Analysis
  3. Use of Knowledge


PII Distribution Chain of Custody & Data Management Sequence
1. Activity occurs & subject individual is identifiable
2. Data Collection: sensing, observation, capture
3. Data Storage: made available
4. Data Analysis: association, aggregation, organization, interpretation
5. Direct Use: by data manager
6. Secondary Use: PII sold or shared with 3rd party


US Privacy Law is Sectoral
- US is sectoral: narrowly drawn to particular government methods & industry sectors
  - Enacted following experience with activities that the public finds abusive
- EU is omnibus: comprehensive & uniform, covering most industries & governments, strong privacy rights
  - Sets fundamental policy for individuals


Sources of Privacy Law
- Constitutional Rights: 1st, 3rd, 4th, 5th, 6th, 9th, 10th, 14th Amendments
- Torts: appropriation, private facts, intrusion, false light
- Property Rights: information is property
- Protective Regulations: children, financial, workplace, health, telecom
- Contract: NDAs, website policies, privileges
- Criminal Procedure
- International Law (e.g., EU)


Fair Information Practice Principles
- Origin: 1973 HEW Advisory Committee Report
  1. Notice and/or Awareness
  2. Choice and/or Consent
  3. Access and/or Participation
  4. Integrity and/or Security
  5. Enforcement and/or Redress
- Spreading throughout government regulations and into self-regulation
- Underlies the EU Private Data Directive


Notice and/or Awareness
- Subject individuals given notice of PII practices, before information is collected
- Identify key details about: data collection; data security; PII uses


Choice and/or Consent
- Subject individual has choice whether/how PII is collected
- How is consent manifest?
  - Opt-out (an affirmative act preventing PII collection and/or use)
  - Opt-in (an affirmative act permitting collection and/or use)


Access and/or Participation
- Subject individual access rights: gain timely & inexpensive access; review personal PII
- Simple & effective method to contest & correct inaccurate data


Integrity and/or Security
- Collector/archiver/custodians: reasonable steps to assure accuracy of PII; administrative & technical security measures
- Standards: prevent unauthorized access; prevent unauthorized disclosure; prevent destruction; prevent misuse


Enforcement and/or Redress
- Mechanism(s) of privacy practices enforcement, e.g.: self-regulation; private rights of action; regulatory enforcement


Financial Privacy under Fair Credit Reporting & Gramm-Leach-Bliley
- Considerable U.S. experience with credit-worthiness reports, a/k/a consumer reports or credit histories, from 3rd parties ("non-experience" information)
  - Relevance: lending, insurance underwriting, bonding, employment
  - Publicly available info: court records, mortgage records, liens
  - "Experience" info from creditor's own records
- Financial PII databases on networked computers & institutional consolidation raise privacy risks


Pre-GLB PII Security Mechanisms
- FCRA compliance regulations, FTC oversight
- Subject individuals have access & participation rights
- Legitimate purpose required to access reports
- Criminal liability for obtaining report under false pretenses & knowing provision for illegitimate purpose, e.g., pretexting
- Civil penalties: damages, attorney fees, costs, punitives
- FTC unfair/deceptive trade practice enforcement
- Torts: negligence, defamation, ID theft
- TRW (Experian) v. Andrews (S.Ct. 11.01): FCRA 2-year statute of limitations starts when report wrongfully supplied, not on discovery


Application of GLB Privacy Rules
- Universal banking permits merging of PII databases
- In June 2000, all major federal regulators of financial institutions coordinated privacy rulemakings
  - Insurance, commercial & investment banking
  - SEC, FDIC, FTC, FRB, OTS, Comptroller
- Regulated "financial institutions" may grow beyond: brokers, banks, thrifts, credit unions, check cashing services, retailers issuing credit cards, appraisers, vehicle lessors, check printers, tax preparation, investment advisors, mortgage brokers, trust services, credit counselors
- States may fill in the GLB "gaps" (insurance, sharing among affiliates): FL, ND, MA, CA


Why GLB?
- Glass-Steagall separated investment banking, commercial banking, insurance
- But why? Morgans et al. monopolized finance 1870s – 1920s; Gilded Age – populist revulsion
- Expectation post-GLB: 1-stop shopping, consolidation, RIF, sharing of market/experience data among affiliates


GLB Privacy Provisions
- Nonpublic Personal Information - customer transaction data collected online or through traditional means from any source
- Privacy policies must be developed & disclosed: general PII categories collected, disclosed & to whom
- Customer notice required: initial (2001) & when opening accounts; annually thereafter with same content
- Opt-out from onward transfer of customer "transaction & experience" PII to unaffiliated 3rd parties


SEC Reg. S-P: Rules 1 & 2 – Scope
- Applicable to SEC-regulated financial institutions: domestic and foreign registered brokers, dealers, investment companies, investment advisors; referenced as "you" in S-P text
- Privacy protection for individuals' financial products or services primarily for personal, family or household use
- Separate from and in addition to HHS's health privacy rules under HIPAA
- Futures commission merchants & introducing brokers involved in securities futures products comply with S-P if in compliance with CFTC's financial privacy rules (17 CFR part 160)


SEC Reg. S-P: Rules 3 & 10 – Definitions
- Affiliate; Nonaffiliated Third Party; Clear & Conspicuous; Collect; Customer Relationship; Federal Functional Regulator; Customer vs. Consumer
- Financial Product or Service; Nonpublic Personal Information; Isolated Transaction with Consumer; Partial Opt Out; No Continuing Relationship


SEC Reg. S-P: Rule 4 – Initial Notice
- Clear & conspicuous notice required
- Must accurately reflect privacy policies & practices
- Revised notice required when new products/services obtained by existing customer
- Exceptions permit subsequent notice when prior notice is impractical


SEC Reg. S-P: Rule 5 – Annual Notice
- Ongoing, recurring, accurate notice required of privacy policies & practices
- Not less than annually – within a consecutive 12-month period
- Financial institution may define the 12 months if applied consistently to the customer
- Not required if customer relationship terminates


SEC Reg. S-P: Rule 6 – Notice Contents
- Categories of PIFI collected & disclosed about current & former customers
- Categories of affiliates & nonaffiliated 3rd parties
- Explanation of opt-out rights & methods
- Policies & practices on PIFI security


SEC Reg. S-P: Rule 7 – Form of Opt-Out
- Explanation of opt-out right & method
- Provide reasonable means to effect opt-out: one or more of check-off boxes, reply form, electronic means (e.g., e-mail, website), toll-free phone
  - Customer must agree to use of electronic means
  - Unreasonable if letter is the only means available
- Joint customers may opt out separately
- Opt-out effective whenever made
- Duration – until revoked in writing or electronically
- Must comply with opt-out as soon as practical


SEC Reg. S-P: Rule 8 – Revised Notices
- Financial institutions control terms of privacy policies so long as notice and opt-out procedures are followed
- Revised notice may change privacy policies & practices
- May not disclose PIFI to nonaffiliated 3rd party, except as promised in initial notice, without a revised notice, a reasonable opportunity for a new opt-out, & the consumer not opting out


SEC Reg. S-P: Additional Rules
- Rule 9 – Delivery. Examples: hand-deliver, mail printed copy, post on website & require electronic acknowledgment, postings for isolated transactions (ATM kiosk)
- Rule 10 – Limits on Disclosures
- Rule 11 – Limits on Redisclosure & Reuse
- Rule 12 – Sharing Account No. for Marketing
- Rules 13, 14 & 15 – Exceptions
- Appendices – Sample Clauses


Criticisms of GLB Privacy
- PII sharing among affiliates encourages mergers to build data warehouses & conduct data mining
- Insurer might not underwrite risky investor or spendthrift
- Highly sophisticated customer profiling of behaviors and preferences was not available heretofore
- Customers have no access rights to raw data nor to analysis of profiles or categorization
- 1st wave of notices incomprehensible to most, even to FTC Commissioners (12.01)
- Responses: 2 tiers (Madison Ave & legalese); but could become "nutritional-style" labeling


Continuing Privacy Developments
- FTC Privacy Agenda: Nat'l No-Call List, spam, ID theft, pretexting; FCRA compliance; enforce privacy promises; children; telemarketing; "pre-acquired account info"; P3P; GLB compliance
- FTC expanding use of public workshops
- SEC rather busy just now, so FTC may become primary privacy regulator for financial institutions
- NY Bar v. FTC (OK in failure to exempt lawyers) (DDC 4.30.02)


Pretexting
- Fraud & illegal means to obtain PIFI from financial institutions under "pretext", & solicitation of others to pretext
- Websites tout that the pretexter would pose as a legitimate inquirer
- GLB prohibits pretexting as unfair & abusive
- FTC settled & enjoined several info brokers 3.02: Smart Data, Discrete Data, Information Search (MD, NY, TX); disgorgement
- Note FTC's ascension in financial market regulation; significant FTC budget enhancement request for privacy


GLB Rulemakings Validated
- Individual Reference Services Group v. FTC, 145 F.Supp.2d 6 (DDC 4.01) (credit reporting trade group + TransUnion)
- GLB regs apply to credit header sales/transfer/barter
- PIFI now includes PII (name, addresses, contacts) for which FCRA permitted markets
- Agencies within Chevron (S.Ct. '84) statutory interpretation & rulemaking discretion
- No 1st or 5th A. violations (=protect, narrow legislative class)
- TransUnion is a "financial institution" under GLB


Remain Current on Evolving Privacy Regulations & Grassroots Efforts
- Sec.gov, Ftc.gov, Fcc.gov, Frb.gov, Dot.gov, europa.eu.int
- Andrewsonline.com, Siegelgale, Inc., Epic.org, Itsa.org, Cookiecentral.com, Public Citizen, W3.org (P3P)


California Privacy Law Developments
- California Financial Information Privacy, SB 1, effective 7.1.04
  - Opt-out for affiliate sharing & joint marketing unless under common branding/holding co. or accessing a common customer database
  - Opt-in for 3rd party sharing
  - Uniform customer notice format


California Privacy Law Developments
- Security Breach Disclosure, SB 1386, effective 7.1.03
  - ID theft – applicable to government AND business
  - Applies to "persons" conducting business in CA
  - Covers PII "linked" to SSN, driver's license #, account #, security codes (e.g., PIN, password)
  - Requires encryption


California Privacy Law Developments: CA SB 1386 Disclosure Obligation
- Triggered by any breach of security - unauthorized acquisition of computerized data
- To: affected CA resident
- When: "most expedient time possible" & "without unreasonable delay"
- How: written, electronic (E-SIGN); if cost of notice exceeds $250,000 or over 500,000 persons impacted, then: email, conspicuous website, press
- Remedies: damages, injunction


Fair & Accurate Credit Transactions Act
- Effective 1.1.04
- ID theft protections, quicker resolution of disputed history & new business models
- Free credit report
- Notice to consumers before adverse report to credit bureau
- Creditor investigation before invoking collector


Security & Privacy Relationships
- Glass half empty: PII not secret unless secured; PII custodians violate privacy duty without adequate security
- Glass half full: PII remains secret when secure; PII custodians comply with privacy duty with adequate security


Security & Privacy Relationships
- Security of info systems & physical assets better assured when privacy maintained
- Individuals responsible for security made vulnerable when their PII is compromised
- Tangible & intangible assets vulnerable with inadequate security over confidential trade secrets


PIFI Data Security Standards
- GLB §504 requires agencies to collaborate in developing consistent data security regimes: Fed, SEC, OCC, FTC, Treasury, FDIC, OTS, NCUA
- FTC "Safeguards Rule" imposes standards for safeguarding customer information
  - Regulated financial institutions must develop, implement & maintain reasonable administrative, technical & physical safeguards to protect the security, confidentiality & integrity of customer information
  - Flexible: need be appropriate to institution's size & complexity


PIFI Data Security Standards
- Designate data security employee(s)
- Perform risk assessment; at least evaluate risks in:
  - Employee training & management
  - Information systems, including, inter alia, network & software design; information processing, storage, transmission & disposal
  - Detecting, preventing & responding to attacks, intrusions or system failures


PIFI Data Security Standards
- Design & implement safeguards to control risks identified
- Regularly test & monitor effectiveness of key controls
- Evaluate & adjust in light of test results or as dictated by changing business conditions or other material circumstances
- Select & retain reasonable service providers; impose these risk management obligations on service providers


SEC 17 CFR 248.30
- Less specific than FTC or HIPAA standards
- Requires financial institutions within SEC jurisdiction to adopt policies & procedures reasonably designed to:
  - Insure security & confidentiality of customer records
  - Protect against anticipated threats or hazards
  - Protect against unauthorized access or use that could result in substantial harm or inconvenience


Uniting & Strengthening America (USA Patriot) Act
- Controversial provisions: expanded federal investigation powers; detention of aliens, designation of terrorist orgs.; online surveillance enhancements; secret searches; interagency info sharing; monitoring of confidential attorney-client communications

Page 53

Links Between Money Laundering & Financial Privacy

Further Money Laundering Restrictions
GAO Report: Insufficient Progress in Anti-Terrorism War
Conundrum:
Must screen & monitor customer transactions, detect suspicious patterns, cooperate with law enforcement
Liability for misuse of customer transaction data or participation in illegal activity

Page 54

What IS Money Laundering?
Various practices create the illusion of legitimate transactions, disguising the origin & movement of $
Law Enforcement motto: “Follow the Money!”
Modern term originated in the 1920s-30s gangster era: coin cash flow from the “numbers” racket was cleansed through mob-operated coin-op laundries

Page 55

What IS Money Laundering?
Existed for nearly 4000 yrs
Hide earnings from despotic govt confiscation & taxes
Essential to terrorism, illegal drug trade, organized crime, smuggling

Page 56

Money Laundering Methods & Tools
Well-known practices, but detection is costly
Transactions with minimal recordkeeping
Payments under $10K to avoid Currency Transaction Reports
Cash used whenever possible; minimize use of checks, wire transfers, credit cards
“Legitimate Fronts”: apparently respectable businesses

See http://www.moneylaundering.com

Page 57

Anti-Money Laundering Laws

Federal Statute with Money Laundering Provisions: Anti-Money Laundering Purposes and Methods

Bank Secrecy Act of 1970 (BSA): Currency Transaction Report ("paper trail" for transactions over $10,000); civil & criminal penalties.

Money Laundering Control Act of 1986: Creates three new federal money laundering crimes: (1) assistance in laundering, (2) engaging in $10,000 transactions involving property from criminal activity & (3) structuring transactions to avoid BSA disclosures of Currency Transaction Reports.

Anti-Drug Abuse Act of 1988: Increased civil & criminal sanctions. Forfeiture of property involved in violating BSA or other Anti-Laundering statute. Requires recordkeeping of large cash purchases of monetary instruments (bank drafts).
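The $10,000 Currency Transaction Report threshold and the structuring crime described in the slides above, as an added example that is not part of the lecture: a defender-side monitoring check that flags customers whose individually sub-threshold cash deposits aggregate above the CTR figure within a look-back window. The 3-day window and the sample transactions are constructed assumptions for illustration.

```python
"""Added example (not from the slides): a simple structuring detector.

A Currency Transaction Report (CTR) is required for cash transactions over
$10,000, and splitting cash into sub-threshold pieces ("structuring") is
itself a federal crime. This constructed detector flags customers whose
cash deposits, each individually below the CTR threshold, add up to more
than the threshold inside a look-back window (window length is assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000       # from the slides: CTR for transactions over $10,000
WINDOW = timedelta(days=3)   # assumption: look-back window used for aggregation

# Constructed sample transactions: (timestamp, customer_id, cash amount in USD)
SAMPLE_TXNS = [
    ("2004-03-01 09:10", "C100", 9_500),
    ("2004-03-01 15:40", "C100", 9_800),
    ("2004-03-02 10:05", "C100", 9_700),
    ("2004-03-01 11:00", "C200", 12_000),  # over threshold: a CTR is filed, not structuring
    ("2004-03-01 12:00", "C300", 2_000),
    ("2004-03-15 12:00", "C300", 9_900),   # outside the window of the earlier deposit
]


def parse(txns):
    """Turn the (text timestamp, customer, amount) tuples into datetime-keyed tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), cid, amt) for ts, cid, amt in txns]


def find_structuring(txns, threshold=CTR_THRESHOLD, window=WINDOW):
    """Return {customer_id: largest windowed total} for customers with two or more
    sub-threshold cash deposits inside `window` whose sum exceeds `threshold`.
    Deposits at or above the threshold already trigger a CTR and are skipped."""
    by_customer = defaultdict(list)
    for ts, cid, amt in sorted(parse(txns)):
        if amt < threshold:
            by_customer[cid].append((ts, amt))
    flagged = {}
    for cid, deposits in by_customer.items():
        start = 0
        for end in range(len(deposits)):
            # slide the window start forward until all deposits fit inside `window`
            while deposits[end][0] - deposits[start][0] > window:
                start += 1
            chunk = deposits[start:end + 1]
            total = sum(amt for _, amt in chunk)
            if len(chunk) >= 2 and total > threshold:
                flagged[cid] = max(total, flagged.get(cid, 0))
    return flagged
```

Only C100 is flagged on the sample data: C200's single deposit already requires a CTR, and C300's two deposits fall outside the assumed window.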

Page 58

Anti-Money Laundering Laws

Federal Statute with Money Laundering Provisions: Anti-Money Laundering Purposes and Methods

Crime Control Act of 1990, §2532: Federal banking regulators authorized to negotiate with foreign banking regulators for help in certain criminal investigations.

Federal Deposit Insurance Corporation Improvement Act of 1991, §206: Federal banking regulators given discretion to disclose information to foreign banking regulators to enforce anti-money laundering laws.

Housing and Community Development Act of 1992, Title XV [Annunzio-Wylie Anti-Money Laundering Act]: Authorizes seizure, closing and/or revocation of charter of financial institutions guilty of money laundering or BSA offenses. Specifies mitigation factors.

USA Patriot Act of 2001: Broadens definition; programs & training required; tougher civil & criminal penalties.

Page 59

USA Patriot: Anti-Money Laundering Provisions

Broadens definition of financial institutions regulated under money laundering laws
Requires anti-money laundering programs & training
Regulates private and correspondent banking
FCPA now defines money laundering as a form of bribery
Stiffens civil & criminal penalties for money laundering

Page 60

THE END