Running head: FINANCIAL INDUSTRY MODEN DAY PRIVACY POLICIES

Financial Industry Modern Day Privacy Policies Steven M. Swafford University of Maryland University College Human Aspects in Cybersecurity Dr. Ruth Parker November 13, 2011

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES Abstract The financial industry whether banking, investments, or credit card services face an ever

changing landscape when it comes to privacy and if they are to safeguard themselves and their consumers a proper plan must be implemented. There are a number of challenges surrounding privacy in terms of data protection, consumer confidence, supplier partnerships, and of course laws and regulations. The financial industry is particularly at risk because of the nature of business as well as the utter amount of transactions and the sizeable customer base. Not only does the Internet pose what is likely the single largest risk in the realm of privacy but also traditional communications must accurately address privacy. Keywords: cybersecurity, risk, financial, policy, banking, laws, regulations

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES Financial Industry Modern Day Privacy Policies

To set the stage of what privacy exemplifies the Webster dictionary defines privacy as the quality or state of being apart from company or observation. Now that the definition of privacy is clear, the financial industry must account for laws and regulations in order to both safeguard themselves and their customers. To address privacy it is imperative to establish a policy, which outlines the steps of how a bank manages and shares personal information. Many banks will use personal information to increase partnerships, provide a good or service, or even to assist in protection against fraud and identity theft. At this point, the scope of privacy begins to take form. Over the years, a business typically used paper-based statements and communications to convey information but modern day, the Internet has improved the legacy business model. While the Internet has not entirely substituted the legacy model, it does offer convince for consumers and at the same time helps to diminish cost for a business, at least in terms of traditional mailers. Of course, the Internet opens the door to hackers who can exploit vulnerabilities as well as take advantage of the population that does not practice concrete security practices. In order
Figure 1. Bank Data Analysis

to properly address privacy then the financial industry must abide by laws and regulations while also sharing in the responsibility of education for suppliers, partners, and consumers. To further drive home this point reference figure one, which touches on a number of key areas in terms of data use and protection (Earp & Payton, 2006). This paper will take a deeper dive into the

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES

financial industry in terms of a comparison and contrast as well as recommendations in the area of change that must occur. Organization and Mission The banking industry exists to serve customers from individuals, corporations, and groups. The role of a bank is to facilitate in the end goal of financial freedom and investments. The banking industry also serves a staple in both the United States and global economies that in turn drive a robust need of regulations and laws. Typically, a mission statement may include: 1. Provides best of breed financial services 2. Accountability to shareholders and customers By nature the banking industry is at abundant risk solely due to the utter amount of sensitive data from the customer is enormous. The details of personal information and daily transactions drive stout concerns from customers from both a privacy and security point of view. Privacy Policy and Laws The Federal Deposit Insurance Corporation (FDIC) is in place to aid in the protection of the privacy of participants and the overall banking industry. The FDIC commonly provides both high and low level guidance in the area of financial activities and operations, and in other limited circumstances such as where required for law enforcement and public disclosure activities. In addition, the minimum necessary information will be used, except in limited situations specified by
Figure 2. Privacy Type Notices

applicable law. Other uses and disclosures of financial transactions will not occur unless the customer authorizes them. Customers will have the opportunity to inspect, copy, and amend

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES

their privacy elections as required by both existing laws and regulations. Privacy is extremely important within the financial industry and figure two demonstrates three stages of the types of notices, defines what stakeholders receives them, and finally the delivery time table (FDIC, 2001). Customers may also exercise the rights granted to them under these same laws and regulations free from any intimidating or punitive acts. The public in general is becoming much more educated and aware of the risk of personal information as well how all facets of business and how they share information, because of this there are two fundamental principles: 1. Establish both initial and annual privacy policies 2. Provide a mechanism for customers to opt in or opt out with information sharing
Figure 3. Customer Data

There are established acts that allow banks to share customer information and once such act is the Gramm-Leach-Bliley Banking Modernization Act of 1999 (Earp & Payton, 2006). Oddly enough, the Gramm-Leach-Bliley Banking Modernization Act is rooted in a case from Victorias Secret. Upon closer investigation of figure three, the customer information shared is broken out by sex and the amount of sales. In this case, Representative Joe Barton of Texas felt that his

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES

credit union had disclosed his address to Victorias Secret even though he had not established a business relationship with Victorias Secret (Hoofnagel & Honig, 2005). As we turn our attention to the scope of technology and the variety of usage it brings to the table, it becomes apparent that technology helps in everyday life activities but at the same time, this same technology has unmistakably broken down other aspects of privacy (Nilakanta & Scheibe, 2005). Policy and Law Changes The single largest challenge within the financial industry may be how privacy is addressed in terms of business and the end consumers. While there are both modern and historical laws and regulations, they often conflict one another or worse leave open opportunities that are easily exploited or maybe even entirely overlooked. The banking industry as a whole is doing a much better job surrounding privacy but as technology and business partnerships continue to evolve, so does the need to address current policies and laws.

Figure 4. Four ethical Issues of the Information Age Data collection and sharing has become ever so important in terms of conducting business to the degree that ethics becomes center place. Over two decades ago, four issues of ethics arose from the information age and a new acronym was born called PAPA (Mason, 1986)

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES

which calls out privacy, accuracy, property, and accessibility. In order to begin tackling change figure four outlines both problems and issues. This model may be used as a template for all aspects of PAPA. The challenge is to take all existing laws, whether at state or federal level and balance these laws across the banking industry while keeping in mind the needs of the business and most importantly the customers. Individual Rights All consumers must have the right to access, inspect, and copy his or her information within accordance to policy and laws. The banking industry generally must honor these rights, except in certain circumstances when the information may result is a breach of privacy that a spouse or family member is allowed to under applicable laws. Once consumers begin to understand their rights, only then will they be in a better position to both protect them and selfpolice the banking industry. Of course, this is easier said than done. Most consumers are provided privacy information from the financial vendor in which they conduct business but the information is confusing at best. Stop and consider for a moment the process a consumer undergoes when opening a checking account with a bank. The bank adheres to laws and provides a privacy statement but more often than not, these same privacy statements are written in legal terms rather that common everyday language. The Federal Trade Commission (FTC) plays a vital role between consumers and industries. Overall, the FTC performs as to expectations in terms of consumer protection and one such example is the Fair Information Practice Act of 1997. This act outlines five core principles: 1. Notice and Awareness 2. Choice and Consent 3. Access and Participation

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES 4. Integrity and Security 5. Enforcement and Redress Liability

Should banks not conform to laws and regulations the results it can be disastrous to the industry itself but more importantly it has the potential to destroy personal financial freedoms. For example, Chase Manhattan Bank was charged with selling their customers purchase history and an agreement was reached in 2000 with the New York State Attorney Generals office (Hale, 2001). There are many other cases, which relate directly to the Chase Bank infraction that driven the need for strong penalties when the area of privacy is violated. To better understand the liabilities surrounding privacy, one must first understand the measures of protection, which may include: 1. Implement a clean desk practice. Personal Identifiable Information (PII) must be put away if the employee is away from his or her desk throughout the day and PII will be placed in closed and locked drawers or cabinets when the employee is not in the office. 2. PII in paper format will be destroyed when it is obsolete or is not required to be retained for storage purposes, with shredding the preferred method of destruction. 3. Limit the substance of PII in conversations with partners and other outside vendors to the required minimum necessary. 4. Implement reasonable measures to prevent other individuals from overhearing conversations, e.g., using speakerphone only when in a closed office. 5. Limit remote access to systems to secure methods. By starting with these five points, the groundwork starts to take shape and a clear understanding of risks begins to bubble up to the surface. As risks are identified and categorized only then can

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES

the liability start to be reduced by taking these risks and build out strong policies and procedures. In the case where a bank is conducting business over the Internet, The Federal Reserve Board (FRB) has established guidelines where additional disclosure rules are needed to both protect consumers and reduce the liability of the company in question (Hale, 2001). Risk Management The areas of managing risks are mutual by both the financial industry as well as consumers and each must participate in certain risk management activities to ensure compliance. The business has the greatest responsibility and because of this, there are numerous opportunities when it comes to reducing risk. 1. Workforce training on the Policies and Procedures 2. Developing a complaint process for individuals to file complaints 3. Designing a system of written disciplinary policies and sanctions 4. Mitigating damages resulting from improper use or disclosure 5. Retaining copies of its Policies and Procedures, written communications, and actions Some of these risk management rules require stakeholders to design processes affecting employees under their control. Complaints Banks must have an established process to process a persons complaint about the privacy policies and procedures, practices, and compliance. The resolution of complaints depends on the varying facts and circumstances of the complaint. Examples of viable complaint resolution include: 1. 2. Educating the consumer Implementing changes in the policies, procedures, and practices

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES 3. 4. Providing appropriate training for employees Issuing new communication materials both to the company and consumers

10

This process will assist in properly addressing consumer concerns as well as assisting banks in terms of legal obligations. Security Implications At the end of the day, privacy is much more than just protecting information. When a banks information is breached by hackers or even by the everyday nature of business, the results are extremely damaging. The criminal act of stolen
Figure 5. Identity Theft Responsibilities

identities is a billion dollar criminal enterprise and it all starts with improper privacy practices (Warren, 2007). While many countries have defined agencies that oversee privacy, see figure five, the reality is these same agencies tend to be rooted in existing laws that are outdated or even must advocate the need for new laws. Conclusion At this point, the gravity of privacy as applied to both the banking industry and consumers should be a call to action. Banks must make every reasonable effort to protect the privacy rights and interests of consumers in the collection, use, transfer, or retention of information to prevent inappropriate or unnecessary disclosures of information. In closing, the following is instrumental to continually understanding and measuring privacy concerns. The financial industry must make every reasonable effort to protect the privacy rights and interests of consumers and their partners to include unnecessary disclosures of information. The industry must further comply with all existing laws and regulations. Since

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES

11

technology has become commonplace the online privacy aspect opens another area of concern that warrants a drastic change is regulations. Of course, the challenge is the ever-changing technology landscape that typically drives parties who enact laws to move quickly but often do not fully comprehend the challenges surrounding modern day technology.

FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES References

12

Burton, R. N. (2000). Discussion of information technology-related activities of internal auditors. Journal Of Information Systems, 14(1), 57. Retrieved from http://www.atypon-link.com Earp, J., & Payton, F. (2006). Information privacy in the service sector: an exploratory study of health care and banking professionals. Journal Of Organizational Computing & Electronic Commerce, 16(2), 105-122. doi:10.1207/s15327744joce1602_2 FDIC. (2001). Privacy Rule Handbook. Federal Deposit Insurance Corporation (FDIC). Retrieved on November 13, 2011 from http://www.fdic.gov/regulations/examinations/financialprivacy/handbook/ Hale, R. (2001). Federal privacy regulation of Internet credit card advertising and solicitation. Journal Of Internet Law, 4(7), 16. Retrieved from http://www.aspenpublishers.com Hoofnagel, C. & Honig, E. (2005). Victoria's Secret and financial privacy. Retrieved from http://epic.org/privacy/glba/victoriassecret.html Mason, R. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1), 5-12. Retrieved from http://www.jstor.org Nilakanta, S., & Scheibe, K. (2005). The digital persona and trust bank: A privacy management framework. Journal of Information Privacy & Security, 1(4), 3-21. Retrieved from http://www.ivylp.com Warren, A. (2007). Stolen identity: Regulating the illegal trade in personal data in the 'DataBased Society'. International Review of Law, Computers & Technology, 21(2), 177-190. doi:10.1080/13600860701492187