Consumer Privacy & Protection
Joanna Acocella, May 22, 2007
What's the big deal?
- Sensitive information is required to meet customers' demands for services and products.
- Consumers have an expectation that their information will not be shared without their consent.
- Identity theft and data breaches are on the rise.
- Consumers, investors, public policy-makers and the media have taken notice of these trends.
- We have legal and ethical obligations to protect customers' privacy.
- Honoring that commitment enhances the consumers' experience.
Why is privacy a hot topic for us?
- Demographics
- Dramatic increase in credit-based products
- Role of schools and lenders as credit counselors
- Federal program requirements
- Security breaches of school networks
- Fines, fees and fallout
Social Security Number Fundamentals
- Intended to track individual earnings
- Technically authorized for use only by the IRS, banks and state governments
- Not illegal for private industry to use as an identifier
- Most commonly used identifier for record-keeping systems and data exchanges in the US
- Legal to refuse services to customers who refuse to provide it
- Highly effective in predictive modeling for fraud prevention
- Only way to access credit information
Federal Laws
- Gramm-Leach-Bliley Act (GLB)
  - Obligates financial institutions to protect the confidentiality of consumers' non-public personal information (NPI)
  - Establishes standards for security, protection and confidentiality of NPI
- Privacy Act of 1974
  - Restricts the use and disclosure of SSNs by federal agencies
- Fair Credit Reporting Act (FCRA)
  - Restricts disclosure of consumer reports except for specified permissible purposes
Federal Laws
- Fair and Accurate Credit Transactions Act (FACT Act)
  - Enhances identity-theft prevention
  - Further restricts the information-sharing and reuse provisions of the FCRA
- Bills introduced in the 110th Congress
  - 11 deal with cyber security
  - 93 address security of personal information
  - 56 propose new rules for information security
  - 18 tackle data security
Potential Federal Measures
- Implementing uniform national notification standards to preempt more than 30 current state laws
- Granting primary authority over data providers and privacy matters to a single federal agency
- Requiring company officers to certify adequate data security measures
- Creating standard credentialing procedures for customers of data information providers
- Prohibiting use of SSNs as identifiers and/or authenticators in private industry
- Banning the sale of SSNs
Potential Federal Measure: Leahy-Specter Personal Data Privacy and Security Act of 2007
- Applies to companies that have personal information on 10,000 or more U.S. persons
- Requires a data privacy and security program, including: controlling risks, employee training, vulnerability testing, service provider contractual accountability, and periodic assessment against current threats
- Imposes a fine of $5,000/day up to a total of $35,000/day while violations persist (more for "willful violations")
- Mandates GSA evaluation of Government contractor security
Don't Forget the States: California's SB-1386
"Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person."
Don't Forget the States
More than 30 states and at least one local jurisdiction have passed similar bills:
- Arkansas: proactive as well as reactive; destroy information that no longer needs to be retained and "implement and maintain reasonable security procedures"
- Florida: administrative fines for each day after the breach and prior to disclosure
- Montana: breach must be one that "materially compromises the…personal information"; also, SSN and driver's license number included in the definition
- New York: person or business shall notify the state attorney general, the consumer protection board, and the state office of cyber security and critical infrastructure coordination
- North Dakota: broader definition of personal information, to include mother's maiden name, DOB, and "the individual's digitized or other electronic signature"
Workplace vs. Customer Privacy
- Employers often have Total Information Awareness
  - Health insurance plans
  - Payroll and benefits information
  - Web monitoring
  - Background checks
  - Cell phones
- Meaningful consequences
  - Databases are open to federal government parties
  - Risk of breach: fiscal, reputational, political
  - Common law duties
  - Litigation
Security & Confidentiality Practices
- State-of-the-art technology protection
- Physical protection
- Procedural protection
People, not computers, are often the weakest link in a security program.
Privacy Best Practices À La NCHELP
- Cover privacy and security policies during new employee orientation.
- Require employees to secure paper containing customer information whenever the documentation is not in use.
- Require that all passwords contain upper- and lower-case letters, numbers and special characters, and that they be changed regularly.
- Utilize encryption on all external that contains customer information.
- Allow employee access to information on a need-to-know basis.
Privacy Breach vs. Identity Theft
- A breach does not always lead to identity theft, nor to legal liability.
- Guin v. Brazos Higher Ed. Service Corp.: insufficient evidence for the court to determine that Brazos failed to comply with the GLB Act.
  - … "Brazos had written security policies, current risk assessment reports, and proper safeguards for its customers' personal information as required by the GLB Act."
  - "Furthermore, the GLB Act does not prohibit someone from working with sensitive data on a laptop computer in a home office. Despite Guin's persistent argument that any nonpublic personal information stored on a laptop computer should be encrypted, the GLB Act does not contain any such requirement."
Recovering from Identity Theft
- Get organized
- File a police report with local, state or federal authorities
- Place a fraud alert on your credit file
- "Freeze" your credit report
- Contact creditors
- Close affected accounts
- Complete an FTC ID theft affidavit
- Consider moving to online bill payment
- Monitor your credit report