financial industry modern day privacy policies

Upload: steven-swafford

Post on 03-Apr-2018

7/29/2019 Financial Industry Modern Day Privacy Policies

Running head: FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES 1

Financial Industry Modern Day Privacy Policies

Steven M. Swafford

University of Maryland University College

Human Aspects in Cybersecurity

Dr. Ruth Parker

November 13, 2011

Abstract

The financial industry, whether banking, investments, or credit card services, faces an ever changing landscape when it comes to privacy, and if it is to safeguard itself and its consumers a proper plan must be implemented. There are a number of challenges surrounding privacy in terms of data protection, consumer confidence, supplier partnerships, and of course laws and regulations. The financial industry is particularly at risk because of the nature of its business as well as the sheer volume of transactions and the sizeable customer base. Not only does the Internet pose what is likely the single largest risk in the realm of privacy, but traditional communications must also accurately address privacy.

Keywords: cybersecurity, risk, financial, policy, banking, laws, regulations

Financial Industry Modern Day Privacy Policies

To set the stage for what privacy exemplifies, the Webster dictionary defines privacy as the quality or state of being apart from company or observation. Now that the definition of privacy is clear, the financial industry must account for laws and regulations in order to safeguard both itself and its customers. To address privacy it is imperative to establish a policy which outlines the steps of how a bank manages and shares personal information. Many banks will use personal information to increase partnerships, provide a good or service, or even to assist in protection against fraud and identity theft. At this point, the scope of privacy begins to take form.

Over the years, a business typically used paper-based statements and communications to convey information, but in the modern day the Internet has improved the legacy business model. While the Internet has not entirely substituted for the legacy model, it does offer convenience for consumers and at the same time helps to diminish cost for a business, at least in terms of traditional mailers. Of course, the Internet opens the door to hackers who can exploit vulnerabilities as well as take advantage of the population that does not practice sound security habits. In order to properly address privacy, the financial industry must abide by laws and regulations while also sharing in the responsibility of educating suppliers, partners, and consumers. To further drive home this point, reference figure one, which touches on a number of key areas in terms of data use and protection (Earp & Payton, 2006). This paper will take a deeper dive into the financial industry in terms of a comparison and contrast as well as recommendations in the area of change that must occur.

Figure 1. Bank Data Analysis

Figure 2. Privacy Type Notices

Organization and Mission

The banking industry exists to serve customers ranging from individuals to corporations and groups. The role of a bank is to facilitate the end goal of financial freedom and investments. The banking industry also serves as a staple of both the United States and global economies, which in turn drives a robust need for regulations and laws. Typically, a mission statement may include:

1. Provide best of breed financial services
2. Accountability to shareholders and customers

By nature the banking industry is at abundant risk solely because the sheer amount of sensitive data held on customers is enormous. The details of personal information and daily transactions drive stout concerns from customers from both a privacy and a security point of view.

Privacy Policy and Laws

The Federal Deposit Insurance Corporation (FDIC) is in place to aid in the protection of the privacy of participants and the overall banking industry. The FDIC commonly provides both high and low level guidance in the area of financial activities and operations, and in other limited circumstances such as where required for law enforcement and public disclosure activities. In addition, the minimum necessary information will be used, except in limited situations specified by applicable law. Other uses and disclosures of financial transactions will not occur unless the customer authorizes them. Customers will have the opportunity to inspect, copy, and amend their privacy elections as required by both existing laws and regulations. Privacy is extremely important within the financial industry, and figure two demonstrates three stages of the types of notices, defines which stakeholders receive them, and finally the delivery timetable (FDIC, 2001). Customers may also exercise the rights granted to them under these same laws and regulations free from any intimidating or punitive acts. The public in general is becoming much more educated and aware of the risk to personal information as well as of how all facets of business share information; because of this there are two fundamental principles:

1. Establish both initial and annual privacy policies
2. Provide a mechanism for customers to opt in or opt out of information sharing

Figure 3. Customer Data

There are established acts that allow banks to share customer information, and one such act is the Gramm-Leach-Bliley Banking Modernization Act of 1999 (Earp & Payton, 2006). Oddly enough, the Gramm-Leach-Bliley Banking Modernization Act is rooted in a case involving Victoria's Secret. Upon closer investigation of figure three, the customer information shared is broken out by sex and the amount of sales. In this case, Representative Joe Barton of Texas felt that his credit union had disclosed his address to Victoria's Secret even though he had not established a business relationship with Victoria's Secret (Hoofnagel & Honig, 2005). As we turn our attention to the scope of technology and the variety of usage it brings to the table, it becomes apparent that technology helps in everyday life activities but at the same time, this same technology has unmistakably broken down other aspects of privacy (Nilakanta & Scheibe, 2005).

Policy and Law Changes

The single largest challenge within the financial industry may be how privacy is addressed in terms of business and the end consumers. While there are both modern and historical laws and regulations, they often conflict with one another or, worse, leave open opportunities that are easily exploited or maybe even entirely overlooked. The banking industry as a whole is doing a much better job surrounding privacy, but as technology and business partnerships continue to evolve, so does the need to address current policies and laws.

Figure 4. Four Ethical Issues of the Information Age

Data collection and sharing has become ever so important in terms of conducting business, to the degree that ethics takes center place. Over two decades ago, four issues of ethics arose from the information age and a new acronym was born called PAPA (Mason, 1986), which calls out privacy, accuracy, property, and accessibility. In order to begin tackling change, figure four outlines both problems and issues. This model may be used as a template for all aspects of PAPA. The challenge is to take all existing laws, whether at state or federal level, and balance these laws across the banking industry while keeping in mind the needs of the business and most importantly the customers.

Individual Rights

All consumers must have the right to access, inspect, and copy his or her information in accordance with policy and laws. The banking industry generally must honor these rights, except in certain circumstances where releasing the information may result in a breach of the privacy that a spouse or family member is entitled to under applicable laws. Once consumers begin to understand their rights, only then will they be in a better position to both protect them and self-police the banking industry. Of course, this is easier said than done. Most consumers are provided privacy information from the financial vendor with which they conduct business, but the information is confusing at best. Stop and consider for a moment the process a consumer undergoes when opening a checking account with a bank. The bank adheres to laws and provides a privacy statement, but more often than not these same privacy statements are written in legal terms rather than common everyday language. The Federal Trade Commission (FTC) plays a vital role between consumers and industries. Overall, the FTC performs to expectations in terms of consumer protection, and one such example is the Fair Information Practice Act of 1997. This act outlines five core principles:

1. Notice and Awareness
2. Choice and Consent
3. Access and Participation
4. Integrity and Security
5. Enforcement and Redress

Liability

Should banks not conform to laws and regulations, the results can be disastrous to the industry itself, but more importantly they have the potential to destroy personal financial freedoms. For example, Chase Manhattan Bank was charged with selling its customers' purchase history, and an agreement was reached in 2000 with the New York State Attorney General's office (Hale, 2001). There are many other cases which relate directly to the Chase Bank infraction that have driven the need for strong penalties when privacy is violated. To better understand the liabilities surrounding privacy, one must first understand the measures of protection, which may include:

1. Implement a clean desk practice. Personally Identifiable Information (PII) must be put away if the employee is away from his or her desk throughout the day, and PII will be placed in closed and locked drawers or cabinets when the employee is not in the office.
2. PII in paper format will be destroyed when it is obsolete or is not required to be retained for storage purposes, with shredding the preferred method of destruction.
3. Limit the substance of PII in conversations with partners and other outside vendors to the required minimum necessary.
4. Implement reasonable measures to prevent other individuals from overhearing conversations, e.g., using speakerphone only when in a closed office.
5. Limit remote access to systems to secure methods.

By starting with these five points, the groundwork starts to take shape and a clear understanding of risks begins to bubble up to the surface. Only once risks are identified and categorized can liability start to be reduced, by taking these risks and building out strong policies and procedures. In the case where a bank is conducting business over the Internet, the Federal Reserve Board (FRB) has established guidelines where additional disclosure rules are needed to both protect consumers and reduce the liability of the company in question (Hale, 2001).

Risk Management

The areas of managing risk are shared by both the financial industry and consumers, and each must participate in certain risk management activities to ensure compliance. The business has the greatest responsibility, and because of this there are numerous opportunities when it comes to reducing risk:

1. Workforce training on the Policies and Procedures
2. Developing a complaint process for individuals to file complaints
3. Designing a system of written disciplinary policies and sanctions
4. Mitigating damages resulting from improper use or disclosure
5. Retaining copies of its Policies and Procedures, written communications, and actions

Some of these risk management rules require stakeholders to design processes affecting employees under their control.

Complaints

Banks must have an established process to handle a person's complaint about the privacy policies and procedures, practices, and compliance. The resolution of complaints depends on the varying facts and circumstances of the complaint. Examples of viable complaint resolution include:

1. Educating the consumer
2. Implementing changes in the policies, procedures, and practices
3. Providing appropriate training for employees
4. Issuing new communication materials both to the company and consumers

This process will assist in properly addressing consumer concerns as well as assisting banks in terms of legal obligations.

Figure 5. Identity Theft Responsibilities

Security Implications

At the end of the day, privacy is much more than just protecting information. When a bank's information is breached by hackers or even through the everyday nature of business, the results are extremely damaging. The criminal act of stolen identities is a billion dollar criminal enterprise, and it all starts with improper privacy practices (Warren, 2007). While many countries have defined agencies that oversee privacy (see figure five), the reality is these same agencies tend to be rooted in existing laws that are outdated, or they must even advocate the need for new laws.

Conclusion

At this point, the gravity of privacy as applied to both the banking industry and consumers should be a call to action. Banks must make every reasonable effort to protect the privacy rights and interests of consumers in the collection, use, transfer, or retention of information to prevent inappropriate or unnecessary disclosures of information.

In closing, the following is instrumental to continually understanding and measuring privacy concerns. The financial industry must make every reasonable effort to protect the privacy rights and interests of consumers and their partners, including against unnecessary disclosures of information. The industry must further comply with all existing laws and regulations. Since technology has become commonplace, the online privacy aspect opens another area of concern that warrants a drastic change in regulations. Of course, the challenge is the ever-changing technology landscape, which typically drives parties who enact laws to move quickly but often without fully comprehending the challenges surrounding modern day technology.

References

Burton, R. N. (2000). Discussion of information technology-related activities of internal auditors. Journal of Information Systems, 14(1), 57. Retrieved from http://www.atypon-link.com

Earp, J., & Payton, F. (2006). Information privacy in the service sector: An exploratory study of health care and banking professionals. Journal of Organizational Computing & Electronic Commerce, 16(2), 105-122. doi:10.1207/s15327744joce1602_2

FDIC. (2001). Privacy Rule Handbook. Federal Deposit Insurance Corporation (FDIC). Retrieved on November 13, 2011 from http://www.fdic.gov/regulations/examinations/financialprivacy/handbook/

Hale, R. (2001). Federal privacy regulation of Internet credit card advertising and solicitation. Journal of Internet Law, 4(7), 16. Retrieved from http://www.aspenpublishers.com

Hoofnagel, C., & Honig, E. (2005). Victoria's Secret and financial privacy. Retrieved from http://epic.org/privacy/glba/victoriassecret.html

Mason, R. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1), 5-12. Retrieved from http://www.jstor.org

Nilakanta, S., & Scheibe, K. (2005). The digital persona and trust bank: A privacy management framework. Journal of Information Privacy & Security, 1(4), 3-21. Retrieved from http://www.ivylp.com

Warren, A. (2007). Stolen identity: Regulating the illegal trade in personal data in the 'Data-Based Society'. International Review of Law, Computers & Technology, 21(2), 177-190. doi:10.1080/13600860701492187