Totalitarian governments keep their subjects under constant surveillance by requiring everyone to carry "papers" that must be presented to any government functionary on demand. This is an internal passport that everyone must show to authorities for permission to travel within the country, to move to another city, or to apply for a new job.
Having to show "papers" to government functionaries was bad enough in the era when "papers" meant merely what was on a piece of paper. In the computer era, personal information stored in databases can be used to determine your right to board a plane, drive a car, get a job, enter a hospital emergency room, start school, open a bank account, buy a gun, or access government benefits such as Social Security, Medicare, or Medicaid.
While each classification currently has its own set of rules, connecting all these dots would amount to the personal surveillance and monitoring that are the indicia of a police state. The Washington buzz words "information sharing" are often put forth as the solution to 21st century problems, but this has significant privacy implications that must be addressed.
Invasions of privacy are no longer limited to government. Big business has become nearly as powerful in demanding, collecting, sharing, and selling our personal information. Information-gathering and sharing by Big Brother and Big Business raise varying levels of concern, and both are privacy invaders. Government and business often commingle and corroborate their information-sharing in the name of catching deadbeat dads, terrorists, money launderers, drug peddlers, and criminals.
The global economy is obsessed with gathering information. The lifestyle or profile of each consumer is a valuable commercial commodity. The checks you write and receive, the invoices you pay, and the investments you make reveal as much about you as a personal diary. Where I shop, how often I travel, when I visit my doctor, how I save for retirement are all actions known to financial institutions, which connect the dots of my life and create a valuable personal profile. This compilation of personal information is bad enough, but the sharing of it without my consent is even worse.
Thus far, big business has largely been unwilling to exercise self-restraint to respect the privacy of consumers. The bottom-line dollar is viewed as more important. Financial institutions do not want to seek prior express permission to share customer profiles because they know that most people will not sign up.
True privacy protections encompass the principles of notice, access, correction, consent, preemption, and limiting data collection to the minimum necessary. These form the core of the Fair Information Practices (FIP) first codified in the 1974 Privacy Act, and they should serve as the model for every classification or compilation of personal information.
Three years ago, Congress had the opportunity to dramatically change how financial institutions treat personal information by embracing these core principles, but the resulting law was only a slight improvement over no protections at all.
On November 12, 1999, President Clinton signed into law the Financial Services Modernization bill, known more commonly as Gramm-Leach-Bliley (GLB). This act included several sections aimed at protecting sensitive personal information obtained and maintained by financial institutions, but in practice, these meager provisions are proving inadequate.
Achieving true financial privacy conflicted with the underlying goal of GLB, which was to streamline financial services, thereby increasing affiliation and cross-company marketing once affiliated. Greater affiliation meant greater information sharing. Interjecting the right of individuals to control their personal information into that streamlining equation was perceived as a threat to this big business scheme.
As a result, the GLB sections on privacy were severely watered down. Instead of personal information being kept confidential, financial institutions collect, repackage, and share the data. In some instances personal information is shared with the government, and in other instances, it is shared with hundreds of other "affiliated" companies. Even under GLB, it's still legal. GLB failed to recognize that consumers are the rightful owners of their personal information. Your financial diary should be your property, not the bank's.
GLB does not provide consumers with any opportunity to decide for themselves about the transfer of their private information among affiliates. Particularly troubling is the large number of companies marked as affiliates. For instance, Bank of America has nearly 1,500 corporate affiliates, and CitiGroup has over 2,700. There is no opportunity to stop this free flow of personal information.
GLB did include a privacy notice provision. Privacy notices should be simple documents outlining what kinds of information are collected and how the business uses that information. However, the notices sent to consumers as a result of GLB turned out to be too complicated for the public to cope with.
When GLB was set to go into effect, few consumers understood their rights. Notices began reaching consumers, and we began receiving questions about them through our website. Making the situation even more confusing, a mass e-mail was sent out by an unknown source claiming that anyone could opt out of all information sharing of banking, credit, and other financial records by calling the credit reporting companies. We tried to provide clarification and assistance through a special alert on our website, but financial institutions failed to explain the companies' privacy policies in simple terms.
GLB also provided the right to opt out of information sharing but only to third parties. With all the confusion in the notices, figuring out how to prevent the sale of your personal financial diary, and to whom you were actually denying it, was yet another significant obstacle. Opt-out consent depends on being able to understand what you are saying no to. This is a misplaced burden, especially when combined with complex, unintelligible privacy notices. Again, the design of GLB failed to begin with answering the essential property rights question. The individual was burdened with seeking further explanation of his options and consent rights to ensure protection of his financial diary.
If financial institutions want to offer such a range of popular services, they should have no problem simply explaining those services and letting individuals decide whether they want to sign up for such offers. The burden should be on the financial institutions to be honest, to better market their products, and to respect the best interests of the customer. This would contribute to more confidence and trust in the customer-business relationship.
One redeeming factor of GLB was in the area of preemption. To the financial institutions' chagrin, GLB set a floor of protections rather than a ceiling. Stronger state privacy laws can be placed on top of GLB's limited protections. Some states have already taken action and more are likely to do so. For instance, when the question was put to the people of North Dakota, information sharing without consent lost by 73%. A financial privacy bill in California was narrowly defeated this year, but state legislators are expected to revisit the issue.
The problems with the GLB privacy provisions are clear. Exceptions, such as sharing among affiliates, make notices very complex. Typically buried in small print, the limited opt-out consent burdens individuals, insufficiently protects nonpublic data, and minimizes the confidence in financial institutions' practices. The banking lobby is working hard to defeat greater financial privacy, but they should embrace better business practices that put their customers’ interests first.
It is also important to mention a disturbing trend in government exchange and reliance on private collections of information, such as through financial institutions. The post-9/11 atmosphere encourages more information-sharing and verification of identity, but any actions should be done cautiously so as to not impact law-abiding citizens.
In 1998, the Clinton Administration proposed a federal regulation called Know Your Customer, which would have turned your friendly local banker into a snoop reporting to the federal database called FinCEN any deviation from what the bank decided is your deposits/withdrawal profile. The American people responded with 300,000 angry e-mail criticisms and the regulation was withdrawn. However, the Bank Secrecy Act still requires banks to share personal information with the government through suspicious activity reports.
The Bush Administration's proposed regulations announced on July 17 to implement the USA Patriot Act's Anti-Money Laundering provisions call for identity verification, but they are even more intrusive than Know Your Customer. On that same day, the Wall Street Journal reported that the Treasury Department entered into an agreement with the Social Security Administration (SSA) "to develop and implement a system by which financial institutions may access a database to verify the authenticity of Social Security numbers provided by customers at account opening."
Congress promised us that the SSN would never be used for anything else when it was created, and certainly not for identification purposes. Giving financial institutions access to SSA's database embraces the SSN as a national ID number, which is a step in the wrong direction. Such so-called anti-money laundering provisions are threats to the privacy of law-abiding citizens. Is access to our personal records housed in the Internal Revenue Service the next step?
In conclusion, neither government nor private business should act as if they can own, share, display, or traffic our personal information without our consent. Our personal financial data should be protected by a firewall and accessible only to those who have authority. Financial institutions are in a unique position of housing our financial diaries that often contain all the dots of life. Extra caution and care should be taken by these corporations to ensure protection not only from fraud but also from misuse and overuse within the companies. Unless financial institutions are willing to raise their privacy standards independently, Congress should revisit GLB to raise the floor of privacy protection for our financial diaries.