7/29/2019 Financial Industry Modern Day Privacy Policies
1/12
Running head: FINANCIAL INDUSTRY MODERN DAY PRIVACY POLICIES 1
Financial Industry Modern Day Privacy Policies
Steven M. Swafford
University of Maryland University College
Human Aspects in Cybersecurity
Dr. Ruth Parker
November 13, 2011
Abstract
The financial industry, whether banking, investments, or credit card services, faces an ever-changing landscape when it comes to privacy, and if it is to safeguard itself and its consumers a proper plan must be implemented. There are a number of challenges surrounding privacy in terms of data protection, consumer confidence, supplier partnerships, and of course laws and regulations. The financial industry is particularly at risk because of the nature of its business as well as the sheer volume of transactions and the sizeable customer base. Not only does the Internet pose what is likely the single largest risk in the realm of privacy, but traditional communications must also accurately address privacy.
Keywords: cybersecurity, risk, financial, policy, banking, laws, regulations
Financial Industry Modern Day Privacy Policies
To set the stage for what privacy exemplifies, the Webster dictionary defines privacy as the quality or state of being apart from company or observation. With the definition of privacy clear, the financial industry must account for laws and regulations in order to safeguard both itself and its customers. To address privacy it is imperative to establish a policy which outlines the steps of how a bank manages and shares personal information. Many banks will use personal information to increase partnerships, provide a good or service, or even to assist in protection against fraud and identity theft. At this point, the scope of privacy begins to take form.
Over the years, a business typically used paper-based statements and communications to convey information, but in the modern day the Internet has improved the legacy business model. While the Internet has not entirely substituted the legacy model, it does offer convenience for consumers and at the same time helps to diminish cost for a business, at least in terms of traditional mailers. Of course, the Internet opens the door to hackers who can exploit vulnerabilities as well as take advantage of the population that does not practice concrete security practices. In order to properly address privacy, then, the financial industry must abide by laws and regulations while also sharing in the responsibility of education for suppliers, partners, and consumers. To further drive home this point, reference figure one, which touches on a number of key areas in terms of data use and protection (Earp & Payton, 2006). This paper will take a deeper dive into the financial industry in terms of a comparison and contrast as well as recommendations in the area of change that must occur.
Figure 1. Bank Data Analysis
Figure 2. Privacy Type Notices
Organization and Mission
The banking industry exists to serve customers, from individuals to corporations and groups. The role of a bank is to facilitate the end goal of financial freedom and investments. The banking industry also serves as a staple in both the United States and global economies, which in turn drives a robust need for regulations and laws. Typically, a mission statement may include:
1. Provide best-of-breed financial services
2. Accountability to shareholders and customers
By nature the banking industry is at abundant risk solely because the sheer amount of sensitive data it holds from customers is enormous. The details of personal information and daily transactions drive stout concerns from customers from both a privacy and a security point of view.
Privacy Policy and Laws
The Federal Deposit Insurance Corporation (FDIC) is in place to aid in the protection of the privacy of participants and the overall banking industry. The FDIC commonly provides both high- and low-level guidance in the area of financial activities and operations, and in other limited circumstances such as where required for law enforcement and public disclosure activities. In addition, only the minimum necessary information will be used, except in limited situations specified by applicable law. Other uses and disclosures of financial transactions will not occur unless the customer authorizes them. Customers will have the opportunity to inspect, copy, and amend their privacy elections as required by both existing laws and regulations. Privacy is extremely important within the financial industry, and figure two demonstrates three stages of the types of notices, defines which stakeholders receive them, and finally the delivery timetable (FDIC, 2001). Customers may also exercise the rights granted to them under these same laws and regulations free from any intimidating or punitive acts. The public in general is becoming much more educated and aware of the risk to personal information, as well as how all facets of business share information; because of this there are two fundamental principles:
1. Establish both initial and annual privacy policies
2. Provide a mechanism for customers to opt in or opt out of information sharing
Figure 3. Customer Data
There are established acts that allow banks to share customer information, and one such act is the Gramm-Leach-Bliley Banking Modernization Act of 1999 (Earp & Payton, 2006). Oddly enough, the Gramm-Leach-Bliley Banking Modernization Act is rooted in a case involving Victoria's Secret. Upon closer investigation of figure three, the customer information shared is broken out by sex and the amount of sales. In this case, Representative Joe Barton of Texas felt that his credit union had disclosed his address to Victoria's Secret even though he had not established a business relationship with Victoria's Secret (Hoofnagel & Honig, 2005). As we turn our attention to the scope of technology and the variety of usage it brings to the table, it becomes apparent that technology helps in everyday life activities but, at the same time, this same technology has unmistakably broken down other aspects of privacy (Nilakanta & Scheibe, 2005).
Policy and Law Changes
The single largest challenge within the financial industry may be how privacy is addressed in terms of business and the end consumers. While there are both modern and historical laws and regulations, they often conflict with one another or, worse, leave open opportunities that are easily exploited or perhaps even entirely overlooked. The banking industry as a whole is doing a much better job surrounding privacy, but as technology and business partnerships continue to evolve, so does the need to address current policies and laws.
Figure 4. Four ethical Issues of the Information Age
Data collection and sharing have become so important in conducting business that ethics takes center stage. Over two decades ago, four ethical issues arose from the information age and a new acronym, PAPA, was born (Mason, 1986), which calls out privacy, accuracy, property, and accessibility. In order to begin tackling change, figure four outlines both problems and issues. This model may be used as a template for all aspects of PAPA. The challenge is to take all existing laws, whether at the state or federal level, and balance these laws across the banking industry while keeping in mind the needs of the business and, most importantly, the customers.
Individual Rights
All consumers must have the right to access, inspect, and copy their information in accordance with policy and laws. The banking industry generally must honor these rights, except in certain circumstances when the information may result in a breach of privacy that a spouse or family member is allowed to under applicable laws. Once consumers begin to understand their rights, only then will they be in a better position to both protect them and self-police the banking industry. Of course, this is easier said than done. Most consumers are provided privacy information by the financial vendor with which they conduct business, but the information is confusing at best. Stop and consider for a moment the process a consumer undergoes when opening a checking account with a bank. The bank adheres to laws and provides a privacy statement, but more often than not these same privacy statements are written in legal terms rather than common everyday language. The Federal Trade Commission (FTC) plays a vital role between consumers and industries. Overall, the FTC performs up to expectations in terms of consumer protection, and one such example is the Fair Information Practice Act of 1997. This act outlines five core principles:
1. Notice and Awareness
2. Choice and Consent
3. Access and Participation
4. Integrity and Security
5. Enforcement and Redress
Liability
Should banks not conform to laws and regulations, the results can be disastrous to the industry itself, but more importantly they have the potential to destroy personal financial freedoms. For example, Chase Manhattan Bank was charged with selling its customers' purchase history, and an agreement was reached in 2000 with the New York State Attorney General's office (Hale, 2001). There are many other cases which relate directly to the Chase Bank infraction that have driven the need for strong penalties when privacy is violated. To better understand the liabilities surrounding privacy, one must first understand the measures of protection, which may include:
1. Implement a clean desk practice. Personally Identifiable Information (PII) must be put away if the employee is away from his or her desk throughout the day, and PII will be placed in closed and locked drawers or cabinets when the employee is not in the office.
2. PII in paper format will be destroyed when it is obsolete or is not required to be retained for storage purposes, with shredding the preferred method of destruction.
3. Limit the substance of PII in conversations with partners and other outside vendors to the required minimum necessary.
4. Implement reasonable measures to prevent other individuals from overhearing conversations, e.g., using a speakerphone only when in a closed office.
5. Limit remote access to systems to secure methods.
By starting with these five points, the groundwork starts to take shape and a clear understanding of risks begins to bubble up to the surface. Only once risks are identified and categorized can the liability start to be reduced, by taking these risks and building out strong policies and procedures. In the case where a bank is conducting business over the Internet, the Federal Reserve Board (FRB) has established guidelines where additional disclosure rules are needed to both protect consumers and reduce the liability of the company in question (Hale, 2001).
Risk Management
Managing risk is a mutual responsibility shared by both the financial industry and consumers, and each must participate in certain risk management activities to ensure compliance. The business has the greatest responsibility, and because of this there are numerous opportunities when it comes to reducing risk.
1. Workforce training on the Policies and Procedures
2. Developing a complaint process for individuals to file complaints
3. Designing a system of written disciplinary policies and sanctions
4. Mitigating damages resulting from improper use or disclosure
5. Retaining copies of its Policies and Procedures, written communications, and actions
Some of these risk management rules require stakeholders to design processes affecting
employees under their control.
Complaints
Banks must have an established process to handle a person's complaint about the privacy policies and procedures, practices, and compliance. The resolution of complaints depends on the varying facts and circumstances of the complaint. Examples of viable complaint resolution include:
1. Educating the consumer
2. Implementing changes in the policies, procedures, and practices
3. Providing appropriate training for employees
4. Issuing new communication materials both to the company and consumers
This process will assist in properly addressing consumer concerns as well as assisting banks in terms of legal obligations.
Figure 5. Identity Theft Responsibilities
Security Implications
At the end of the day, privacy is much more than just protecting information. When a bank's information is breached by hackers, or even through the everyday nature of business, the results are extremely damaging. The criminal act of stolen identities is a billion-dollar criminal enterprise, and it all starts with improper privacy practices (Warren, 2007). While many countries have defined agencies that oversee privacy (see figure five), the reality is that these same agencies tend to be rooted in existing laws that are outdated, or must even advocate the need for new laws.
Conclusion
At this point, the gravity of privacy as applied to both the banking industry and consumers should be a call to action. Banks must make every reasonable effort to protect the privacy rights and interests of consumers in the collection, use, transfer, or retention of information, to prevent inappropriate or unnecessary disclosures of information.
In closing, the following is instrumental to continually understanding and measuring privacy concerns. The financial industry must make every reasonable effort to protect the privacy rights and interests of consumers and their partners, including against unnecessary disclosures of information. The industry must further comply with all existing laws and regulations. Since technology has become commonplace, the online privacy aspect opens another area of concern that warrants a drastic change in regulations. Of course, the challenge is the ever-changing technology landscape, which typically drives the parties who enact laws to move quickly while often not fully comprehending the challenges surrounding modern day technology.
References
Burton, R. N. (2000). Discussion of information technology-related activities of internal auditors. Journal of Information Systems, 14(1), 57. Retrieved from http://www.atypon-link.com
Earp, J., & Payton, F. (2006). Information privacy in the service sector: An exploratory study of health care and banking professionals. Journal of Organizational Computing & Electronic Commerce, 16(2), 105-122. doi:10.1207/s15327744joce1602_2
FDIC. (2001). Privacy Rule Handbook. Federal Deposit Insurance Corporation (FDIC). Retrieved on November 13, 2011 from http://www.fdic.gov/regulations/examinations/financialprivacy/handbook/
Hale, R. (2001). Federal privacy regulation of Internet credit card advertising and solicitation. Journal of Internet Law, 4(7), 16. Retrieved from http://www.aspenpublishers.com
Hoofnagel, C., & Honig, E. (2005). Victoria's Secret and financial privacy. Retrieved from http://epic.org/privacy/glba/victoriassecret.html
Mason, R. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1), 5-12. Retrieved from http://www.jstor.org
Nilakanta, S., & Scheibe, K. (2005). The digital persona and trust bank: A privacy management framework. Journal of Information Privacy & Security, 1(4), 3-21. Retrieved from http://www.ivylp.com
Warren, A. (2007). Stolen identity: Regulating the illegal trade in personal data in the 'Data-Based Society'. International Review of Law, Computers & Technology, 21(2), 177-190. doi:10.1080/13600860701492187