Banks balk at info-sharing provision in privacy law
Claim compliance with Calif. SB 1 will raise IT costs
Computerworld - Banks doing business in California are planning to appeal a recent federal court decision that lets the state enforce tough new provisions related to the sharing of customer information with affiliates.
The provisions are part of California's Financial Information Privacy Act, known as SB 1, which went into effect July 1. The law, which is hugely unpopular among financial service providers, requires banks to give customers the opportunity to opt out of cross-marketing programs in which their information is shared with affiliates such as mortgage and credit card companies.
Most financial companies in the state had expected that the affiliate sharing provisions in SB 1 would be preempted by existing guidelines in the federal Fair Credit Reporting Act of 1996, under which no such permission is required.
An attempt by the American Bankers Association, the Financial Services Roundtable and the Consumer Bankers Association to legally block the affiliate sharing provisions of SB 1 was rejected by a California Federal District Court judge in late June.
"We were certainly disappointed by that ruling," said Harvey Radin, a spokesman for Bank of America Corp. in New York. "The decision really makes it harder for our customers to do business with us." IT expenses associated with maintaining and processing customer preference information could contribute to increased costs, he added.
Under the law, companies have to send notices to all California-based customers and give them a chance to opt out of affiliate sharing. They must wait 45 days for replies. During that time, customer records have to be quarantined and can't be shared with others. Companies that share information with nonaffiliated third parties also need to get separate opt-in permissions.
From an IT standpoint, complying with the requirements means creating new database tables for recording information about when notices were sent out, when they were returned and a customer's preference, said Arshad Noor, CEO of StrongAuth Inc., an identity and compliance management company in Cupertino, Calif.
It also means putting policies in place "that spell out what business divisions need to do and a process for ensuring that they check this table before sharing any information with affiliates" and third parties, Noor said.
"Companies are making a huge effort to comply with the law. It caught a lot of them by surprise," said Fritz Elmendorf, vice president of communications at the Consumer Bankers Association. A lot of that group's members have "simply shut down cross-marketing activities" because they have not yet gone through the process of sending out notices, he said.
Notating the opt-out and opt-in selections on customer files "becomes complicated, time-consuming and expensive," given the separate systems that banks often maintain for mortgages, credit cards and deposit accounts, Elmendorf said. "Mergers often complicate this and compound it where there may be multiple systems in multiple states," he said.
- Big Data, Big Mess: Sound Risk Intelligence Through Complete Context This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Confront consumerization with convergence Virtualization expert Elias Khnaser spotlights the security, compliance, and governance issues that arise when enterprise users "consumerize" with shadow IT and public cloud...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to... All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!