WASHINGTON-The privacy wars are about to heat up again. This time, the focus returns to the state level, and is centered on the promised enforcement actions of several prominent attorneys general. Not that some members of Congress have given up on efforts to pass stronger consumer privacy provisions than those contained in the Gramm-Leach-Bliley Act (the financial modernization bill), they haven't. But with strong privacy bills pending in 24 states, the impetus has changed. Speaking here recently at the first meeting of the Congressional Privacy Caucus (CU Times March 15, Feb. 23) both Mike Hatch, AG of Minnesota and Elliot Spitzer, AG of New York, promised to keep up their vigilance on privacy issues and advocacy for greater consumer privacy protections. In opening remarks to the Caucus, which was open to the public, Senator Richard Shelby, (R-Ala.) lauded the efforts of both Hatch and Spitzer, who have secured agreements with banks (Hatch against U.S. Bancorp and Spitzer with Chase Manhattan) that stopped both from sharing private customer data with unaffiliated marketers. "The fact is, the state Attorneys General are on the front line on privacy-related matters specifically and consumer protection issues in general," said Shelby. Both Hatch and Spitzer favor an "opt-in" approach, they say, because it returns control of a consumer's private financial information to the individual. Whether laws that restore that right may pass in Minnesota, New York or elsewhere remains questionable. Spitzer's testimony on March 24 to several joint committees of the New York State Legislature pointed out that the focus on privacy has moved from the government to the private sector. Spitzer stated that the "greatest threat to privacy now comes from huge private commercial interests," that are enabled by new information technology to gather private financial information and sell it for profit, all without consent, and usually, unbeknownst to bank customers. He noted that while Gramm-Leach-Bliley (GLB) contained some privacy provisions, it also posed "new and additional threats to privacy." "There is nothing to prevent an individual's health information-provided to a bank courtesy of an affiliated insurance company- from affecting the bank's determinations about the customer's credit worthiness," he warned. He said that the "significant loophole" contained in the law that provides for joint marketing agreements for financial products from which consumers may not "opt out" is "overly broad and unduly vague and provides neither meaningful guidance for regulators nor adequate protections for consumers." Credit union lobbyists secured separate NCUA rulemaking power for privacy regulations and have made much hay of the fact that CUs usually require a confidentiality agreement with third-party vendors with which they do business. But they have objected to stronger calls for privacy protections on grounds that requiring them is too costly, a position also put forward by the banking, insurance and securities industries. Spitzer also objected to the new law's lack of limiting the redisclosure of personal financial information, especially if the third-party is also a "financial institution," which is defined very loosely, he said. Various organizations that provide "shoppers' advantage cards, auto or travelers' advantage cards or a host of other such `financial' devices" will qualify to receive private data that is passed down the line, so that "victims of privacy violations will have trouble finding out who first released the information, and under federal law, the victim can't sue." Spitzer's proposal to the legislature (Program Bill 72-2000) would provide an "opt-in" for such joint marketing provisions and redisclosure and would require banks and credit unions and their affiliates to give consumers notice of how their personal information is to be used. He advised that industry proponents will say that the "opt-in" will impede operations and deprive consumers of valuable products they may want; that "opt-out" provides adequate privacy; that states enacting a patchwork of privacy laws is unworkable and that GLB should be allowed to unfold before further action is undertaken. Shelby was blunter still, calling the GLB provisions a "sham." "The bill does not require the disclosure of the names of institutions to which the information is being shared, or the purpose and use for which the information is being shared. Thus, even with the passage of the so-called `privacy protections,' the consumer will not know exactly who the information is being shared with or how that information is being used," said Shelby. Hatch's legislative proposals follow the very same lead. "A consumer's personal information, such as their financial data and medical records should be private unless the consumer decides otherwise; an individual should be allowed to define who they are to society and to determine how their personal information is used, or not used," said Hatch. NAFCU focused on the costs of implementing the disclosures mandated by GLB in a recent survey of federal credit unions. Based on a sample of 100 respondents, NAFCU found that 43% believed that "system upgrades associated with the `opt-out' provision would be responsible for most costs," and mailings and web site upgrades will add further costs. CUNA had previously put a cost of $1 per member on the expense of complying with the disclosure regulation. A recent "White Paper" published by the STAR network, Maitland, Fla., the largest credit/ATM processor in the country, suggested that opt-in rules would "deprive consumers of popular services." The report said that Minnesota's Hatch "exploited" an "isolated, but compelling incident" and gave privacy advocates a "timely talking point...It also fed a belief that business organizations viewed private financial information as a commodity to be sold for profit rather than as a tool to benefit their customers." Hatch's agreement with US Bancorp represented, he said, the bank's willingness" to address customer privacy and step up to the plate to do the right thing." As the regulations contained in GLB will only filter down to consumers over several months, a number of advisors, including syndicated columnist Robert K. Heady, recently urged readers to "block a massive invasion of your privacy by the nation's banks, insurance companies and brokerages" by writing to financial regulators before 0the comment period runs out on March 31. And Dr. Martin D. Weiss, of the bank rating firm Weiss Ratings, Inc., Palm Beach Gardens, Fla., issued a press release to consumers concerning the protection of their information. Weiss urged consumers to take an active interest in how their data was used, with several precautions, including "weighing the pros and cons of letting an institution sell your private information." "Don't assume that doing all your business with the same group of companies is the best or most convenient plan of action," said Weiss. -
caburger@cutimes.com
