WASHINGTON - A California bank's sale of credit card data on three million consumers to operators of a pornographic Web site could open the floodgates for privacy legislation, industry critics said last week.

To date, financial services lobbyists have been effective in fighting off tough new privacy laws, but consumer advocates are contending that this latest scandal could push politicians their way. The California incident follows on the heels of U.S. Bancorp's agreement two weeks ago to pay $3.5 million to settle a class action lawsuit charging that it had illegally shared customer information with a marketing firm.

"This and the U.S. Bancorp recent settlement with a number of states shows that the Gramm-Leach-Bliley Act isn't enough and that Congress needs to do more," said Ed Mierzwinski, a lobbyist for U.S. Public Interest Research Group. "We will absolutely use the fact that a bank made its customer database available to pornographers who ripped off customers. We'll be using and leveraging this."

Privacy hawks in Congress vowed to push for tougher legislation. "This case illustrates the inadequate level of privacy protection at many banks across the country," said a spokesman for Rep. Edward J. Markey, D-Mass. "The public continues to be at risk of having their privacy violated."

Industry lobbyists downplayed the case that emerged Thursday as an isolated incident, and said that banks and other companies are better policing themselves now.

"I don't think this case has any particular implications for financial institutions," said Alan Caskie, executive director for the Financial Services Coordinating Council privacy program. "The sale of account information by financial institutions was widespread several years ago when all this activity took place, but that is no longer the case."

The industry is catching a break because most state legislatures have gone home for the year and Congress is expected to adjourn in less than a month. It is unclear whether the California case will stir controversy long enough to prompt action next year.

The Federal Trade Commission on Thursday won a $37.5 million verdict in federal court in Los Angeles against a California adult Web site provider accused of conducting an illegal billing scam. The owners of the operation - Kenneth and Teresa Taves, and Dennis Rappaport - bought access to a large database of credit card numbers from Charter Pacific Bank of Agoura Hills, Calif.

The Web site owners then used those numbers to make nearly 800,000 fraudulent charges on individuals' credit cards, the FTC said. The agency said that more than 90% of the Web site's $49 million of sales came from unauthorized charges. Many of the customers who were charged by the site did not even own computers.

But Michael Ward, the president of $101 million-asset Charter Pacific, adamantly denied his bank did anything wrong. In an interview Friday, he said the database was not intended as a money-making operation, and was only licensed to specific merchants. Those merchants had complained of excessive chargebacks - customers seeking credits for items charged to their cards that they deny buying. The database, Mr. Ward contended, was only set up to help merchants identify consumers who were reported for excessive chargebacks. More importantly, he said, the information supplied by the bank did not include names, addresses, phone numbers, expiration dates, or any data other than the credit card number and whether there were chargebacks.

Mr. Ward said that use of those numbers alone should not have been enough for credit card companies to clear purchases or transactions. "Nobody should have been able to charge anything if everybody else was doing their job," he said. "The only reason we had the database was to perform a fraud scrub."

Mr. Ward said the bank offered the service to specific merchants for three years, and ceased the practice in September 1999 when reports of misuse surfaced.

The bank was never charged by the FTC, but Mr. Ward said the Federal Deposit Insurance Corp. took two enforcement actions against the bank, ordering it to stop the licensing of database information and to stop its involvement with high-risk merchants who make credit card transactions that are not face-to-face. Mr. Ward said the bank sold off its credit card business last month.

FDIC officials said the bank's activities violated the Fair Credit Reporting Act, which prevents financial institutions from sharing such customer information except in specific circumstances. Fraud detection is not considered one of those circumstances, said Steven Cross, FDIC director of supervision.


Related Content Online:

Subscribe Now

Access to authoritative analysis and perspective and our data-driven report series.

14-Day Free Trial

No credit card required. Complete access to articles, breaking news and industry data.