Chase Manhattan Corp.'s privacy settlement with New York State's Attorney General could provide a blueprint for addressing the issue of the use of customer data, but perhaps equally important was how it illustrated the way state government can work to tie up loose ends in federal law.

Almost immediately after passage of financial reform, experts predicted states would play a key role in developing rules for the financial industry. Chase's agreement not to share personal financial information anymore with non-affiliated marketing companies, a practice not barred under federal law, shows that in such areas, the states may well set the bar higher than Washington has.

Chase had been selling account information about its mortgage and credit card customers, including their credit limit, usage, balance, and the date of the customer's last transaction, to Cendant Corp., Signature Group, BrandDirect Marketing, and United Marketing Group. These companies marketed primarily nonfinancial products ranging from shoppers' clubs to dental plans.

Chase ended the practice in July, shortly after Attorney General Eliot Spitzer met with officials of the bank about the issue. Under federal law, which goes into effect in November, such data sharing is permissible as long as customers are given a fair chance to opt out of such marketing, a standard short of the one set in Chase's agreement.

"This agreement takes it a step further than what the federal government requires," said Christine Pritchard, a spokeswoman for Attorney General Spitzer.

"We want to encourage other financial institutions to follow in the steps of Chase," Ms. Pritchard said, adding that Mr. Spitzer is currently investigating "similar situations with other banks in New York."

The case also shows how quickly banks are finding the regulatory landscape shifting under their feet.

"Practices that were fine and dandy a year ago might be out of balance now," said Martin E. Abrams, vice president of information policy and privacy for Experian Inc., the Orange, Calif., credit bureau. The demand for privacy-related instruction is at least strong enough for Experian to co-sponsor a first-of-its-kind privacy conference, along with the law firm Hunton & Williams, in February.

Another incident last fall involving U.S. Bancorp inspired an investigation by 20 state attorneys general into the information-sharing practices of the largest banking companies with significant credit card operations. Such cases, in which the states are leaders on privacy-related issues, are already affecting corporate behavior.

The practice of selling information beyond a consumer's name, address, and telephone number is dwindling, said Robert R. Belair, editor of the newsletter Privacy & American Business. "This might have been the norm as recently as a year ago, but most major financial institutions are not doing that now," Mr. Belair said. Mr. Belair is also a partner in the Washington, D.C., law firm Mullenholz, Brimsek & Belair.

Joan Warrington, vice president and general counsel for Citigroup Inc., declined to comment specifically on the company's data-sharing practices but said cases like U.S. Bancorp's, though "blown out of proportion," were already having a kind of beneficial effect. "Companies have tightened their policies," Ms. Warrington said.

In the long run, a patchwork of state agreements may not provide the kind of answers many nationwide banks are seeking in formulating their policies.

A senior bank official in charge of privacy issues at a large credit card company, who did not want to be identified, said sharing consumer information with outside companies has long been a standard industry practice, even endorsed by federal regulators as being "a reasonable part of commerce."

"A lot of us have been sitting, waiting to see how the new banking bill will come out," the executive said. "It's not worth it for us to undertake anything unless the regulations have been developed."

The banking industry is waiting for the specific language in the financial reform bill on consumer privacy disclosures, said John Byrne, general counsel of the American Bankers Association in Washington.

"We know we need to have an opt-out policy and disclose our privacy policies," Mr. Byrne said. But bankers don't know yet "every reference that needs to be in our privacy statement.

"Everyone is taking stock, doing a privacy temperature check and making adjustments based on the law," Mr. Byrne said.

For Chase, its privacy policy turned out to be central to the case. Without a law barring the sale of customer data, the New York attorney general would have turned to Chase's own privacy policy in preparing any action. Because Chase apparently contravened its own policy when it sold information on customer balances and other such figures, a state lawsuit would have probably centered on charges that Chase violated the state's deceptive labor practice statutes.

In its settlement, Chase neither admitted nor was accused of any violations of law. The banking company agreed to sharply limit the sale of information on customers approving such use to names, addresses, and telephone numbers.

In the case of U.S. Bancorp, the Minnesota-based bank was sued by the state attorney general, who alleged that U.S. Bancorp was selling consumer credit report information as well as actual account numbers. The lawsuit claimed that this violated the Fair Credit Reporting Act.
