Personal Data Firewall Remains an Illusion

Just a few short years ago, lawmakers and regulators across the land were debating what kind of "firewall" would best protect the privacy interests of the consumer. Exciting new technology was zooming in on us, and the computerized delivery systems for an entire new menu of products and services would mandate change in the relationship between the vendor and the consumer.

They called it a new information age, the information being personal data about millions of people. That information was like gold in the hands of commercial and financial interests.

Making certain that the individual maintained absolute control over the release, use, and recapture of personal information was recognized as a major challenge. As the debate went on, conflicting forces struggled with the question of how legitimate commercial needs could be met without violating the rights of the individual.

Finding the right answer to that difficult question ranked at the top of the agenda of ethicists representing commercial, banking, and government interests as well as consumers. At no time during that debate were firewall protections seen as a fringe benefit or a tradeoff for some concession from the other side. Firewalls were considered integral to the body of law this new technology would spawn and to the protection of the American consumer.

Though the public understanding of the coming changes in banking was sketchy, there was a very clear understanding on the part of the consumer as to the potential for abuse regarding their personal information while in the hands of others.

Because firewalls were the subject of many long debates and discussions, many and probably most Americans held a belief that protections of their privacy rights had become law. Any such sense of security on that question is totally unwarranted.

During the long and protracted firewall debate in my home state of Minnesota, those who supported firewalls were charged with being anti-business, or worse. Voluntary compliance was offered as an alternative to the enactment of legislation, and firewall proponents agreed to try that course, assuming the advocates were acting in good faith.

Though the "voluntary compliance" language seemed to invite loophole interpretations, and though restraints were few and vague, this regime, in a spirit of fairness to the consumer, could have worked.

Then came the recent charge by the Minnesota attorney general that U.S. Bank of Minneapolis had engaged in fraud, false advertising, and violations of the Fair Credit Reporting Act in its dealings with telemarketing firms. A substantial but unverified number of bank customers pulled their accounts as a result.

When the issue became public, the bank denied wrongdoing and proclaimed it had violated no law. Within 24 hours, all 15 of its telemarketing contracts had been canceled and the top officer off the Midwest giant attempted to put an entirely new spin on the matter by virtually treating it as a "customer relations" move. Another high-ranking officer of the bank tried to shift the focus by accusing the attorney general's office of political motivation.

Soon thereafter it was announced that Wells Fargo was being sued by a consumer advocacy group over similar marketing deals, and Wells too canceled contracts where improper use had been made of customer information.

Further action establishing standards and parameters for what has now become a truly nationwide banking system should follow the initial move in Minnesota. The question of how to effectively, fairly, and sensibly regulate the commercial use of private and confidential information about a consumer will not be answered easily or quickly. Two complexities immediately come to mind.

Larger banks often operate in-house brokerage departments or subsidiaries wherein the absence of firewalls permits the free exchange of consumer data between departments. To impose different limitations on banks whose smaller size makes outsourcing a logical alternative would put them at an unfair disadvantage.

The other issue has to do with units of government that regularly sell information in their possession. Is government inclined to gather more information than can be justified, and can government justify maintaining extensive files on American citizens who pose no threat to society nor to the nation?

There is a fundamental American tenet that, except in very extreme circumstances, the key to the private information and confidential data about an individual should never be taken from the hand of that person. I believe most Americans subscribe to that tenet.

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER