Safeguard customers’ personal information; regulators are watching

September 19, 2014

By Julie DiMauro, Compliance Complete

NEW YORK, Sept. 19, 2014 (Thomson Reuters Accelus) – In a sanction that can serve as a wake-up to the financial industry, Verizon Communications last week agreed to pay $7.4 million to end an investigation that found it failed to tell two million new customers about their privacy rights before using their information for marketing purposes, the Federal Communications Commission said.

The privacy probe highlights the vigilance that must be paid to consumer privacy rights to meet regulators’ requirements. Although the financial industry mostly answers to different regulators, it too is subject to laws and regulations protecting the privacy of its customers.

The FCC said its investigation found that these phone customers, starting in 2006, did not receive proper privacy notices in their first bills. The notices would have told consumers how to opt out of having their personal information used to tailor marketing offers, which the company later sent to them. Compounding the lapse, the FCC learned, Verizon failed to discover these problems until September 2012 and failed to notify the FCC of these problems until January 18, 2013 — 126 days later.

Phone companies are generally prohibited from using personal data they collect from their customers, although such data can be used for marketing – if the consumer gives permission via an “opt-in” or “opt-out” process.

Order and consent decree

The FCC noted in its order and consent decree with the company that Verizon must take significant steps to improve how it protects the privacy rights of its customers.

Those privacy-protection actions include:

  • Inserting opt-out notices on every bill it sends customers, not just the first bill.
  • Creating systems that can monitor and test the company’s billing systems and opt-out notice processes to ensure customers are receiving proper notices of their privacy rights.
  • Reporting within five business days to the FCC any problems that are detected in these systems that are not an anomaly, plus any instances of noncompliance.
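As an added illustration, not part of the article or the FCC decree, the following routine audits constructed billing records for bills that lack the opt-out notice (every bill, not just the first) and checks whether a detected problem was reported within five business days; the record fields and the weekend-only business-day rule are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Bill:
    """One billing record (constructed field names, assumption)."""
    customer_id: str
    bill_date: date
    sequence: int            # 1 = first bill after account opening
    has_optout_notice: bool  # True if the privacy/opt-out notice was printed


# Constructed sample data; customer ids and dates are invented.
SAMPLE_BILLS = [
    Bill("C001", date(2014, 1, 5), 1, True),
    Bill("C001", date(2014, 2, 5), 2, False),   # later bill missing notice
    Bill("C002", date(2014, 1, 9), 1, False),   # first bill missing notice
    Bill("C003", date(2014, 1, 12), 1, True),
    Bill("C003", date(2014, 2, 12), 2, True),
]


def missing_notice_customers(bills):
    """Customer ids with at least one bill lacking the opt-out notice.

    The decree requires the notice on every bill, so every record is
    inspected, not only sequence == 1."""
    return sorted({b.customer_id for b in bills if not b.has_optout_notice})


def missing_first_bill_notice(bills):
    """Narrower check: customers whose first bill lacked the notice."""
    return sorted(b.customer_id for b in bills
                  if b.sequence == 1 and not b.has_optout_notice)


def business_days_between(start, end):
    """Mon-Fri days strictly after `start` up to and including `end`.

    Only weekends are skipped; holidays are out of scope here (assumption)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def reported_in_time(detected, reported, limit_business_days=5):
    """True if the FCC report followed detection within the five-day window."""
    return business_days_between(detected, reported) <= limit_business_days
```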

Verizon’s spokesman, Ed McFadden, noted that Verizon’s settlement with the FCC did not involve a data breach or unauthorized disclosure of customer information to third parties. Rather, some Verizon customers got marketing materials from the company about other Verizon services.

Safeguarding privacy in financial services

The Gramm-Leach-Bliley Act requires financial institutions — companies that offer consumers financial products or services like loans, financial or investment advice, or insurance — to explain their information-sharing practices to their customers and to safeguard sensitive data.

The definition of “financial institution” includes many businesses that may not normally describe themselves that way. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, non-bank lenders, personal property or real estate appraisers, professional tax preparers and courier services.

As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

The Safeguards Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services.

The rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. As part of its plan, each company must:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security: Employee Management and Training; Information Systems; and Detecting and Managing System Failures. One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. A firm can reduce the risks to customer information if it knows what it has and keeps only what it needs.

In March 2011, the FTC settled with social networking site Twitter, resolving charges that Twitter deceived consumers and put their privacy at risk by failing to protect their personal information under the Safeguards Rule. The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.

Consumer-privacy best practices

Depending on the nature of their business operations, the FTC counsels financial services firms to consider implementing the following consumer-privacy best practices:

  1. Implement rigorous employee training and supervisor oversight. As the FTC reminds firms, the success of any information security plan depends largely on the employees who implement it. Mandating background checks of new employees and having them sign a confidentiality agreement outlining your security standards are essential steps, as are protocols for which employees handle certain types of information. Regularly remind employees of how to report any possible breaches and the legal requirements of how to keep customer data secure, particularly your policies on accessing the data on mobile apps and home computers.

    Impose disciplinary measures for security policy violations and make sure terminated employees cannot access customer information: immediately deactivate their passwords and user names and take other appropriate measures.

  2. Maintain security throughout the life cycle of customer information, from data entry to data disposal. Know where sensitive customer information is stored and make sure only authorized employees have access. Keep secure backup records, keep archived data secure by storing it off-line in a physically secure area, and retain a careful inventory of all of the equipment on which customer information may be stored.

    Dispose of customer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule. Compliance with this rule often requires designating a records-retention manager to supervise the disposal of records containing customer information or hiring an outside disposal company to do so. If a vendor is hired to perform the task, the firm must conduct due diligence beforehand, checking for certifications from a recognized industry group, for example.

  3. Take reasonable steps to diagnose a security incident quickly, and have a plan for responding effectively. Consider checking with software vendors regularly to get and install patches that resolve software vulnerabilities, using anti-virus and anti-spyware software that update automatically, and maintaining up-to-date firewalls, particularly if you use a broadband Internet connection or allow employees to connect to your network from home or other off-site locations.
  4. Create audit procedures to detect the improper disclosure or theft of customer information. The FTC suggests keeping logs of activity on your systems and monitoring them for signs of unauthorized access to customer information, as well as implementing an intrusion-detection system that sends out alerts about any attacks.
  5. Take immediate action to secure any information that has or may have been compromised. Preserve evidence, bring in security professionals to help assess the breach as soon as possible, and notify law enforcement in the event of a security breach. Local laws vary on whether and when consumers must be informed.

Final note: Testing and monitoring

The systems used to protect customers’ privacy will, as with every process, have glitches. What is crucial is that systems which are routinely tested and monitored have such problems ironed out before greater damage is caused. This vigilance, along with immediate reporting to regulators of any deficiencies unearthed and the steps taken to cure them, will go a long way toward showing the regulators, and your client base, how seriously you take these responsibilities.

(This article was produced by the Compliance Complete service of Thomson Reuters Accelus. Compliance Complete provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 400 regulators and exchanges. Follow Accelus compliance news on Twitter: @GRC_Accelus)
