Many, many years ago, when I was an elementary school student, I experienced the excitement of that now-defunct practice called "recess." This outdoor break in the school day allowed students to blow off steam, get some exercise, and learn social playground skills. It also allowed weary teachers to have a break from us. One of my favorite things on the playground was the "teeter-totter," the simple, two-person balancing board affixed to a fulcrum. The boredom of just going up and down was interrupted by doing so with force and speed or by surprising one's partner by jumping off, thereby causing the other party to descend rapidly, sometimes causing his/her bottom to hit the ground before the feet. More challenging, however, was the concept of the two riders trying to position themselves so that the teeter-totter would actually balance itself in a way that both parties would be suspended off the ground. Great fun!
Balancing data privacy rights
Strangely, this activity bears a strong resemblance to what we find ourselves doing in the payments system today as we try to balance a consumer's right to data privacy with a service provider's responsibility to protect a customer from financial loss. Achieving this balance has become a time-consuming and expensive activity for the payments industry and for law enforcement agencies charged with catching bad guys after they breach protected files.
The responsibilities inherent in providing data privacy protection are complicated because data privacy laws today are set largely at the state level. Consequently, some variance exists in the due diligence required. Companies whose customers span multiple states struggle to deal with differing requirements and remedial actions should a data breach occur. Frequently, a company adopts procedures that comply with the most rigid of the laws, in essence satisfying the "greatest common denominator," the effect of which is to gravitate toward a de facto national standard for data privacy.
Responsibilities in managing data breaches
No fewer than 24 federal laws exist today that attempt to protect the privacy of some aspect of our personal and business lives. However, there is no overarching federal legislation in place that specifically addresses financial data privacy. Such bills have been drafted, but they are logjammed in Congress behind more pressing matters. At the state level, virtually all states have some form of financial data privacy legislation on the books. For the most part, the banking industry has looked at the construct and verbiage of the 2002 California law as the standard of care for all. In essence, the law requires a company to report any breach in which a customer's name is compromised in combination with a Social Security number, a driver's license number, or any bank account information, including debit and credit card numbers. More recently, in March, Massachusetts adopted a seemingly more stringent law that speaks less to the need for post-breach remedial action and more to the prevention of breaches in the first place. In this way, data privacy legislation seems to be converging with the "commercially reasonable" data security requirements of Article 4A of the Uniform Commercial Code.
Ultimately, trouble arises when organizations are forced to guess what standards are commercially reasonable. Trouble also arises when companies attempt to minimize exposure by extending the definition of protected data to include non-personal information, such as company names and other identifiers resident in payment transaction records. While courts will have to sort out the first issue, the practice of businesses adopting self-imposed, expanded data protection standards is another matter.
The problem here is twofold. First, excess caution will inevitably lead to higher costs that have to be recovered elsewhere in a bank's profitability formula. Frequently, this occurs through the institution of some form of account. Second, over-interpretation of laws creates barriers to effective industry controls and processes for detecting and mitigating fraud, as well as making the regulatory and law enforcement aspects of fraud mitigation more cumbersome and expensive. Where, then, is the balance point on this teeter-totter of financial privacy?
Where do we go from here?
Unfortunately, the answer may ultimately lie in creating some umbrella national legislation that tries to strike the right balance. Such legislation must allow for a cadre of "trusted parties" who bear the responsibility for protecting data as the price for collecting it, so as to reduce financial crimes. As a consumer, I certainly don't want anyone misusing my personal information, but I also want those who do so to get caught and pay the price. It is only then that the cycle of improvement can take place—more forceful enforcement, more prison terms, fewer bad guys in the market, less privacy invasion, fewer sleepless nights. Inevitably, the balance point on a teeter-totter only occurs when one party pushes off first—and that may be the regulators and law enforcement.
By Rich Oliver, Executive Vice President of the Atlanta Fed and Director of the Retail Payments Risk Forum