Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
January 14, 2013
Data Collection and Privacy: A Continuing Discussion
During my childhood, my parents would frequently challenge me with "if-then" decisions, often in an effort to direct my behavior. They'd say, for example, "If you finish your homework early, then you can go out and play." Consumers are constantly faced with similar if-then choices related to disclosing their personal information as they conduct their business, whether online or in physical locations. Many of us have been confronted with this type of choice: "If you want to receive coupons or other special offers, then sign up for our loyalty card program (where we may track all your purchases and may provide that information to others for marketing purposes)." Or: "If you want to access this website, then you must agree to the following terms and conditions." Of course, the consumer can always decline the offer. However, the business doesn't want that to happen, so it generally looks for the right balance that would allow the consumer to feel comfortable while it realizes its goals.
The data privacy issue comes to the forefront with every announcement that some database has been hacked and customer information, including account numbers, has been compromised. Most recently, the state of South Carolina acknowledged that hackers had gained access to information for more than three million bank accounts, almost two million Social Security numbers, and about five thousand credit card numbers. The overall cost of recovering from such a large-scale incident—not only in direct costs including possible fines but also in reputational costs and diminished consumer confidence—can be substantial. Businesses and governmental agencies must continually work to strengthen their data security systems.
The primary privacy issues appear to be focused on overall informational privacy concerns and the lack of consistent and comprehensive state and federal laws. In February 2012, the White House released a privacy bill of rights policy document titled Consumer Data Privacy in a Networked World. This document is intended to serve as a legal baseline for all companies as to how they should treat consumer data and manage customer interactions. Then in March 2012, the Federal Trade Commission (FTC) issued a similar report, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers. The White House and FTC reports offer similar recommendations, including:
- Congress should enact baseline privacy protection legislation, and the industry should increase its self-regulation efforts.
- Consumers should be clearly provided a "Do Not Track" option. This mechanism would allow them to choose whether they wanted to allow websites to collect information about their Internet activity and use it to deliver targeted marketing messages or other behavioral advertising.
- A company should obtain affirmative consent from a consumer before it uses collected data for a purpose other than the one for which the data was originally collected.
- Consumers should be able to view the data that data brokers have collected about them for marketing purposes, and data brokers should provide a mechanism for correcting inaccurate information.
It will be interesting to watch these activities over the next year to see at what pace the various data collection and privacy constituencies will examine and address these issues. In a future blog, I will examine in more detail the legislative and regulatory efforts that are underway to address these recommendations. The issues of security and privacy will continue to evolve in the banking and business industries and will be frequent topics of discussion in future Portals and Rails posts. We encourage your comments as this discussion continues.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed