Saturday, September 06, 2003

Going the Extra Mile
California's Financial Information Privacy Act, known as SB1, is about to send shock waves through IT shops everywhere. The bill was overwhelmingly passed in the California state legislature Aug. 19 and was signed by Gov. Gray Davis last week. With the coming of the new law, IT departments need to get to work closing off applications and databases to ensure customer privacy.

In short, SB1 requires "opt-in." Financial institutions must get customers' authorization to share or sell personal and financial data with third-party companies with whom the customers have no prior agreement. Customers can also "opt-out," meaning that institutions will be required to offer customers a chance to prohibit the sharing or selling of personal and financial information with their affiliates or other financial institutions with whom they have agreements.

The bill also requires consent verification, which means financial institutions will have to take steps to ensure that those from whom they obtain personal and financial information about customers have followed similar notice and consent rules.

Meeting the tough requirements to prevent data sharing isn't the hardest work that IT will face as a result of the new measure. IT departments must also make company executives understand that unless they go beyond the law's measures, a confusing patchwork of state and federal laws is likely to come on the books.

How did we get into this mess? The 1998 repeal of the Depression-era Glass-Steagall Act, which mandated the separation of banks, brokerage houses and insurance companies, has fomented a frenzy of consumer financial information sharing. With the advent of affiliated-yet-separately-regulated financial services companies, consumer data now gets passed around so these different entities can cross-sell to one another's customers.

Just one thing's wrong. Companies haven't asked consumers for permission.

Sure, we've all been inundated with little slips of paper in our credit card bills, mortgage statements and brokerage reports telling us, as FleetBoston recently told me, "Protecting your privacy is important to us. We want you to understand what information we may gather and how we may share it."

These privacy notices provide, in practice, a license to circumvent customers' desire for privacy, thereby letting integrated companies sell them everything from insurance to retirement plans. Rather than taking a "Pirates of the Caribbean" approach to consumer privacy, companies should instead use technology to allow consumers to make decisions about how their private information is used.

SB1 is likely to become a model for future state and federal legislation. It doesn't preclude affiliated companies from sharing information; it simply requires consumer permission to share. Companies should jump on this opportunity, offering consumers maximum control over their financial information as a competitive advantage. An example: Companies could put a link on their bill presentment screen called "privacy controls" that opens a page where consumers can indicate interest in sharing information to gain special deals on insurance. Since consumers review and pay bills monthly, financial institutions will have at least 12 guaranteed page views per year to appeal to consumers to share information in an informed way.

http://www.eweek.com/article2/0,4149,1238730,00.asp
