Selling the essence of you
By Scott Bradner
Network World, 06/28/99
A bank sold the account records of its depositors? It even
included the depositors' social security numbers?
I could not imagine that might be legal. Apparently, neither
could the Minnesota attorney general. But it looks as though US
Bancorp recently took those actions. If true, it represents the
type of arrogant disregard for individual privacy that many
Internet users assume is the norm.
Banks have long been seen as the paragons of discretion. The
impression most of us have is that banks hold information about
our accounts in secret, except in response to IRS inquiries and
court orders. It has been quite a scandal whenever it has
appeared that the secrecy was violated.
This is one of the reasons there was so much controversy over the
recently withdrawn federal program to get banks to "know
their customers." This plan aimed for banks to become an
investigative arm of the government and report whenever there was
suspicious activity in their customers' accounts.
How banks maintain their trustworthy image even though many of
them issue credit cards (and credit card issuers have been
vilified as the worst violators of personal privacy), I do not
know.
Thus it came as quite a shock when the Minnesota attorney general
charged that US Bancorp had sold customer account information,
including social security numbers, credit ratings, marital
statuses and birth dates, to the telemarketing company
MemberWorks. The bank was to get commissions on whatever
MemberWorks was able to sell to the bank's customers. In
addition, the bank gave MemberWorks the ability to automatically
withdraw money from the accounts of the bank's customers if
MemberWorks said it had sold something to the customers.
In its defense, MemberWorks claims it did not use the information
and that any "protected customer information" was
returned to the bank unused.
The bank claims it has not broken any laws and, sadly enough, the
institution might be right (though the Minnesota attorney general
thinks differently). The very fact that there is any question
about whether this sort of wholesale violation of banking
customer privacy is against the law is an indication of the
problem that we all face in using the Internet. If banks are not
required to protect details about your personal life, who is?
This incident has made all the more urgent the push toward the
comprehensive privacy protection legislation underway in
Washington, D.C. But, like most things in Washington, there is no
guarantee that any laws coming out of Congress - even ones that
have titles like "Financial Information Privacy Act" -
will not actually wind up codifying the ability of banks and
other powerful interests to treat you as a source of information
to sell. So it is not yet time to breathe easily.
Disclaimer: Harvard, per se, does not breathe, so the above must
be my dark mutterings.