Recent data breaches have revealed two important aspects of the debate around consumer privacy: 

  • When it comes to keeping consumers’ trust, executives with MBAs are much more likely to make dangerous decisions than engineers focused on securing customers’ personal information. 
  • And the way people view the compromise of their most personal details has shifted. 

Unlike with past breaches, where consumer concern centered on the potential for malicious actors to exploit compromised data, consumers have become increasingly worried about the conduct of the companies that hold their data.

Just 28% of consumers feel they have control over the way companies use and share their data, and three-quarters (75%) support stronger privacy regulations.


A recent report in the New York Times exposed an agreement between Facebook and the Royal Bank of Canada that gave the financial institution (FI), along with Spotify and Netflix, special privileges that most likely allowed its customers to read, write, and delete people’s private messages from within its mobile and web applications. RBC denied it can “see users’ social media conversations.” But whether that is true doesn’t matter to bank customers, who will now flood customer service lines and question their relationship with the FI.

This shift in consumer privacy concerns is clearly reflected in the regulatory environment. While the General Data Protection Regulation in the EU stole headlines globally, in the U.S., states were flexing their own regulatory muscles. California and Vermont both passed sweeping privacy regulations, and stronger privacy regulations are also under consideration at the federal level.

The Senate recently introduced the Data Care Act of 2018. Although it’s unlikely to pass in a divided Congress, it hints at what federal officials are interested in seeing enacted on a national level. The bill would create a national data breach notification standard, as well as a “duty of confidentiality” requirement that would “extend to third parties when disclosing, selling, or sharing individual identifying data.”

At the state level, part of what makes the California Consumer Privacy Act (CCPA) remarkable is its expansive definition of "personal information." That covers effectively every class of data that could be conceivably linked with an individual or household, including IP addresses, information regarding the individual's interaction with the website, and even "inferences drawn" about the consumer from these interactions. 

While the CCPA does not immediately extend this definition of personal information to California's breach notification law, the array of protected data is expanding rapidly as consumers clamor for greater control and transparency over use of their data.

Recommendations:
  • FIs must understand their customers’ habits and privacy preferences. To keep trust with banking customers, FIs need to provide clear policies and educational materials.
  • Accelerate GDPR compliance to get a leg up on domestic regulations. Regulations like the CCPA take a page out of GDPR’s book in that they are structured to apply to any company that has at least one customer in the covered jurisdiction. Complying with the most stringent data regulations now can reduce the challenge of adapting policies to comply with new regulations as they appear.
  • Create clear definitions for required information, meaning data that can’t be deleted despite customer requests. FIs must create clear disclosures and consent processes and evaluate them. Banks should also create process flows and swim lanes of responsibility to ensure the enforcement of privacy policies.


Author

About Kyle Marchini

Kyle is a senior analyst in Javelin's Fraud & Security practice. His research focuses on strategies for financial institutions to protect their clients from fraud within the context of emerging threats to consumers’ financial security. He regularly co-authors reports analyzing methods for preventing, detecting, and resolving instances of financial crime, the impact of different fraud mitigation strategies on consumer behavior, as well as the projected consequences of technological changes in payment platforms on data security.

Before joining Javelin, Kyle was a Research Fellow at the Ludwig von Mises Institute, where he evaluated the financial and operational benefits from the implementation of the quality management standard ISO 9001 in manufacturing firms.

Kyle holds Bachelor’s degrees in Economics and Music from Grove City College.


About Sean Sposito

Sean Sposito is an analyst in the fraud & security practice at Javelin Strategy & Research. His primary focus is the intersection of retail banking and information security. The topics he’s keenly interested in are vulnerability disclosure, cybersecurity insurance, threat intelligence, and the overall challenges facing security executives inside financial institutions. 

Before joining Javelin, Sean worked as a reporter at the San Francisco Chronicle, the Atlanta Journal-Constitution, and American Banker, among others. As a content strategist at the Christian Science Monitor, he counseled security vendors, PR agencies, and in-house communications executives on storytelling techniques and media engagement. 

He has moderated panels at the Visa Security Summit, the ATM Debit & Prepaid Forum, the Emerging and Mobile Payments Card Forum, the Mobile Banking and Commerce Summit, and the Mobile Payment Conference, among others. He holds a bachelor’s degree from the University of Missouri’s School of Journalism. 


About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Senior VP of Research and Head of Fraud & Security. As SVP of Research, he oversees the firm’s operations and ensures that Javelin’s research content provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to media outlets such as American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. He earned a Bachelor of Arts degree in History from the University of South Florida.
