The data consumers share with their financial institutions is some of the most sensitive information around. Monthly income, shopping habits, social security numbers and much more are stored on the servers and in the file cabinets of banks, wealth management companies and accountants. Because of the sensitive nature of this information, financial institutions already face a high level of scrutiny and regulation when it comes to their handling of clients’ personal data.
The 1999 Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act, requires financial institutions to explain how they share their clients’ data, give them the option of opting out of any sharing agreements and devise safeguards to protect personal information. In addition to this federal law, a new California statute, the California Consumer Privacy Act of 2018, is now causing companies across the country – including local and national financial institutions – to review the way they collect, handle and communicate the use of client data. The new state law goes into effect on January 1, 2020.
“Right now, the way that the statute reads, it covers all personal information collected about California residents,” Dominique Shelton Leipzig, a partner at the Los Angeles-based law firm Perkins Coie LLP, told the Business Journal. This includes California residents who aren’t customers of the financial institution, but have merely browsed their website or otherwise interacted with their services and shared personally identifiable information. Online, “cookies” stored on a person’s computer by a website they visit are an example of a unique identifier that would qualify as personal information under the new law.
“The GLBA covers customer relationships,” Leipzig explained. “So if you have somebody visit a website that you have assigned a persistent identifier to their device, so that you can tell whether they visit or not, but they never become a customer – that’s still personal information. And while it wouldn’t be covered under GLBA, it would be covered under the CCPA.” Those unique identifiers, with the help of third-party services like Google Analytics, are often used by digital marketing teams to advertise specific products to consumers likely to purchase or sign up for them.
Cookies and other non-client identifiers are only one new subset of information that hasn’t previously been covered by laws governing financial institutions’ handling of personal data. “Employee data, unless that employee is a customer of the bank or the financial institution, that’s another bucket of data that’s not incorporated,” Leipzig noted.
Henry Walker, president of Farmers & Merchants Bank (F&M), said financial institutions are already much more aware of the sensitive nature of their clients’ and employees’ personal data than many other companies, giving them a leg up in the preparation for new data privacy regulations.
“Unlike many other businesses, banks and other financial services, we’ve been required since 2001 under federal law to provide disclosures, policies, practices and train staff to draft consumer privacy protection issue rules,” Walker explained. “Even on the employee side, we keep our information confidential. So, the confidentiality of what we do as a financial institution has always been at the highest level and we will continue to do that.”
Companies handling the personal information of international consumers have been affected by a groundswell of data protection laws in previous years. Following the implementation of the European Union’s General Data Protection Regulation in 2018, companies like Facebook and Google have been the subject of investigations and hefty fines for their handling of consumers’ personal data, and many others have changed their protocols to comply.
“There’s a lot of other companies out there, large national and international companies, that have a whole lot of data on people. How we purchase, what we buy, what we like, when we turn our lights off at night,” Walker said. “There’s a lot of data out there that, candidly, should be confidential. And it’s beyond just the financial services side. That, I think, is concerning.”
Still, Walker said, F&M hasn’t seen increased interest in data protection among its client base in light of the new regulations. “I think there’s always a small percentage that have a high sense of urgency around these topics, but the vast majority presume institutions are handling their data correctly,” Walker said. “There’s an expectation that we will keep their data private.”
Michael Miller, president and chief executive officer of International City Bank, echoed that assessment. Miller said that in some cases, it’s even necessary to communicate to clients why certain measures are taken to protect their data and what could happen if their data wasn’t properly protected.
“We also try to help our customers understand these threats and explain how they can keep their data safe by ensuring that they are sending confidential or sensitive information through our encrypted messaging system, and recognizing these security exploits and potential risks in their own business practices,” Miller said. “When customers question why we take security measures that may seem time-consuming or extraneous, we explain that it’s to protect their data and their business.”