Finance, Secure Systems, Regulatory Compliance, and Data Protection are Not the Same

Originally posted on July 25, 2014

I’ve been reading a lot about privacy and financial data (including the CIPP/US and EU exams) since returning from Europe for a new book I’m writing about the politics and practice of financial data in transatlantic counter-terrorism cooperation, which I will write about in future posts.

Most people do not think about money and data surveillance. It’s more common to talk about how governments monitor our emails, phone calls, Facebook entries, or mobile data because they are communications technologies in their unambiguous forms, but we don’t put much thought into what makes money tick.  The reality is that money is data and we have to view it as more than an instrument of wealth. 

Financial data is money, and it reveals behaviors.

Banks run entirely on information technologies for everything they do no matter what type of transaction or industry, and they are keen to use that data (or Big Data) as a commodity unto itself to sell you things, create market strategies, and to get ahead of their competition. If a bank’s IT systems are down for 48 hours, that bank is gone, gone, gone.

And the dawn of a digital currency is not new either (e.g. Bitcoin). The anchor of the international monetary system, Special Drawing Rights (SDRs or XDRs, its formal currency code), were created by the G10 governments in the 1960s and have never existed except in digital form.

It’s time to focus on how money is data because financial institutions and governments certainly do so, since our spending habits reveal our behaviors and intentions.  As the old saying goes – “put your money where your mouth is.”  We tend to invest when we believe in things or people, and not much happens without at least a little money changing hands.

Which brings me to financial data protection and privacy.

The common refrain I heard from regulators and those in the financial services was that “finance is already heavily regulated so privacy isn’t much of an issue.” This is false logic. Assuring client data confidentiality, compliance with record-keeping and accountancy guidelines, or ensuring sound security protocols does not automatically guarantee data privacy. It’s a mistake to assume that because banks make sure that their data systems are not hackable, or that they are compliant with regulations, the privacy of client data naturally follows.

My own bank failed to do this, and I offer this narrative as a small example of the disconnect among these concepts. My visa application to Belgium required a bank letter stating that my accounts were in good standing. I was not required to provide amounts, but in the end the bank gave me no choice but to disclose this information to third parties. I received a letter from corporate (after I tried to obtain the letter at the local branch I was told that they did not have that information – so you can decide to give me a loan, but this is too much?) with all the amounts of my accounts included.

The legal disclaimer was priceless:

“Our response is commensurate with the purpose and amount of your inquiry. The information provided is strictly confidential and intended for use solely by the requesting party and in reliance on your statement of intended purpose or use.”

No, the letter was not generated to the “purpose and amount” of my inquiry, and it certainly exceeded my intended purpose and use. I specifically asked for no amounts to be listed in the letter. The customer service representative said that it was a form letter, they could not alter it, and it “was generated by our lawyers.”

“The information is furnished as a matter of courtesy without a duty to do so and without responsibility, liability or warranty, express or implied, on the part of ________________ to you to any third party. Information is obtained from electronic data sources, which may not contain all information in _____________ possession; information is not guaranteed to be accurate and may be a matter of opinion. We do not accept any responsibility for errors, omissions or alterations after delivery. The information is constantly changing and therefore subject to change without notice. _______________ will not update this response unless another written inquiry is received. This information applies to the name of the subject of the inquiry as styled in your request and does not include any indirect or related accounts or obligations, unless expressly specified in our response. _______________ encourages you to contact more than one credit reference prior to making any credit decision. If you received this response by FAX and you are not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error, and that any review, dissemination, distribution or copying of the information contained in this message is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and return the message to us by mail.”

I could comment about a lot of this, but the last part is precious.  So if you send this to someone by mistake, just let us know.  No damage done.

I hope that my bank’s data systems are secure. I hope they comply with regulations. But I also know that US law gives me little control over how my data is handled, and corporate procedures imbue precious little concern about my financial privacy into their practices. So my financial data, my financial behavioral data, gets compromised more than I’d like to believe.

Companies, and the law, need to stop thinking of privacy, security, and compliance as mutually inclusive.  They do overlap, but one does not necessarily represent another, and these systems and safeguards need to be developed in tandem.

p.s. I did write to complain and I received a mundane corporate response claiming that they could not do anything about it. They did thank me for bringing it “to their attention” which is corporate speak for telling me to fly off a building.

Google, Innovation & Trust

Originally posted on June 18, 2014

Today a piece I wrote for Harvard Business Review hits the “virtual” stands. There are times when researching a hot topic is a curse (Mr. Snowden made privacy and surveillance touchy) but there are other times when it is a blessing. The Google European Court of Justice (ECJ) decision, or “Right to be Forgotten” case, has given me a chance to showcase the importance of privacy and data protection in the business world.

I have written a few pieces about data as it pertains to the financial services (here and here), and on the clash of US and EU privacy cultures and its impact on transatlantic counter-terrorism cooperation. The HBR piece focuses on how privacy can lead to profit and it draws heavily upon my interviews with the IT and corporate communities while I was in Europe.

In the popular imagination, the internet exists as a borderless world. In reality, there are many internets, and the rules that govern each of them reflect local beliefs about the role and responsibility of technology within society. The ECJ ruling classified Google as a data controller, and therefore under obligation to remove certain links to personal data upon an individual’s request, and it is a prime example of how localized privacy cultures and laws can assert themselves beyond their sovereign borders.  Although it specifically mentions search engines, it has implications for multinationals as well.

I think that the IT world was shocked by the ECJ decision because it holds the borderless internet view, it sees any curb on the free flow of information as censorship and a threat to its business model, and it is accustomed to the US-based view of data as property where corporations self-regulate data collection and usage.  Also, the Judge Advocate’s opinion, which concluded Google was not a data controller, set expectations for the final outcome of the case.

As the EU itself has been trying to figure out the legalities of balancing human rights with good commerce, the legislative ambiguities of the EU Data Protection Directive have in the past provided businesses, including European companies, with some wiggle room.  The ECJ verdict tightened the space to wiggle in some instances, but legal instruments are notoriously difficult to rely upon for definitions or guidelines for enforcement when applied in practice.

Problems of balance remain.  There is the balance of responsibilities between controllers and processors (are these distinctions even the way forward? One interviewee said we need to think of this in terms of accountability), the balance between human rights and national security, and human rights and the economy, the balance among differing views of privacy, and the realities that the physical structures in which the internet operates are transnational, which make it difficult to restrict the flow of data to certain transmission paths, let alone implement regional or national standards when doing so.  “You shouldn’t, and can’t, make Europe an island.”

No, the ECJ ruling does not mean you can be completely forgotten once you are on the global information superhighway, but it does mean that there are opportunities for government and business to innovate how data is managed, transferred, and used. In short, legal instruments are not enough; the private sector needs to take privacy beyond compliance because its clients are demanding protections even when the law doesn’t require it. In the HBR piece, I assert that this is part of a growing trend, spearheaded by consumers themselves (in the US, they talk about consumers; in the EU they speak of individuals) who believe that corporations feel entitled to use every bit of information they can find as part of a ‘big data’ marketing plan to endlessly feed algorithms for their own profit. American IT firms did not help this image either. EU legislators and privacy activists were not accustomed to the aggressive nature of US-style K Street lobbying in Brussels as IT firms campaigned against aspects of the new EU Data Protection Regulation. The Snowden revelations only added fuel to their ire. But this disgust has not been confined to the EU; Americans are increasingly suspicious of where their information flows end up too.

I have spoken about trust on this blog before regarding regulatory-corporate relations, but it applies here as well.  Corporations have to maintain the trust of their clients to keep them, whether they refer to them as individuals or consumers, and treat their data with respect. Individuals have a strong sense of ownership over their data because it reflects their personal choices, and while some consumers love the convenience that data analytics provides, some do not.  So I ask (somewhat rhetorically because I know there are some efforts, but will tackle them in later posts) businesses to consider services for those who want (and legally demand) more control over their data.

The HBR article touches upon some fundamental issues, and I hope to follow up with another piece that connects data privacy to data security. Unfortunately they are often treated as separate issues, but privacy, security, and trust are endemic to any business relationship and, when done right, they are, again, profitable.