Privacy Rights Clearinghouse
By Beth Givens, Director
U.S. Office of the Comptroller of the Currency
I have been asked by the Office of the Comptroller of the Currency (OCC) to present an overview of consumers' concerns about financial privacy and security. I think the best way for me to do that is to tell you about some of the cases that have come to my attention from people calling our hotline or sending e-mail messages.
Frank has taken over the banking for his elderly aunt. He asked the bank to send her monthly bank statements to his house, addressed to her. Now he finds that he is getting an assortment of what he calls "junk" mail solicitations addressed to his aunt at his address. Frank is convinced that the bank has sold this information to marketers because that's the only account that he transferred from his aunt's home to his. But he is unable to get a clear answer from the bank.
I call this the case of the evil twin. I got a call from a Stephen Smith of Oregon, not his real name. He complained about a bank in Los Angeles which had a dishonest employee. The employee was also named Steven Smith, although he spelled Steven with a v, whereas the Oregon man spelled it with a ph. The employee had access to a credit reporting terminal and had obtained Stephen's credit report. He proceeded to use the information he had obtained from the credit report to commit identity theft and open a number of credit accounts in his name. Stephen wanted to sue the bank for its negligence in hiring someone like the dishonest Steven, in not supervising him adequately, and, in a sense, giving him the keys to the kingdom without having sufficient safeguards in place to prevent his ability to commit fraud.
I received an e-mail message from George. He delivers newspapers for a living and exists on a very low income. He can't afford a bank account. But he needs to cash his paycheck and has tried to do so at a nearby bank. But the bank requires his fingerprint because he's a noncustomer. George has very strong feelings against being fingerprinted and has refused to provide his prints. But he has offered numerous forms of ID that the bank refuses to honor, including his driver's license, and utility and phone bills with his home address on it. He feels he is being discriminated against as a low-income person. He is forced to go to a check cashing store which takes a percentage of the check.
This is a composite case. One of the consumer reporters at a San Diego TV station has made a name for herself by dumpster diving in the trash bins behind a variety of businesses, including banks. She often brings her treasures to my office so I can comment on them vis-a-vis these companies' obviously flawed information-handling practices. I have seen numerous unshredded credit reports, even an unshredded background check, chucked into the trash by banks.
Mrs. Johnson called me from the Bay Area and told of her experience opening a checking account at the credit union. She was asked to fill out a form called a Universal Signature Card, which she did -- her name and signature, plus her Social Security number, mother's maiden name, date of birth and phone number. She thought nothing more of it until about 2 weeks later when she received a phone call from a stranger -- an honest stranger, thankfully, who had found Mrs. Johnson's Universal Signature Card in a parking lot across town from the credit union where Mrs. Johnson had filled it out. Imagine what a dishonest person could have done with that card. The credit union was not able to explain how that happened.
Jane and John live in Orange County, just north of San Diego. They discovered that John's former wife has obtained copies of Jane's bank account statements and credit reports to use against the couple in a child support legal case. The ex-wife hired a private investigator who, by using pretext interviews, no doubt, was able to get this information. They are suing the ex-wife but so far are making little headway.
By the way, Jane and John were featured on a CBS "48 Hours" segment on privacy a few months ago. They agreed to allow the reporter to dig up as much information as she could on them. She used a private investigative service and obtained even more bank records, long distance phone records, and medical records. The private investigator refused to divulge the methods used to gain such information, but it was probably pretext interviews and/or access to insiders.
This too is a composite case. We get numerous complaints from people about financial institutions' use of the Social Security number (SSN) as account numbers, as PIN numbers, and as access numbers for telephone banking services. We tell them what the banks should have told them from the start, and that is to change those numbers to something else and to use a password other than mother's maiden name. Better yet, of course, is for financial institutions to dispense with these obvious ID numbers from the start -- the same with mother's maiden name as the password to gain access to financial services.I am watching with interest a legal case in the Bay Area, not involving a bank, but involving the use of the SSN by a health club as the member ID. A member of the health club became a victim of identity theft and was able to track it to an employee of the health club, someone who had easy access to the SSNs of members. He has hired an attorney and is suing the health club for its negligence, not only in its use of the SSN, but also for not checking the background of its employees. The identity thief was found to have a criminal record of forgery.Given the large number of identity theft cases befalling consumers today, and the common denominator of ease of access to Social Security numbers and other sensitive personal information, I think we are going to be seeing more lawsuits like the one against the health club.In conclusion, what do these cases illustrate?
- Inadequate disclosure and consent mechanisms in the junk mail case.
- Inadequate security measures in several of the cases.
- Negligent hiring in the case of the dishonest employee with access to the credit report terminal.
- Inadequate training and supervision in several cases.
- In the fingerprint case, a rigid policy that forces the individual to disclose sensitive information, when there are alternatives that are less objectionable to the individual.
- And most of the cases share the common denominator of lack of accountability. Nearly all of these individuals reported difficulty in finding an accountable person or persons who can answer questions knowledgeably, and explain policies.
Another common denominator for nearly all of these cases is the inability of consumers to get meaningful redress for their grievances. Very few individuals have the financial resources to hire a lawyer, like the man who is suing his health club. And even if they do, few consumers want to go through the aggravation and uncertainty of a law suit. And, of course, they must be able to show considerable harm, which is often difficult to do. There must be better ways to safeguard consumers' privacy and provide them meaningful redress for their grievances when their privacy is invaded.
With that, I conclude my comments. Thank you.