A month before the deadline to comply with sweeping privacy regulations, I asked a senior IT person responsible for compliance at a securities firm how things were going. He laughed. "Can you explain the regulations?" he asked. He was joking, I think, but his comment sums things up.

The 1999 Gramm-Leach-Bliley Act (GLBA), which allows banks, securities firms and insurance companies to compete with each other, also requires financial institutions to protect customer information through privacy notices and security policies. The banking industry is spending billions of dollars to comply by July 1, which after an eight-month extension looks like a hard deadline. But the industry, customers and even the European Union are still scrunching their foreheads over GLBA.

First, there's consumer confusion. Financial services companies are required to send customers annual notices that explain how their personal information is used and give them a chance to opt out of any data sharing. In other words, unless a customer notifies the bank that she doesn't want her data shared, her name and address are fair game. In reality, though, customers with multiple accounts are getting inundated with notices full of impenetrable legalese, which sabotages the key intent of the regulations: to enlighten customers.

Then there's the headache for financial institutions, which face possible fines and lawsuits once the deadline passes. By mid-May, auditors were already holding institutions up to the new standards, and complaints had begun about how the regulations were being interpreted. "[Auditors are] focusing on an unexpected area: encryption on wide-area networks," says Christian Byrnes, an analyst from the Meta Group, arguing that most WANs in the banking community are inherently secure. "These were supposed to have been privacy regulations. Auditors are focusing on security first."

Meanwhile, the verdict is still out on whether GLBA will be strict enough to meet the European Union's privacy directive. "It doesn't look likely," says Stewart Baker, a partner at the law firm Steptoe & Johnson in Washington, D.C. That's because Europeans are generally stricter about privacy laws, although whether they enforce them is another story. Baker also notes that because financial institutions aren't regulated by the FTC, they can't take advantage of a safe harbor agreement that the EU has offered companies in other industries. This has left global institutions confused about how to, say, send information about a European employee to U.S. headquarters.

Around the world, governments are working on other conflicting, messy regulations. In the United States, privacy regulation is even more likely now that the Democrats have gained control of the Senate. That's good news for consumers; there have simply been too many high-profile screw-ups for many of us to believe that self-regulation is working. But overall, the consequences of GLBA are enough to make even the biggest privacy advocates more than a little skeptical.

At this point, we have two options. We can see GLBA as a learning experience for how privacy regulations should be drafted and enforced, or we can use it as fodder for the debate that privacy regulation is a bad idea. CIOs are in a unique position to get involved in the creation of those regulations or to get their houses in order so that they can argue, effectively, that regulations are unnecessary. What will you choose? How about both?