Bank Systems & Technology is part of the Informa Tech Division of Informa PLC


News & Commentary

03:55 PM
Mike Fratto

Editorial: Offering Web Services? Your Customer’s Privacy Is Priority One

Make no mistake. Your organization has a legal and ethical responsibility to ensure that inadvertent data leakages--no matter how minor--do not happen.

Last August, I received an e-mail message from Bank of America reminding me that my credit-card payment was due in a week or so. I had a strong feeling this was legitimate and not a phishing scam, because it contained the last four digits of my credit-card number, my balance and the minimum payment in clear text. So I fired up my browser and typed in the URL from memory (never, ever click a link in an e-mail message purporting to be from your bank, even if you're sure you won't get phished).

I wanted to verify that I had not signed up for e-mail notification. I make it a point not to, but I might have missed something. I cruised through the preferences and couldn't find an e-mail option, so I called customer service and complained. The rep told me the bank had just enabled the service but hadn't updated the site. He went on to say that he would disable notification for me, though it might take two months. Why two months was beyond me, but I bit my lip and thanked him.

To the bank's credit, my name was removed immediately. Or so I thought.

In January, I received another e-mail notification with my account information. I clicked over to the customer service section of the site and typed an e-mail message, explaining how I had verified that I had not opted in to the notification service, yet I received a notification.

I understand that mistakes are sometimes made, and BofA was responsive when I complained the first time. But the problem recurred five months later. This is a serious business issue for BofA because it may have violated the customer-privacy provisions of the Gramm-Leach-Bliley Act and the Federal Financial Privacy Law, and BofA certainly violated its own privacy policy and service agreement by sending information about my credit-card account without my authorization. A survey of 1,000 customers last spring by the Gallup Organization and American Banker magazine indicated that 60 percent of consumers are concerned that their primary financial institution might release their personal information without their consent.

If your organization offers services over the Web, protecting your customers' privacy is paramount. Your organization has a legal and ethical responsibility to ensure that inadvertent leakages, however minor, don't occur. That means controls must be in place to ensure compliance with state, federal and company regulations and policies. BofA dropped the ball. Don't let your company do the same.

Mike Fratto, Editor [email protected]

Mike Fratto is a principal analyst at Current Analysis, covering the Enterprise Networking and Data Center Technology markets. Prior to that, Mike was with UBM Tech for 15 years, and served as editor of Network Computing. He was also lead analyst for InformationWeek Analytics ...
