Computerworld online –
California lawmakers, in a key vote Monday, moved closer to rebuking the financial privacy provisions set in federal law by giving consumers in the nation's largest state more control over their financial information than a recently enacted federal law allows.
Financial services groups, worried that California may lead a national push by states toward tougher financial privacy, are lobbying against the bill. Companies that have already spent millions, including IT costs, to comply with the privacy provisions of the Gramm-Leach-Bliley (GLB) Financial Modernization Act, which took effect July 1, face the possibility of having to again change systems to deal with a new set of privacy rules for sharing customer information.
If the California law is adopted, other states may follow, argue industry opponents. "Hypothetically, we would have to come up with 50 different databases for 50 different laws," said Jim Garavaglia, a senior vice president and chief privacy officer at Comerica Inc., a Detroit-based financial services firm.
In approving the GLB law, Congress didn't limit the rights of states to set more restrictive privacy standards. "I think that was a flaw in the law," said Garavaglia.
The California Assembly's Banking and Finance Committee approved the Financial Information Privacy Act, Senate Bill 773, sponsored by state Sen. Jackie Speier, a Daly City-based lawmaker. The bill has already won state Senate approval but it faces additional review by other Assembly committees, a floor vote in that chamber, as well as approval by the governor.
The proposed law differs from the GLB act in two key respects. First, unlike the federal law, it gives consumers the ability to "opt-out" of confidential data sharing with affiliated firms. GLB allows personal information sharing with affiliates without consumer consent. Second, the proposed state law imposes an "opt-in," or affirmative consent, rule on companies that want to sell customer data to third parties or share it with them. The federal law requires only opt-out for third parties.
Privacy advocates, as well as many in Congress, believe GLB offers weak privacy protections. Although the California bill applies only to companies that do business in that state, whether they have a physical office in the state or not, the law could have national implications.
"It's not lost on us that a state of 35 million people is in many ways a bellwether for other states," said Robert Herrell, Speier's staff director.
For IT managers, the implications raised by varying privacy rules depend on how integrated their systems are. Financial services companies with disparate databases face greater obstacles in adapting to regulatory changes, said analysts and end users.
"If you were designing a system today with privacy in mind, you would want . . . a common platform for your data," said Dan Rainey, director of IT services at Amerisure Cos. in Farmington Hills, Mich.
The impact of privacy on systems also makes it important to work with the business side of a company to stay abreast of regulatory issues, said Rainey. "If you don't have a good relationship with your general counsel, you should get one," he said.
Complying with the federal law was a costly enterprise for many firms. For instance, Nationwide Financial Services Inc. in Columbus, Ohio, spent approximately $6 million to $10 million to comply with the law. The cost covered everything from mailing out privacy notices to systems changes, said Kirk Herath, chief privacy officer at Nationwide.
Herath said new changes to privacy rules could add millions of dollars in costs and change the company's business models. Insurers, such as Nationwide, separate risks within various company affiliates. For example, someone with a good driving record may get a policy issued by one affiliate, while someone with a bad record may be handled by another affiliate. The customer may deal with one insurance agent, but restrictions on data sharing between affiliates could hinder that customer interaction, he said.
New systems would be needed to handle those privacy restrictions, said Herath. "I can't see where it would be any less complex than what we just went through" to comply with GLB, he said.
Privacy watchers say the backlash on GLB is due in part to privacy notices sent out by financial institutions that were, in many cases, difficult for consumers to comprehend or offered few privacy protections on data sharing. The GLB notices have been a "public relations and customer relations disaster for the banks," said Evan Hendricks, editor and publisher of "Privacy Times," a Washington-based newsletter. Most of the notices offered few privacy protections, he said.
Privacy advocates and industry representatives both agree that it's impossible to predict whether California will spur Congress to preempt state law. Congressional response may well depend on how the California bill, if it becomes law, affects consumers.
"If it breaks down in the states and there is a chaotic situation that develops, Congress will have very little option but to preempt state law," said Michael Lovendusky, senior counsel at the American Council of Life Insurers in Washington.
Ari Schwartz, a policy analyst at the Center for Democracy and Technology in Washington, said the impact of the California legislation on other states isn't clear. As an example, he pointed to Quebec, which has a restrictive privacy law that hasn't been adopted by other Canadian provinces. "It's been argued both ways," he said.