Why Your Bank Can (Legally) Sell Your Secrets

By EDMUND SANDERS

Nov. 7, 1999 12 AM PT

TIMES STAFF WRITER

The nation’s largest banks release confidential customer information to telemarketing firms for a cut of the profits. State officials lay plans to sell salary data on 14 million Californians. Personal bank records and monthly credit card statements are routinely marketed on the Internet for as little as $100 a pop.

A surprising lack of privacy protections is making it increasingly difficult for consumers to keep their financial affairs private, and the void has opened the door to the commoditization of Americans’ most intimate financial secrets.

Though Congress is attempting to address the problem in the recently passed financial modernization bill, the proposed protections would serve primarily to formalize what most large banks already do.

And that means banks and other financial services companies would remain largely free to buy, sell, trade and share their customers’ private financial information.

“The laws have not kept up,” laments Susan Henrichsen, a deputy attorney general in California who is investigating the recent information-sharing practices of several California banks that sold customer information to telemarketers. But so far she has not found legal grounds to bring a case. “What are the consumer protections in this area? Minimal to none. That’s the short answer.”

Under federal law, a video store owner can be fined $2,500 for disclosing a customer’s movie-watching preferences; the confidentiality of an individual’s tax records is protected; misuse of a credit report can result in a two-year prison sentence.

But a bank, securities firm or insurer can do virtually anything it likes with most of the financial details it collects about its customers. That includes how much money a customer keeps in his or her account, which stocks that individual owns, where he or she uses credit cards and to whom checks are written.

That may seem unfair to consumers, but courts have ruled consistently that such information is the property of the company, not the customer.

Negative publicity about banks’ information-sharing practices--including one instance in which a Southern California bank sold credit card numbers to someone who had been convicted of a felony--helped spur legislators to approve new protections last week as part of the banking overhaul bill that would make it easier for banks to enter the securities and insurance industries. Under the bill, which President Clinton is expected to sign, banks soon would be required to disclose their information-sharing practices and allow consumers to “opt out” of having their information disclosed to third-party marketers. But privacy advocates note that most large banks already do that and argue that protections need to go much further.

Government officials and regulators, including California Atty. Gen. Bill Lockyer, and privacy advocates are calling for an “opt in” requirement that would force banks to get written approval from their customers before releasing any information. Consumer groups also want to prevent banks from sharing customer information with affiliates unless the customer approves.

“If banks are going to use or share customer information, consumers need to be protected,” said Ed Mierzwinski, consumer program at U.S. Public Interest Research Group, a consumer organization that it is also lobbying for stricter privacy laws.

Banks counter that they use or share customer information only to provide or market better products and services.

“It gives our customers more choice,” said Kathleen Shilkret, spokeswoman for Wells Fargo Bank, which shares customer information with third-party insurance companies to offer customers products the bank does not offer itself. “If we don’t offer the service, someone else will and we will lose the business.”

From Small Start to Big Business

The market for bank records and personal financial information is a relatively new one. Consumers’ names, addresses, phone numbers and publicly available information have been sold for years, but private bank records have been largely off-limits.

Early trafficking in bank records began as a black market of sorts, with private investigators and information brokers offering to obtain--for a price--the confidential financial records of just about anyone. Typically private investigators obtain such information by calling banks’ customer service centers and pretending to be customers, a practice known as “pretexting.”

Five years ago, it was an obscure and low-profile business. With the Internet, hundreds of Web sites today allow anyone to investigate his or her neighbor with the simple click of a mouse. At present, this practice is not technically illegal, but many consider it unethical.

For $400, Chicago-based Infotrace advertises that it will provide the cash value of someone’s life insurance policy. Give Miami-based TR Information Services $95 and seven days, and it pledges that it will deliver a monthly bank or credit card statement on someone. For $309, Buena Park-based A1 Trace’s Web site offers to provide a list of stocks, bonds and mutual funds owned by a particular individual, including account numbers.

But the market for private financial information emerged as a national industry this summer, when banks got into the act themselves.

* Bank of America, U.S. Bancorp, Wells Fargo and other giant financial institutions revealed that they had been selling or disclosing information about millions of their customers--including bank account balances, credit card balances, account numbers and Social Security numbers--to telemarketing firms in exchange for a cut of the profit from every sale made.

* Charter Pacific Bank, based in Agoura Hills, started selling the credit card numbers it processed on behalf of merchants until one of the buyers, a man who once been convicted of a felony, was suspected of using the numbers to put $46 million in fraudulent charges on 900,000 card accounts. A Charter Pacific spokesman said the bank broke no laws but that it has since halted the practice.

* Mortgage lenders in half a dozen states, including California, got laws passed that allow them to buy salary information collected by state employment departments. The California Employment Development Department stood to take in $15 million over 10 years by selling the information, which was only to be released with the permission of the individual. But consumer complaints led Gov. Gray Davis to drop the California program in June, before any information was released.

“This business used to be very low-key and underground,” said Al Schweitzer, a Colorado private investigator and 20-year veteran of the information industry. “Now the market has broken wide open. Pretexting is just onesie-twosie stuff. It’s small potatoes compared to what banks are doing themselves.”

A Customer Fights Back

When Jack Sandweiss discovered that Bank of America, his bank for 22 years, had sold his name to a telemarketing firm, he hit the ceiling.

“Enough is enough,” the Westchester resident said. Sandweiss, a licensed family therapist, said he considers his financial information as confidential as what’s in his patients’ medical records.

“People have certain thresholds. This crossed mine. That information belongs to me and the institution I deal with. Period. It’s nobody else’s business.”

In September, Sandweiss sued Bank of America in small claims court, arguing that his account contract prohibited Bank of America from disclosing information about him without his permission. The judge agreed, awarding Sandweiss $5,000.

Officials at Bank of America declined to comment.

Sandweiss’ victory, however, is something of an anomaly.

A combination of legal loopholes, court rulings and legislative exemptions have left banks largely unregulated when it comes to how they can use the financial data they gather and store about their customers.

At the heart of the issue is a simple question: Who owns a bank customer’s financial information? Most consumers would be surprised by the answer.

“Courts have said again and again that banks are the legal owners,” said Alan Westin, a privacy researcher and law professor emeritus at Columbia University in New York.

That means that checks, deposit slips, credit card slips and monthly account statements are all considered business records of the bank rather than the personal property of the customer.

In addition, banks were specifically exempted from many of the privacy restrictions of the Fair Credit Reporting Act, which regulates the use of and disclosure matters regarding credit reports. So even though release of a credit report--which details information about a consumer’s debts--is only permitted under certain circumstances, banks face no such restrictions on the bulk of the financial data they collect about their customers, as long as the information is based on their own transactions and experience with the customer.

Securities firms and insurance companies are similarly unregulated in this regard. In 1995, and again in 1997, the National Assn. of Securities Dealers, a self-regulatory body, proposed rules that would have required its members to obtain written permission before disclosing certain financial information. Each time, industry opposition led the regulatory agency to shelve the idea.

Insurers are regulated chiefly by state law. In California, insurance companies are free to use customer information for marketing purposes as long as they: do not release medical-records or lifestyle information; disclose the practice; and give customers an opportunity to stop the release of information about them.

Banks staunchly oppose efforts to restrict their use of customer information, arguing that no outside regulation is needed, because many, including Bank of America, Wells Fargo and U.S. Bancorp, already permit their customers to opt-out of some kinds of information sharing.

“There’s no reason why the marketplace cannot respond to consumer preferences in this area,” said Lamar Smith, senior vice president of government relations for Visa USA, noting that many large credit card issuers offer the opt-out choice.

Last summer, in response to complaints, Bank of America and Union Bank of California agreed to stop sharing customer information with outside marketing firms; Wells Fargo and U.S. Bancorp curtailed their information-sharing with outsiders but still will release customer data in certain circumstances. Nearly every bank continues to share information about customers with corporate affiliates such as its credit card unit or securities subsidiary.

The industry argues that new laws will only provide fodder for class-action lawsuits and may harm customer service, particularly if banks are restricted from sharing customer information with affiliates. Such rules not only would restrict cross-selling among different divisions of a financial services company, they also might prevent banks from offering customers easier-to-read consolidated monthly statements, providing call centers that could serve all the customer’s needs, or granting special discounts and services to most loyal customers.

As for what’s taken place so far, banks continue to insist they have done nothing illegal.

“It’s clear that a customer’s transaction information is not restricted by federal law, and a bank is free to use it and share it,” said Lee Mitau, general counsel at U.S. Bancorp, the Minneapolis-based bank that found itself at the center of a national privacy debate in summer after the Minnesota attorney general, invoking state laws, filed suit against the bank for selling customer information to a telemarketing firm.

U.S. Bancorp settled, without admitting wrongdoing, agreeing to pay a $3-million fine. But the bank maintains it did nothing illegal.

The lack of specific privacy rights has proved frustrating to government regulators and customers.

California is part of a multi-state task force that is investigating U.S. Bancorp, Bank of America, Wells Fargo, Citigroup and other financial firms accused of disclosing customer information to telemarketers, but state regulators admit they are hard-pressed to find specific laws or regulations that have been violated, even in the case of Charter Pacific’s selling of credit card numbers to someone who had been convicted of a felony. To date, no formal action has been filed against Charter Pacific, a bank spokesman said.

Even California’s constitutional guarantee to the right to privacy has failed to provide state regulators with the ammunition they need, officials say.

“We do have a constitutional protection in California, but no one knows exactly what that means,” said Herschel Elkins, the California deputy attorney general who is also examining the financial privacy issue.

Legal Efforts to End Abuses

Cracking down on information brokers and pretexting may soon be easier, according to Federal Trade Commission attorney David Medine. Previous efforts to outlaw pretexting have failed, but legislators included an amendment to Congressional legislation that would make the practice a crime.

“It will help to have the law clearly laid out,” said Medine, associate director of financial practices for the FTC.

Meanwhile, attorneys representing bank customers are filing lawsuits to assert their clients’ privacy rights, but they--like regulators--say clearer laws would help.

“It’s not a slam-dunk,” said Albert Meyerhoff, an attorney with Southern California firm Milberg, Weiss Bershad Hynes & Lerach, which is representing the nonprofit group Privacy Rights Clearinghouse in its suit against several banks. Meyerhoff said that though he believes that the California Constitution clearly prohibits the banks’ recent information-sharing practices, he is nevertheless basing much of his case on claims of unfair business practices and false advertising, which he says will be easier to prove in court.

Likewise, attorneys in Los Angeles representing more than 300 bank customers who have filed a similar suit admit they are testing some new legal theories in their action. For example, the suit claims the banks violated the customers’ “property rights” by depriving them of their right to profit from selling their financial data themselves, says Kamran Ghalchi, partner at Mehrban Ghalchi & Yeroushalmi. The suit also invokes a state privacy law that is more commonly used to prevent a celebrity’s photograph or voice from being used to sell products without his or her permission.

“Admittedly, we are using the law creatively,” Ghalchi said. “But there’s no other case or ruling on point. We’re somewhat on the cutting edge.”

Times librarian Sheila Kern contributed to this report.

(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)

Personal Data for Sale

There’s a big and largely unregulated market for private financial information about consumers. Here are some recent examples.

INFORMATION

Bank account balances, credit card balances, Social Security numbers

Credit card numbers

Individuals’ salaries

Bank account balances, credit card statements, stock and mutual fund account information

SELLERS

Large banks, including several in California