Friday, January 06, 2006

The Annual Business "Cover Your A_ _" Barrage

Talking about junk mail. The “This is how we protect your privacy” CYAs are hitting the mailbox at an alarming rate; great for the U.S. Postal Service but pure confusion for the poor consumer. Have you ever tried to read one, much less understand it? I’m going to try by analyzing a notice just received from Chase Bank, which recently acquired Bank One.

The first question of the privacy notice is: “What information do you have about me?” Chase’s answer is they capture info from your requests, transactions and credit history. They specify your income, account balances and a credit bureau report. My interpretation is they have a lot of private information on you, anything that you revealed to Chase or they can find out about you, and the three items mentioned are just the tip of the iceberg.

Question two: “How do you safeguard information about me?” The answer is it is kept under physical, electronic or procedural controls that comply with or exceed government standards. Further, they authorize employees, agents and contractors to get information about you only when they need it to do their work. And, Chase requires companies working for them to protect your information, using it only to perform Chase-requested services. My take on this is that industry security is at a minimum, based on the Bank of America lost tapes; a wide range of people have access to your data; and companies like ChoicePoint agree to protect your information.

Question three: “Is information about me shared within your family of companies?” Their answer: “Yes.” Then, “We may share information about you within our family as required or permitted by law.” Interpreted…supposedly it helps them in their marketing efforts on other products, and supposedly you get the same security as in the answer to number two.

Question four: “Is information about me shared with service providers and financial companies outside your family of companies?” Chase answer: Another emphatic “Yes.” But only as permitted by “that law,” they add. Companies included are in the marketing field and outside financial organizations with which Chase has certain agreements. My explanation…“that law” quoted is the same one that permitted at least one hundred data breaches in 2005, exposing 54 million private consumer records.

Question five: “Is information about me shared with non-financial companies outside your family of companies?” There’s that decided “Yes” again. And, under “that law” we just analyzed in number four. The companies included are retailers, auto dealers, auto makers, direct marketers, membership clubs and publishers. Quick diagnosis tells me that Chase can “share” your information with a large number of businesses outside their firm, but only as permitted by “that law.”

Question six: “Is information about me shared in any other ways?” “Yes” number four. Once again, “that law” is resurrected as their mandate for this catch-all provision. They share your data to protect you against fraud, respond to subpoenas, service your account, report to credit bureaus and with your consent. My response is that sharing your data is the basic reason the fraud exists to begin with. And folks, never, I repeat, never, ever give your consent for any personal data release over which you do not have complete control.

Question seven: “What choices do I have about information sharing?” There are two. The first is a classic argument for giving consumers control over their names and private information. Paraphrased…you can tell Chase not to share information about you outside the company but they still will, as “required” or “permitted” by “that law.” In the second choice, you can restrict data such as income, credit history, loans or employment being shared with the family of companies. But, of course, they still will share things like your name and address, bank transactions and balances, as well as surveys to which you might respond “within the family.”

It’s that term, “within their family of companies,” that worries me most about all these privacy policy notices. Most large organizations in the business community have subsidiaries established to handle specific functions such as marketing. They can operate as independent entities with profit and loss responsibility to the parent. I worked with one such company in the junk mail industry, and I can tell you that the marketing people were privy to just about every piece of data at the corporate level. Not that it wasn’t used properly, but just that all that personal data was available.

My point is that this kind of relationship places your private information in yet a different location, in another computer, accessible to a new group of individuals, with security standards we know have been challenged repeatedly in the past. There is reason for my concern.

If you remember an earlier post on this subject, there was an article link, “Forecast: ID Theft by Insiders to Grow Dramatically in ’06,” by Gene Koprowski, a leading computer security analyst, on TechNewsWorld.com. He writes: “…there will be increased theft of secure data by insiders, employees.” I rest my case.
