ABA v. Lockyer

Introduction

In ABA v. Lockyer, financial services companies are suing to invalidate a California law that provides individuals with strong privacy rights. In 2003, California enacted the California Financial Information Privacy Act, commonly known as "SB 1." SB 1 provides the strongest financial privacy protection in the nation. It allows customers to "opt out" of information-sharing practices between affiliated institutions, that is, companies that have common ownership. SB 1 also bars financial institutions from sharing information about consumers with nonaffiliated third parties unless an individual gives his or her express "opt in" consent. However, the legal issue in ABA is limited to the constitutionality of the "opt out" provision for affiliate sharing; a series of other rights created by SB 1 are not being challenged in this case.

In April 2004, the American Bankers Association (ABA), the Financial Services Roundtable and the Consumer Bankers Association filed suit arguing that SB 1 is preempted or superseded by the federal Fair Credit Reporting Act (FCRA). As interpreted by the banking industry, the FCRA imposes a preemptive ceiling on state privacy statutes, thereby preventing any state or local regulation concerning affiliate sharing of consumer information.

However, District Court Judge Morrison C. England, Jr. ruled otherwise, holding that the federal Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) allows states to erect stronger financial privacy protections. Judge England’s Amended Order, issued on July 9, 2004, concludes that (i) the FCRA was not intended to regulate the simple sharing of information between affiliates, (ii) the only reasonable reading of the FCRA preemption provision is that it prevents states from enacting laws that prohibit or restrict the sharing of consumer reports among affiliates, and (iii) the FCRA preemption provision does not broadly preempt all state laws regulating information sharing by affiliates.

On July 28, 2004, the Ninth Circuit Court of Appeals granted Plaintiff ABA's request for an expedited appeal of Judge England's decision. EPIC is preparing an amicus brief against preemption of SB 1 to support California's and other states' efforts to regulate affiliate sharing.

EPIC's Interest

Preserving states' right to regulate is important for privacy protection. Most privacy protections come from state, not federal law. Throughout history, state and local governments have served an important role as real-world laboratories for innovative health and safety policy initiatives. States enjoy a unique local perspective that allows them to craft and test programs to protect consumers. State legislatures are also closer to the constituents they represent and the business communities they regulate. They are the first to see trends and problems, and are well-suited to address new challenges and opportunities that arise from evolving technologies and business practices. Thus, it is important that state lawmakers retain the ability to tailor consumer protections to the needs of regional economies and constituencies. For detailed policy arguments against preemption of privacy law, see EPIC's Privacy and Preemption Page.

Federal privacy law is weak and allows prodigious information sharing. Federal law now allows a broad spectrum of financial institutions to affiliate and operate under a single corporate umbrella – a financial holding company. These diverse institutions engage in a wide range of activities and compile a vast amount of information about their customers. Each time a customer interacts with a single financial institution, a digital record of that interaction may be created and shared by that company's corporate affiliates. The shared data may include financial, medical and other sensitive information. For example, the types of personal information that may be shared include all information on applications to obtain financial services (including credit card or loan applications), bank and credit card numbers and account histories, and the fact that an individual is or was a customer.

Some financial holding companies have thousands of affiliates, making it exceedingly difficult for consumers to understand how personal information provided to a single entity will be employed for secondary purposes across the entity’s affiliate structure. CitiGroup, Inc., for example, has over 2700 corporate affiliates. Similarly, Bank of America has almost 1500. Given the vast number of corporate affiliates, individuals have limited insight into how, and for what purposes, their personal information is used by companies with whom they have no contact or business relationship. Furthermore, when information is misused by one of the thousands of an institution's affiliates and marketing partners, individuals are often unable to identify the offender due to the lack of visibility into affiliate sharing policies.

Significant privacy risks are created each time an individual’s personal information is shared with an affiliate. It is possible that a single entity collecting personal data may have a relatively secure technology platform to protect against computer hackers and other types of security breaches. Upon investigation, a consumer may feel comfortable providing such an entity with sensitive information in exchange for the customer service benefit it produces. However, it is a practical certainty that at least one of the potentially thousands of companies with whom the collecting entity may share personal information will not employ equivalent security standards. Variations in technology, personnel, and resources dictate that the protection of sensitive consumer information is inconsistent across affiliates. Absent SB 1’s "opt out" provision, consumers in California are stripped of all control over the dissemination of their personal information once it is obtained by a financial institution.

Information sharing can lead to fraud. Major financial institutions have used their aggregate customer lists to target consumers for fraudulent telemarketing schemes. Capital One, Chase Manhattan, Citibank, First U.S.A., Fleet Mortgage, GE Capital, MBNA America, and U.S. Bancorp all have provided their customers' personal and confidential information to fraudulent telemarketers.

In these cases, financial institutions provided telemarketers with the names, telephone numbers and other information about their customers. They also gave them the ability to charge customers' accounts without having to ask consumers to provide an account number. This practice, called preacquired account telemarketing, has subjected thousands of individuals to unauthorized charges for products and services they never wanted or ordered. In one case, during a thirteen-month period a national bank processed 95,573 cancellations of membership clubs and other products that were billed by preacquired account telemarketers without customers' authorization.

Even non-customers can be defrauded by information sharing. In some cases, the sharing of financial information has allowed businesses to defraud non-customers as well. This can occur where a bank sells personal information to another business. Charter Pacific Bank sold its database containing 3.6 million valid credit card account numbers to a convicted felon who then fraudulently billed the accounts for access to Internet pornography sites that victims had never visited. In fact, approximately 45% of the victims did not even own a computer. Charter Pacific did not develop the database from its own customers' information. Instead, it compiled the information from credit card holders who had purchased goods and services from merchants that had accounts at Charter Pacific. The information included the date of sale, account number, and dollar amount of every credit card transaction processed by the bank's merchant customers. The unrestricted sharing of this information resulted in over $44 million of unauthorized charges.

Affiliate sharing can expose the elderly and other at-risk consumers to increased likelihood of fraud. For example, NationsBank shared with its affiliated securities company data on bank customers with low-risk, maturing federally insured CDs. The affiliate, NationsSecurity, then aggressively marketed high-risk investments to these conservative investors, misleading many customers to believe that the investments were as safe and reliable as federally insured CDs. Many customers, including elderly retirees, lost significant portions of their life savings. After an investigation, the Securities and Exchange Commission found that the companies intentionally blurred the distinction between the bank and the brokerage, and between the insured CDs and riskier investment products. Affiliate sharing of customers' information made this possible. NationsBank provided the investment representatives with maturing CD customer lists, as well as customers' financial statements and account balances. As a result, when these investment representatives called NationsBank's customers and indicated that they were with the "investment division" of the bank, many customers reasonably believed that they were bank employees, not brokers. NationsBank is not the only bank to have engaged in such a practice. First Union settled a private lawsuit alleging a similar scheme.

Identity theft is fueled by insiders--financial services company employees--with access to your personal information. The unrestricted sharing of consumers' information also facilitates criminal activity, such as theft of financial identity. Identity theft is one of the nation's fastest growing white-collar crimes. Many of these identity theft cases are "insider jobs," committed by employees who obtain access and misuse individuals' personal information stored in their employers' databanks. A soon-to-be-published survey by researchers at Michigan State University found that up to 70% of identity theft cases involve an insider with access to personal information.

Public opinion polls show strong support for more privacy protection. Independent polls demonstrate that Americans want more control over the use of their personal information. Over a decade of public opinion polling has demonstrated that individuals care about the privacy of their personal information, and that they want protections in law following Fair Information Practices. In 1990, a Harris Poll showed that 65% of Americans favored the creation of a privacy protection commission. A year later, a Time-CNN poll showed that 93% of respondents believed that the law should require companies to obtain permission from consumers before selling their personal information. For more public polls on privacy, see EPIC's Privacy and Public Opinion Page.

Resources

District Court Proceedings

Ninth Circuit Court of Appeals Proceedings

News


Last Updated: October 19, 2005
Page URL: http://www.epic.org/privacy/preemption/abavlockyer.html