Consumer Privacy

 

STATEMENT OF

MICHAEL P. SMITH,

PRESIDENT and CHIEF EXECUTIVE OFFICER

NEW YORK BANKERS ASSOCIATION

BEFORE THE

NEW YORK STATE SENATE

COMMITTEE ON INVESTIGATIONS & GOVERNMENT OPERATIONS

COMMITTEE ON CONSUMER PROTECTION

 

 MAY 24, 2005

LEGISLATIVE OFFICE BUILDING

ALBANY, NEW YORK

 

 

Good morning Chairman Spano, Chairman Fuschillo, and members of the Senate.  My name is Michael P. Smith and I am the President and Chief Executive Officer of the New York Bankers Association (NYBA).  I thank you for the opportunity to testify here today.  NYBA is comprised of community, regional and money center banks in the State of New York, which in the aggregate have over 320,000 employees and assets in excess of $3 trillion. 

 

The privacy concerns of our customers have always been a top priority for the banking industry.  We welcome these hearings, because we believe that it is essential to provide the public with information about the many extensive safeguards in place to protect consumer privacy and to discuss the possibility of further action.

 

It is important that New Yorkers know that the financial services industry has the most extensive safety net of federal and state privacy laws of any industry in the nation.  Also, New Yorkers should be particularly heartened by the progress our industry has made in protecting consumers’ privacy in this State particularly.  For example, the New York Bankers Association (in conjunction with the New York Clearing House) developed Best Practices Privacy Guidelines for Financial Institutions in 2000.  Notably, these Best Practices include specific measures designed to combat identity theft.  Moreover, NYBA has consistently supported legislation and worked in partnership with governmental authorities to protect the banking public against fraud and identity theft.  In fact, NYBA testified regarding its commitment to the privacy concerns of New York’s consumers before the Legislature in March 2000, and we strongly supported the legislation enacted through your efforts, in New York in 2002 (Chapter 619 of the Laws of 2002), which criminalizes the theft of identity and the unlawful possession of personal identification information.  

 

Most recently, on April 7, 2005, NYBA testified on the issue of data security breaches before the Assembly Standing Committees on Banks, Consumer Affairs and Protection, and Codes, along with L. Richard Fischer, a partner at the law firm of Morrison and Foerster, who specializes in privacy and data security matters.  In our testimony we stated our support for the establishment of reasonable notification provisions, which, in order to avoid unnecessary conflicts and  consumer confusion, should be consistent with the procedures which are being recommended at the national level.

 

Currently, there are a number of federal laws and regulations in place which are designed to protect consumer privacy and which take direct aim at the identity theft issue.  At the conclusion of my testimony, Mr. Fischer will review this impressive body of law, as well as the efforts underway in Washington, D.C. to further address these issues.  Thus, I will confine my comments to the ways in which New York has addressed, and continues to address, its citizens’ privacy concerns.

 

As I mentioned earlier, at the State level, legislation has also already been enacted to address the identity theft issue.  Among those initiatives is a NYBA- supported 2002 law that criminalized the theft of identity and enhanced consumers’ rights to recover damages caused by identity theft.  In 2003, additional NYBA-supported legislation was enacted to prohibit businesses from printing credit or debit card numbers or expiration dates on electronically printed receipts.  The language of this legislation was later incorporated – almost verbatim – in the Fair and Accurate Credit Transaction Act of 2003 (the “FACT Act”) at the federal level.  New York law also specifically prohibits the recording of credit card numbers on checks, and also limits the acceptable uses of Social Security numbers.   Thus, there already exist a number of State laws that protect New York’s consumers against the perils of identity theft – and we commend the members of the Legislature for taking the lead on this important matter.

 

Most recently, a number of legislative proposals have been introduced in the State Legislature designed to mandate notification procedures in the event that a company suffers a security breach.  We understand the public’s deep concern about breaches and would support the establishment of reasonable notification provisions, which would allow for workable timeframes for investigation and verification of the facts.  Such legislation should ensure that the scope of the notification required is commensurate with the number of consumers involved and the level of the risk of harm.  We would note that the California law, which has become a template for many state legislatures, has several features that should be contained in any final proposal in New York.  For example, the California bill has broad application to all businesses, rather than just financial institutions.  It permits a delay in notification when requested by a federal or state law enforcement official, which, we believe, is important – in fact, we believe that such a delay should be required, not optional. 

 

Importantly, as for any New York action, we believe that any State-mandated notification procedures should be consistent with the procedures which have  been recommended at the national level in order to avoid a patchwork of conflicting requirements.  While Mr. Fischer will discuss the federal Security Guidelines in his testimony, we think it important to note that inconsistencies between State and federal notification procedures, could only serve to cause confusion in the banks’ administration of their privacy policies and to impede the notification process. 

 

NYBA also supports enactment of state legislation which would require non-bank ATMs to register with the New York State Banking Department in order to prevent ATM fraud.  Such legislation would further bolster consumer confidence in the use of ATM facilities, over half of which are not owned by banks.  As such, they are not subject to the array of laws and regulations, which govern bank-owned ATMs.  We would also note that a number of local jurisdictions are passing ordinances on this issue.  Consistent with our long standing policy, we believe the State Legislature should set uniform standards in such matters.   

 

The banking industry will also continue to protect its customers’ privacy interests through vigorous self-regulation.   Development and implementation of privacy principles have been part of individual banks’ corporate policies for many years.  Indeed, long before the enactment of the privacy provisions contained in the Gramm-Leach Bliley Act of 1999 (GLBA), the American Bankers Association, Consumer Bankers Association and the Financial Services Roundtable developed joint industry privacy principles.  Since the advent of these joint industry privacy principles, similar privacy policies were adopted voluntarily by many banks nationwide, and a number of banks have for some time also voluntarily posted their privacy policies on their websites.

 

Since the passage of the GLBA, I am proud to report that New York has taken the lead on advancing the privacy concerns of its banking customers, with the joint development by NYBA and the New York Clearing House, of Best Practices Privacy Guidelines for Financial Institutions (a copy of which is attached).  These Guidelines seek to provide effective approaches for the development and implementation of privacy policies and include recommendations, among other things, for (i) participation by bank management in the implementation and oversight processes; (ii) appropriate and ongoing privacy training; (iii) limited employee access to and other security procedures for the protection of nonpublic personal information; and (iv) specific measures, designed to prevent security breaches.   In this regard, the Guidelines endorse the use of procedures such as passwords, callbacks and signature verification to combat identity theft.  Many NYBA member banks post information specifically addressing identity theft on their websites.  NYBA itself is also now offering an array of educational seminars and products geared specifically towards the challenges of identity theft and security procedures.  These programs are being widely used by our membership. Be assured, therefore, that New York’s bankers are taking a voluntarily aggressive role in championing the privacy and data security concerns of their customers.

 

Thank you for the opportunity to discuss this important issue and I now will turn to Mr. Fischer for his statement, after which we would welcome questions.

 

Top

Click here to return to Bank Security page
©1999-2007 New York Bankers Association. All rights reserved. The information presented here may not under any circumstances be resold or redistributed, by framing or similar means, without prior written permission from the New York Bankers Association. In addition, users of nyba.com should note the restrictions of providers of linked-to web sites on the information contained in those web sites, and to abide by all restrictions placed on that information by such providers.
home | about nyba | government relations | education & meetings | profit solutions | publications | resources | search | job bank
press room | consumer center | contact us | site map