Lawmakers tackle privacy.

Tech growing pains are giving privacy issues a high profile. Technology allows the easy accumulation and distribution of personal financial data as well as the theft of these data. The growing demands and interrelatedness of the marketplace have increased companies' need for profiling the purchasing habits and financial situations of consumers. A few companies made headlines last year for their poor stewardship of customer information. This notoriety helped to make consumer financial privacy an urgent issue for Congress, the public and the business community. For example, U.S. Bancorp of Minnesota sold confidential customer financial information from its files to third-party marketers. The story made national news, causing U.S. Bancorp and several other financial institutions to stop the practice and prompting the Minnesota attorney general to file suit against U.S. Bancorp. In another major privacy story, Amazon.com profiled its customers' most popular book and music purchases, named the companies employing those customers making the purchases and published the information on its Web site. Customers' reaction caused Amazon.com to immediately stop publishing it. But Amazon still retains the data. According to USA Today, only 20 of the 100 biggest online retailers have privacy policies that restrict the use of customer information to completing transactions. Although some e-commerce companies have seals--such as the WebTrust[SM] seal--to indicate the company's privacy policy, consumer groups and many on Capitol Hill believe that regulating the use of private financial information is necessary, and that disclosure and consumer choice regarding privacy policies are not enough to protect consumer privacy. This is an area where the CPA's expertise puts him or her in an excellent position to help financial institutions to implement, maintain and monitor the privacy policies and systems they will have to create.

WAKE-UP CALL

In early January details about the first major theft of consumer financial information from an e-commerce company flashed into the news. A computer hacker had broken into the system of CD Universe and copied 300,000 customer credit card files. The hacker attempted to extort money from CD Universe in exchange for returning the information. When CD Universe refused to submit to extortion, the hacker posted the names, addresses and credit card numbers of 25,000 customers on a Web site. Although this theft happened to an e-company, confidential financial information can be stolen from any company that maintains such records. Although federal law essentially shields consumers from any loss due to the unauthorized use of their credit cards (there is a $50 limit on a credit card), this incident heightened concern over the privacy and security of data stored in computers. Ultimately, all consumers will foot the bill for these losses when companies pass the charges to their customers in the form of higher costs.

NEXT?

Since the accounting profession's stock-in-trade is confidential financial information, it is conceivable that the Federal Reserve Board could adopt a regulation subjecting CPAs in public practice to the privacy rules applicable to financial institutions, which require periodic disclosures to clients about the privacy and integrity of confidential data. However, the proliferation of current and upcoming privacy statutes and regulations also opens up business opportunities for the profession and at the same time could subject CPAs to tougher requirements. To mitigate risks, companies will seek assurance services that test the efficacy of their privacy systems. Clearly, what WebTrust achieves for e-commerce and SysTrust[SM] for any business are pioneering efforts in this area (see sidebar, "AICPA Assurance Service Programs That Address Privacy Issues," page 31). Privacy consulting--both creating privacy policies and systems as well as internal controls--is also an area where the accounting profession's expertise can put CPAs front and center in the effort to guard public and business interests.

THE HARDWARE STORE AS FINANCIAL INSTITUTION

The privacy provisions of the 1999 Financial Services Modernization Act apply to financial institutions and their treatment of nonpublic personal information. The act defines a financial institution as "any institution the business of which is engaging in financial activities," and the Federal Reserve Board is given the authority to determine what activities are financial. Once an activity is determined to be financial in nature, then companies that engage in such an activity are subject to the privacy provisions of the act, whether or not the company is affiliated with a financial holding company. Such a broadening of the term financial institution heaps compliance burdens on an enormous number of businesses that before this development would not have been considered part of the financial arena. For example, a local mom-and-pop store could be a financial institution because it extends store credit to its customers.
Stretching the concept further, it also is possible that accounting firms could be considered financial institutions for purposes of the privacy law--preparing tax returns is arguably a financial service. Businesses will face challenges: (1) they must comply with the provisions of the act and/or (2) they must ensure they do not lose customer loyalty because their systems are not secure and reliable. With the growing prominence of privacy issues, CPAs operating in various roles in industry, especially in financial institutions, should take notice of the privacy issues that affect their employers in both the online and offline worlds. These issues might take the form of new laws and regulations, such as those required by the act and/or the best practices that are being followed by industry to ensure that customer confidence and trust are kept at the highest levels possible (see sidebar, "Best Practices," page 32). Best practices include accepted industry standards and practices such as posting privacy policies on a Web site in a conspicuous place or having internal controls to ensure that privacy policies are not violated. For more information on best practices for banking and other industries, the CPA working in industry might look to the AICPA WebTrust program.
CPAs who work in public practice should know the requirements of the act and inform clients how the requirements will affect day-to-day operations, especially businesses that might not think of themselves as "financial institutions" but are now considered such. In addition, the recent focus on privacy creates a wealth of service opportunities for the practitioner in his or her role as adviser to clients. As more and more clients migrate to e-commerce environments or engage in information-sharing practices, the need for consultative advice and assurance on all aspects of operations affected by these changes becomes paramount to clients and potential clients. Sometimes it's not the details that clients are aware of that add the most value to CPA services but, rather, the things they are not aware of.

The Financial Services Modernization Act of 1999

The privacy law imposes burdens on all "financial institutions," whether or not they transmit nonpublic personal information to third parties. The law prohibits

* The transmission of private personal information to nonaffiliated third parties without prior notice to the customer and without a customer option to prevent it.
* The transmission of an account number "or similar form of access number or access code" to a nonaffiliated third party that wants to use the information for marketing purposes.

The law requires all financial institutions to

* Notify their consumer customers of the privacy policy at the onset of the relationship and annually thereafter.
* Disclose the affiliate sharing notice and the opt-out opportunity for affiliate information sharing.

What it doesn't do

* The act does not regulate the sharing of information between a financial institution and its affiliates.
* The act does not ban all third-party transmissions. It provides for some exceptions, allowing the transmission of nonpublic personal information to third parties such as accountants and auditors without the necessity of customer disclosure and the opt-out choice.
* The act does not provide for private rights of action for violations. Enforcement is given over to the federal financial regulators for banks, thrifts and credit unions; to the SEC for brokers, dealers, investment companies and advisers; to state insurance regulators for insurance companies; and to the FTC for everyone else.
* The act does not amend the Fair Credit Reporting Act, which provides an opportunity for customers to opt out of a company's sharing "nontransaction" financial information, such as a credit report, with an affiliate.

EXECUTIVE SUMMARY

* E-COMMERCE PRIVACY ISSUES ARE HIGH PROFILE in Washington. Technology allows the easy accumulation and distribution of personal financial data as well as the theft of these data, and security must be ensured.
* INCIDENTS THAT CAUGHT THE ATTENTION OF Congress were a bank selling confidential information to third-party marketers; a major Internet company publishing customer data; and a hacker who tried to extort money from a company to stop publication of stolen credit card numbers.
* IMPORTANT ACTION IS UNDER WAY. Look at the list of bodies promulgating regulations that will affect financial institutions: the Federal Reserve Board, the FDIC, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, the SEC, the FTC and the National Credit Union Administration.
* WHAT CONSTITUTES A FINANCIAL INSTITUTION? The act's definition goes far beyond traditional labels. It defines one as an entity engaging in an activity that is financial in nature or incidental or complementary to a financial activity, and it empowers the Federal Reserve Board to determine which businesses fit the definition. That description could include a local merchant that extends consumer credit or a CPA firm that prepares tax returns.
* THE FINANCIAL SERVICES MODERNIZATION ACT of 1999 bans the dissemination of consumer information to third parties without a customer option to prevent it. It also requires financial institutions to disclose to consumers their privacy policy at the outset of the relationship and annually thereafter. Enforcement is solely the province of federal financial regulators.

RELATED ARTICLE: AICPA Assurance Service Programs That Address Privacy Issues

WebTrust[SM]

WebTrust addresses the fundamental privacy concerns of both the business community and the online customer. The WebTrust seal informs potential customers that a CPA has evaluated a Web site's business practices and controls to verify they conform with the WebTrust principles and criteria for business-to-consumer electronic commerce. WebTrust is the only online privacy seal program that provides for independent verification and the only Internet service that reviews security of financial information maintained by e-commerce companies. As e-commerce becomes the global and preferred way of conducting business, countries around the world are setting standards to assure citizens that their information is kept private. The European Union privacy directives for the European market took the lead in this area. In the United States, the Online Privacy Alliance, a coalition of businesses, is leading an initiative to demonstrate that the government does not need to be involved. WebTrust meets or exceeds all these key organizations' critical requirements regarding privacy, as well as the key requirements of the Financial Services Modernization Act of 1999.
WebTrust requires online businesses to make privacy disclosures and testing in the following areas:

* The specific kinds and sources of private information that is being collected and maintained; the use of the information; and third-party distribution of the information.
* Choices regarding how identifiable private information collected from an individual online may be used and/or distributed.
* The business transaction consequences of an individual's refusal to provide private information or of his or her decision to opt out of a particular use of such information.
* How individually identifiable private information collected can be reviewed and, if necessary, corrected or removed.
* If a Web site uses cookies (files placed on a consumer's computer by an online business that allow it to track information on sites visited and buying habits), how they are used and the business transaction consequences of an individual's refusal to accept a cookie.

For a complete copy of the CPA WebTrust principles and criteria, refer to www.aicpa.org/Webtrust/index.htm.

SysTrust[SM]

In a SysTrust engagement, a CPA firm issues an attestation report that evaluates whether management of an e-business has maintained effective controls to ensure that its systems function reliably within a specified period of time. Developments in information technology make far greater power available to companies at far lower costs. The systems supported by this technology range from tools for bookkeeping to running businesses, producing products and services and dealing with customers and business partners. Among the concerns of customers and business partners is the reliability of conducting business in a manner that protects private or confidential information from unintended or unlawful uses. A reliable system is defined as one that is capable of operating without material error, flaw or failure during a specified period of time in a specified environment. A SysTrust report on a reliable system is underpinned by four essential principles--the benchmarks of reliability:

* Availability--the system is available for operation and use.
* Security--the system is protected against unauthorized access.
* Integrity--the system processing is complete, accurate, timely and authorized.
* Maintainability--the system can be updated when necessary.

SysTrust is the only attestation service available for signifying whether a company's privacy systems have effective controls that enable the system to function reliably. For more information on the CPA SysTrust services and to review the SysTrust principles and criteria, refer to www.aicpa.org.
RELATED ARTICLE: Best Practices for Building Consumer Trust

In response to growing concerns from online shoppers about security and privacy protection, and in light of recent high-profile breaches of public trust at several brand-name Web sites, the AICPA offers several tips to Web merchants to help them build consumer trust and confidence.

Maintain a High Level of Security

E-commerce sites must use the most reliable security controls and tools and communicate that they do so to their customers in easy-to-understand language. This includes the latest SSL (Secure Sockets Layer) encryption technology, digital certificates, secure server technology and authentication to ensure that personal customer information is safe. The site should be independently verified to ensure that its security controls adequately protect its customers from risk of security breaches.

Build Online Credibility and Legitimacy

Brand names are important on the Internet. They help shoppers make choices when they have a limited range of knowledge about quality and functionality. If an e-commerce site lacks its own recognizable consumer brand name, it can sell branded products from other manufacturers, partner with an established brand, offer samples of its services through low-risk trials and creative offers or use a CPA to independently verify that it is a legitimate business. Whichever strategy is used, it is important to be consistent and adhere to the highest set of standards so that customers trust the site.

Maintain a High Standard of Integrity With All Transactions

Web sites have to maintain a high degree of integrity with every transaction and they should be independently tested for compliance against a stringent set of standards. Many a Web site loses sales when the buyer has to struggle to complete a transaction. Nothing alienates shoppers more often than order-entry glitches that cause the loss of entered information, computer freezes or being bounced off the site. A site's lack of full disclosure regarding actual costs is also a big turnoff. Online shoppers want to know all costs before going through detailed registration in order to avoid surprises and significant changes to the online price. An order-tracking system that allows online shoppers to review orders and/or maintain addresses and credit card information is also very helpful in building trust in a site.

Fully Disclose Policies and Make the Site Easy to Navigate

Online shoppers want to know how a site will handle their personal information, so Web merchants must explain how they collect and handle consumer data and must post easy-to-read privacy statements. Some customers are not willing to buy online without assurance from independent third parties that their confidential information will be protected. The design and content of a site are also critical elements in attracting potential customers.
Support Online Consumer-to-Consumer Dialogue

E-commerce sites can build additional trust when they encourage their customers to contact and inform each other about a site's products and services: A chat group sponsored by the site allows its customers to question each other about their purchasing experiences. The online business can also provide links to other independent sites that allow customers to obtain feedback and ratings.

Empower Consumers to Take Control of Decisions

Online shoppers will trust a site when they know that they control access to their personal information. Web sites that ask permission to obtain customers' personal details are taking the smartest approach. Some companies, for example, discuss the benefits provided by cookies on a user's hard drive (the cookie ensures that preferred settings appear without the customer logging in each time) and then ask the user for permission to place a cookie. The online shopper is fully informed and empowered to make the decision whether to allow the cookie onto the hard drive. Many e-commerce sites are beginning to ask consumers to serve on panels that independently audit their privacy policies, the integrity of their transactions and their fulfillment records.

RELATED ARTICLE: What's Happening in D.C.?

Privacy was not an issue during the first four years of debate on the Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley act). This changed when the U.S. Bancorp story broke. Concerns about privacy helped spur Congress to adopt as part of the act the first comprehensive federal privacy provisions applicable to financial institutions.
According to Gary Gensler, treasury undersecretary for domestic finance, the Clinton administration will offer new privacy legislation this year. The Treasury will also finish a wide-ranging study of privacy issues by the end of 2000, which could lead to additional privacy proposals. In February Senator Richard Shelby (R-Ala.) and Congressman Edward Markey (D-Mass.) announced the founding of a bipartisan Congressional Privacy Caucus. Its purpose is to fight for tougher consumer financial privacy laws. Regulations defining the exact scope of the privacy provisions will be promulgated by several federal agencies. The federal banking agencies, the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision have issued a joint proposal and will adopt identical regulations. Also adopting regulations will be the Securities and Exchange Commission, the Federal Trade Commission, and the National Credit Union Administration. It is expected that these regulations will be similar to each other in some aspects but will differ in others. An example of how they may differ in treatment is the definition of nonpublic personal information. The modernization act defines personally identifiable financial information as information that is provided by the consumer to the financial institution. Excluded is information that is publicly available through sources such as the telephone book, tax records or land records. It is possible to determine that a customer's name and address are nonpublic because the financial institution receives them from the customer. Contradictorily, since this information is also available from the telephone book, tax records and other public records, it could be determined to be public information. The act allows states to adopt privacy policies that provide consumers with even more protections. If the states ultimately adopt different privacy laws, financial institutions operating across state lines will need to have multiple privacy policies and disclosures. The federal banking agencies, NCUA and the FTC issued their proposed regulations in February, the SEC in March. The modernization act provides that the regulations be made final by May 12, with an effective date six months later. Federal regulators are empowered to set an effective date that is later than November 12.

PETER M. KRAVITZ is director of congressional/political affairs at the AICPA. His email address is pkravitz@aicpa.org. ANTHONY PUGLIESE, CPA, is director of assurance services at the AICPA. His email address is apugliese@aicpa.org.
The authors are both employees of the American Institute of CPAs and their views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.