Think Your Secrets Are Safe?

You need to act fast to control access to your financial data

In coming weeks, households will receive a torrent of notices from every financial institution with which they do business. Many will dump the deluge as so much junk. If they do, they risk throwing away their right to protect their privacy over vast swaths of their personal and financial information from name and address to details of assets, income, and debts.

Under new rules now going into effect, financial institutions must disclose what information they collect about their customers, and how they share it, both with affiliates and outside firms. Consumers can't stop in-house sharing, such as by a bank with its brokerage arm, but they must be offered the chance to opt out of sharing with third parties. Hence, the avalanche of mail.

NO PROTECTION. If customers don't object, financial institutions can release customer account numbers to outside marketers or partners who run programs such as air-miles. The rules don't require institutions to make sure that third parties, handling everything from preparing account statements to marketing, keep consumer information under wraps. They don't protect information about people in employee benefit plans, such as 401(k)s, administered by financial companies. And they allow the sharing of extensive customer information that, while not personally identified, can be merged easily with other databases to create detailed portraits of consumers' financial dealings.

Until now, information sharing has been largely unregulated, leaving individual companies to decide how much, or little, they would protect privacy. "[The new law] extends some important additional protections to consumers about their personal information," says Julie L. Williams, chief counsel to the Treasury Dept.'s Office of the Comptroller of the Currency, who played a key role in writing the rules.

But privacy advocates complain the law permits an Orwellian intrusion into consumers' financial lives. Short of an outright ban on sharing of consumer information, they wanted a much stronger opt-in rule that would have prevented information-sharing unless customers positively agreed. "Consumers have no control over sharing most of their information most of the time," complains Ed Mierzwinski, consumer director for the U.S. Public Interest Research Group, a Washington watchdog group.

The rules are even leakier than they appear. For example, financial institutions must protect private information. But if they "reasonably believe" that information is publicly available, the data can be shared with third parties. So if information has been published say in a magazine or on a Web site--even if access is restricted by a password--then it's no longer protected. Some joint account holders might be in a strange situation: Though all holders have the right to opt out of disclosure of their information, the rules say financial institutions need send only one notice per account. And employees in benefit plans don't get the chance to protect themselves, as their employers, not they, are considered the customers.

If the new arrangements sound as though they were designed to please banks, brokers, and insurers, that's because they largely were. They are the by-product of a hugely expensive, two decades-long campaign by the financial industry to sweep away Depression-era laws that forbade mergers among banks, brokers, and insurers. The resulting Gramm-Leach-Bliley Act, signed in Nov., 1999, aimed to legalize one-stop financial conglomerates such as Citigroup. But it also laid down the parameters for privacy protection.

Financial institutions for the most part aren't adopting completely new privacy policies. Instead, they're codifying their current practice and telling customers about it. Atlanta's SunTrust Banks Inc., for example, uses outside firms to provide services such as credit cards and insurance. If customers don't object, the bank can give suppliers their information, including name, Social Security number, assets, income, account balance, and details of transactions with itself or its affiliates. Some firms, like New York's J.P. Morgan Chase & Co., go further. Its policy allows customer contact information--names, addresses, and phone numbers--to be shared with nonfinancial companies offering travel programs, dental or legal services, and the like.

A few institutions, leery of consumer backlash, have decided not to share information with outsiders. Bank of America Corp., for instance, will handle all customer contact itself if it enters joint marketing projects with third parties.

Still, most of the industry is intent on defending the rules. So far, it has been able to protect its big investment in getting the law changed. If customers don't react to the notices they're now receiving, that investment will be even safer.

By Christopher H. Schmitt in Washington

Before it's here, it's on the Bloomberg Terminal.