Are you using real customer data for testing? In a recent survey, well over 60 percent of IT professionals use live customer data for application testing and for software development. Guess how many IT professionals outsource application testing (and share live data with the testing company)—about 50 percent. Worried about sensitive data? Compliance with data breach statutes? Privacy concerns? Is this a potential gap in the security wall many companies build around their networks? You bet. Could it be a big compliance, legal and regulatory problem? Bigger bet. While live customer data is obviously the most representative for testing, it’s also the most risky. What can you do? Use fake data. Anonymize or sanitize real data. Use encryption. Limit access and strengthen contract, monitoring and audit controls. We know privacy and security, regulation and compliance. Call us.
Financial Supermarket? No. Financial Advertising Supermarket? Well, Maybe…
Years ago, a number of companies hoped that by offering to simplify financial record-keeping and collect your financial information in one place, consumers would find it easier than trying to keep track of all of the numbers, codes and IDs they have to contend with in the real world. The concept fizzled, primarily because there was resistance to giving one website all the information—putting all your nest eggs, so to speak, in one basket. Now, some companies are hoping to revive the concept, this time with the lure of education, advertising and sponsorship.
Although the basic idea remains, the new aggregation model uses sponsored links—recommendations based on an analysis of consumer data and financial information—all geared to educating consumers about the availability of financial products and services. Just as search engines accumulate information about browsing—to prioritize and serve advertising believed to be of higher value to the individual—these new sites use the same model to recommend financial services. If you use a credit card to purchase airline tickets, the site might recommend or display an advertisement for an affinity credit card tied to an air carrier or one which offers points for your purchases. Use an overdraft line of credit for your checking account? You might see an advertisement or recommendation to consider a home equity line of credit to potentially lower your tax bill while you borrow.
While advertising-supported revenue models may have greater appeal from an economic viewpoint and may attract financial institution sponsors and advertisers, these sites still have to overcome consumer discomfort with making all—or a significant portion—of their nonpublic financial information available at a single point of aggregation. With the identity theft, data breach and privacy issues front and center in the past few years, one has to wonder if the power of advertising can overcome that anxiety.
The Empire Strikes Back?
You can’t possibly have missed the flurry of articles in the press over the past few years regarding identity theft and the measures being taken (or vulnerabilities exposed) to protect the non-public, personally identifiable financial information consumers access, use and provide in the course of routine payment transactions—both off and online. Indeed, several years ago, the Payment Card Industry (“PCI”) began formulating it’s own self-regulatory standards governing the protection of consumer information relating to the processing of credit, charge and debit card transactions. This has led to the development of the PCI Data Security Standards (“DSS”) and corresponding Data Security Audit Guidelines. In broad terms, the PCI DSS requires the protection (by encryption or other effective means) of personal information in the payment card process—whether in storage, card processing, point of sale/purchase, recordkeeping—in every link in the chain of payment using a payment card or device linked to an account at a financial institution.
As a result of the furor over the release of private information—including releases from governmental agencies and databases (e.g., social security numbers, drivers license numbers)—more than 30 states have passed specific legislation requiring companies that know, or reasonably suspect, that data, databases or electronic/digital information involving personal information of consumers has been compromised or actually leaked, to disclose and notify consumers affected (or potentially affected) by the security lapse or potential breach. Federal legislation has been proposed, although nothing has yet been enacted, and the states have stepped in to fill the perceived gap and protect the information of its citizens, and to regulate the conduct of companies doing business within their borders.
Much of the angst over the private sector, commercial transaction compromises over security—starting most visibly with ChoicePoint several years ago and continuing in a steady stream thereafter—arises from the fact that retail merchant establishments have traditionally not had to worry about privacy and the secure management of customer personal and financial information, primarily because they haven’t been regulated or needed to do so. Enter the digital age of information and the ability of marketing and advertising gurus (within and for retailers) to data-mine and use vast amounts of previously cumbersome and often unattainable information about customers. If information has always been power, than digital information transforms that power exponentially, at the speed of light (literally for those physics majors masquerading as lawyers or marketing professionals).