Trump’s Data Privacy Repeal & Credit Unions: Part 2

April 3, 2017 Marketing GrafWebCUSO

Last week Congress voted to repeal the regulation preventing internet service providers from selling customers’ web browsing and app usage data without consent.

Information privacy, security and compliance consultant Rebecca Herold, president of the Des Moines, Iowa-based SIMBUS and CEO of The Privacy Professor, told CU Times that this repeal of privacy and security protections under the law carries far-ranging consequences, even into credit union security and compliance areas.

Last week, President Trump indicated his intention to sign the bill, S.J. Res. 34. The data privacy regulations, enacted late last year by the Federal Communications Commission but not yet in effect, would have required ISPs to receive clear opt-in customer consent.

Herold said that by repealing the pending regulation, the legal security and privacy requirements for all ISPs/BIAS fall out of the federal government’s oversight and authority. “It now, once more, becomes an activity that must be addressed contractually by each credit union with their own ISP.

“It also increases the need for credit union members and all consumers to ensure their ISPs/BIAS have well-documented privacy and security notices and policies in place (and that they are actively following them),” Herold said. “If ISPs don’t follow their own established security and privacy notices and policies, then it is basically up to credit unions and credit union members to report them to the FTC, which could then pursue legal action against them under Section 5 of the FTC Act for unfair and deceptive business practices.”

Gene Fredriksen, chief information security officer for the St. Petersburg, Fla.-based PSCU, held that businesses like credit unions run the same risk as consumers when more of their data is collected, stored and resold. “One area of concern is that when data like online activity is resold, it may be stored in a third-party repository. If that repository is hacked or breached, it could yield a wealth of aggregate information.” Since those repositories do not exist today, they will be an attractive target for cybercriminals when they come online.

Fredriksen also noted that businesses may have to re-evaluate work-from-home rules. “Encrypted email and VPN connectivity are the only tools that can be used to protect remote users from data leakage. Credit unions need to think about what information could be gleaned from email, application logs and connection information from those employees working remotely.”

Both consumers and their credit unions, banks and financial partners who facilitate commerce and payments should be alarmed at this development, Bob Hedges, lead partner in the financial services practice of Chicago-based global strategy and management consulting firm A.T. Kearney, emphasized. “Responsible credit unions, banks, payments networks and retailers active in digital commerce should all be demanding more forward-looking and consumer-oriented legislation.”

Hedges added, “While the proposed relaxation of consumer data privacy rights should on the surface be immediately rejected, it actually poses the far greater risk of a reactionary legislative proposal that actually cripples the use of consumer data on the internet, bringing the meteoric and beneficial growth of digital commerce and payments to a screeching halt.”

Vijay Basani, CEO and founder of Boston-based security-as-a-service provider EiQ, said, “Congress does not fully understand the depth of information that internet providers can capture and leverage. They are definitely compromising the privacy rights of the individuals using the internet.” Basani added it could be a lot worse because it could lead to misuse of personally identifiable information by leveraging the data for commercial use.

“With S.J. Res. 34, every citizen will have massive amounts of their data exposed when their ISP or a nebulous third-party intentionally or inadvertently fails to adequately secure the information,” James Scott, senior fellow at the Washington, D.C.-based Institute for Critical Infrastructure Technology, offered. “By drastically expanding that collection, storage, and exchange of data with a few short lines of legislation, Congress has jeopardized the security and privacy of every citizen, every organization, and every critical infrastructure.”