A bank sold the account records of its depositors? It even included the depositors' social security numbers?
I could not imagine that might be legal. Apparently, neither could the Minnesota attorney general. But it looks as though US Bancorp recently took those actions. If true, it represents the type of arrogant disregard for individual privacy that many Internet users assume is the norm.
Banks have long been seen as the paragons of discretion. The impression most of us have is that banks hold information about our accounts in secret, except in response to IRS inquiries and court orders. It has been quite a scandal whenever it has appeared that the secrecy was violated.
This is one of the reasons there was so much controversy over the recently withdrawn federal program in the US to get banks to "know their customers". This plan aimed for banks to become an investigative arm of the government and report whenever there was suspicious activity in their customers' accounts.
How banks maintain their trustworthy image even though many of them issue credit cards (and credit card issuers have been vilified as the worst violators of personal privacy), I do not know.
Thus it came as quite a shock when the Minnesota attorney general charged that US Bancorp had sold customer account information, including social security numbers, credit ratings, marital status and birth dates, to the telemarketing company MemberWorks. The bank was to get commissions on whatever MemberWorks was able to sell to the bank's customers. In addition, the bank gave MemberWorks the ability to automatically withdraw money from the accounts of the bank's customers if MemberWorks said it had sold something to the customers.
In its defence, MemberWorks claims it did not use the information and that any "protected customer information" was returned to the bank unused.
The bank claims it has not broken any laws and, sadly enough, the institution might be right (though the Minnesota attorney general thinks differently). The very fact that there is any question about whether this sort of wholesale violation of banking customer privacy is against the law is an indication of the problem that we all face in using the Internet. If banks are not required to protect details about your personal life, who is?
This incident has made all the more urgent the push toward the comprehensive privacy protection legislation underway in Washington, DC. But, like most things in Washington, there is no guarantee that any laws coming out of Congress - even ones that have titles like "Financial Information Privacy Act" - will not actually wind up codifying the ability of banks and other powerful interests to treat you as a source of information to sell. So it is not yet time to breathe easily.
Disclaimer: Harvard, per se, does not breathe, so the above must be my dark mutterings.
Scott Bradner is a consultant with Harvard University's University Information Systems. He can be reached at firstname.lastname@example.org.