Coming Soon to a Financial Institution Near You
Anyone in financial services is familiar with the importance of keeping data and information secure. In fact, there are entire regulatory departments to ensure all banks, wealth managers, trust companies – basically anyone who handles financial data – comply with strict guidelines. And as consumers of such services, we all are familiar with the privacy notices that show up in our mailbox. And heretofore, those notices were a simple opt-in/opt-out process. You either consented to have your info shared, or you didn’t.
But soon you will have a third option available to you: the option to delete. Because of new legislation set to go into effect for the State of California on January 1, 2020, consumers (or clients) can now get better visibility into how their data is being used, and ultimately have that data deleted. Assembly Bill 375, more commonly known as the California Consumer Privacy Act of 2018 – CCPA for short – takes privacy a step further toward protecting your personal information and gives you the ability to request that all your commercially-obtained data be deleted. It is largely based on the GDPR legislation in the European Union, which came to be called “the right to be forgotten.” And given California is home to some of the largest collectors of personal data in the world (e.g., Facebook and Google), it is no wonder the state is at the vanguard of this sweeping new legislation.
So what does this mean for clients of First Foundation? In simple terms, clients now have the ability to submit a formal request for information about all of the personal data that we collect and store about them. First Foundation will then be required to provide information about the personal data within 45-90 days, noting the purpose of use, such as deposit account management, portfolio management, loan maintenance, etc. Upon seeing how we store such data, the client then has the right to request the deletion of all personal information that is not directly used for current or ongoing business. In theory this all sounds fair, and lawmakers likely had the interests of the people in mind when passing such legislation, but some obstacles will exist when this law goes into effect.
Verifying the client’s identity is the first obvious hurdle. For instance, what is stopping fraudsters from acting as you and requesting a download of all the data we have on you? It will be our responsibility to verify the identities of those requesting data before we release or delete personal information, but that doesn’t mean that the bad guys won’t try. CCPA does require requests be made in writing but allows the use of electronic transmission, a.k.a. email, and we all know how “secure” email requests are. We will have strict call-back procedures in place to ensure the request is from whom it says it is.
A related challenge is the fact that First Foundation maintains a Record Retention Policy that stipulates how we keep files on our clients. Oftentimes these retentions are mandated by state and federal law. So, there might be situations where we cannot delete your records from our system given we are mandated by other laws to keep your data. This conflict of law poses a challenge for many in the financial services world, and Sacramento is busy addressing how best to handle situations such as this.
And finally, this law has not yet been tested and comes at a time when companies across all industries are still building security procedures around data they collect. What is to happen when companies are now forced to open up those security procedures in an effort to share data? Again, in theory this all sounds good for the people, but there are unintended consequences that remain to be seen. The equivalent law in Europe still poses challenges for consumers and companies alike, and while solutions are being built, there are many details that have yet to be addressed.
Lawmakers here in California continue to work through many of the details of CCPA and changes are certainly expected.
In the meantime, there are some helpful resources in the media about this legislation, including a piece from Forbes entitled: “California Just Passed A New Data Privacy Bill. Here's What It Means.”
And for those who want to read the entire text of the bill, you can visit the California Legislative Information website here.
If you have questions about any of this, please do not hesitate to reach out to your contact at First Foundation.