00:05
Adam Stofsky
Sheri, I'm going to ask you a question that it may seem obvious, but I'm guessing it's actually more complicated than it sounds, which is what is financial data? What's the definition of financial data?
00:15
Sherry Shafchuk
So that's a really good question because the answer is not as obvious as most folks would think. The definition of financial data changes based on the law that you're looking at. For our conversation, I'm going to focus on the definition under the Gram Leach Bliley act because the state laws that are similar to the Gram Leach Bliley act have a similar definition. Financial data is two types of data. The first is personally identifiable financial information, and I'm going to dig a little bit more into that one in a moment. And then any list or description or group of consumers that is made up or created based on this personally identifiable financial information. What is not covered is publicly available information or lists, descriptions or groupings of customers obtained from this publicly available information.
01:14
Sherry Shafchuk
So we're talking about names that you get out of a telephone book, or names that you search online and get street address as well as telephone number, things of that nature.
01:26
Adam Stofsky
That's not, that's not considered. That's not subject to the law, correct. It's already out there and it's freely available.
01:33
Sherry Shafchuk
Exactly. Exactly. What is subject to the law is the personally identifiable financial information. And there's really three buckets of information that fall in this definition. The first one is any information that a consumer provides directly to the financial institution to obtain a financial product, like a loan, a credit card, or a financial service, like investment services, insurance services.
02:02
Adam Stofsky
So at a simple level, this is like I'm applying for a credit card. So I give my income and maybe a bit of other my age, my income, whatever that information is, falls into this first category.
02:13
Sherry Shafchuk
That's correct. The second category is now that you've provided the financial product and service, any information that you obtain as a result of this relationship is covered by the law and is financial data. And then the last bucket is any other information that you may obtain about the consumer related to the financial or product or service. So this is information that you can get from a third party related to providing these products or services. So a consumer report is probably the best example. So some of these examples include information that a consumer gives to a financial institution to obtain a loan or a credit card or any other financial product or service. It includes account balance information. It includes, like I mentioned, the consumer report information. It includes the fact that someone is your customer.
03:10
Sherry Shafchuk
So that would be considered financial data because it tells you that this person has a relationship with this financial institution. And from there you can probably make a few assumptions. And then the last one that I think is really unique and the one that has been brought up to focus a lot in recent days, even though this law is from the nineties, is any information collected from an Internet cookie. So any information collecting device from a web server, and that can be translated into something very broad. And so a lot of times we have to deal with, well, what's a cookie that's considered financial data, and what's a cookie that's not considered financial data?
03:55
Adam Stofsky
I think I've got all of these categories in my mind, except for the second category of information that the financial institution can obtain as a result of the relationship. Is it getting up to date information about an account balance over time, that sort of thing?
04:10
Sherry Shafchuk
That's right. So any type of information that you may get related to the product or service that's not from the customer, and it's not from the relationship that you may have with the customer.
04:26
Adam Stofsky
I have a Quickbooks account or some other similar kinds of accounts, and I link them up to my banks. So there is information being exchanged through those two entities automatically since I've linked them up, but I don't. I consented once, I guess, and I connect to the accounts, but I don't ever update them or provide that information directly to the bank. Is that an example of this? Or is it something a bit different?
04:48
Sherry Shafchuk
That's correct.
04:50
Adam Stofsky
Okay, interesting.
04:51
Sherry Shafchuk
And in a way, by connecting them, that's your way of giving that consent to share that information, because they can't provide you with a product or service if you don't provide that consent.
05:02
Adam Stofsky
And of course, you have the right to, like, delete it at any time. I believe on all these platforms.
05:07
Sherry Shafchuk
Exactly. The only time they won't delete it is just to keep it in their records for any type of questions they may receive down the line from regulators or lawsuits.
05:17
Adam Stofsky
Okay, so we've got those three categories. Any other categories are missing, or is that pretty much the universe of what financial information is?
05:25
Sherry Shafchuk
So I think the other one that I want touch on are these lists and groupings that are derived from financial data. And what is really focused here is any list that is derived from your relationship with a customer. So, for example, if a third party comes to the financial institution and says, please give me a list of all the customers that have been paying on a monthly basis, that would be considered financial data. Give me customers that have a credit score of X, Y and z. That list itself is financial data. So where this comes up a lot is when folks are buying lists of customers that they want to market to. So the question is, how was that list created, how is that list obtained? And so forth?
06:20
Adam Stofsky
Right. So in other words, the customers who own that data. Would have to consent to that use of their financial data.
06:27
Sherry Shafchuk
Correct.
06:28
Adam Stofsky
I have one follow up question on all of this. What exactly does personally identifiable mean? Is I'm assuming if I say to a bank, I want to understand the demographics of this community. And tell me what percentage has x credit score versus y credit. If it's anonymized, that's not personally identifiable, right?
06:45
Sherry Shafchuk
That's correct. So the difference between personally identifiable and de identified. Is if you can figure out who the customer is. Based on the information that you have. And this one is a little bit of a slippery slope. Because of technology and how far technology has gone. So there is guidance out there that says you can basically reverse engineer identity. So that one's a little bit where the devil's in the details.
07:15
Adam Stofsky
So is it a bit similar to other privacy laws. Where things like everything from names and addresses. But also things like photos or a likeness or even an IP address? All those things could be the piece of data that makes it personally identifiable.
07:31
Sherry Shafchuk
Correct. Any sort of data or any type of linkage to a person would make that information personally identifiable.
07:39
Adam Stofsky
All right, Sherry, anything else we've missed on this? Actually pretty complicated topic?
07:44
Sherry Shafchuk
I'm sure there is, but I think this is a good overview of what financial data is.
07:50
Adam Stofsky
Great. Okay. Thanks so much, Sherry.
<div style="padding:56.25% 0 0 0;position:relative;"><iframe src="https://player.vimeo.com/video/905667331?badge=0&autopause=0&player_id=0&app_id=58479" frameborder="0" allow="autoplay; fullscreen; picture-in-picture" style="position:absolute;top:0;left:0;width:100%;height:100%;" title="12030_What is Financial Data Under Data Privacy Laws"></iframe></div><script src="https://player.vimeo.com/api/player.js"></script>