Dear Consumer Ed: 

I have a department store credit card issued through a retail bank. I recently received a privacy policy form in the mail.  Part of the policy states that the types of personal information they collect and share depend on the product or service I have with them, but the information collected and shared can include:

•    Social Security number and income

•    Account balances and payment history

•    Credit history and credit scores

They said you could phone and limit sharing – which I did immediately – but it may take up to 30 days from the date the notice was sent.  My question is this:  Do the department store/retail bank have the right to share my Social Security number with other people?  This seems like a huge security risk and invasion of my privacy.

Consumer Ed says: 

Although we have not disclosed the name of the particular department store or retail bank in this column, based on the information that you have provided to us it appears that the department store’s credit card is operated by the retail bank in question, so it is probably the bank’s privacy policy that you received in the mail.  This matters because the bank meets the definition of a “financial institution” under federal law.  As such, it is allowed to share your nonpublic personal information, e.g. your Social Security number, provided that it follows certain regulations required by the Federal Trade Commission (“FTC”).  Specifically, the bank can disclose nonpublic personal information about you to a nonaffiliated third party if all of the following conditions are met:

•    it has provided you initial notice;
•    it has sent you an opt-out notice;
•    it has given you a reasonable opportunity, before it disclosed the information to the nonaffiliated third party, to opt out of the disclosure; and
•    you do not opt out.

Additionally, any entity (whether it is a financial institution or not) that receives your personal information from the bank may be restricted in its reuse and re-disclosure of your personal information.  

Based on your question, it sounds like you’re also concerned about the security risks involved with the sharing of personal information.  You should know that the FTC has established a regulation requiring financial institutions to “develop, implement, and maintain a comprehensive information security program” in order to “insure the security and confidentiality of customer information.”  You can learn more by visiting the FTC’s webpage about the Gramm-Leach-Bliley Act at www.ftc.gov/privacy/glbact/glboutline.htm.  If you have any additional concerns and need legal advice, you should consult a lawyer.
