As we started the new year, I was introduced to some new neighbors. As we exchanged pleasantries, the usual question came up: "What do you do for a living?" From my explanation about being a privacy pro, my new acquaintance wanted to dive down into what information should be protected. My recitation of the definition of personal information, any information related to an identified or identifiable individual, was insufficient, so we began a deeper dive.
As we went through various examples, we eventually came to financial accounts.
The quest for a definition of 'financial account'
From a general privacy practice standpoint, the question may be moot. Any account of any kind that can be related to an identified or identifiable individual should be protected. This is reinforced by law in the EU.
However, from a legal perspective in the U.S., financial accounts are called out as one of the components of personal information in data breach, security and destruction laws. Most state data breach laws' definitions of personal information enumerate the inclusion of financial accounts with a phrase like: "financial account number, credit card number, or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account."
I decided to take to Google and search for a definition, or at least some guidance, on what constitutes a financial account. As you would expect, there are several circumstance-specific definitions of a financial account, in banking laws, accounting practices, and child support laws, to name a few. However, there is limited guidance on what a financial account is in relation to U.S. state privacy statutes.
Feeling frustrated, I called my state’s Office of the Attorney General. After a couple of hours of being forwarded around, I could not get a definition for a financial account number. Maybe the thinking is that you will know a financial account when you see it?
However, in the non-binding Frequently Asked Questions Regarding 201 CMR 17.00, Massachusetts provides some guidance:
What is a financial account?
A financial account is an account that if access is gained by an unauthorized person to such account, an increase of financial burden, or a misappropriation of monies, credit or other assets could result.
Examples of a financial account are: checking account, savings account, mutual fund account, annuity account, any kind of investment account, credit account or debit account.
Applying the definition
Based on the examples, a financial account appears to be limited to accounts held by banks or other financial institutions. But under the definition itself, any account (in the generic sense) whose compromise could add to the account holder's financial burden qualifies, so the list of financial accounts may be much broader than the examples suggest.
I posted a hypothetical, based in fact, on the IAPP Privacy List to illustrate this and gather some opinions. Here's the hypothetical:
Two privacy pros decided to spend New Year’s morning playing a round of golf. One of the pros is a member of a local club, so they decided to play there.
They entered the pro shop to pay for the round. It turned out that the club did not take cash for the greens fees, but applied a charge to the member's account for payment at the end of the month. The member verbally provided his account number and the duo teed off.
After the round, the privacy pros went into the club's restaurant. When the bill came for the meal, the restaurant also had a no-cash policy; the charge was once again applied to the member's account. The member wrote the account number on the bill, signed the slip, and off the pair went.
As they were heading back to their cars, the guest privacy pro noticed a listing of all of the day’s tee times, including member names and account numbers, posted outside of the pro shop in a public space. He turned to his partner and asked “Do you think that could lead to a data breach under U.S. state breach notification laws?”
Based on the thread, several privacy pros agreed that the member's account number qualified as a financial account; there were also opinions that the member's account number was not in scope of state data breach laws. Interestingly, another example came out of the discussion: hotel room numbers to which you can charge meals or other services may be considered a financial account as well.
As one participant in the thread pointed out, we really will not know if membership accounts or hotel room accounts are considered financial accounts until the premise is tested in court.
For now, I am playing it safe with my clients, explaining the potential legal and reputational risks, then establishing business practices to protect against these risks.