at 612-315-3037 or
www.swansonhatch.com
The names are changed for purposes of privacy.
In 1999, Lori Swanson was Deputy Attorney General in the office of Minnesota Attorney General Mike Hatch. One of the first letters assigned to Deputy Attorney General Swanson on the topic of privacy was from a legal aid lawyer writing on behalf of an 87 year old man. He was a retired church janitor who lived in a nursing home for the last ten years. He had a credit card from Montgomery Wards, and telemarketers bought his personal data from the department credit card. Pretty soon, he was charged $2,400: for an auto club membership even though he didn’t own a car, for a homeowner’s warranty even though he didn’t own a home, and for a dental plan even though he didn’t have teeth. And all of this was charged on his Montgomery Wards monthly statement, which he dutifully paid.
Privacy isn’t just about financial data. In 1989, an actress by the name of Rebecca Schaeffer was murdered by a deranged man, Robert Bardo, who located her through the California driver’s license records.
For a price, a data aggregator can sort people based on income, lifestyle (e.g. enjoys the outdoors, tinkers with mechanics, etc.) or even a psychological profile of “ethnics who may speak in their native language but do not think in that manner.” An aggregator that specializes in healthcare can offer hundreds of lists of patients for sale, including the names and addresses of patients who are clinically depressed, who suffer yeast infections, or who have diabetes. One data aggregator offered for sale the names of high school students, sorted by GPA, religion, and ethnicity.
***
There are different types of privacy. One is the libertarian notion that a person should be able to make their own decisions without the government telling them what to do. This is embedded in court decisions relating to contraception, marriage, education, and abortion. Another type is the right not to have the government unreasonably intrude in one’s physical space. This is imbodied in court decisions recognizing that people are free from unreasonable searches and seizures by the government. Another type relates to the right to control the information about yourself.
Swanson is a libertarian at heart. She believes in an individual’s right to privacy and the right to define ourselves without intrusion by others. By 1999, it became obvious that technology, data mining, and the Internet were stripping people of their privacy. Government records involving birth, death, marriage, education, crimes, credit, and property ownership were becoming available online. The FBI monitored email and electronic communications through a program called “Carnivore.” The CIA and Great Britain shared telephonic and electronic communication otherwise protected by the constitution through various programs like ECHELON. Commercial activities were digitally mined through magazine subscriptions, credit card purchases, online orders, website visits, browser cookies, and fulfillment cards. Peeping Toms expanded their venue by use of clandestine cameras and malware on computers.
Attorney General Hatch wanted some public dialogue on the issue, because the public ought to be aware that their most intimate information was bought and sold. He wrote articles on the topic, drafted legislative bills, and asked Swanson to file a precedent-setting lawsuit.
It didn’t take long to figure out that trying to protect the citizen’s right to privacy was like throwing a pale of water into a 50 mile an hour wind.
And this was before the terrorist attacks of September 11, 2001 and disclosure of the federal government’s “Total Information Awareness Project.” And long before Edward Snowden’s disclosure of technology programs such as PRISM, Dishfire, Tempora, Fairview, MYSTIC, The Digital Collection System Network, BounlessInformant, Bullrun, Pinwale, and Stingray.
***
The first issue to be confronted was jurisdiction. Hatch and Swanson believed that the Minnesota Attorney General’s Office had authority to take civil action against insurance companies and banks that violated the consumer laws.
It turned out that U.S. Bank, along with several other major banks, sold financial data to telemarketers that operated call centers which hustled hundreds of millions of bank customers with “free trial memberships” in buyer’s clubs. U.S. Bank sold 22 pieces of information on their customers in exchange for a $4 million payment and a slice of the sales. The customer lists sold included 600,000 depositors and 300,000 credit card holders. The information included the customer’s name, address, phone number, social security number, age, bank account number, high balance (and date) during the month, the low balance (and date) during the month, and the average balance.
The telemarketer then contacted the bank customers, supposedly to sell memberships in a buyer’s club. Consumers, not aware that the telemarketer secretly had their financial information, allowed the telemarketer to send information about the “buyer’s club.” What the customer didn’t know was that the telemarketer used a “negative option” solicitation, meaning that the customer’s consent to sending information about the buyer’s club was construed to be consent by the customer to join the club, whose account was then charged a small amount each month. In the case of some senior citizens, it didn’t matter how the customer responded. They were signed up anyway. And billed. Two-thirds of those who were tricked into the buyer’s club were senior citizens.
The charges were identified on the customer’s account statement with innocuous titles, such as Leisure Advantage, Homeworks, Valuemax Shopping Service, Simple Escapes, 24Protect Plus, Countrywide Dental & Health, HealthMax Advantage, SmartSource, Travel Club, etc. The charges were low enough to “fly under the radar” for most consumers, but month after month added up to big money.
The lawsuit was filed against U.S. Bank on June 9, 1999.
The public was shocked at the invasion of privacy. The office received thousands of calls and letters. The case was covered by the New York Times, Wall Street Journal, and Financial Times in Europe. Within days, Wells Fargo and Bank of America announced that they would no longer sell such information. The public thought that their bank information was confidential, and they wanted it treated that way.
Interestingly, there was no “black letter law” on the issue of bank privacy. Indeed, every depositor at the bank signed an “account opening” agreement which was very confusing about the matter, and the bank argued that nothing in the agreement promised that the data would be confidential. The lawsuit described the matter as “consumer fraud” (i.e. the bank said it would keep their information private but did not.) To the public, though, the case was about an invasion of their privacy.
In response, the bank denied that it “sold” the information. It instead called its relationship with the telemarketer a “cooperative arrangement.” The bank denied receiving a $4 million payment for the data. Rather, it claimed that it only received “commissions” that coincidentally totaled $4 million dollars.
It didn’t matter what the bank said, because the depositors at the bank were furious, closing out their accounts and demanding credits for the fraudulently-charged memberships.
Within days, the bank stated that it was terminating all relationships with outside vendors.
The second thing Swanson and Hatch experienced was the wrath of corporate America that a government agency would take action against one of their own. Corporate America didn’t like the lawsuit. The U.S. Bank executives called it a political stunt. CEOs of other corporations derided the lawsuit and confidently proclaimed that the office would lose.
In the meantime, the office had filed another pending lawsuit against American Family Insurance Company for only paying to fix mismatched siding after storm damage. The company was similarly beating its war drums in the media, labeling the lawsuit against it as a “power grab” or publicity stunt. (The office won that case after a trip to the Minnesota Court of Appeals.)
Swanson started the negotiation with U.S. Bank’s lawyers trying to parse out legalese in a settlement. In the midst of these negotiations, a bank vice president claimed the suit was baseless.
The arrogance of the bank executives was troubling. If the bank treated a government regulator this way, how did the little guy stand a chance?
In the end, the Attorney General’s Office was quite proud of the result: It was the first real case to create a strong right of privacy in the financial industry.
Unfortunately, it didn’t take long for the banks to lobby Congress to change the law and give them “protection” against Attorneys Generals and consumers. In the summer of 1999, Congress enacted the Graham-Leach-Bliley law, which allowed banks to get into the securities business. Big mistake, as was discovered in the Great Recession of 2008. Another bad part of the law was the so-called “Financial Privacy Rule.” Under the Financial Privacy Rule, banks were supposed to disclose how they collect and distribute financial data of their customers. A notice provided that customers could, if they chose, write to the bank and limit the release of data to outsiders. This so-called “opt-out” provision is almost always ignored by the unsuspecting consumer. In other words, the banks succeeded in unwinding the principles established in the U.S. Bank settlement.
Yet, some banks and credit card issuers found a way bypass even this Financial Privacy Notice. By using “joint marketing agreements,” banks (such as First USA, Washington Mutual, California Federal Bank and Providian Financial Corp.) could continue to sell names, addresses, Social Security numbers and account information with outside firms that hawk financial products such as car insurance, credit cards, mortgages, brokerage services, credit card life insurance and roadside assistance plans. They could sell the financial data even on customers who explicitly opted out of having their information disclosed to third parties.
The office tried to get enacted a series of bills to better protect privacy of driver’s licenses, bank data, and the like. It ran into a buzzsaw of over 85 lobbyists retained by the impacted industries, who overwhelmed legislators and successfully killed the bills.
In the ensuing 20 years (before the era of “fake news”) when the office locked horns with corporations engaged in malfeasance, it would repeatedly encounter other “war rooms” and spin machines geared up to disseminate disinformation and hardball tactics as a litigation strategy.
References:
U.S. Bank Complaint - Download below
Settlement Document - Download below