Banks are no strangers to the promise and perils of new technologies. Technological innovation has provided new revenue streams and efficiencies for banks, new customers, new competitors, and new vulnerabilities.
As 2020 dawns, we are in the midst of another technological revolution in the banking industry – the monetization of “big data.” Once again, this innovation will provide both opportunities and risks for banks.
Tech companies have made tremendous fortunes using big data to monetize their customers’ information. Indeed, this data is so valuable that tech companies often charge little or nothing to their consumers for the services they provide. The data held by banks about their customers is at least as valuable as the data that most tech companies currently hold. Bank data includes information from which customers’ income, spending habits and day-to-day financial decisions can be derived.
Sensing this opportunity, tech giants are now attempting to enter the banking business. For example, Google recently announced it would be entering the fintech space by offering checking accounts to its customers, through a relationship with an unaffiliated bank. The announcement came on the heels of announcements by Amazon and Facebook that they, too, intended to enter the banking space, offering a credit card and a cryptocurrency, respectively.
If their forays into other businesses are any guide, it is likely that the tech companies will compete with established banks by offering much lower fees, or even no fees at all for their services, instead making money off the data they are collecting.
Privacy as Big a Worry as Security
Traditional financial institutions are already heading in that direction. Several investment firms have dropped investment fees so low that one research firm recently predicted major institutions may soon begin paying customers to invest with them. No-fee or negative-fee offerings can be rationalized, at least in part, by the vast amounts of information firms will be able to collect about their clients, and the money they can make using that information.
Whatever benefits financial institutions – or their customers – gain through the collection of ever greater amounts of information will inevitably create additional risks. In addition to heightening the preexisting risks of security breaches, possessing more richly detailed information also carries another risk – the risk of privacy violations.
Banks have become all too familiar with security breaches. Indeed, preventing and responding to data breaches has long been front-of-mind for the banking industry. Though banks invest more in computer security than almost any other industry, attacks on banks and other companies continue to increase. A recent McAfee report shows that cyberattacks employing malware more than doubled in 2019. Successful cyberattacks result in lost revenue, reputational damage, regulatory inquiries and – with ever greater frequency – class-action lawsuits.
It is only a matter of time before a similar pattern of events occurs after allegations of misuse of customer information – in other words, a privacy breach. California is leading the states with privacy regulation, starting with the California Consumer Protection Act (CCPA). Other states are starting to follow with their own legislation. Even at the federal level, there are competing privacy bills pending in Congress, each seeking to define and regulate how companies use the data they collect about consumers.
These laws may or may not complement the existing regulatory framework provided for by Title V of the Gramm-Leach-Bliley Act, which governs how financial institutions protect customers’ nonpublic personal information; how and when they may share protected data; and the disclosures they are required to make in order to share data. The heightened regulatory obligations on financial institutions that could be law in the coming year may redefine consumer and legal expectations around the use and monetization of customer data.
What Could Suits Look Like?
Though it may be some time before this regulatory framework is fully in place, it is reasonable to expect plaintiffs’ lawyers won’t wait until their path to recovery is clearly established. For this reason, litigation may well precede regulation in this area.
What might this privacy class action litigation look like? Some clues can be deduced from the issues that have arisen in security breach cases. Courts are continuing to struggle with key questions about security breach class actions, including: What sort of injury must be alleged for a person to gain standing to sue after a security breach? Is it enough to describe a risk or fear of future harm, or must there be some current, concrete harm? How similar must the injury be for a class to be certified? What is the value of the harm caused to an individual by a data breach?
These questions will demand different answers in the privacy breach context. What will establish standing in a privacy breach? Will the improper use of a consumer’s lawfully-collected data be sufficient or must the litigant establish some other, more concrete form of harm? Would it be enough merely to allege that a company violated its own terms of service in the way it handled private data? If so, what is the damage associated with that breach?
The questions around class certification may well also differ in the privacy context. In the data breach context, classes are typically composed of individuals who had similar types of data exposed (Social Security numbers, credit card numbers, etc.). The fallout following an alleged privacy violation may well be less conducive to this type of grouping. For example, the harm of misused medical information may differ tremendously depending on the medical diagnoses involved, the community the person lives in, or even the individual personality of the person whose data was misused. It is not at all clear how courts will handle these issues.
Though we can’t now know exactly how the incorporation of big data in the financial industry will evolve, banks must be prepared for a new litigation environment. As the industry trend towards capturing and monetizing the reams of data generated by customers’ financial lives outpaces the development of regulatory and consumer expectations, banks will find themselves on a collision course with proponents of heightened data privacy that will inevitably pass through the courtroom.
Seth P. Berman leads Nutter’s privacy and data security practice group and is a member of the firm’s white collar defense practice group. James W. Gately is an associate in Nutter’s litigation department and a member of the firm’s business litigation practice group.