Thursday, October 3, 2019
Data protection in online banking
Data protection in online banking Introduction Online banking is the practice of performing bank transactions over the internet. Due to the advanced nature of technology, most people use the internet to fulfil most of their personal needs, for instance; e-mails, internet calls, and video conferencing. Information technology is now being used to develop more supple and easy to use banking services (Nadim and Noorjahan, 2007). Online banking which can also be called internet banking is now being used and adopted by most people. Online banking can be useful in so many ways to both the customer and the banking institution, although the degree of its usefulness varies depending on whose point of view you look at it from. Online banking activities involves not only banks and customers but includes third parties too (Guptar, 2006). This essay would be looking at the privacy issues relating to the use of customers data and transactions in online banking. This essay would also be looking at the privacy concerns about how the customers per sonal data is used by the bank and what amount of control a customer has over the use of his/her data, how the bank shares customers personal data with third party or affiliated businesses and the rights and control customers have over the distribution of their data. And also what rights the government have over the monitoring of customers bank details and information, the ethical, social, professional and legal issues related to online banking services and the application of ethical/professional principles in the use of online banking services. Privacy issues in Online Banking Internationally, customers of several organisations can now pay their bills, transfer money to multiple accounts, make deposits, withdrawals or payments with online checks, view transactions on their account, trade bonds and securities, and all this can be done conveniently with just the click of the mouse and in the comfort of the customers home. The physical presence of customers are no longer needed for most transactions in the bank, as long queues witnessed in crowded banking halls can now be avoided which saves the bank the overhead cost of managing a crowded bank hall. But still, so many customers are concerned about the security of their personal information while operating the online banking service. According to Duquenoy et al (2005, p. 1), privacy is one of the main concerns associated with the use of online banking. I believe privacy is the most fundamental and relevant issue in online banking. Although there is not a specific privacy law in respect to online banking, ther e is an abundance of privacy laws that exist and this essay would be looking at a few of them as they are too many to write on all of them here. As noted by a few authors, Nadim and Noorjahan (2007) believed that privacy is one of the key factors amongst other issues which have an effect on a customers adoption of online banking technology. Most customers are concerned about how their personal data would be used when registering for an online banking account. What happens to their data after giving out their personal information? They are not sure and convinced about how secure and safe their data would be and how the data would be stored, manipulated, retrieved and updated. Mason (1986) stated that privacy concerns in online banking where raised by a few questions like; what information do customers require to reveal about themselves?; on what conditions?; what information can the customer can keep to themselves? According to Earp and Payton (2006) some major privacy concerns about the use of online banking technology are collection (enormous amount of personal information data collected and stored in databases), unauthorize d secondary use of data (personal data used for purposes other than they were primarily collected for), improper access (personal information viewed by unauthorized personnel), errors (unintended or intentional), and what level of protection could be put in place against them in personal information data. For example, there was a breach of information in which there was an identity theft of 3.3 million people with student loans in the weekend of March 20 21, 2010. Information such as name, addresses and social security numbers were stolen from a portable media device from the headquarters of Educational Credit Management Corporation, although the company claims it was a simple old-fashioned theft and not a hacker incident (WSJ, 2010). Howcroft et al (2003) noted that customers have confidence in their banks but their trust in the technology infrastructure of online banking was frail. Therefore privacy issues have proved to be an obstacle to the adoption of online banking technology (Nadim and Noorjahan, 2007). Most customers are worried about their personal data and financial information being revealed online. According to a study by Paul (2005), 94% of the banks customers express their concern about their personal information being exposed online. Privacy in online banking can be said to be the protection of the customers personal and financial information. It is the duty of IT professionals to secure and protect all customers personal information, they should conform to privacy legislation, professional codes of conduct and ethical principles to gain customers confidence in the technology and guard their reputation. Although Dewan and Seidmann (2001) argue that the success of online banking is expected to come w ith a growing price to personal privacy. They also stated that All online interactions leave detailed audit trails that continually depict a larger portion of our lives. Furthermore, privacy standards associated with the use of online banking technology in the banking industry (industry principles) currently exist. For example the American Bankers Association, Bankers Roundtable, Consumers Bank Association to name a few, have all approved equally to a set of privacy principles to portray a wide and united industry. They all have obligations to the similar set of guiding principles like; recognizing an individuals expectation of privacy; using, collecting and retaining personal information only if it produces the greatest benefit to such person; maintaining an up-to-date and accurate information; making individuals aware of the privacy policies; confine exposure of customers personal information; established security measures to protect information and maintaining an individuals privacy in business relationships with third parties (Earp and Payton, 2006). How can personal data be protected? Technological solutions that can give customers direct control over their personal information on their computer like cookie manager, encryption software, ad blocker to mention a few, give customers an amount of control over intrusions by hackers, spam and cookies. Also customer activism creating a policy taking direct action in online or offline environments to achieve desired enhancements in privacy policy, for example the American civil liberties Unions Take Back Your Data Campaign (Ashworth Free, 2006). Also privacy codes of practice like the BCS and ACM guide professionals on how to create and implement systems that protects the privacy of third parties. Privacy laws have been mostly controversial when viewing the laws relating to how much control customers have in the sharing of their personal information with third party organisations or affiliated business. Personal information in the control of banks about their customers data and transactions passes through different hands numerous times (Gupta, 2006).It is almost not possible for banks to retain customer data within their computer network let alone their jurisdiction. The risks of tampering of information, blockage and leakage are high and therefore needs an adequate legal and technical protection (Gupta, 2006). Most banks tend to use the personal data of their customers while advertising some of their other products and services. Third parties could use this data for marketing purposes, advertisements and customers usually view this as spam or unwanted information or some could also use it for illegitimate reasons like identity theft. The sale and distribution of customer pers onal data to third parties is a very lucrative business and generates a lot of revenue for companies. Duquenoy (2005) found out that the industry was valued at two billion pounds as at 2003. But how ethical is the sale or distribution of customer data to third parties? How does the third party make use of this information? These are some of the questions most banks have failed to look into in the use of personal data to make other products in online banking. Most customers find it a bit complicated controlling their personal information given out and collected by the bank, and its other businesses or government agencies that they could be shared with or sold to. It is required by the law that customers have to be given an option in order to decide what personal data can be collected and given out to third party or affiliated businesses, such options include the opt-in and opt-out methods. The UK follows the opt-in scheme under the provisions of the privacy and Electronics Communications Regulations 2003. The provision of an opt-out method gives the customer the choice of preventing personal information being disclosed to affiliated or non-affiliated businesses and third parties, while providing an opt-in option is the reverse which allows for the sharing of information for purposes specified by the bank (Giglio, 2005). Further, research discovered that customers must clearly inform companies of their wishes to opt-in or opt-out when registering or filling out online forms for the use of online banking or other internet services provided by the bank. In that case customers are to be told what, which and how their data can or may be used, they should also be given an explanation or description about what circumstances or situations by which personal information may be disclosed to third parties. The principles of rights based ethics (contractrianism) states that the cus tomer also has the right to know, the right to privacy and the right to property. Although, some customers might not mind having their personal data being shared, others might mind and tend to mind a lot. A major challenge being faced in the IT industry today is ensuring that sharing of data is secure and safe guarded (Raab, 2008). An IT professional should ensure that customer personal data is protected and is only shared with trustworthy third parties. And it is also the responsibility of the IT professional to ensure that personal data is used only for its primary or intended purpose or that which has been specified by the customer. One of the ethical principles in the BCS (British Computer Society) code of conduct states that You shall have regard to the legitimate right of third parties Third parties being referred to here could be viewed as the customer, and it is expected of an IT professional to know, understand and abide by the law and are also expected to regard and respect the rights of individuals, third parties and the society at large (Duquenoy et al 2005, p. 2). There have been a lot of cases whereby personal data is used for purposes other than which they have been collected for and this is ethically wrong. It is also called the secondary use of personal information which is the use of such information other than the purpose it was supplied for (Duquenoy et al 2005, p. 5). According to a research conducted through the distribution of questioners to a few people who make the use of online banking services with their banks in the UAE, 75% of customers get unsolicited mails about the banks new products and offers which they never requested for or signed up for, 8% view this as an intrusion of their privacy and specify not to be mailed about such future produ cts. The remaining 17% seem not to have been educated and informed properly about how to opt-out from the use of their personal data for distribution and marketing purposes or opt-in if they require being aware of promotions and offers the bank makes. It is essential for the bank to foster trust between itself and the customer as this is good for business and it is a known fact that it is harder to regain trust than initially gaining it. This is why it is essential that much more effort be put in place to secure customer data sharing (Raab, 2008). While conducting an interview with Suhail bin Taraff, an IT staff of Emirates NBD which is the largest bank in the UAE, it was noted that the customers that make use of the internet banking services of the bank would require to opt-in by ticking a check box in their personal online banking account if they require to be notified of products the bank offers and if they would also require their personal data passed on to third parties and affiliates of the bank producing similar or specific products or services.Online banking has two types of risk: maintaining integrity of customer information and preventing unauthorised use of such data (Gupta, 2006). The indiscriminate use of personal data is viewed as a violation of an individuals privacy right and in the UK the right to privacy is covered by the Data Protection Act. The second principle of the Data Protection Act 1998 states that the customer has the right of information about the processing of their personal data, including the rig ht to be informed either at the time the data is first processed or when that data is first disclosed to a third party, and also the right of access to their personal data (Duquenoy et al 2005, p. 20). Although the law cannot keep pace with technology, under the Data Protection Act a person has to demonstrate if they have been subjected to unwarranted distress/damages through their datas exposure in order to claim any sort of compensation (Raab, 2008). Does the government have the right to monitor online banking transactions? Businesses view the use of information as a means to making more money while the government tend to view information as a means to protect security. However, in both cases individuals or groups have limited control on how their personal data is used. It is found to be known that knowledge is power and the more information the government gathers about customers bank transactions the more power they have over them and the less power the customers have. And there could be abuse of such power by the government or whoever is in charge to use such power, for selfish means or politically motivated aims. The government claims that they use the capabilities offered by IT to get the intelligence that enables them to meet their responsibilities to protect citizens. But most individuals have little confidence in the governments handling of their data and fear that there could be a misuse or misinterpretation which could lead to persecution and prosecution of innocent people in the application of law and order and also while protecting national security. There is also found to be a lack of confidence in the governments ability to protect personal data and keep it secure, most online banking customers fear that this could give the government too much power and control over them. Most customers tend to mind if the government or law enforcement agencies read their communications or view their bank transactions, even if they have not done anything wrong or have nothing to hide. Part two of article eight of the Human Rights Act, 1998 states thus: There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interest of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedom of others (Duquenoy et al 2005, pg. 11). In the United States of America, the government created a secret programme to monitor bank transactions of suspected terrorists or people having ties with them that routes through the Belgian based financial company SWIFT (Society for Worldwide Interbank Financial Telecommunication), since the terrorist attack that occurred on the 11th of September 2001. The proprietary electronic network, SWIFT, then gives the US government access to financial data from institutions worldwide (Jacobs, 2007). Banks tend to view privacy matters almost completely in conditions of regulatory conformity. But the same government that claims to protect the rights and freedom of individuals seem to invade it also. The Regulation of Investigatory Powers Act 2000 and the USA Patriot Act 2001 are legislations that tend to serve the interest of the state related to issues of counter terrorism and crime detection and support the monitoring and surveillance of individuals. Professor Charles Raab (2008) said that there is a need to question the sharing of personal data to cater the needs of society other than the protection of privacy. Some may argue that the monitoring of an individuals bank account transactions without their consent violates the rights of confidentiality and anonymity of such customer. Any country that signs up to the UN Declaration of Human Rights must make sure they take steps to protect privacy. In Europe the EU includes privacy in its convention on Human Rights while the UK includes it in the Data Protection Act. In the UK the monitoring of a customers bank transactions and data can be viewed as an invasion of the customers privacy by the government and violates the privacy rights of the customer and goes against the data protection act which states that personal data can only be processed when consent has been given or necessary to contract and must be only for specified purposes, adequate, relevant and not excessive, not kept longer than necessary and processed in ac cordance with rights of data subject (ICO, 2010). According to a research conducted by the BCS, 61% of members believe that there is an inequality between the data rights of the individual and the state while only 17% believe that the present legal regulations on data are sufficient (BCS, 2010). The secure handling of a customers personal information is a legal, ethical and social requirement in online banking (Duquenoy et al, 2005). The potential for abuse is great in online banking therefore ethics plays a vital role. Ethical issues that arise in online banking gives a cause for concern, for example more than 24,000 HSBC customers were affected by a breach in the storage of their personal information in the banks data centre on the 15th of March 2010, this was as a result of data theft by one of the IT employee (BCS, 2010). This shows a disregard of the ethical principle which implies respect for other people. Unauthorised use of an individuals personal computer without their permission or knowledge could be termed as an invasion of that individuals privacy. Unauthorised access of personal information or poor security measures in Information Systems put customers (society) at risk and this could result in a loss of confidence by the general public and could have a negative effect on the use of online banking services. It is also viewed as a social issue due to the effect it has on the general public and prospective customers. This could lead to hacking or installation of spyware in the individuals computer and puts the owners personal data at risk. There are many legal issues that affect online banking like identity theft, protecting privacy, online crime and misuse of data. Using the internet has its own risk and most customers expect laws to be in place that will protect them while banking online. In the banking industry, the Gramm-Leach-Biley Act of 1999 (GLBA) was passed to augment the protection of privacy while the Data Protection Act (1998) covers the right to privacy in the UK. The law is in place to protect digitally stored personal information from being widely distributed and mismanaged. Organisations are required by the act to make sure that personal information is kept secure. Professional issues could imply how a professional should act and also their role in the design, implementation of data systems and in the manipulation, modification of data and the important role they play. The BCS is the professional body for those employed in the IT industry in the UK. One of the aims of the BCS is to maintain standards in the industry and in most cases these are translated into principles set out in a code of conduct (Duquenoy et al 2005, p. 5). IT professionals are expected to know the law and abide by it. They are also expected to ensure public safety and respect the rights of third parties like the general public. Conclusion Online banking technology seems to be slowly adopted by majority of prospective customers despite being aware about the usefulness of this technology and this is due to the fact that customers are seriously concerned about the privacy of their data and do not really feel secure giving out their personal data digitally. A number of privacy issues have been analysed and discussed in this essay and the rights and control customers have of the use of their personal data, the measures and steps they can use to protect their personal information and the degree to which government agencies have access to the customers bank transactions and personal data. The professional, legal, ethical and social requirement in online banking technology and how an IT professional should apply ethical principles in the use and handling of a customers personal data. Reference List Ashworth, L. Free, C. (2006), Marketing Dataveillance and Digital Privacy: Using Theories of Justice to Understand Consumers Online Privacy Concerns, Journal of Business Ethics, Vol. 67, pp. 107-123. Duquenoy, P, Jones, S, Rahanu, H, Diaper, D, (2005) Social, Legal and Professional Issues of Computing. Middlesex University Press 2005 Stamatellos, G. (2007), Computer Ethics: A Global Perspective, Jones and Bartlett Publishers Mason, R, 0, (1986) Four Ethical Issues of the Information Age, Issues and opinions, MIS quarterly Earp, J. B. Payton, F. C. (2006), Information Privacy in the Service Sector: An Exploratory Study of Health Care and Banking Professionals, Journal of organizational computing and electronic commerce, vol. 16, no. 2, pp. 105 122. Giglio, V. (2005), Privacy in the world of cyberbanking: Emerging legal issues and How You Are Protected. Ng, P. (2010), What is online banking? viewed 20 February 2010, http://www.wisegeek.com/what-is-online-banking.htm Roundtree, D. (2001), Taking Care of Customer Privacy, Bank Technology News, Vol.14 Issue 11, p.20. European Parliament Blocks US powers to monitor EU bank transactions, viewed 21 February 2010, http://www.out-law.com/page-10748 Nadim, J and Noorjahan, B. (2007), Effect of Perceived Usefulness, Ease of Use, Security and Privacy on Customer Attitude and Adaptation in the Context of E-Banking, Journal of Management Research, vol. 7, no. 3, pp. 147 157 Howcroft, B, Hamilton, R. and Hewer, P. (2002), Consumer Attitude and the Usage and Adoption of Home-based Banking in the United Kingdom, The International Journal of Bank Marketing, 20(3): 111-121. Jamieson, P (2005), Consumers and Online Banking, Point for Credit Union Research Advice Dewan, R and Seidmann, A. (2001), Current Issues in E-BANKING, Communications of the ACM; Vol.44 Issue 6, p. 31-32 Raab, C. (2008), The privacy conundrum, viewed 13 March 2010, http://www.bcs.org/server.php?show=conWebDoc.17577 The office of the Information Commisioner, viewed 13 March 2010, http://www.ico.gov.uk British Computer Society (2010). Code of Conduct, viewed 10 March 2010, http://www.bcs.org/server.php?show=nav.6030 Gupta, A, (2006), Data Protection in Consumer E-banking, Journal of Internet Banking and Commerce, vol. 11, no. 1 State has more data on citizens than necessary, say BCS members, viewed 26th March 2010, http://www.bcs.org/server.php?show=conWebDoc.34817 Jacobs, E, (2007), SWIFT Privacy: Data Processor Becomes Data Controller, Journal of Internet Banking and Commerce, vol. 12, no. 1 The basics, in Information Commisioners office, viewed 9th March 2010, http://www.ico.gov.uk/what we cover/freedom of information/the basics.aspx Freedom of Information Act (2000), viewed 15th March 2010, http://www.opsi.gov.uk/Acts/acts2000/ukpga 20000036 en 1 Pilon, M, (2010), Data Theft Hits 3.3 Million Borrowers, The Wall Street Journal, viewed 29th March 2010, http://online.wsj.com/article/SB10001424052702304434404575150024174102954.html?KEYWORDS=data+theft+hits+33+million+borrowers
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.