The recent explosion of class-action lawsuits related to hospital websites sharing sensitive personal health information has been raising concerns in every industry.
First came lawsuits claiming the unauthorized sharing of patient information from hospital websites to Facebook. After that, we saw several hospitals report the incidents as breaches of customer data that violated the Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA) and wiretapping laws.
These incidents should serve as a warning to banking and financial institutions, which are subject to data protection laws such as the Gramm-Leach-Bliley Act, which requires financial institutions to safeguard sensitive data, and to recent rulings by the Consumer Financial Protection Bureau.
To better understand the scale of website data sharing, Lokker conducted a global online privacy study that set out to determine the prevalence of data privacy threats, including the unauthorized sharing of data with third parties, across a variety of organizations’ websites. For the banking industry, the research sought to answer:
- What percentage of banking and financial institution websites utilize trackers, pixels and third-party software?
- Is protected personal financial information being shared from these websites with third parties?
In our evaluation of 3,500 websites in banking and financial services, we found that more than a third of the websites had the Facebook pixel and close to 20% had the LinkedIn pixel. Also represented in the findings were the Twitter pixel (10% of the websites), Oracle tracker (7%), TikTok pixel (2%), Pinterest pixel (2%) and the Snapchat pixel (2%).
This is significant because the collection and sharing of data via web trackers and JavaScript (as a “pixel,” or tracking code) may be in violation of the financial services data protection acts. Under the Gramm-Leach-Bliley Act, nonpublic personal information (NPI) is defined as “any information you get about an individual from a transaction involving your product or services. For example, the fact that they are your customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases.”
Imagine a scenario in which a customer visits their bank’s website and completes a customer service form requesting help related to insufficient account funds. For those websites with tracking pixels, those actions (and content from that page) may be collected and sent back to social media sites. Those sites may then use that information to target the visitors with ads related to this behavior or promote third-party services related to insufficient funds, which could be a violation of privacy protections.
Often, banks aren’t aware that these trackers are on their sites, or they might not be fully aware of the extent of the data that is being shared. This can get banks in trouble with regulators as well as violate state privacy laws, such as the CCPA, which requires disclosure and consent before collecting and sharing personal information.
The first step is for banks to determine whether these pixels or trackers are present on their sites. Once a tracker is identified, organizations need to understand exactly what data is being collected from their web visitors and whether that collection complies with the law and with the company’s privacy policy.
Banks should also be able to regularly monitor their site’s usage of all third-party tools so they can detect any cybersecurity and privacy issues. Malware, code delivered from foreign domains and scripts sourced from newly registered domains often indicate risk.
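As an added illustration of the first step described above (finding out which pixels and third-party script sources a page carries), and not code from the article or from Lokker: a small Python audit that parses one page's HTML, flags the loader hosts of the pixels named in the study, and lists every host the page pulls scripts, images or frames from that is not the bank's own domain. The tracker hostnames and the sample page are assumptions constructed for this example; a real scan would fetch the rendered page and add checks such as domain registration age, which this offline script does not do.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader hosts of the pixels the study names (assumed from the vendors' public tag snippets)
TRACKER_HOSTS = {"connect.facebook.net": "Facebook pixel", "snap.licdn.com": "LinkedIn pixel",
                 "static.ads-twitter.com": "Twitter pixel", "analytics.tiktok.com": "TikTok pixel",
                 "s.pinimg.com": "Pinterest pixel", "sc-static.net": "Snapchat pixel"}

class _Collector(HTMLParser):
    """Gather src attributes of script/img/iframe tags and the text of inline scripts."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.srcs.append(src)
        self._in_script = self._in_script or tag == "script"
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html, first_party):
    """Return ({pixel name: evidence}, sorted third-party hosts) for one page's HTML."""
    c = _Collector()
    c.feed(html)
    trackers, third_party = {}, set()
    for src in c.srcs:
        host = (urlparse(src if "//" in src else "//" + src).hostname or "").lower()
        if host and host != first_party and not host.endswith("." + first_party):
            third_party.add(host)  # anything not served from the bank's own domain
        for th, name in TRACKER_HOSTS.items():
            if host == th or host.endswith("." + th):
                trackers[name] = src
    # Pixel base code is usually inline JS that injects the loader, so scan that text too.
    inline_js = "".join(c.inline)
    for th, name in TRACKER_HOSTS.items():
        if th in inline_js:
            trackers.setdefault(name, "inline loader for " + th)
            third_party.add(th)
    return trackers, sorted(third_party)

# Constructed sample page: first-party scripts, a stand-in for Facebook pixel base code with its
# <noscript> image fallback, a LinkedIn pixel, and a script from an unfamiliar domain to review.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script><script src="https://cdn.bank.example/ui.js"></script>
<script>!function(f,b,e){var t=b.createElement(e);t.src='https://connect.facebook.net/en_US/fbevents.js';
b.head.appendChild(t)}(window,document,'script');fbq('init','PIXEL_ID_PLACEHOLDER');fbq('track','PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView"/></noscript>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js" async></script>
<script src="https://newly-registered-cdn.example/x.js"></script>
</head><body><form action="/help"><textarea name="issue"></textarea></form></body></html>"""
```

Running `audit_page(SAMPLE_HTML, "bank.example")` reports the Facebook and LinkedIn pixels and four third-party hosts, while the first-party `cdn.bank.example` and the relative `/static/app.js` are left out.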
The bottom line: Getting visibility and control over the third parties on banking websites needs to be a priority in order to protect customer privacy, protect institutions from regulatory fines and penalties, and help organizations avoid costly lawsuits and reputational damage.
Ian Cohen is founder and CEO at Lokker.