Privacy Policy At Citigroup
Short Assignment: Policy Analysis
By Li Chen
As a holder of a Citibank credit card, I think that a credit card company's information security for its customers is the most important factor for a credit card company. If one company has a good record and another has a bad record, obviously I will choose the first one. If I cannot trust a company, I would not become a member of that company. Normally, even if I have already ordered items from a company, once I cannot trust it, I will cancel the order. However, as a user of a credit card, you must provide some financial information to the company. In my view, financial information is the most important information for an individual. If your bank account number is revealed, you may go bankrupt. Hence, I chose to analyze Citigroup’s privacy policy.
Privacy Policy Summary
The privacy policy of Citigroup (http://www.citibank.com/us/index.htm) contains four sections: general privacy policy, online data policy, customer account privacy policy, and customer account privacy notice. Every section explains different facts.
Citigroup Privacy Promise for consumers
This section describes the general Citigroup promise to its customers. The promise states who can access customer information and mentions that Citigroup will use, control and update its customer information. In addition, Citigroup takes responsibility for requiring the organizations it hires to obey Citigroup’s Privacy Promise and for auditing them.
Citi.com Online Data Policy
With the rapid growth of the Internet, more and more e-commerce was born. Citigroup also provides online service for its customers. This section describes what a cookie is, how cookies are used to collect customer information, cookie filters, and how Citigroup uses other companies to set cookies and help Citigroup gather information. They also collect other information that customers provide online. All information gathered online and offline must be governed by the Citigroup privacy policy.
My Accounts Privacy Promise for Consumers
“My Account” focuses on convenience, control, and privacy for Citigroup customers. Citigroup and Yodlee, a famous world-class company, provide the online personal account service for their customers. This service does not transact information from Citigroup’s web site, and only the customer who knows the correct user name and password can access his/her account. Citigroup sets up a very secure environment for this service. It includes five components: firewall, intrusion detection, private addressing (using private IP addresses to protect servers), Secure Socket Layer, and sanitized systems (i.e. using minimum services to operate the application). In addition, professional firms regularly audit and inspect this service’s security.
My Accounts Privacy Notice
This section describes several sources from which Citigroup collects personal information. Citigroup gathers information from registration pages, payment history, account activity, transactions, and other sources. Although Citigroup protects its collected personal information, in the following three cases Citigroup will share personal information with others: “(i) to companies that perform marketing, research and data processing services on our behalf; (ii) as permitted by law, including disclosures necessary to process and services your account, to protect against fraud, to protect the security or confidentiality of our records; or (iii) at your direction or with your permission”.
Criteria for Analysis
The following are my criteria for analyzing Citigroup’s privacy policy:
Which personal information is collected? What are the sources of the information?
Which methods are used to protect the collected information? Who can access, control, and maintain the collected information?
In which cases will the company violate its policy?
Is this privacy policy clearly described? Is it easy to understand?
Privacy Policy Analysis
Information collection
Citigroup collects all personal information that it can gather. It collects personal name, address, email address, payment history, and household income. They also gather user cookie information from the web site. They not only use the web site and transactions to collect information, but also use other methods to gather information, such as from your bank account and your insurance company. In my view, I do not like this way of collecting information, although Citigroup promises that they do not share this information with others. After learning the sources of the collected information, I always feel that others are inspecting me.
Security
Citigroup uses several methods to protect their security environment. They use private IP addresses for networking, minimize the services used to operate the application, and use SSL to encrypt the connection between customers and Web servers. The combined methods can enhance system security.
In addition, only authorized employees can access the collected customer information. I think it is a good method to protect customer information. But since Citigroup works with other companies to maintain their information, it is possible for this information to be revealed.
Disclaimers
Although Citigroup states that they do not share customer information with others, I think it is impossible. First, Citigroup hires some companies, i.e. Citigroup uses other companies’ servers, and those companies can get Citigroup’s customer information. Second, companies that perform marketing or research for Citigroup can also obtain the customer information. Finally, if it is required by law, Citigroup will provide customer information to others. Actually, I disagree with providing customer information because of the law, since it will reduce customer trust.
Ambiguity
For the most part, it is a well-written and easy-to-understand privacy policy. But I still feel confused at several points. First, this policy states that Citigroup will obey strict standards of security and confidentiality. What are these standards? I read the whole policy, but still cannot find them. Second, in the cookie section, the policy first points out that customers can decide whether to use cookies or not, but after this sentence, it says that if a customer does not accept cookies, he/she cannot use the online service. It is so funny! Why not point out directly that customers must accept cookies?
Recommendations for changes to policy
As for the content of this policy, it is so extensive that there is not much to change. It includes most of the things that I am worried about. They explain in which cases they will violate their policy and the detailed security environment they adopted. The only shortcoming in the content is that they do not provide a detailed link for the standards of security and confidentiality they obey.
However, they should provide a special URL for their privacy policy. I think it would be better if they provided a web page of frequently asked questions about their privacy policy, since it can help them improve the privacy policy's effectiveness.
Another issue is that they could allow the customer to decide what information can be collected and in which cases it can be used. I think that no customer wants his/her information to be collected.