American Express 2015 Annual Report Download - page 39

consumers about its data collection, sharing and security practices and affords customers the right to “opt out” of the institution’s disclosure of their personal financial information to nonaffiliated third parties (with limited exceptions), and requires the financial institution to develop, implement and maintain a written comprehensive information security program containing safeguards that are appropriate to the financial institution’s size and complexity, the nature and scope of the financial institution’s activities and the sensitivity of customer information processed by the financial institution. The GLBA does not preempt state laws that afford greater privacy protections to consumers. Various states also have adopted laws, rules and/or regulations pertaining to privacy and/or information security, including certain potentially applicable financial privacy laws (such as a law in effect in California); data security and/or data disposal requirements (including potentially applicable requirements adopted in states such as Massachusetts and Nevada); online privacy laws (such as a law in effect in California); and laws relating to the confidentiality of certain types of data (such as laws governing certain health-related information and/or Social Security numbers, for which there are also potentially applicable federal laws, rules, regulations and/or guidance as well). Certain of these requirements may apply to the personal information of our employees and/or contractors as well as our customers. Various U.S. federal banking regulators and 47 U.S. states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted data security breach notification requirements with varying levels of individual, consumer, regulator and/or law enforcement notification in certain circumstances in the event of a data security breach. Data breach notification laws are also becoming more prevalent in other parts of the world where we operate, including Germany, Japan, Mexico, South Korea and Taiwan. In many countries that have yet to impose data breach notification requirements, regulators have increasingly used the threat of significant sanctions and penalties by data protection authorities to encourage voluntary breach notification.

We are also subject to certain privacy, data protection and information security laws in other countries in which we operate (including countries in the EU, Australia, Canada, Japan, Hong Kong, Mexico and Singapore), some of which are more stringent than those in the United States. We have also seen some countries institute laws requiring in-country data processing and/or in-country storage of the personal data of their citizens. Compliance with such laws could result in higher technology, administrative and other costs for us and could limit our ability to optimize the use of our closed-loop data.

In Europe, European Directive 95/46/EC (commonly referred to as the “Data Protection Directive”), which has been in place since 1995, provides for the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Data Protection Directive requires the controller and/or processor of an individual’s personal data to, among other things, take the necessary technical and organizational steps to protect personal data. We generally rely on our binding corporate rules as the primary method for lawfully transferring data from our European entities to our entities in the United States and elsewhere globally. European Directive 2002/58/EC (commonly referred to as the “e-Privacy Directive”) sets out requirements for the processing of personal data and the protection of privacy in the electronic communications sector. The e-Privacy Directive places restrictions on, among other things, the sending of unsolicited marketing communications, as well as on the collection and use of data about internet users.

In January 2012, the Commission proposed a data protection framework regulation to replace the Data Protection Directive. The EU legislative process is in its final stages, and the new regulation will affect parties, such as the Company, that collect and/or process the personal data of residents of Member States and may result in additional compliance requirements and costs. The new regulation includes, among other things, a requirement for prompt notice of data breaches, in certain circumstances, to data subjects and supervisory authorities, applying uniformly across sectors and across the EU, and significant fines for non-compliance.

In 2015, the European Central Bank and the European Banking Authority enacted secondary legislation focused on security breaches, strong customer authentication and information security-related policies. Likewise, the Commission released in December 2015 the text of its draft proposed network information security directive, to be implemented into national laws by Member States. PSD2 also contains regulatory requirements on strong customer authentication and measures to prevent security incidents.

Fair Credit Reporting

The FCRA regulates the disclosure of consumer credit reports by consumer reporting agencies and the use of consumer credit report information by banks and other companies. Among other things, the FCRA places restrictions (with limited exceptions) on the sharing and use of certain personal financial and creditworthiness information of our customers with and by our affiliates.

The FCRA was significantly amended by the enactment in 2003 of the FACT Act. The FACT Act requires any company that receives information concerning a consumer from an affiliate, subject to certain exceptions, to permit the consumer to opt out from having that information used to market the company’s products to the consumer. We have implemented various mechanisms to allow our customers to opt out of affiliate sharing and of marketing by the Company and our affiliates, and we continue to review and enhance these mechanisms to ensure compliance with applicable laws, rules and regulations and a favorable customer experience.
28