Response to 2015 WSJ Article

The Wall Street Journal has published a lengthy piece (Provider of Personal Finance Tools Tracks Bank Cards, Sells Data to Investors, by Bradley Hope, 8/6/15) that affirms what Yodlee customers and partners already know: Yodlee is an industry leader in value-enhancing analytic products, and independent auditors and leading academic experts have confirmed we uphold the highest safety, security, and privacy standards in the business. Nevertheless, the article contains a number of concerning misapprehensions, insinuations, and omissions.

Yodlee is driven by the conviction that every business, no matter its model, must make advances in data analytics to survive and thrive. And we have for years enabled companies to make better decisions through rigorous, empirical data analysis.

Here are some other key facts you should know about Yodlee, many of which you won’t find in the Journal story.

Yodlee has a very limited number of partnerships with firms to develop more sophisticated analytics solutions. These partners only receive a small, scrubbed, de-identified, and dynamic sample of data to enable trend analysis. Yodlee does not offer, nor do partners receive, raw data.

Yodlee’s partners are contractually prohibited from sharing our data, and from even attempting to re-identify its source. They are also bound to maintain our strict legal, technical, and administrative controls that restrict who can access the de-identified data.

Yodlee’s partners have no business reason or incentive to re-identify individuals. The Journal presented no evidence that they have violated these restrictions.

Troublingly, The Wall Street Journal insinuates, by associating Yodlee’s practices with the results of an MIT study, that it might be possible to re-identify our data. The MIT study is inapplicable here.
This is not a matter of opinion, but objective fact, and was explicitly pointed out to The Wall Street Journal both by Yodlee and by data privacy expert Professor Peter Swire, who informed the Journal:

“My view is that the study's results do not apply to the Yodlee facts. The MIT study was simply anonymized, in contrast to the multiple layers of technical protections that Yodlee applies. The MIT study did not apply to organizations that have made contractual commitments not to try to re-identify data, and so would be subject to legal enforcement even for attempting to re-identify individuals. The Yodlee data is kept behind a firewall, and no one can re-identify data that they can’t even access. The combination of technical and organizational controls that Yodlee deploys thus, in my view, means that the results in the MIT study do not apply to Yodlee’s facts.”

The Wall Street Journal provided no evidence or study showing it is possible for Yodlee’s data products, which are protected, non-public, and scrubbed, to re-identify individuals.

We’ve included a statement from Professor Anton below which was also provided to The Wall Street Journal. The Journal elected to omit the quote, and the story only includes a brief quote from Swire.

Our view is that, despite weeks of good-faith interaction in which we repeatedly tried to educate the Journal and elucidate our business practices, this story fails to meet basic journalistic standards by omitting key facts and relying on insinuation to give readers a limited and distorted view of our business.

The overriding question, today and tomorrow, is not whether businesses will need to leverage data to succeed (they will) but whether they can do it intelligently, securely, and in a way that does everything possible to protect privacy. Yodlee is an industry leader at doing just that, and we will continue to uphold the highest industry standards as we compete, grow, and innovate.

* * *

Addendum:

“Yodlee’s practices fundamentally differ from the re-identification reports in the academic literature. Those studies have gone after databases posted on the public Internet, so that researchers could try numerous technical means to seek to uncover one or a limited number of names in a large dataset. By contrast, Yodlee’s data is protected behind firewalls and other technical and administrative controls. An attacker would first need to breach the database, and then also crack data that is extremely well protected. This combination of strong technical and administrative controls is exactly what regulators have recommended to responsible companies. So this is a story about what companies are supposed to be doing with individuals’ data.”

“As a software engineer, I know that it is essential to have a comprehensive system in place to control data privacy and security when it enters an organization, during its handling, and when it leaves. Yodlee has done impressive work in engineering its data systems accordingly.”

—Professor Annie Anton, Professor and Chair, School of Interactive Computing, Georgia Tech; Founder and Director: ThePrivacyPlace.org; Former member, Department of Homeland Security Data Privacy and Integrity Advisory Committee