Data protection practices and governance, action items for firms

Regulators want to see how well the organizations they oversee protect personal data. The challenge is to craft these protection protocols to meet their demands and to provide evidence of compliance.

It is getting more costly to fall short. The average total cost of a data breach increased 23 percent over the prior two years to $3.79 million, according to a study for IBM by the Ponemon Institute that surveyed 350 companies in 11 countries. 

In addition to possible civil and criminal sanctions, such breaches can impair customer confidence, lead to a loss of revenue and market share and damage brand and shareholder values.

Risks associated with the security of client data need to be given the same priority treatment as other risks the firm manages, such as geographic, third-party vendor, credit, financial and conduct risk.

Financial services firms must allocate their resources to design a program that adequately reins in this risk, including ensuring that sufficient skill remains in-house to be able to assess the suitability and quality of data protection services provided by outside experts.

U.S. federal and state laws

In the United States, no one comprehensive national law regulates the collection and use of personal data. Rather, the framework for "best practices" is set by a patchwork of federal and state laws plus some proposed rules and programs.

In 2015, the White House submitted a discussion draft of a Consumer Privacy Bill of Rights that establishes baseline protections for individual privacy in the commercial arena.

The Financial Services Modernization Act, as part of the Gramm-Leach-Bliley Act, applies broadly to financial services firms and businesses that supply financial services and products. It regulates the collection, use and disclosure of financial information, limiting the disclosure of non-public personal information, and in some cases requires financial firms to provide notice of their privacy practices and an opportunity for data subjects to opt out of having their information shared.

The Fair Credit Reporting Act applies to consumer reporting agencies, those who use consumer reports (such as a lender) and those who provide consumer reporting information (such as a credit card company).

Several U.S. states have enacted privacy legislation, most notably Massachusetts and California.

California's "Shine the Light" privacy law resembles the European approach to privacy protection by requiring companies to disclose details of the third parties with whom they have shared customers' personal information. The state's data security law requires businesses to implement and maintain reasonable security procedures to protect personal information from unauthorized access, destruction, use, modification or disclosure. It also has a breach notification law that requires any business or person who has access to computerized data that includes personal data to disclose any breach of their systems.

Massachusetts takes a preventative stance, prescribing in detail the extensive list of technical, physical and administrative security protocols aimed at protecting personal information that companies must implement and describe in a written information security program.

For U.S. companies engaging in cross-border transfers of personal data between Europe and the United States, there are several options available. These transfers must meet the requirements of the EU's Data Protection Directive, which gives its citizens notice of their privacy rights, the choice whether their personal information can be used, access to this information and dispute resolution rights.

Lacking similarly stringent protocols, the U.S. Department of Commerce developed a Safe Harbor program that enables companies to voluntarily adhere to a set of seven principles to meet the compliance requirements of the Directive.

The Federal Trade Commission (FTC) has recently focused its enforcement efforts on companies that inaccurately represent their certification under the framework. In 2015 the FTC brought a large number of enforcement actions against firms for misrepresenting their compliance with Safe Harbor certification.

In Singapore, the first enforcement matter under that country's Personal Data Protection Act was imposed in 2014, assessing a financial penalty on a company that sent unsolicited telemarketing messages. The law outlines how companies must protect the personal data in their care, notify persons about what data about them has been stored, and ensure that the information is not kept by these organizations when there is no longer a business or legal need to do so. 

A similar concept underlies the "right to be forgotten" under European Union law, poised to come into effect in 2018. Binding on all 28 EU members, the law supports the claim of an individual to have certain data deleted so third persons can no longer trace them. 

The EU right to be forgotten does not apply to financial services firms, just search engines, which must remove links with personal information about those persons when the information ceases to be accurate, adequate or relevant or can be considered excessive. But it illustrates the differences between countries when it comes to freedom of speech claims. Such a rule would face First Amendment obstacles in the United States, but compliance professionals should be mindful that other countries have different concepts when it comes to deleting outdated information.

Data protection checklist for financial services firms

Considering the legal imperatives discussed above and the rapid conversion of the global economy to an increasingly digital, internet-driven model in all respects, firms need to access the expertise that can help them create a strong data protection infrastructure.

Compliance officers can help the process by creating an evolving list of action items designed to help organizations begin the process of protecting the personal data of their clients. Two experienced information technology experts explained to me what should go into the list. The list assumes that the firm has already assessed what types of data about clients are collected and where the information is stored.

Collection of data
  • When collecting data, clearly inform the individuals about the purpose for which it will be collected, used or disclosed and obtain their consent in writing.

  • If you collect personal data from third parties, ensure the third party has obtained consent from the individuals to disclose it for your intended purpose.

  • Be able to show that the client understands what the process entails for withdrawing consent for this use or disclosure of their data.

  • Provide regular training to all employees and third-party employees who will have any contact with, or responsibility for, personal data on how to safely collect it, use it, store it, alter it and remove it.

Use of the data
  • The purposes for which you obtained consent to collect personal data must indeed be the only ones for which the firm and its vendors use it.

  • Any changes in the disclosure and use of the personal data collected should receive a new and separate consent in writing.

Access to the data
  • There must be a formal procedure in place to handle requests for access to personal data, including their purpose, an evaluation of the requester's data security measures, storage locations, access rights (individuals and other companies) and disposal mechanisms. Clients should be informed that another party has requested access to their details and for what purpose – and again, consent should be obtained in writing.

  • There must be a process in place at your firm and any others that have access to this data to handle correction requests – from how it is performed to who does it and verifies the changes are safely saved.

  • You should consider whether there are other parties that could gain access to the data through a backdoor mechanism – such as a password to another part of the system that does not contain sensitive details but through which a sophisticated hacker could navigate to gain such access.

  • Contractual arrangements for storing and transferring data overseas must include attestations that the data will receive the standard of protection accorded personal data in the United States and your organization’s own standards.

Audits and remediation
  • Your firm must have a schedule of regular audits of the protection applied to the data it holds – covering all of the considerations listed above, among others. Outside experts can help with this task, but an in-house audit should also be done to show regulators that the organization as a whole understands the processes being used and has a means to test them itself.

  • Draft a remedial plan that identifies the actions that must be taken – including the resources needed and people involved – in case a security breach occurs. Outside experts can certainly weigh in, but the remediation must suit the type and breadth of information your business retains and the risks your organization faces – and those areas are best considered in-house.

In-house expertise

Although regulators do not expect compliance and risk professionals to be experts in the area of data protection and information security in general, there is a certain level of understanding that must remain in-house.

That is, firms must maintain sufficient internal understanding of the best practices enumerated above and of data protection in general to be able to ask the right questions – and the right follow-up questions – when hiring business partners to help manage this data. There needs to be enough firm-based know-how to oversee this work with the skepticism and high standards this risk area requires.

A potential over-reliance on third-party assurances can be detrimental, and it would be wise for any firm to have one board member that can speak "tech speak" and generally be aware of the relevant best practices in this evolving arena.

Julie DiMauro is a regulatory intelligence and e-learning expert in the GRC