For the financial services industry, compliance with regulatory standards governing information privacy and security has never been more challenging than it is today. In the last eight years alone, eight new federal laws have targeted the industry.
Much of this legislation focuses on protecting non-public information (NPI), such as information appearing on applications for financial services like a credit card or loan, and its counterpart, personally identifiable information (PII), including customer account numbers and Social Security numbers.
Understanding data protection laws is no simple matter, and the Big Data era in which financial institutions now operate has further complicated efforts to track, manage and control information as part of their business processes. In the context of legal and regulatory compliance, failure to proactively manage NPI and PII – including inadvertent disclosure – can result in costly sanctions for noncompliance and serious reputational damage with significant business consequences.
Although financial institutions face key challenges within the tangled web of data privacy laws and regulations, they can take proactive steps to mitigate risk associated with confidential data.
Implement an information governance program. If thoughtfully designed and implemented, an information governance program can help organizations control confidential data. Key elements should include privacy and security policies that protect confidential information about consumers and employees, as well as retention procedures that ensure that data containing consumer information is retained for the required statutory period - and no longer.
Perform periodic privacy audits. Financial institutions should annually audit compliance with their privacy policies to identify vulnerabilities in security procedures. This audit should also compare the company's measures against the current legal and regulatory framework to detect and rectify any gaps. Documented retention policies should also be audited to ensure compliance.
Know how data is managed in the cloud. Many financial institutions have outsourced data processing and related functions to third-party cloud providers. Organizations should perform due diligence and security vetting to ensure that the provider has sound security policies in place governing data storage, access and retention, and should understand a provider's procedures for handling security breaches and disaster recovery. Guidelines or requirements in these areas should be applied uniformly to all of the institution's service providers and reviewed annually to determine whether policies should be updated.
Implement employee policies. As part of their privacy policies, corporations can take a number of measures to reduce exposure arising from employee actions. For example, they should limit access to PII and NPI, perform thorough background checks on employees with access to sensitive data and remain vigilant for internal security breaches by monitoring employee email and Internet use. Many companies allow employees to store company data on smartphones and other devices. Without strategies to secure this data, corporations are even more vulnerable, particularly when devices are connected to an unsecured or public network, or when they are lost or stolen. Companies should govern the use of these devices and require that employees take measures to protect them.
Ensure litigation readiness. The best time to address the risks associated with Big Data is before a triggering event, such as litigation or a government investigation, occurs. A comprehensive plan should include protocols and policies to manage confidential data, including a timeline of tasks and the names of the stakeholders – both internal and external – who are responsible for each action. Organizations should also create a data map that specifies the types of confidential data they create and where it is stored, to facilitate a more effective and timely response during a crisis.
Utilize technology. In litigation or investigations, utilizing advanced technology can help firms more effectively balance the need to meet discovery obligations – which often require the review of terabytes of emails, spreadsheets and other documents – with the need to protect confidential information contained in those documents. Automated redaction tools, for example, allow corporate counsel and their law firms to search across data sets for user-provided terms (such as email addresses) and automatically redact those terms from the document more expeditiously than traditional manual review. These tools can be utilized in conjunction with advanced data detection techniques that identify PII or NPI within a document, including formatted data such as account and Social Security numbers. Similarly, inverse redaction tools allow reviewers to specify the text they wish to keep in a document and redact all remaining content quickly and easily. Use of such advanced tools can help organizations meet privacy protection requirements both expeditiously and cost-effectively, while simultaneously minimizing the risk of inadvertent disclosure of confidential information.
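An added example, not from the article or from Xerox Litigation Services, of the redaction approach described above: pattern-based detection of formatted identifiers such as Social Security and account numbers, redaction of user-provided terms, and inverse redaction that keeps only specified text. The sample document, patterns and redaction markers are constructed for illustration.

```python
import re

# Constructed sample document for demonstration only (no real data).
SAMPLE_DOC = (
    "Applicant Jane Roe, SSN 123-45-6789, account 4111-2222-3333-4444, "
    "contact jane.roe@example.com, submitted a loan application on 2013-04-02."
)

# Illustrative detectors for formatted data; real tooling would add
# format validation (e.g. SSN area-number rules) to cut false positives.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ACCOUNT": re.compile(r"\b(?:\d{4}-){3}\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
}

def find_pii(text):
    """Return (label, start, end) for every detected identifier, by position."""
    spans = [(label, m.start(), m.end())
             for label, pat in PATTERNS.items() for m in pat.finditer(text)]
    return sorted(spans, key=lambda s: s[1])

def redact(text, terms=()):
    """Replace detected PII and any user-provided literal terms with markers."""
    out = text
    for label, pat in PATTERNS.items():
        out = pat.sub(f"[{label} REDACTED]", out)
    for term in terms:
        out = out.replace(term, "[REDACTED]")
    return out

def inverse_redact(text, keep):
    """Keep only the listed phrases; every other span becomes one marker."""
    keep_spans = sorted((m.start(), m.end())
                        for phrase in keep
                        for m in re.finditer(re.escape(phrase), text))
    pieces, pos = [], 0
    for start, end in keep_spans:
        start = max(start, pos)          # tolerate overlapping keep phrases
        if start >= end:
            continue
        if start > pos:
            pieces.append("[REDACTED]")
        pieces.append(text[start:end])
        pos = end
    if pos < len(text):
        pieces.append("[REDACTED]")
    return " ".join(pieces)
```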
Financial services institutions that fail to take measures to protect their PII and NPI face the increased risk of penalties, sanctions and reputational damage. These risks are significant and corporations should follow best practices to help insulate against potential liabilities.
Gabriela P. Baron Esq. is vice president of business development for Xerox Litigation Services, the e-discovery division of Xerox. She assists Xerox Litigation Services' largest clients with regulatory investigations, major class actions, employment matters and commercial cases filed in federal and state courts. Baron can be reached at email@example.com.