For the financial services industry, compliance with regulatory standards governing information privacy and security has never been more challenging than it is today. In the last eight years alone, eight new federal laws have targeted the industry.
Much of this legislation focuses on protecting non-public information (NPI), such as information appearing on applications for obtaining financial services like a credit card or loan, and its counterpart, personally identifiable information (PII), including customer account numbers and Social Security numbers.
Understanding data protection laws is no simple matter, and the Big Data era in which financial institutions now operate has further complicated efforts to track, manage and control information as part of financial institutions' business processes. In the context of legal and regulatory compliance, the risks and costs associated with the failure to proactively manage NPI and PII – including inadvertent disclosure – can include costly sanctions for noncompliance and serious reputational damage with significant business consequences.
Although financial institutions face key challenges within the tangled web of data privacy laws and regulations, they can take proactive steps to mitigate risk associated with confidential data.
Implement an information governance program. If thoughtfully designed and implemented, an information governance program can help organizations control confidential data. Key elements should include privacy and security policies that protect confidential information about consumers and employees, as well as retention procedures that ensure that data containing consumer information is retained for the required statutory period – and no longer.
Perform periodic privacy audits. Financial institutions should annually audit compliance with their privacy policies to identify vulnerabilities in security procedures. This audit should also compare the company's measures against the current legal and regulatory framework to detect and rectify any gaps. Documented retention policies should also be audited to ensure compliance.
Know how data is managed in the cloud. Many financial institutions have outsourced data processing and related functions to third-party cloud providers. Organizations should perform due diligence and security vetting to ensure that the provider has sound security policies in place governing data storage, access and retention, and should understand a provider's procedures for handling security breaches and disaster recovery. Guidelines or requirements in these areas should be applied uniformly to all of the institution's service providers and reviewed annually to determine whether policies should be updated.
Implement employee policies. As part of their privacy policies, corporations can take a number of measures to avoid exposure by employees. For example, they should limit access to PII and NPI, perform thorough background checks on employees with access to sensitive data and remain vigilant for internal security breaches by monitoring employee email and Internet use. Many companies allow employees to store company data on smartphones and other devices. Without strategies to secure this data, corporations are even more vulnerable, particularly when devices are connected to an unsecured or public network, or when devices are lost or stolen. Companies should govern the use of these devices and require that employees take measures to protect them.
Ensure litigation readiness. The best time to address the risks associated with Big Data is before a triggering event, such as litigation or a government investigation, occurs. A comprehensive plan should include protocols and policies to manage confidential data, including a timeline of tasks and names of the stakeholders – both internal and external – who are responsible for each action. Organizations also should create a data map that specifies the types of confidential data they create and where it is stored to facilitate a more effective and timely response during a crisis.