Viewpoint: Assume Any Security Program Will Fail, and Cover Your Risks

All depository institutions must have comprehensive information security programs in place by July 1. Will these programs guarantee anyone's safety?

One of the biggest fears and concerns of any business operating in an electronic environment today has to do with threats to the security of the sensitive private data it maintains.

Though most companies have addressed security concerns at a basic level - perhaps only to the extent required by regulatory bodies - few, if any, have taken steps to minimize their legal liability in the event of a real problem.

This issue is not limited to business-to-consumer models, and it is not only consumers who are worried about compromise of sensitive data. Moreover, a business-to-consumer breach typically has spillover effects on a number of vendors involved with the compromised party. This increases the likelihood that any given company can get caught in the liability chain.

Everyone doing business in this environment must face a cold fact: There is no iron-clad security, no way to be sure that attacks from inside or out will be stopped in time, if at all.

At worst, a company has its fingers crossed, hoping that nothing happens to cause it huge embarrassment, loss of business, and money damages. At best, a company has firewalls, a secure socket layer, and a privacy policy.

Though depository institutions are now on notice that they must follow standards for safeguarding customer information, the real question is: What happens when, despite these safeguards, sensitive information gets loose? This question must be addressed by everyone doing business in the electronic environment because there is no reason to believe that it will never happen.

The issue here is not how to do a better job of protecting data, though that issue is in the background. The issue is how to manage the legal liability risk when data are compromised. What can the company do now to improve its chances of limiting money damages in the event of a problem that gives rise to litigation?

A company must dig down past its privacy policy, into its documented policies and procedures, into compliance monitoring, reporting, evaluation, and follow-up. How well have these policies and procedures been thought through? How are the policies administered? How detailed and thorough is the training program for personnel and how often is the training updated? What is the company's track record at compliance? How will the media be dealt with in the event of a problem?

And in an area that is perhaps most ripe for liability exposure, how does the company monitor its vendors' security practices and manage its risk from those sources?

Any company that is not asking and answering these hard questions and making the necessary changes is not properly managing its risk. The wisdom of insecurity is this: Assume that your security will eventually be compromised, and manage for that risk. The better the company is at managing these risks, the lower its exposure to liability will be in the event of an internal or external breach of security.

Ms. Hoover is the founder of the Hoover Partners Law firm in Washington.

Note to Readers

"Viewpoints" is a regular feature in American Banker, appearing every Friday. It serves as a forum for discussion and debate on a wide range of issues in the financial services industry, including management approaches and strategies, legislative and regulatory matters, and public policy in general.
We invite contributions and encourage diversity of opinion, whether in the form of commentary articles or letters to the editor about any aspect of our coverage. Please send submissions to:

Viewpoints/Editorial Department
c/o American Banker
1325 G Street, Suite 900
Washington, D.C. 20005

or e-mail your submission to barbara.rehm@tfn.com.
[If you are supplying a photo of the writer by mail, or as an attached JPEG or TIFF file by e-mail, American Banker's art department would prefer a head shot in color.]
