While it has always been vital for entities handling financial information — account identifiers, investment records, account balances, transaction fees, payment card information, credit reports, and the like — to take appropriate privacy and data security precautions, never before has it been quite the pressing concern that it is today.
The rapid deployment of innovative new technologies and the widespread availability of Internet banking tools, mobile apps, and other online data sharing capabilities has escalated the vulnerabilities of those handling sensitive information dramatically. Meanwhile, privacy and data security issues are at the top of legislative and regulatory agendas at both the federal and state level; with penalties for non-compliance and data breaches on the increase. Regulated financial services companies such as banks, credit card providers, and other lenders, should already have strict controls in place. But many other types of businesses handle financial information without the benefit of industry-specific laws to guide them.
It’s hard enough for major corporations to mitigate the privacy risks they face, let alone small-to-medium sized companies with limited budgets. Nonetheless, there are basic steps that all companies, regardless of size and budget, should be taking to identify their unique privacy vulnerabilities, the appropriate controls to neutralize those exposures, and solutions to correct any specific deficiencies/weaknesses in the company’s administrative, technical and physical safeguards.
1. Understand Your Risks – The unprecedented quickness and ease with which data can be transferred from one party to another can be a boon for businesses. This enables companies to become far more efficient. However, there is a dark side to these new capabilities. Bad actors have become increasingly proficient at illegally accessing data, often sensitive in nature, such as financial information.
The trend toward outsourcing and placing data in the cloud has the potential to multiply the points at which data is vulnerable to theft.
One particular concern for those handling financial data is the recent rash of fraud involving the Automated Clearing House (ACH) network, which is used by financial institutions to process deposits, checks, and other transfers of funds between companies and individuals. Cyber criminals have enjoyed great success in recent years, obtaining bank account and routing number information to seize funds through a variety of nefarious schemes.
A single exposure via the ACH network or otherwise can have a devastating impact on a business, both financially and with public relations. Look no further than New Jersey-based payment processor Heartland Payment Systems. After the company was victimized by hackers (which accessed its system to steal more than 130 million credit card numbers), Heartland reportedly lost an initial $500 million in stock value, and in the year that followed spent more than $32 million in legal fees, fines, settlements and forensics.
But it doesn’t take the involvement of sophisticated criminals for companies to end up with egg on their face. The media is rife with stories each week about companies suffering data breaches simply as a result of careless actions. Many companies have been victimized by the poor judgment of their own employees who, for example, have tossed sensitive records into trash cans, or left them in gym bags in the locker room.
Thus, clear policies about keeping sensitive data onsite, encrypting data on portable devices, regular auditing, and employee training can be key.
Even when there is seemingly no harm done by a data breach, such as when a gym bag containing bank account numbers is discovered and returned to the rightful owner, there can be significant consequences. A survey released by the Ponemon Institute earlier this year found that the average cost of a data breach in the U.S. was $204 per compromised record in 2009, a figure significantly more expensive than other countries studied. This amount is attributable in large part to data breach notification requirements, which may apply even if the information ultimately is retrieved.
2. Know Your Obligations – Compliance with relevant federal and state privacy and data security regulations is an enormous task for any organization, particularly in the U.S. Unlike certain nations which have developed comprehensive privacy laws and dedicated federal agencies to manage privacy regulation (such as Canada and the European Union), the U.S. maintains a sectoral regulatory system.
Businesses in the U.S. face a virtual alphabet soup of federal and state privacy and data security laws. Depending on the types of data a company handles, it may be subject to CAN-SPAM, COPPA, ECPA, FACTA, FCRA, GLBA, or any number of other federal laws, as well as state laws which often differ from one another significantly. Private standards may also apply by contract, such as the mandatory Payment Card Industry Data Security Standards or Direct Marketing Association voluntary rules.
In addition to the vast array of explicit federal and state laws on the books, both the Federal Trade Commission (FTC) and state attorneys general have been increasingly aggressive in their enforcement of laws prohibiting “unfair and deceptive trade practices” against companies that say one thing about how they will use information they collect, then do another (particularly when it comes to sensitive data such as financial information).
One of the greatest challenges businesses face is how to handle a data breach, which happens far more frequently than many realize (according to the Identity Theft Resource Center, there were 498 significant, reported data breaches last year, exposing an estimated 222 million records). Because of the disparate nature of state breach notification laws (45 states as well as the District of Columbia, Puerto Rico, the Virgin Islands and New York City have passed their own laws) a data breach for a company operating nationally is extraordinarily complex to manage.
The obligations for businesses handling financial and other sensitive information will only grow more onerous in the coming years. The Best Practices Act, for example, which was introduced by Rep. Bobby Rush (D-Ill.) in July, proposes a bevy of new regulations to be administered by the FTC, with penalties for non-compliance reaching as high as $5 million.
3. Be Prepared – Although it is impossible for firms to ensure 100 percent protection against data breaches, and as IT professionals know, any company claiming to have “flawless” or “perfect” data security is either being dishonest or doesn’t understand that there is no such thing, regulatory compliance is achievable as is adequate preparation to handle data breaches if they occur.
Companies that put their best foot forward to prepare themselves appropriately not only handle incidents more smoothly, but often avoid the wrath of federal and state regulators. On the flip side, businesses not compliant with privacy regulations often have the hammer brought down by regulators when an incident compromises personal information. Certain privacy laws also offer citizens a private right of action to bring claims against companies that exposed their data.
If companies haven’t already developed a comprehensive privacy and data security plan (for some businesses, such as those doing business in Massachusetts, this is mandated by law), they should do so immediately.
Although privacy and data security policies often originate with and are best effectuated by IT departments, such policies must become integrated into all aspects of a business, such that every part of a company has systems in place to fully comply with legal requirements and minimize the risks involved. This is particularly true for financial information, which is likely to originate outside the IT function, and be handled by multiple personnel.
A starting point for mapping best practices when it comes to financial data privacy and security is the FTC’s “Red Flags Rule,” which was designed to help businesses to protect against identity theft. The Red Flags Rule is mandatory only for companies that fall within the definition of financial institution or creditor, but the FTC’s guidance provides a useful template for all businesses handling sensitive financial information.
Sometimes the most important fixes are ones that cost little or no money — it’s just a matter of companies focusing on their challenges and addressing them properly.
For example, two recent, similar, high profile breaches involving Lincoln National Corporation (“Lincoln”) and Twitter resulted from insufficient password management practices. Lincoln, a financial services firm, had been allowing passwords granting access to the personal data of 1.2 million customers to be shared for as long as seven years. An anonymous whistleblower alerted the Financial Industry Regulatory Authority to the issue, creating an embarrassing and costly situation for Lincoln.
Twitter suffered a breach in January 2009 leading to then President-elect Barack Obama’s account getting hacked. Administrative control of the account was achieved through the use of an automated password-guessing tool. Twitter’s password was a weak, lowercase, common dictionary word, and no mechanism was in place to suspend or disable an account after a reasonable number of unsuccessful login attempts. In June, Twitter entered into a highly publicized settlement with the Federal Trade Commission on charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information.
These incidents highlight the need for companies to have a comprehensive privacy and data security plan in place, so that policies are established and maintained to account for such deficiencies. Administrative, technical and physical safeguards should be incorporated into all aspects of the business, and regular audits should be implemented, to determine whether any corrections are necessary to ensure that the company is satisfying its regulatory responsibilities and security needs.
Compliance with privacy and data security laws is an essential element of running any business today, particularly when financial data is being collected, stored, processed or shared. IT managers provide enormous value to their companies when they insist on implementing adequate protections. While compliance can require a significant amount of resources, many important solutions will not break the bank.
At a minimum, companies should take the steps above, examining carefully the risks they face, and how they might be addressed. Those who fail to do so are truly playing with fire.
Elise Dieterich is a partner at Sullivan & Worcester LLP and leads the Telecommunications and Privacy & Data Security Groups.
Ron Whitworth is an associate in the Privacy & Data Security and Telecommunications Groups and is a Certified Information Privacy Professional (CIPP), as certified by the International Association of Privacy Professionals (IAPP). Sullivan & Worcester LLP is a leading corporate law firm providing counsel to domestic and international clients ranging from Fortune 500 companies to emerging businesses.