“I was a scared counsel once,” opined Thomas Boyd, partner at DLA Piper, speaking of his former life at a financial services firm, “lying awake at night worrying about the letter we might receive one day.” For the financial services industry is among the most heavily regulated in the U.S., and it can be difficult to know just what the powers that be are focusing on this week, month, year.
That maybe explains why the closing panel at the IAPP’s Practical Privacy Series (PPS)-New York event yesterday was so well attended. Moderated by Boyd, and featuring representatives of the Office of the Comptroller of the Currency (OCC), the California Office of the Attorney General (AG) and the Consumer Financial Protection Bureau (CFPB), the discussion focused on insight into where regulators are focusing their efforts and what financial services companies can do to avoid their wrath.
For example, said Joanne McNabb, CIPP/US, CIPP/G, CIPT, “We look on breaches as opening a window into organizational practices, a window you would rather not have opened.” From her seat as director of privacy education and policy in the California AG’s office, McNabb has seen some 300 breaches reported since the 2012 law mandating reporting to the office went into place and has picked up on plenty of trends. (See the AG’s recent breach report for more details.)
She noted that financial services has reported 90 of those breaches, and the trend is toward insider mistakes and insiders doing malicious work. “You might want to make it impossible for them to do the wrong thing,” McNabb said by way of advice, by introducing better access controls, for example—especially since 77 percent of those breaches involved Social Security numbers, and “it’s hard to know what the consequences of that are.”
“You’ve got sensitive data,” McNabb deadpanned. “Duh.”
Bank of America CPO Christine Frye, CIPP/US, CIPM, wondered if financial services reported a greater percentage of insider breaches due to the market’s history of heavy regulation and self-reporting.
“It could be that you’re more efficient in noting error,” McNabb allowed. “Insider error would be a breach where someone mistakenly posted something on the internet or sent an email to the wrong person and would be self-reported. Maybe you are better at that.”
McNabb emphasized that enforcement actions were much more likely to come from those companies that don’t self-report and don’t have robust privacy programs to avoid breaches in the first place.
The CFPB, on the other hand, has almost zero record of enforcement after two years of existence. Boyd grilled CFPB Senior Counsel, Research, Markets and Regulations Pavneet Singh on why that might be. “You haven’t really been involved in enforcing privacy in the way we expected you would,” he said. “Will it be a higher priority?”
Singh was reluctant to get too specific on the bureau’s priorities but noted the organization is still very much in a learning mode and that it took a great deal of direction from the FTC’s unfairness actions.
Further, she noted the CFPB has already issued significant rule-making, including the recent decision to allow financial services companies to post privacy notices online, rather than sending them annually to every customer, provided the notice hadn’t changed in the interim.
“That reduces the compliance burden considerably,” she noted.
OCC National Bank Examiner Melissa Love-Greenfield said her organization similarly isn’t looking for "gotcha" moments. “We’re looking at your whole data life cycle,” she said. “How do you control data from the onset; who has access to that data, and if you’re transmitting data, how do you protect that data during transmission?”
And if there is an incident of unauthorized access?
“If you’ve thought about how you’re going to respond beforehand,” Love-Greenfield said, “then the way you respond will be a lot smoother than if you try to figure it out on the fly. Those companies who have taken the time to think about what they’re going to do to respond have a much smoother ride through the incident.”
Further, she said, “Companies that do ongoing risk assessments are the most successful. Those that see risk as one-and-done are the ones that have ongoing issues. You have to be continuously looking at risk and becoming a lot more dynamic with risk assessments, running them more frequently and getting a more accurate picture of your risk.”
Where does that risk tend to come from?
Love-Greenfield was the most precise about the threats she sees in the marketplace: “The area that pops up most frequently is vendor relationships. You have to truly understand what you’ve asked vendors to do on your behalf and understand the controls those vendors have in place.”
The IAPP’s PPS-NY continues today with a program focused on data breach response.