Banks and credit unions collect everything from names and email addresses to Social Security numbers and even passwords that customers may reuse on other accounts, so they must be careful about how customer privacy is protected as this data is gathered and stored. A handful of considerations should be top of mind any time customer information is collected.
Opt-in. With few exceptions, customers should be asked to opt in to information collection rather than be expected to opt out. This helps to ensure that customers are aware they are providing data and that they agree your FI, or its partners where appropriate, may use the information in the future.
Disclosure. Customers increasingly want to know where their data goes and how it will be used. If you want to retain their trust, tell them at the opt-in stage, and at every later data collection event, how your bank may use the information. Marketing and everyday operational activities are the most frequently stated uses. For example, banks must collect and verify identity information to comply with Know Your Customer (KYC) requirements, and if several business lines are active across the bank and each representative asks the customer for the same document, it is embarrassing for the bank and annoying for the customer. That said, using information for compliance and operational purposes feels different to a customer than handing it to the National Security Agency without a subpoena, or to marketers who will resell it or use it without discretion. If you plan to share customer data with your partners, say so in your disclosure notice so there are no surprises for customers.
Website and mobile application security. When customer information is collected through an FI’s website, security measures must protect both the entry and the transmission of that data: serve every page that handles it over TLS, and make the integrity and security level of the connection visible on screen so customers know they can safely type in their information. Mobile applications should be similarly protected, whether your FI or a third-party developer built them. Include a feature that regularly checks for new security updates or patches, downloads them over a secure channel, and verifies that they really came from you before installing them; a secure channel alone does not prove the update’s origin.
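The update check described above, as an added example that is not from the original article: the app carries the publisher’s public key, and an update is installed only if its manifest is signed by that key, its package bytes match the signed digest, and its version is newer than the one installed. The manifest layout (UpdateManifest) and the use of Ed25519 release keys are assumptions made for this example, not anything the article specifies; the example goes one step beyond the text by checking a signature and a version floor in addition to using a secure download channel.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is the small document the app fetches alongside an update
// package. Its layout (version, package digest, publisher signature) is an
// assumption for this example, not a format any particular FI uses.
type UpdateManifest struct {
	Version   int
	Digest    [32]byte // SHA-256 of the package bytes
	Signature []byte   // Ed25519 signature over signedBytes(Version, Digest)
}

// signedBytes binds the version to the digest, so a valid signature on an old
// package cannot be re-used with a newer version number.
func signedBytes(version int, digest [32]byte) []byte {
	return []byte(fmt.Sprintf("update-manifest-v1|%d|%s", version, hex.EncodeToString(digest[:])))
}

// SignManifest runs on the publisher's build server with the private release
// key, which never ships inside the app.
func SignManifest(priv ed25519.PrivateKey, version int, pkg []byte) UpdateManifest {
	d := sha256.Sum256(pkg)
	return UpdateManifest{Version: version, Digest: d, Signature: ed25519.Sign(priv, signedBytes(version, d))}
}

// VerifyUpdate runs inside the app. pub is the publisher's public key pinned
// in the binary, so a compromised CDN, mirror or TLS-intercepting proxy cannot
// substitute a package; installedVersion blocks downgrades and replays.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion int, m UpdateManifest, pkg []byte) error {
	if m.Version <= installedVersion {
		return errors.New("update rejected: version is not newer than the installed one")
	}
	if !ed25519.Verify(pub, signedBytes(m.Version, m.Digest), m.Signature) {
		return errors.New("update rejected: manifest signature does not verify against the pinned key")
	}
	if sha256.Sum256(pkg) != m.Digest {
		return errors.New("update rejected: package bytes do not match the signed digest")
	}
	return nil
}

func main() {
	// Constructed demo: generate a release key pair and sign a fake package.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkg := []byte("constructed update package, version 2")
	m := SignManifest(priv, 2, pkg)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, pkg))

	tampered := append([]byte(nil), pkg...)
	tampered[0] ^= 0x01
	fmt.Println("tampered package:", VerifyUpdate(pub, 1, m, tampered))

	fmt.Println("same version re-offered:", VerifyUpdate(pub, 2, m, pkg))
}
```

The order of checks matters only for clarity here; what matters for security is that the pinned key, the signed digest and the version floor are all enforced before any byte of the package is executed, and that the private key stays on the build infrastructure.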
Third-party partners. Many FIs use outside providers for a portion of the data collection, storage, or destruction process. It’s imperative these vendors employ appropriate data protection safeguards when handling customer information. Your vendor contracts and service agreements should include language that stipulates the type of data security measures these outside partners must use, and how they are to manage -- from receipt to destruction -- the customer data that is entrusted to them. The contracts should also specify what the suppliers’ responsibilities are in the event of a data breach or security event.
Two-factor authentication. This security measure requires a second form of verification beyond a password and is appropriate for web portals as well as mobile applications. Free services such as Dropbox, Google, Yahoo, Twitter, etc. all offer two-factor authentication, and it is long past time for it to be standard at FIs. A second factor means that a password captured by a keystroke logger or recovered by a password cracker is not enough on its own, which sharply reduces the likelihood of unauthorized access to confidential information. Where passwords alone are routinely cracked by novice attackers, bypassing a second factor takes far greater effort and resources. It is not a silver bullet, though: a one-time code can be relayed by a phishing page that forwards it to the real site within its validity window, so accept each code only once, and prefer a phishing-resistant factor such as a hardware security key over a code sent by SMS.
Secure storage. Once customer data has been collected, it should be stored with a high degree of security, because it is extremely valuable to attackers: it can be used to commit identity theft and fraud. Institutions may perceive the cost as a small percentage of overall revenue and a trivial issue, but the victims of identity theft see it entirely differently. Imagine having your identity stolen and, one night, having the FBI bust through your door and arrest you in front of your children because of the thief’s actions -- all because someone had committed money laundering in your name. This is not trivial, and any company collecting personal information should apply security measures commensurate with the value of the information being collected and stored.
Be sure to house it in an area of the network that is segregated from general Internet browsing and email activity, as these are the most common points of network compromise. Customer data should also be encrypted whenever possible, at rest as well as in transit. Encryption itself is inexpensive, and provided the keys are kept apart from the data (for example in an HSM or key-management service that the database host cannot read directly) it renders the information unusable if the data is somehow exposed; encryption whose keys sit beside the ciphertext protects against a lost disk and little else. Institutions are also encouraged to develop a protocol for the secure destruction of customer data once it is no longer needed; for encrypted data, destroying the key is a practical way to make every copy, including backups, unreadable at once.
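Field-level encryption with a per-customer key, and destruction by deleting that key, as an added example that is not from the original article. The Vault and Record types, the in-memory key map (standing in for an HSM or KMS) and the sample customer values are all constructed for this example. The customer ID and column name are bound into the AES-GCM associated data, which adds a check the article does not mention: a ciphertext copied into another customer’s row or another column fails to decrypt instead of quietly yielding someone else’s data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is one encrypted field as it would sit in the customer database.
// Only the ciphertext and the customer/field labels are stored; never the key.
type Record struct {
	CustomerID string
	Field      string
	Blob       []byte // nonce || AES-256-GCM ciphertext || tag
}

// Vault holds one data key per customer. In production these keys live in an
// HSM or KMS on a separate network segment from the database; the in-memory
// map is an assumption for this offline example.
type Vault struct {
	keys map[string][]byte
}

func NewVault() *Vault { return &Vault{keys: map[string][]byte{}} }

// aead returns the customer's AES-GCM instance, creating a fresh 256-bit key
// only when sealing; opening a record for a customer with no key is an error.
func (v *Vault) aead(id string, create bool) (cipher.AEAD, error) {
	key, ok := v.keys[id]
	if !ok {
		if !create {
			return nil, errors.New("no key for customer: records are unrecoverable (shredded or never sealed)")
		}
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		v.keys[id] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field. Customer ID and field name go in as associated
// data, so the ciphertext is tied to the row and column it was written for.
func (v *Vault) Seal(id, field, plaintext string) (Record, error) {
	gcm, err := v.aead(id, true)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Record{}, err
	}
	blob := gcm.Seal(append([]byte(nil), nonce...), nonce, []byte(plaintext), []byte(id+"/"+field))
	return Record{CustomerID: id, Field: field, Blob: blob}, nil
}

// Open decrypts and authenticates a record; a modified blob, a wrong key or a
// moved ciphertext is an error rather than garbage plaintext.
func (v *Vault) Open(r Record) (string, error) {
	gcm, err := v.aead(r.CustomerID, false)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(r.Blob) < ns+gcm.Overhead() {
		return "", errors.New("record too short")
	}
	pt, err := gcm.Open(nil, r.Blob[:ns], r.Blob[ns:], []byte(r.CustomerID+"/"+r.Field))
	if err != nil {
		return "", fmt.Errorf("record rejected: %w", err)
	}
	return string(pt), nil
}

// Destroy performs secure destruction by key deletion: once the customer's
// key is gone, every record sealed under it, including copies in backups and
// archives the institution cannot easily reach, is permanently unreadable.
func (v *Vault) Destroy(id string) {
	if key, ok := v.keys[id]; ok {
		for i := range key {
			key[i] = 0
		}
		delete(v.keys, id)
	}
}

func main() {
	v := NewVault()
	rec, _ := v.Seal("cust-1001", "ssn", "123-45-6789") // constructed sample value
	fmt.Printf("stored blob: %x\n", rec.Blob)
	pt, err := v.Open(rec)
	fmt.Println("decrypted:", pt, err)
	v.Destroy("cust-1001")
	_, err = v.Open(rec)
	fmt.Println("after key destruction:", err)
}
```

Two practical notes: the database host must never hold the keys or be able to fetch them on its own, or segmentation buys nothing; and key destruction only counts as destruction if the key was never copied into logs, backups or developer machines, which is exactly what an HSM or KMS is there to guarantee.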
Employee training. When a customer asks about the security of your FI’s website, how the organization collects and stores confidential data, what to do if they suspect their information has been compromised, or any other facet of your privacy program, you want your employees to give accurate answers. Ensure you have a team that understands data privacy best practices and how your internal protocols support them. Employees who do not need that level of training to do their jobs should at least know whom to refer customers to for further assistance.
Routine security evaluations. As data privacy laws emerge and security threats and tools change, your FI’s protection measures will also need to evolve. Routine reviews of existing security protocols and tools are instrumental in keeping your security program current and effective. Your team should update your protocols regularly to maintain adequate protection for customer data. These security assessments may also uncover protection measures that aren’t functioning as intended, or that are being inadvertently defeated by other processes. Modifications can then be made to resolve the situation before a data breach occurs.
Deena Coffman is chief executive officer of IDT911 Consulting and has broad experience providing guidance to clients adopting technology or building programs relating to data privacy, data security, and electronic discovery. Prior to joining IDT, she was the chief operating ...