
Reporting Requirements for Loss of Customer Data

Jim Freis talks about the reporting requirements for financial institutions

Jim Freis, co-founder of CRINData, talks with John Maher about the reporting requirements businesses need to meet when they lose customer data through a data breach. He talks about the future of these requirements and provides tips for financial institutions that deal with customer data.

Transcript

John Maher: Hi, I’m John Maher, and I’m here today with Jim Freis, co-founder of CRINDATA, a FinTech startup supporting financial institutions and their service providers. Today our topic is reporting requirements for loss of customer data. Welcome Jim.

Jim Freis: Thanks John. Glad to be here.

Reporting Requirements for the Loss of Consumer Data

John: Great. So Jim, today we’re discussing how a disruption in business operations, including the loss of customer data, can trigger a range of regulatory reporting requirements. And in the press we often hear about incidents involving breaches or potential disclosure of potentially massive amounts of consumer data. Can you tell me a little bit about the reporting requirements that this triggers?

Jim: Sure, John. It’s clear that we see an increasing wave of disclosures, in some cases massive amounts of exposure. Massive, I mean, to hundreds of millions of consumer records of information that most people will be concerned about with respect to your full name, address, social security or other identification numbers. 

When you tie that together with financial accounts or information about people’s health records, things that they generally even would not put on their social media accounts, that’s something that’s very much of concern to people. And one of the biggest aspects of it is that once it’s out into either the public domain or through a hacker, so someone with malevolent intent who is looking to abuse that. Even if it’s an inadvertent breach, then it’s hard to put that genie back in the bottle. And that’s one of the risks that we have in an increasingly online digital exposure world.

And frankly, part of the reason that we know about those incidents is on the one side, there are more of them. Why are there more of them? Because there’s more exposure and people taking advantage of that exposure, but also because there are requirements to report about them. Think about it, you’re the entity that made the mistake, or you’re the entity that has been the victim of an attack and lost some of your customer data. It’s not necessarily something that you would like to parade around, but it’s your obligation because you have breached an aspect of trust with your customers.

Business Requirements for Storing Consumer Data

John: All right. So tell me a little bit more about that exposure. If my personal data is out there and it’s being held by so many different parties, whether it’s my bank or places where I shop online or things like that, what are the actual requirements for them to protect my data? Or is it just kind of like in their best interest as a company to try to protect customers’ data, or is it an actual requirement?

Jim: That’s a good way to pose it, because some companies will actually say that it is in their interest and they use a differentiation in their business model in terms of offering to hold data only under certain conditions of trust. Others, technology companies, they are big data companies and they can be quite open with it, and customers get services without paying for them because their data is the way that they’re paying, inadvertently, to use that service.

So again, it’s part of the business model, but the most important thing, and as it gets to some of the regulatory requirements, it’s about giving the customer the choice. And that’s part of where we see things moving. Maybe stepping back to put that into context, especially for some of the most sensitive data, when we talk about data regarding people’s health situation or health risks and insurance and medical care, that’s an area where there have been specific requirements as to protecting that data and what to do in terms of breach.

In the US, a generation ago, we had HIPAA, the Health Insurance Portability and Accountability Act. In the European Union you have the GDPR, the General Data Protection Regulation, that includes specific protections for sensitive data which includes those related to medical and health situations among others. But that is an example of an area where there’s specific obligations on those entities, holding that sensitive data to retain it in a situation of trust.

In the financial industry, we’ve also seen that develop. A couple of decades ago, we had in the US the Right to Financial Privacy Act, which started with the aspect of government limitations on access to financial data, but then the Gramm-Leach-Bliley Act, which we know more in terms of opening up the historic restrictions between the banking industry, the insurance industry, and the investment banking industry, was accompanied by increased requirements to protect the privacy of individuals’ data.

Why? Because in part, it opened up supermarkets and opportunities for conglomerates to use data for cross-selling purposes. And this is, again, reminiscent of what we see in the growing technology area, where the value of data is recognized and the value to market based on analysis of consumers’ preferences.

So all the more reason why you need to have an understanding of where there are specific legal protections, but it still is not universally recognized as a right to data privacy. It is something in the California Constitution, but not to the same level in the U.S. Constitution. It is an aspect of the EU GDPR and similar privacy rights around the company, but that is something that continues to develop and for which different companies, including the contracts that you sign with them, will treat their data, your data, in different ways.

What Happens When a Data Breach Occurs?

John: Okay. So despite all of these requirements to protect data though, breaches still happen. So then what happens then?

Jim: So that’s another aspect that’s very critical in terms of these regulatory requirements, the laws with respect to data privacy. First, the disclosure, the upfront transparency and limitations on usage, but then what happens when there has been a violation of the expected usage or a violation of the trust that you have, and the biggest requirement of that is notification in different directions. 

And when you think about this, it’s pretty obvious who would have an interest in such notifications, definitely the subjects, meaning the consumers, the individuals, or the companies whose data has been exposed. When it gets beyond a one-off type situation, so where you’ve hacked into a database or inadvertently disclosed significant amounts of customer data.

And some examples of that, again, it’s not just a hacking aspect, it could be a misconfiguration in your system so that one client of yours inadvertently gets access to lists of other clients, customers, employees, counterparts, personal data. For that type of disclosure, you tell the individuals affected. When it hits certain thresholds there are state reporting requirements as well. If it impacts more than a thousand individuals within a state, you have to give notice under that state’s laws, and also reporting requirements to relevant government authorities.

That includes the Federal Trade Commission for industries generally, it includes banking supervisors when it impacts financial services information, and it also includes criminal authorities. It can be the state Attorneys General, my former agency FinCEN takes in reporting requirements when it’s related to financial crime. Why? Not just to go after the entity that might’ve had a regulatory breach, but to go after malevolent actors who might be trying to abuse that trust. So there’s a lot of different interests in that regard and a range of different regulatory requirements for reporting breaches.

The Future of Data Breach Reporting Requirements

John: And are these regulations and requirements and expectations always changing? And if so, where do you see them going in the near future?

Jim: They certainly are changing and they’re evolving with respect to the risk. And partly it’s an aspect of what we’ve learned about breaches and what are the ramifications of breaches. One thing that we do see, even from what we as the general public might read in the press, that there can be a very significant lag time in when a breach or exposure occurs to when the affected individuals know about it. 

It could be because let’s say you have a Trojan in your system, or someone accessed the backdoor vulnerability through the IT, it might not be known at that point. It might be six months later that they even find out that data was exposed or exported, or they might not know what was the volume of potential data that was exposed. So the lag time and an expectation of more transparency in a faster speed are definitely a focus.

And another aspect is the potential repercussion of that exposure in terms of penalties, whether they’re imposed by a competent authority or also repercussions under your contractual expectations in dealing with that third-party provider that’s holding your data, either directly as a consumer or as a company that is relying on that third party as an outsourcer.

Recommended Risk Management Approaches for Financial Institutions

John: So then moving back to specifically financial institutions and the companies that are working with financial institutions that might have my financial data, what do you recommend to them as part of their risk management approach?

Jim: Well, this is clearly an example where the old saying applies that an ounce of prevention is worth a pound of cure. Again, once data has been disclosed, you can’t really put it back, especially if it’s out in the public domain, the internet, things have a life of their own, and it takes a lot of effort to change passwords, to set up a monitoring service, to cancel credit cards, change accounts, et cetera.

And keep in mind that when we’re talking about risk management, the fundamental starting point is that any entity that relies on a third party service provider has less control over that firm, that third party, than they would if it was completely within their own framework. And that’s even before we think of that aspect, that that third party service provider could be relying on further subcontractors or further sub outsourcers down the chain.

So then you get into the aspect of remediation and notifications, and each of the remediation and the notification steps, again, are outside of the control of the primary entity. You rely on steps from these third-party providers, as well as their subcontractors or their sub-outsourcers, to get you the information that you need. So bottom line, you need to anticipate that a risk incident or an exposure can and will happen. It’s just an aspect of time, regardless of how good your mitigation measures are; what you’re essentially doing through your preventative measures is lowering the probability that an event will happen.

But as long as you’re holding data and relying on external parties, you cannot exclude an event. So you ultimately also have to, as part of your risk mitigation efforts, have procedures in place to know what your exposures are, what your notification requirements are, and be able to react very quickly in that regard. You shouldn’t spend a lot of time looking up those rules when the breach happens, you should spend your time on getting back to business, protecting your customers and rebuilding that trust with them.

Contact CRINData to Talk About Risk Management

John: All right. Well, that’s really great information, Jim. Thanks again for speaking with me today.

Jim: It’s a really important topic and I hope for all of us that we make some further progress in this regard. So thank you.

John: Absolutely. And for more information, you can visit the website at crindata.com. That’s C-R-I-N-data.com.