What if the federal government wants to determine if the United States banking system is being used to distribute a new ransomware variant? What if it secretly uses its systems and core processing platforms to make this determination? The need to protect citizens from harmful cyber-attacks is real. But what about your bank’s privacy? What about the privacy of your data? Where’s the balance between the two?
This is precisely the concern that digital banking is creating: On one hand, customers are demanding bank-from-anywhere convenience, but on the other hand, they are uncomfortable not having control over how, where and when their data is being used. International laws in 18 countries now address this, keeping data ownership with the customer and requiring companies to work with the data only in very specific ways. A dozen states also have data privacy laws that address specific data collection and handling requirements, setting up an authority to police actions so personal data is handled accordingly. Organizations can be fined 4% of revenue if they are found out of compliance with the law! These data privacy laws have teeth. In fact, the Consumer Finance Protection Bureau (CFPB) has begun looking for violations and responding to customer complaints under the new state laws. Multimillion-dollar fines have already been levied, and this process is just beginning.
In April of this year, Congress introduced a bill entitled “American Privacy Rights Act of 2024” to deal with data privacy at a national level. The patchwork of state laws is proving more difficult to manage than a thin federal law outlining basic data privacy protection requirements. Banks are left trying to figure out which laws apply to them, what is considered reasonable commercial data privacy protection, and how to get started with an information privacy program (IPP).
Over the past six months, 10 more states have introduced comprehensive data privacy bills, Mark Zuckerberg has apologized to Congress about data privacy violations, and the FBI has warned about coordinated China-based infrastructure attacks. Is there any chance we bankers can just get back to banking and stop worrying about all this cyber nonsense?!
Unfortunately, this is the new normal for banking. The banking industry infrastructure is in the crosshairs because, as Willie Sutton famously stated, “That’s where the money is.”
Nebraska, for example, has introduced LB 1294, the Nebraska Privacy Act, to change provisions relating to certain certificates and information relating to vital records and provide for certain records to be exempt from public disclosure. Colorado banks with customers in Nebraska need to comply with LB 1294. So, what does this mean? What types of certificates, information and disclosure changes does this introduce? It seems banks now need privacy lawyers to dissect these laws to understand how their banks and customers are affected.
Just as we begin to get control of our technologies and IT exams, game changers like AI come along and disrupt it all. One cannot open a newspaper, read an online article or watch the news without seeing something concerning artificial intelligence. AI is mimicking people online. As it relates to the financial system, AI is being used to impersonate and commit fraud. The latest apprehension is that as data privacy threats and laws emerge, AI will exponentially magnify these concerns. Thus, the field of AI privacy is born.
AI privacy is the set of practices and concerns centered around the ethical collection, storage and usage of personal information by artificial intelligence systems. It addresses the critical need to protect individual data rights and maintain confidentiality as AI algorithms process and learn from vast quantities of personal data. AI fundamentally relies on using large, disparate datasets to draw conclusions that would otherwise not be possible. The potential is fairly obvious, but equally obvious is that if this is not managed well, unintended consequences are certain. In the banking sector, where data privacy and artificial intelligence introduce risk to the banking system, it is only a matter of time before the regulators establish requirements and decide how they are going to enforce them.
Colorado passed Senate Bill 190, Protect Personal Data Privacy, to deal with privacy protections for citizens of Colorado. It applies to organizations meeting the following criteria: legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either control or process personal data of at least 100,000 consumers per calendar year; or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.
On the surface, it might appear that banks are exempt; however, just as cybersecurity has framed “commercially reasonable security,” data privacy will take the same course, requiring existing data privacy best practices to be implemented in all financial institutions.
The Attorney General for the state of Colorado is authorized to field data protection complaints and apply this law to promote consumer protection. If your bank has customers in 10 states and two countries, then your bank needs to comply with 12 different mandates. It is NOT enough to understand and comply with Colorado SB 21-190; rather, your compliance department needs to understand where your customers are, which states and countries have data privacy laws, what the requirements for each of these laws are and how to best meet these various requirements. This is why a thin federal law makes more sense than a patchwork of state laws.
What does this all mean for your financial institution? It means accountholders are being impersonated at unprecedented levels. It means data privacy protection moves up the priority list to keep data safe and comply with state and international requirements. It means your vendor management program must be expanded to include data privacy reviews and diligence. It also means you need to build an operational infrastructure to answer accountholder questions about their data, including what data the bank has, where it is stored and who it is shared with. Privacy policies and notices are required, and banks need to get ready to answer risk-based questions about data privacy, including what your bank is doing to control data privacy risks.
What should your bank do? First, name a Privacy Officer. The new Privacy Officer could be an expanded role for your current Information Security Officer, someone in marketing or legal, or a management employee in operations. Second, determine a data privacy plan and budget. Conduct a privacy gap analysis to assess your environment and build a three-year plan. The good news is that most of the data privacy actions banks need to take immediately do not cost a lot. A gap analysis is one tool to help build a data privacy roadmap and demonstrate to bank regulators that you have this issue managed (the M in the CAMELS rating).
What else should your bank do? Educate bank leadership on what data privacy is and what the current legal and regulatory landscape looks like, and begin to plan and operationalize a top-down managed information privacy program. Specific steps include:
- Conducting a data privacy risk assessment and drafting a basic information privacy policy;
- Starting with education, as dealing with emerging issues like data privacy always does: board of directors, executive team, management, employees and customers;
- Getting the board and management team up to speed on what data privacy is and what the current laws look like and require;
- Understanding what information privacy program options are available;
- Figuring out how to conduct a data privacy risk assessment; and
- Putting someone at your bank in charge of data privacy (i.e., data privacy officer).
Addressing data privacy starts with educating your board, management, employees and customers to get everyone on the same page about what data privacy responsibilities the bank has and what it needs to do to address this growing threat. Look for outlets that are discussing the data privacy issue and know how to apply it to banking. Put data privacy on your next board agenda to frame the problem and begin a proactive plan to keep your financial institution out of harm’s way.
American Security and Privacy provides security and privacy solutions to businesses around the world.
Visit www.americansecurityandprivacy.com to learn more.