Authored by Perry Menezes, Michael Orozco, and Steve Wertheim
Data privacy is not a novel concern in the cybersecurity or financial services industry. However, increasing challenges to data privacy are arising due to continued data collection by social media, the implementation of new regulatory requirements, and the adoption of new technologies such as artificial intelligence and machine learning. Digital transformations in the financial services sector are also opening the door for increased data privacy concerns, causing financial institutions to question cloud usage.
Challenges in Data Privacy
Individuals and enterprises face numerous data privacy challenges every day, one of the largest being the sheer abundance of personal data. Personal data available on social media can be collected by commonly used applications to provide a personalized user experience, creating an attractive cache for cyber criminals to pursue. Data is increasingly collected by social media platforms and corporate service applications; when those platforms are compromised, the result can be the sale of personal data, with broad-reaching implications.
Data privacy protection regulations are rapidly being adopted across the globe, forcing organizations to meet disparate requirements while balancing user experience. These new regulations carry costly fines and litigation exposure, making the adoption of a “privacy-first” strategy central to every business and organization.
Another data privacy challenge is the rapid adoption and use of Artificial Intelligence (AI) and Machine Learning (ML). These solutions add considerable complexity to protecting data privacy because they are being adopted quickly while the proper controls and risk review frameworks lag behind.
A few examples of how AI and ML will jeopardize consumer privacy rights are:
- Data Exploitation: People’s daily lives depend on smart devices (cell phones, cars, home appliances, home music devices, etc.) that collect data about their preferences to enhance the user experience.
- Identification and Tracking: AI can easily identify, track, and monitor individuals across multiple platforms regardless of location.
- Voice & Facial Recognition: AI can recognize and identify an individual’s voice as a signature, and applications that use our voice as a signature and password for access are being developed rapidly.
- Profiling: AI and ML use complex algorithms for sorting, scoring, classifying, evaluating, and ranking people in different settings and across various platforms.
Privacy Concerns in the Financial Services Sector
The financial services sector is experiencing seismic shifts due to digital transformation, bringing additional impacts and growing concern over protecting data. A successful digital transformation, especially in the financial services sector, involves change that covers multiple areas, from employees, customers, vendors, and partners to organizational structures, strategies, revenue, and customer satisfaction. Digital transformations also affect technology platforms, governance, risk, and compliance requirements, and many other areas. Undergoing a digital transformation securely requires cybersecurity to play an especially vital role. Digital transformation implies that environments, platforms, and entities are connected digitally, which in turn increases the probability of a cyberattack or of exposure to one. With the rapid proliferation of digital transformation, regulators, lawmakers, and policy makers are paying attention to the industry, resulting in new laws being written or existing laws being adapted to address a key requirement: data privacy.
With digital transformation come several questions or concerns that directly impact data privacy, including whether the data can be shared, whether consent is needed, how long data is stored, how it is stored and processed, how data is handled after being used, and several others. Without appropriate answers to these questions (and the subsequent design and implementation of proper controls), firms are not just risking individual data elements; they put the firm and its stakeholders at risk. Because of this, some financial institutions are having second thoughts about leveraging the public cloud due to privacy considerations and concerns. Experiences such as a reported breach at a major online bank underscore the third-party risk associated with PII and PCI DSS data stored in third-party environments.
Data Privacy Improvement
With challenges growing daily, enterprises need to be proactive in protecting their corporate data and their customers’ data. Adherence to the established data privacy regulations – GDPR, CPRA (California Privacy Rights Act), etc. – is a necessary first step towards protecting data privacy. Additionally, implementing processes and controls that meet the increasing demands from consumers for transparency and a centralized user experience will be paramount. Corporations should take a collaborative approach with consumers about how their data is used and their tolerance for the risks of those uses. Notices, cookies, consent management, and subject rights requests should be made available to consumers via self-service portals.
It is vital for institutions to design for data privacy from the start, not as an afterthought. Any digital transformation, regardless of sector, needs to treat data privacy as a core design component, looking at all facets of data privacy, including compliance and regulatory requirements. Coupling this design element with a deliberate governance and reporting component will address many, if not most, of the concerns around this topic.
Within the financial services sector, some of the key provisions of the 23 NYCRR 500 law directly impact how firms deal with customer privacy issues:
- Establishment of cybersecurity policy, including information security, data governance and classification, access control and identity management, multifactor authentication for externally sourced access to nonpublic information, limitation on data retention, encryption of nonpublic information (both in-flight and at rest), business continuity/disaster recovery plans and resources, systems and network security monitoring, physical security and environmental controls, annual penetration testing, and biannual vulnerability assessments.
- Third-party provider security policy, mandatory for all third-party providers who have access to systems containing nonpublic information.
- Notification of a cybersecurity event within 72 hours of identifying it if the event requires notice to a government body, self-regulating agency, or other supervisory body, or if the event has a reasonable likelihood of materially harming normal operations.
How MorganFranklin Can Help
Whether they are in the financial services industry or any other business sector, organizations need to be intentional about their data privacy policies and programs. Implementing a robust data security program can help prevent problems before they occur. Additionally, adhering to appropriate cybersecurity policies and frameworks will help ensure regulatory compliance and protect against threats.
MorganFranklin’s strategy and risk experts have extensive experience designing solutions that protect clients in the financial services sector from data privacy threats. From auditing current risk programs, to developing risk-specific procedures, to delivering board-ready presentations, our team of experts is trusted to define, implement, and maintain an effective data privacy strategy.