FINANCIAL SERVICES
Can Your Business Protect The Data It Collects?
July 2005
By
Susan N. LeDuc
for New Hampshire Business Review

There recently have been many disturbing data security breaches. Some have been high-tech (transaction data intercepted in the payment system) and some have been amazingly low-tech (laptops and tapes were stolen, rogue employees sold protected information). But one thing is for sure: Information about individuals and their financial accounts is valuable because there is a market for it, and because the “bad guys” can use that information for personal gain. Information will be misused unless it is protected.
Businesses and other providers of products and services routinely ask for (and consumers routinely provide) personal and financial data in all sorts of situations: as a retailer, over the Internet, as a restaurant, government agency, employer, vendor, doctor or bank – virtually everywhere there is a payment for a product or service via a method other than cash.
As a business that gets paid (and pays others) in some manner, how are you protecting the personal and financial account information that is provided to you?
Every business collects information about its customers. Every business also transfers payment information (i.e., someone’s personal and financial information) through the financial system to collect payment. These payments could be made by check, credit card, debit card, Automated Clearing House (ACH), wire transfer, online bill pay, demand drafts, etc.
While this information and the payment mechanisms (checks, credit card slips, demand drafts, etc.) are in your business’ possession, you have the responsibility to protect the information (for example, so that a rogue employee does not steal it and sell it), and you might be held liable for a compromise or misuse of the information.
Additionally, for any payment method, a web of vendors is needed to process the payment. For example, a business must set up a merchant account (with a vendor) in order to process credit card payments. Businesses also generally process payments through a depository institution of some type.
Every business that is not paid solely in cash must use other vendors to ultimately “collect” from receivers of its goods and services. As a business, you trust that the vendors through which your payments are processed are diligent in protecting data.
How can a business reduce its potential liability for a data breach? One way is to self-regulate and use guidance that applies to other highly regulated businesses. Recently, the federal banking regulatory agencies issued a Guidance that addresses the procedures financial institutions should use to respond to unauthorized access to or use of customer information by third parties.
First, each business should assess the particular risks that its business and operations present to the security of customers’ information. Where might a physical, technical or administrative breach occur? Each business should then develop its own information security program to address these risks.
Certain minimum elements for all such information security programs, no matter the results of the business’ own risk assessment, should be considered. These elements include:
- Access controls on customer information systems, which include controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means.
- Employee background checks should be considered for employees who are authorized to access customer information.
- A risk-based response program to address incidents of unauthorized access to customer information systems.
At a minimum, the business’ response program should contain procedures to address the following elements:
- Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused.
- Notifying its primary regulator (if none, then the state attorney general) as soon as possible whenever the business becomes aware of an incident involving unauthorized access to or use of sensitive customer information.
- Notifying appropriate law enforcement authorities.
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information.
- Notifying customers as soon as possible when warranted (i.e., the business determines that misuse of its information about a customer has occurred or is reasonably possible).
Each business also should consider requiring its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
A business’ contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the business’ customer information, including notification to the business as soon as possible of any such incidents, to enable the business to expeditiously implement its response program.
When a business becomes aware of an incident of unauthorized access to sensitive customer information, the business should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the business makes such a determination, then the business should notify the affected customers as soon as possible.
In a “best practices” environment, each business has an affirmative duty to protect its customers’ information against unauthorized access or use. When such unauthorized access or use occurs, the banking industry standard expects the bank to notify its primary regulator, and (depending on the bank’s assessment of the likelihood that the information has been or will be misused) its affected customers of an incident, regardless of whether it may be embarrassed or inconvenienced by doing so.
Businesses that hope to avoid regulation in this area should consider using these data security guidelines as a “best practice” checklist for protecting data in their care.