From time to time we have industry experts come on board to guest blog in order to provide our readers with interesting and insightful commentary. Today’s article is by Larry Niland, LIMRA Senior Regulatory Consultant and former CCO of the John Hancock Financial Network and David Somers II, Esq., LIMRA’s Director of Regulatory Consulting and former IA Regulatory Officer and V.P. at Advest, Inc.
Best Practices and Regulation Roundtable Meeting
Over 261 million data records of U.S. residents have been exposed due to security breaches since January 2005, according to the Privacy Rights Clearinghouse. If you’ve talked to your firm’s Chief Privacy Officer (CPO) lately, chances are he or she was not in a good mood. States are passing new regulations at a record pace on how client personal information and other critical data must be protected, controlled, transmitted, encrypted, transported, and shredded, and on how, when those safeguards fail, the breach must be reported to everyone affected, including the regulators.
At a recent LIMRA roundtable meeting in Connecticut of broker-dealer and insurance company CPOs, participants discussed data privacy and security best practices and regulation. The following issues and topics are highlights from the meeting:
1. New State Regulations
The CPOs focused on new state regulations and the specific challenges related to meeting those new requirements. As of January 1, 2009, forty-four states have enacted legislation requiring notification of security breaches involving personal information. Most notably, Massachusetts’ new regulation (201 CMR 17.00) requires companies to implement a comprehensive data security plan, including encryption.
2. Identity Theft “Red Flags” Rule Implications
CPOs from firms that are involved in credit extension or hold creditor check writing accounts discussed the impact of the Identity Theft “Red Flags” rule (16 CFR 681.11) promulgated under the FACT Act, and the implications for broker-dealers pursuant to FINRA Regulatory Notice 08-69. The primary goal of the Identity Theft “Red Flags” rule is to help identify, detect, and respond to specific activities, patterns, or practices that could be the result of identity theft. Some CPOs expressed confusion and uncertainty concerning their obligations under the rule, with much of the discussion focusing on reporting obligations when possible discrepancies are found.
A few weeks after the roundtable meeting, the Federal Trade Commission (FTC) delayed the compliance and enforcement deadline of the “Red Flags Rule” from May 1, 2009 to August 1, 2009 in order to give creditors and financial institutions with “covered accounts” more time to develop and implement written identity theft prevention programs. In addition, the FTC has released a “Red Flags Rule” compliance guide for businesses.
3. Defining and Remedying a “Breach”
Each CPO’s firm has a plan to respond to and report data breaches, but the CPOs differed on how firms should decide what qualifies as a breach, and how to remedy the breach. Breach costs can vary widely depending on the extent and nature of the data breached as well as the appropriate remedy. In assessing risk, most CPOs try to balance the risk of identity theft and the potential for misuse when deciding how to reassure clients and what remedies to offer clients (e.g., credit monitoring services). All the CPOs agree that once a breach occurs it is critical to respond quickly, use a predetermined team to assess the breach from the top down, and promptly report the breach to the required regulators.
4. Data Encryption
CPOs also discussed data encryption and standards, when encryption must be used, and what steps firms are taking to minimize or eliminate the use of certain customer data like social security numbers. Some CPOs use techniques for data masking, namely making personal client data work for the firm but rendering it useless to persons who come to possess it by breach or accident. All the CPOs’ firms are in the process of or have already completed encrypting all company mobile devices, including employee laptop computers and Blackberry devices. In addition, some CPOs also require hard-drive encryption on all employee desktop computers.
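The data-masking approach described above (keeping personal data usable for the firm while making it useless to whoever obtains it by breach or accident) can be illustrated with a small example. The code below is an added illustration, not anything from LIMRA or the roundtable participants: it masks a social security number to its last four digits for display and replaces the full value with a keyed HMAC token so records can still be matched internally. The demo key, the record layout and the sample record are constructed for the example; in practice the key would live in a separately controlled secret store.

```python
import hashlib
import hmac
import re

# Constructed demo key. A real deployment keeps this key in a separate,
# access-controlled secret store, never alongside the masked data.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def normalize_ssn(ssn: str) -> str:
    """Strip dashes/spaces and require exactly nine digits."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("expected a nine-digit social security number")
    return digits


def mask_ssn(ssn: str) -> str:
    """Display form: only the last four digits survive."""
    digits = normalize_ssn(ssn)
    return f"***-**-{digits[-4:]}"


def tokenize_ssn(ssn: str, key: bytes) -> str:
    """Keyed, deterministic token that lets the firm match records.

    A plain (unkeyed) hash would be reversible by enumerating the roughly
    one billion possible SSNs; HMAC with a secret key closes that gap as
    long as the key itself is not part of the breached data set.
    """
    digits = normalize_ssn(ssn)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def mask_record(record: dict, key: bytes) -> dict:
    """Return a copy of a client record with the raw SSN removed."""
    masked = dict(record)
    raw = masked.pop("ssn")
    masked["ssn_masked"] = mask_ssn(raw)
    masked["ssn_token"] = tokenize_ssn(raw, key)
    return masked


if __name__ == "__main__":
    # Constructed sample record, not real client data.
    sample = {"name": "Jane Doe", "ssn": "123-45-6789", "plan": "401k"}
    print(mask_record(sample, DEMO_KEY))
```

The token is stable across formatting differences ("123-45-6789" and "123456789" produce the same token), which is what makes it usable as a join key between systems that never need the raw value.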
5. Vendor and Contract Management
The CPOs perform varying degrees of data inventories since the requirement to do so varies by regulator. All the CPOs’ firms have privacy policies and train employees across the enterprise. However, many CPOs are still debating how to deal with vendors in possession of private information; this includes affiliates and third-party vendors servicing clients (e.g., IT vendors managing databases). Many express concerns that the regulators setting policy on certification of vendors possessing such data may not understand how varied and complex those relationships really are. The CPOs have all met with their legal or contract procurement department to ensure that new legal agreements contain the appropriate language to meet all the emerging requirements and to assure that affiliated and third-party vendors are obligated to take the required steps to protect client information, including controls and testing. A few CPOs whose firms have overseas operations that store U.S. client data indicate that they have extremely robust controls on the data at those facilities.
6. Virtual Employees and Independent Contractors
The emerging employment trend of remote employees or “virtual employees” is causing some privacy concerns for CPOs. Although these employees may have access to client data to do their work, the equipment they use can vary at some firms. A few firms maintain strict requirements that only company-provided hardware with encryption technology can be used for such activities. CPOs with independent producers or registered representatives talked about checking their firms’ data systems, including encryption compliance and breach reporting at branch offices. Other CPOs noted how data used to comply with their firms’ Business Continuity Plans (BCPs) was protected. Such BCP data can also be helpful in identifying the scope of breaches when data equipment is stolen.
7. Email Policies and Practices
The email policies and practices at the CPOs’ firms led to a discussion that included how to roll out encryption, different approaches to secure/encrypted email, and the use of email review technology to either quarantine or block emails containing private information (e.g., social security numbers and credit card numbers). All the CPOs agree that such policies and practices are beneficial, but none say that their current system works perfectly.
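As an added illustration of the email review technology mentioned above (not code from LIMRA or any participating firm), the example below scans outbound message text for social security numbers and payment card numbers and returns a quarantine or block decision. The sample messages are constructed; the card number is the widely published Visa test value 4111 1111 1111 1111, and the policy (card number blocks, SSN quarantines) is an assumption chosen for the demo. The Luhn check on card candidates is what keeps order numbers and other long digit strings from triggering false positives, though, as the CPOs themselves note, no pattern-based system is perfect.

```python
import re

# Constructed sample messages, not real client correspondence.
SAMPLE_EMAILS = {
    "clean": "Hi Sam, the quarterly review is scheduled for Tuesday at 10am.",
    "ssn": "Please update the file for Jane Doe, SSN 123-45-6789, before Friday.",
    "card": "Client card on file: 4111 1111 1111 1111, exp 12/29.",
    "bad_luhn": "Reference number 4111-1111-1111-1112 is an order id, not a card.",
}

# SSN in dashed form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_ssns(text: str) -> list:
    """All dashed SSN-shaped values in the text."""
    return SSN_RE.findall(text)


def find_card_numbers(text: str) -> list:
    """Digit strings that look like card numbers and pass the Luhn check."""
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify_email(text: str) -> str:
    """Assumed policy: card numbers are blocked, SSNs are quarantined for review."""
    if find_card_numbers(text):
        return "block"
    if find_ssns(text):
        return "quarantine"
    return "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(f"{name:9s} -> {classify_email(body)}")
```

A production gateway would extend this with attachment parsing, allow-lists for approved encrypted channels, and logging of each decision so the privacy team can tune the patterns against the false positives and misses that the CPOs describe.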
If you would like to learn more about how to improve your firm’s privacy controls or how to join LIMRA’s Privacy Officer Roundtable, please call Larry Niland at 877-843-2641 or email lniland@limra.com. LIMRA is a worldwide research, consulting, and professional development organization. Our Compliance and Regulatory Services unit helps insurance and financial services companies around the world meet today’s regulatory scrutiny and turn these requirements into a brand advantage. We provide solutions for risk management, supervisory controls, compliance education and training, and other regulatory obligations.
Reprinted with permission from LIMRA’s free bimonthly LIMRA Regulatory Review newsletter which provides insight into today’s top compliance and regulatory issues. Sign up for a free subscription.