Financial services firms in the US are being overwhelmed by the volume, variety and velocity of sensitive data they have to process, according to Kristina Bergman, CEO of Integris Software, and calls from the Consumer Banking Association (CBA) for a federally mandated privacy law could help solve a patchwork of state legislation.
Earlier this month CBA chief executive officer Richard Hunt sent a letter to Senate Commerce Committee chairman Roger Wicker and ranking member Maria Cantwell. Hunt wrote: “Congress should take seriously its authority and enact a federal data security and breach notification standard and pre-empt the current patchwork of state laws.
“With the recent breaches that have put millions of consumers at risk, the need to pass legislation to establish such a standard could not be more evident. Protecting consumer information is a shared responsibility of all parties involved.”
US citizens’ data is regulated by laws enacted at both national and state level. However, there is currently no principal data protection legislation. Federal statutes are usually targeted at specific sectors, and state laws focus on the privacy rights of individual consumers.
The Gramm-Leach-Bliley Act outlines the protection of personal information owned by the financial services industry. The Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) are also charged with protecting customers against data security loss.
For Bergman, meeting data security compliance requirements boils down to performing two key functions: “The first is understanding where sensitive data resides across all data source types, and the second is to map that data back to data handling obligations. Sounds simple enough, but companies really struggle on both fronts. Only 17% of mid and large US enterprises are able to incorporate all five common data types into their privacy management programs.
“Having a federal law won’t help much if you don’t understand what data you have and where it resides. But a federal law could simplify compliance by providing a standard taxonomy and rules around your data handling obligations. There are 30 states in the US with privacy legislation on the floor. It’s only going to get worse before it gets better. A federal law would replace the growing patchwork of state legislation.”
According to a report from US-based non-profit the Identity Theft Resource Center (ITRC), there were 135 data breaches in the US financial services sector in 2018, with 1.7m records exposed. The business sector recorded the highest level of breaches, at 571, exposing 415m records.
In the CBA letter, Hunt said banks are “on the front lines consistently monitoring for fraud and working to make consumers whole, no matter where a breach occurs.” From operating advanced fraud monitoring systems to reissuing cards, he added, CBA members spend considerable resources on preventing fraud.
Bergman believes data security issues are of critical importance to financial services firms. “These firms are being overwhelmed with the volume, variety, and velocity of sensitive data. Massive amounts of data are now streaming in and out of financial services firms. Much of this information is now ending up in data lakes which have the potential to become data dumpsters.
“The first step is to stop relying on spreadsheets and manual surveys to inventory your data sources. Financial services firms can adopt more modern approaches such as automating the discovery and classification of sensitive data across all data source types including file storage, big data systems, structured databases, SaaS applications, data lakes, and streaming data sources.”