Banks Spend in Wrong Privacy Areas

Information security depends on policies and procedures as much as technology.

Massachusetts is self-imposing stricter privacy rules. Such measures to increase the protection of individuals' personally identifiable information (PII) are a good thing for customers, and states have been working on privacy regulations, with Massachusetts, Nevada, New Jersey and New York on the forefront.

However, when it comes to privacy regulation, a one-size-fits-all approach is not likely the best solution. And it's not desirable for government to set and enforce specific privacy technology requirements on private industry. Yet that seems to be where key lawmakers are headed, pushing to empower the government to define and enforce security technology requirements for private industry.

Customers' PII must be secured in a way that de-identifies personal data, such as obscuring Social Security numbers from database records and encrypting information systems. Often financial institutions think of IT-only security measures to protect personal data, but banks need to take a more comprehensive approach to securing PII. Most data breaches are linked to operational error -- a rogue employee or a stolen laptop.

Banks' policies and systems are very capable and mature, yet we see expenditures placed in the wrong areas. And with breach incidents on the rise, data breach preparedness is paramount. To better protect their customers' information, banks should do a PII-focused risk assessment; improve procedures around handling of PII inventory, including third-party risk and contracts; evaluate technologies for data breach detection; and have a breach-response plan in place. And many of these requirements are included in the Massachusetts Data Security Regulation.