Financial Services Compliance

An Overview of Customer Data Privacy Regulation in the Financial Services Sector

In the last eight years alone, there have been eight new Federal laws targeting financial services entities, making financial services the most highly regulated sector.  More specifically, much of this legislation is concerned with the protection of non-public information (NPI) and personally identifiable information (PII).  With major customer data breaches reported by the media on a daily basis, and with identity theft as the fastest growing financial crime, it is not surprising that regulators are focusing their attention on this growing issue.  Even more legislation is on the horizon. 

Understanding these data protection laws is no simple matter. Each law typically contains hundreds of pages of information and legal jargon, and can take many hours to read and comprehend. Furthermore, correct interpretation – understanding how, when, and to whom they apply – can be a significant hurdle for an institution of any size, not to mention developing and implementing solutions to aid compliance. Many small to midsize institutions, which do not always have technical expertise in-house, often struggle to determine what is required for compliance. Without specialized skills, it is not surprising that many organizations have an incomplete understanding of their compliance duties. It can be a “hit or miss” process in many cases, resulting in greater scrutiny and even fines and penalties from regulators including the Federal Financial Institutions Examination Council (FFIEC), the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and other agencies.

The purpose of this white paper is to give an overview of the data privacy laws that apply to the protection of non-public information (NPI) and its counterpart, personally identifiable information (PII). Because of this complexity, the white paper is not intended as a single source for implementing compliance strategies. Rather, it serves to highlight regulations for further investigation. It also illustrates how Intrusion’s Compliance Commander data protection products help meet regulatory compliance.

Non-Public Information (NPI) and Personally Identifiable Information (PII)

Non-public information (NPI) is an encompassing term that refers to all information appearing on applications for obtaining financial services (credit card or loan applications), or on account histories (bank or credit card).  It also includes the customer’s status with the organization:  either a current or previous customer.  NPI can include:  names, addresses, telephone numbers, Social Security numbers, PINs, passwords, account numbers, salaries, medical information, and account balances.  In general, NPI is broader than its counterpart, personally identifiable information (PII).

PII is typically regarded in the information security and privacy fields as any piece of information which can potentially be used to uniquely identify, contact, or locate a single person.  PII can include:  national identification numbers, street addresses, driver’s licenses, telephone numbers, IP addresses, email addresses, vehicle registrations, and ages.

While identity theft is the number one financial crime in the United States, the theft of corporate intellectual data is also on the rise. Of the last eight Federal laws enacted, three specifically mandate that financial services entities protect customer personal information and combat identity theft: GLBA, the Identity Theft and Assumption Deterrence Act, and the USA Patriot Act. In addition, 23 states have passed data protection laws, which also apply to financial services organizations. The remaining laws relate to protecting corporate intellectual data and information assets, but the same security safeguards apply to all.

Popular Misconceptions of Regulations

Because of their complexity, it is easy to understand why misconceptions about regulations are frequently found in the financial services sector.  Following are a few examples of these misconceptions:

  • Gramm-Leach-Bliley Act (GLBA) - Early on, financial institutions were under the misconception that GLBA only involved privacy notifications and the opt in/out requirements for sharing of information with non-affiliated parties.  Many organizations were not implementing the information security program requirements for protecting NPI.

  • Sarbanes-Oxley Act (SOX) - At one stage, SOX was thought to be only a financial regulation with no ties to information technology; however, information systems are the backbone of financial applications and processes, and are used to originate, house, store, and transmit financial information.

  • CA SB1386 and other state data protection laws - Many organizations have inaccurately evaluated the applicability of individual state data protection laws to their businesses because they were not physically located in that state. The majority of the state laws dictate that if a business has customers who are residents of the enforcing state, the law applies to that business regardless of whether the business is physically located in the enforcing state. Many of the laws also exempt encrypted information, whether stored or transmitted, from their disclosure requirements.