With more than 130 data protection regulations already in place, achieving and maintaining privacy compliance has become one of the most challenging imperatives in business today.
By Jake Frazier
What’s unique about data privacy versus other regulatory obligations is that it impacts organizations of all sizes, with requirements varying widely between industries and geographies. For financial services institutions and banks, several applicable regulations carry data privacy implications. Additionally, global, state-based and pending U.S. federal data protection legislation are adding additional layers of complexity to the range of obligations banks must fulfill. These have and will likely continue to demand refreshes to policies, operations and infrastructure.
Data privacy is not a new concept and has been embedded in a variety of laws for decades. However, it wasn’t until after the European Union enacted the General Data Protection Regulation in 2018 that privacy became a major and mainstream focal point. GDPR is considered the most stringent data protection law in the world. It provides expansive privacy rights and protections for all EU citizens, placing an array of obligations—from consent, breach notifications and mandatory data protection officers—to extensive data processing controls on companies that do business in the EU. Fines for non-compliance can be issued up to €20 million, or 4 percent of the violating organization’s global revenue. Nearly 1,000 unique enforcement penalties were handed down between 2018 and 2022. U.S. banks may be subject to GDPR requirements if they hold data belonging to EU citizens living in Europe at the time the data was collected.
Privacy implications within existing financial industry regulations
As GDPR has triggered a groundswell of regulatory attention on data privacy, the financial services industry continues to feel pressure to meet a range of data protection requirements, and are likely to experience increased scrutiny from enforcement agencies. Applicable existing regulations with data privacy elements include the following.
Gramm-Leach-Bliley Act. Among federal regulations that address data privacy, this law is the most direct in terms of its focus on the protection of sensitive consumer data. Under the act, any organization providing financial products must disclose their information-sharing practices to customers and meet certain standards for protecting sensitive customer information. It includes the Privacy Rule, which protects consumers’ “non-public personal information” and defines the rules financial institutions must follow in terms of providing privacy notices, safeguarding NPI and providing opt-out notices (certain exceptions apply to opt-out conditions). The act also includes the Safeguards Rule, which requires financial institutions to “develop, implement and maintain an information security program with administrative, technical and physical safeguards designed to protect customer information.” Both the Privacy Rule and the Safeguards Rule were updated in 2021 to bring them into better alignment with current market needs and technological advancements.
Dodd-Frank Act. While not directly focused on data privacy or data protection, several sections within the Dodd-Frank Act include provisions that implicate data protection requirements and offer certain rights to data subjects. Section 1033 defines the obligations of financial services institutions to provide consumers with access to their financial records and related information in an accessible format. Section 1034 reinforces that requests for information must be fulfilled in a timely manner. Further, section 1013 indicates an obligation for agencies to maintain data security, integrity, protection, and confidentiality of personally identifiable information.
Fair Credit Reporting Act. While primarily focused on ensuring accuracy in consumer credit ratings and reporting, the FCRA also implements limits on the use of data collected on consumers, and stipulates that financial services institutions may only collect data relevant to purposes of issuing credit, financing, employment and so forth. These purpose and use limitations are foundational principles in data privacy legislation such as GDPR, and to fulfill these requirements according to best practices, organizations should ensure they are operationalized via consumer disclosures (relating to purpose) and data processing and retention procedures (relating to use).
Right to Financial Privacy Act. This is another legacy law dealing with the protection of personal financial data. In place since 1978, this regulation established rules for federal agencies to follow when seeking and accessing individuals’ records from financial institutions. It also includes requirements for institutions to meet, prior to and during disclosure of customer information to federal government agencies.
NYDFS Cybersecurity Regulation. In place since 2017, the New York Department of Financial Services Cybersecurity Regulation was the first state-based law to impose cybersecurity requirements on financial institutions under NYDFS licensure (with some limited exemptions). The law requires covered institutions to establish a cybersecurity plan, policy and reporting function and appoint a chief information security officer. In November 2022, NYDFS finalized a proposed set of amendments to the law, intended to keep it up to date with the latest developments in the cyber threat landscape. The amendments include changes to exemptions thresholds (intended to minimize burdens on small businesses), increased governance and accountability requirements, increased frequency of risk assessments and guidelines for cybersecurity training and awareness practices. If approved, these changes will take effect during the second half of 2023.
As data privacy becomes increasingly prioritized among citizens and U.S. lawmakers, organizations of all sizes in regulated industries, including financial services, can expect a likely escalation of enforcement of these laws.
Individual states address data privacy
At least 16 states have either passed or are legislating comprehensive consumer privacy laws. The California Consumer Privacy Act is already active and was bolstered when its counterpart law, the California Privacy Rights Act, took effect at the start of 2023. Four additional states—Colorado, Connecticut, Utah and Virginia—have passed laws that also take effect this year.
Organizations operating across state lines must now track exposure under and establish compliance with this growing list of state-based data protection frameworks—which are applicable depending on the state in which the customer resides, not merely where the bank is located. As more laws come into force, banks must also ensure they understand exactly how the nuances of each law may impact their policies and practices, as well as any exemptions that may apply (given that many state privacy laws include exemptions for financial organizations and banks governed by the Gramm-Leach-Bliley Act).
Impending federal legislation
The American Data Privacy and Protection Act, a landmark U.S. federal privacy bill, is advancing through the legislative process. While it remains to be seen what the final outcome of this law will be, its adoption would bring the first full-scale federal privacy law in the U.S.
There are several core components within the current draft of the ADPPA that revolve around existing privacy principles. For example, the bill’s Duty of Loyalty component borrows a term from the corporate governance model and imposes a relationship between a consumer and a corporation. It is worded in a way that empowers the Federal Trade Commission potentially to define what this means through enforcement actions. Another is Private Right to Action, which would give consumers an avenue to pursue corporations for perceived wrongdoing, similar to those that the privacy laws in California, Colorado, Virginia and other states provide.
The subject of pre-emption of the various state regulations and regulators has also been addressed in proposed amendments to the ADPPA. Recent developments indicate that the bill is aimed at setting a minimum federal standard, rather than a framework that would pre-empt current state laws. That said, the carve-outs as they exist in the latest draft mean that any financial institutions that are subject to the ADPPA will need to remain aware of and address discrepancies that might linger after a federal law is established. These deviations may be difficult to manage from technical and procedural standpoints. Ultimately, the ADPPA may bring a possible solution to the current patchwork of state laws; conversely, it could eventually create further compliance challenges due to gaps and/or conflicts between federal
law and state requirements.
Notably and separate from the status of the ADPPA in the legislature is the executive order in late 2022 regarding the steps the U.S. will take to implement commitments to reinstate a data privacy framework with the EU. This development underscores the close attention the U.S. government is giving to data privacy as a right and principle in the U.S.
Moving forward in a changing landscape
Clearly, the data privacy regulatory landscape is varied and in a perpetual state of change. This fact alone is one of the principal challenges in maintaining compliance. Missteps are easy to make when the full scope of requirements are unclear and planning is difficult when new laws may crop up at any time.
Additionally, organizations are facing an array of new risk areas that can affect both their ability to uphold strong data privacy governance, document compliance and respond effectively to information requests. For example, the shift to remote work has opened up a range of new data privacy and data protection risks, especially in industries such as financial services, where most organizations did not previously allow remote work as a standard practice. With the blurring of lines between personal and company devices and communications, a wider dispersion of information and endpoints must be monitored and protected. With that, there has been a reported increased in the incidence of insider threats, which include well-meaning employees who inadvertently share sensitive company information, as well as malicious actors seeking personal gain by exposing or stealing company records ( such as information containing personal data that is subject to regulations).
Moreover, there are new communications channels to contend with. Collaboration tools (such as Slack, Zoom and Teams), messaging applications (including WhatsApp and Telegram) and productivity suites (Microsoft 365 and Google Workspace, etc.) have altered the ways employees share, store and use information (and the locations where malicious actors may attempt to infiltrate and breach sensitive data). In some cases, employees may be using these tools without the organization’s knowledge, creating blind spots in information governance, privacy compliance and security.
In part because of, and in addition to, these factors, there has been a steady rise in cyber attacks and data breaches, which carry serious implications for data privacy compliance. This is a significant area of concern for organizations of all sizes. Increases in cyber attacks and data breaches have cascading implications across the globe. As spotlights are focused on organizations impacted by a cyber incident, there are expectations that they took proper precautions to protect sensitive data, especially information pertaining to customers or clients. Ensuring these expectations are met often come in the form of regulation. Organizations can expect more stringent requirements around data privacy and protection, specifically regarding the implementation of protections prior to an incident occurring, with the goal of improving readiness and resilience across the board.
Beyond the compliance risks relating to a data breach or breach of data privacy laws, organizations must also consider the follow-on ramifications that can result. For one, data breaches are expensive. Ponemon Institute currently estimates the average cost of a data breach, across all industries and company types, at $9.44 million, and reported in the annual Cost of a Data Breach report that breaches in the U.S. cost more than the global average. These costs include incident response, business loss and disruption, regulatory penalties, and other related expenses. With many data privacy laws now providing consumers with the right to take private action, organizations are seeing an uptick in individual litigation and class action suits relating to data breaches, further amplifying both the expense and business disruption that follow such an event.
Reputational damage and loss of consumer trust also typically follow in the wake of a data breach or privacy violation. Without a strong incident response plan that demonstrates transparency, seriousness of response and comprehensive remediation, it can be very difficult and costly for businesses to rebuild customer confidence.
With such a vast spectrum of risks relating to data privacy, it’s easy for business leaders to become overwhelmed. Knowing where to start is difficult, even for large, sophisticated organizations that have a dedicated data privacy function.
A number of foundational steps and practices can help teams create a roadmap for establishing a broader privacy program, or strengthen existing governance. These include:
Define obligations. The functions and policies within an organization’s privacy program will depend on the regional and industry-specific laws under which the business is covered. A simple first step is assessing the applicable laws and regulations, both federal and state, and working with legal and compliance to determine the full scope of requirements the business must meet.
Refresh policies. With documentation of the applicable data privacy requirements and regulations, organizations can revisit existing policies and refresh them to address gaps between obligation and practice.
Map the data. Taking inventory of the data footprint is an essential part of operationalizing for privacy compliance. It is impossible for organizations to protect data they don’t know they have or data stored in unknown repositories. Build a data inventory that accounts for key data assets and maps out the various flows of data in, through and out of the business.
Classify and establish retention rules accordingly. Data classification enables privacy teams to define which security controls should be applied to which data sets. For example, marketing records will not require the same degree of safeguarding that sensitive customer financial information will. Maintaining categories of different types of information according to sensitivity will make it easier to create a privacy and security program that prioritizes the highest risk data. Further, classification can be used to inform the retention schedule, so that data can be retained for the appropriate durations (per business needs and regulatory requirements) and disposed of as its use expires.
Prioritize minimization and remediation exercises. The greater the data footprint, the greater the risk. While some businesses can justify data redundancy (whether for backup needs or legal hold requirements), the majority of data within an organization is stored for longer than necessary. Often, sensitive and redundant data that is no longer needed will sit, unknown to legal and compliance, in legacy systems, accounts, and devices. Meanwhile, data minimization is a requirement under certain data privacy laws, and even when not required, is a best practice of good data hygiene. While data remediation activities can be a heavy lift, it’s essential to prioritize these exercises so anything outside of the scope of what’s needed for business and compliance purposes is deleted.
Establish strong data protection and security. A data protection program that is built on reaction is an insufficient strategy to combat threats and mitigate cyber risks. An approach founded on readiness and resilience, and one that incorporates assessing vulnerabilities, penetration testing, threat hunting, third-party auditing, etc., will result in fewer successful attacks, while simultaneously minimizing damages and allowing for a speedier recovery.
Operationalize data subject rights. Numerous data privacy and financial industry regulations provide consumers with rights to make various data requests of businesses that hold their personal information. These include rights to access, correct and delete information. These requests must be responded to and addressed in a timely and reasonable manner. Having a data map in place is one important step to operationalizing data subject requests, but organizations must take additional steps to reduce the burden of, and time to response for, these requests. This may include establishing an internal stakeholder responsible for data subject requests, creating new workflows for responding to them and implementing tools that can automate certain aspects of the process.
Conduct incident response planning. This is an essential element of a preparedness strategy and requires organization-wide cooperation. Each member of the organization, including technical teams, board members, general counsel, HR, the c-suite, etc., should know their exact roles and responsibilities in responding to an incident. This plan should also be routinely tested and altered based on lessons learned and to keep pace with an evolving threat landscape. Organizations may also forget to incorporate contingency plans, such as having a hard copy of their response plan in case computer access is restricted, which is why using realistic situations to stress test capabilities is so crucial.
Plan for change management. A culture of compliance across an organization is a cornerstone in enabling long-term privacy best practices. Teams can conduct internal research to understand how privacy compliance is perceived among employees, and then create training, awareness and change management programs that align to the existing culture, as well as the broader compliance objectives.
Privacy by design principles. As the compliance culture solidifies, privacy by design principles can develop organically as part of new products, services, programs and implementations. Privacy leaders who can collaborate well with security, IT and other counterparts will gain ground faster in building privacy from the ground up, versus those who remain siloed.
Data privacy is a fundamental part of business today. Requirements and public perception continue to evolve around the world, which will create challenges and uncertainty for businesses of all sizes. However, while the associated risks and the steps needed to meet compliance can be daunting, a strong data privacy posture is essential to adding business value and securing competitive advantage. Banks can simultaneously reduce their risk and tap into this value by starting small. Focusing on incremental wins, rather than getting bogged down in attempts to boil the ocean, will be key in demonstrating to customers and regulators that privacy is being appropriately prioritized.
Jake Frazier is a senior managing director at FTI Consulting and heads the information governance, privacy and security practice within the technology segment. The author would like to thank Jordan Rae Kelly, senior managing director and head of cybersecurity for the Americas at FTI Consulting, for her assistance with this article.