This is the third article of a three-part series on data security and data privacy. The first article discussed the similarities and differences between data security and data privacy. The second article provided an example of a geographical regulation and its impact on risk managers and institutions. This third article uses historical context as a framework for the emerging privacy laws across the country, their impact, and the frontier of law against cybersecurity threats.
With the rise of cyber attacks, the financial and banking sector has called for better protection against, and mitigation of, the risks associated with security vulnerabilities and their exploitation. The number of cyber attack cases leading to significant monetary losses and reputational damage has increased significantly over the past five years. According to a report from the Boston Consulting Group, financial institutions are 300x more susceptible to an attack than other industries. Unfortunately, banks and financial institutions offer tremendous monetary prizes, and therefore threats against these institutions are growing rapidly, pressuring them to quickly adopt technologies for improved service and security.
Cybersecurity threats have existed since the early adoption of the internet, and governments and institutions have implemented various laws, regulations, data security parameters, and privacy acts to protect consumers. Here, we dive into the relationship between governments and financial institutions as they adapt to the growing challenges of data security amidst increasing cyber threats.
Data Security and Privacy Compliance Regulations
To protect critical financial services, governments and organizations throughout the globe have implemented regulations and standards to control the security of financial and sensitive information. With the increase in data breaches over the last three years, law enforcement agencies and large institutions around the world have tightened regulations on the collection and storage of sensitive customer data. Throughout history, the adoption of these acts, regulations, and industry best practices has helped keep our economy intact against cybersecurity threats.
SOX & GLBA
In 2002, former U.S. President George W. Bush signed the Sarbanes-Oxley Act (SOX) into law. Then, in 2003, the U.S. implemented the Gramm-Leach-Bliley Act (GLBA), which was designed to govern the collection, storage, and exposure of customers’ sensitive and personal financial data. Although these regulations offer different protections (with SOX protecting the financial information of public companies and GLBA protecting the consumer data of financial institutions), both were designed to help keep sensitive data secure.
Payment Card Industry Data Security Standard (PCI DSS)
In 2004, four major credit card companies—Visa, Discover, MasterCard, and American Express—formed the Payment Card Industry Data Security Standard (PCI DSS), a widely accepted standard for the implementation of privacy and data protection. The standard improved the security of credit cards, debit cards, and cash, and protected cardholders against the misuse of their financial cards. Geared more towards cybersecurity threats than GLBA and SOX, this standard specifies requirements for: the security of the network, protection of card and cardholder information, protection of systems against cyber attacks and malware, controlled access to system information and operations, and the constant monitoring of networks and the information security policy.
While the PCI DSS standard is neither a government regulation nor a state or federal law that requires institutional compliance, some states—such as Massachusetts and Minnesota—require adherence to some components of the standard. The Massachusetts 201 CMR 17.00 law (inspired by concepts derived from the PCI DSS standard and Minnesota’s Plastic Card Security Act) enforces fines for companies that maliciously store data as defined by PCI. These guidelines are limited to the protection of specific financial data, related mostly to card payment information.
A New Landscape of Regulations: 23 NYCRR 500
The 23 New York Codes, Rules and Regulations (NYCRR) Part 500 took effect in the state of New York on March 1, 2017. It was defined by the New York Department of Financial Services (NYDFS) as a set of regulations for institutions in the financial and banking industry. By introducing the most stringent set of cybersecurity rules to date, 23 NYCRR 500 took cyber threat mitigation to the next level and enforced data encryption controls over sensitive information.
The Era of Data Encryption
23 NYCRR 500 covers a broader range of personal and entity-level data that qualifies as non-public information, and states that financial services firms not only have to encrypt non-public information in transit, but must also encrypt data at rest. It also directs the review of the controls used to protect data in three distinct states: data in use, data in transit, and data at rest.
- Data in use: Data that is accessed, viewed, and manipulated by an authorized end user
- Data in transit: Data that is transferred from a resource to the end user (e.g. from a protected server resource to a web browser)
- Data at rest: Backups, software application files, data, or documents that sit on a storage device (such as a disk drive or cloud-based infrastructure)
An institution must appoint a Chief Information Security Officer (CISO) who annually reviews the process for meeting these compliance requirements. These processes could include overseeing strict access controls, investing in infrastructure that supports encryption at rest, and establishing industry protocols that enable secure data transmission. (Referenced in sections 500.4, 500.7, 500.8, 500.12, 500.13, and 500.15 of the regulation.)
The impact of 23 NYCRR 500 has reached beyond its original intended geography, and it represents a strong stance against cybersecurity threats. Perhaps we’ll begin to see the adoption of similar regulations and practices across different states and other parts of the world.
GDPR vs. CCPA
In May of 2018, the European Union introduced the General Data Protection Regulation (GDPR). This regulation establishes rules surrounding a consumer’s right to know about the personal information that organizations collect about them. As a data protection and privacy law for European citizens, the GDPR data security policy informs customers of how companies can use their data and ensures that strict rules are followed in the event of a potential data or security breach. Companies or businesses that choose to operate in or deal with European nations must comply with GDPR regulations, or otherwise face harsh penalties and fines.
The GDPR’s global impact, beyond organizations’ own compliance, encouraged many countries and governments to implement data security and privacy policies for European customers. Shortly after its roll-out, the state of California enacted the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The CCPA focuses on the IT data privacy needs and consumer protection of California residents’ financial information. Under this act, “personal information” includes:
- Direct identifiers
- Unique identifiers
- Biometric data
- Internet activity
- Sensitive information such as individuals’ financial information
The GDPR and CCPA were designed to protect the residents of the European Union and California, respectively; but unlike the GDPR, the CCPA was designed primarily for for-profit organizations holding in excess of 50,000 California customer records and with an annual revenue of greater than $25 million. Because the GDPR has no restriction on the total number of records and no revenue threshold, it is considered more far-reaching due to its broader scope and definitions. While one can conclude that the CCPA is more granular than the GDPR, the similarities and intentions are clear—both were designed to improve the security of the personal information collected.
Unlike the European Union with its GDPR, the U.S. currently does not have a similar unified law or legislation. Instead, U.S. enforcement of data security and privacy protection relies on the Federal Trade Commission’s (FTC) enforcement of several federal privacy laws and on state-level laws. In recent years, the influx of cybersecurity threats has led to a rise in data security laws and regulations at the state level and across multiple industries. After the roll-out of the CCPA in California, many other states, such as Hawaii, Maryland, Massachusetts, and North Dakota, followed with similar pending legislation.
Faced with the overwhelmingly challenging task of protecting the global economy and its consumers from cybercriminals, the U.S. and the international community will need to collaborate, learn, and adapt to ever-evolving threats.
It’s evident that these privacy laws, regulations, and standards all share one common goal regardless of their origin—to secure non-public information and keep it out of the wrong hands, whether through corporate abuse, cyber attacks, or unintentional mishandling errors.
While no single, uniform law exists in the U.S., the world is collectively embracing and adapting to increasing cybersecurity threats by taking the necessary measures to reduce, and even attempt to eliminate, the potential for mischief. This universal goal of protecting consumers and the world economy is driving some states to act faster and more effectively than others. As privacy laws evolve, institutions must be prepared to understand the magnitude of their impact and plan accordingly to thrive as they adopt these new countermeasures.