Financial institutions must meet standards for safeguarding customer data given the particularly sensitive information they hold, and regulators have been stepping up their efforts to provide guidance on just how they must do it. In a recent example from October 19, 2016, three banking regulators—the FDIC, Federal Reserve, and OCC—released an advanced notice of proposed rulemaking that would require bank holding companies with at least $50 billion in assets and other systemically important financial institutions (SIFIs) to implement protections to respond to and prevent the spread of cyberattacks. About a month earlier, the New York Department of Financial Services also proposed cybersecurity requirements for financial services companies.
While the focus of these efforts contemplates a cyber-attack from the “outside” to steal customer data, financial institutions should pay close attention to the Wells Fargo incident for another type of cybersecurity concern. In September, the Consumer Financial Protection Bureau accused Wells Fargo employees of secretly opening unauthorized and phony customer accounts—using existing customers’ private data—in order to meet sales targets and earn bonuses. Wells Fargo fired roughly 5,300 employees for the conduct, and the ongoing fallout from the practice cost Wells Fargo’s CEO his job. Customers whose data was compromised responded quickly in court, filing multiple class actions, including a Utah federal court lawsuit alleging invasion-of-privacy and identity-theft claims.
The requirement that companies, including financial institutions, must safeguard sensitive data from its own employees is not a new concept. Stolen laptops, unauthorized software downloads, and weak passwords are just a few common broken links in the chain when it comes to protecting customer data. In the current technology environment, all companies must ensure that even basic employee training teach employees how to protect confidential customer data.
The Federal Trade Commission (FTC)—a law enforcement agency charged with protecting consumers—has used Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices in the marketplace, to enforce privacy and data security guidelines. And it has provided companies with guidance on how to avoid an embarrassing and costly data incident. In one suggested best practice on protecting personal information, the FTC advises companies to “scale down access to data.” The FTC also recommends that companies follow the “principle of least privilege.” In plain English, these concepts mean that “each employee should have access only to those resources needed to do their particular job.” Regardless how many employees a company has, it must provide adequate and ongoing training on how to protect confidential client information. Pleading ignorance just won’t cut it anymore.
