FIRMA April 2010
DATA BREACHES & PRIVACY
Christine M. Farquhar
Managing Director, Compliance
J.P. Morgan U.S. Private Banking
Introduction

Not only are we mandated to design, implement and maintain safeguards to protect client information, but keeping client information private and secure is vital to our businesses. In the case of private banking, the use of the word “private” is not coincidental. Maintaining trust and confidentiality is equally important.

How do financial institutions achieve these regulatory requirements and honor client expectations? When there is a breach of confidential information, is your institution ready to respond appropriately and as quickly as possible?
Preserving Client Confidentiality within and outside your organization

To keep client information under physical, electronic and procedural controls...

- Do your affiliates perform services for the benefit of your clients? Do you have control around how affiliates access your client information?
  - Is staff dedicated to serving your client base within your affiliates?
  - Dedicated office space—no space sharing with other lines of business without specific approval and training for personnel
  - Dedicated printers/faxes/files
- Are there “ring-fences” around your technology? If not, how are you vetting access?
  - Consider confidentiality agreements for those people with access to your systems who are not dedicated solely to your clients
  - Place “entitlements” on technology access
- Do your contracts with third-party providers address client confidentiality?
  - Client information given over to them should be used solely for the stated contractual purposes
  - Do your third-party providers have well-defined privacy practices?
- Have you adopted internal policies and procedures around preserving client confidentiality? Make sure your personnel are aware of them.
  - Examples: written procedures for the transportation of paper containing confidential information; policies around technology access—who monitors and approves access to your systems; clean desk policies
Educating your personnel

- Ongoing training—for example, mandatory annual privacy training
- Periodic reminders—complements formal training efforts
  - Examples: protecting client information in s; never share passwords to your systems
- At every opportunity, stress the importance of your privacy practices

Even when every reasonable precaution is taken and you have made every effort to educate your staff and your clients about safeguarding information, breaches can happen...
Privacy Breaches

Some background: Data Protection/Breach—Interagency Guidelines

Requires financial institutions to establish response programs for unauthorized access to customer information:
- Applies to consumers only
- Applies to paper as well as computer-based information
- Applies to information held in foreign countries
- Must identify and assess breach of information
- Must notify federal regulator if “sensitive” information involved
- Must notify law enforcement and file SAR if crime involved
- Must notify consumer customer if sensitive information is, or could possibly be, misused

“Sensitive information” means:
- ID information in conjunction with SSN or account numbers, or
- Any combination of information that would allow access to the customer's account, e.g., name and password or PIN
Privacy Breaches: Considerations from the States

Many states, the District of Columbia and Puerto Rico have enacted laws that require the establishment of response programs for unauthorized access to customer information. Similar to the Federal Guidance, but some state laws have these differences:
- Applies only to computer information (a few states apply to paper too)
- Must notify state Attorney General or other agency rather than law enforcement
- Must notify customer regardless of whether information is, or could possibly be, misused (a few states have a risk-of-harm standard)
- Specify fines and/or penalties for violations
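The federal "sensitive information" test and the federal-versus-state notification rules above form a small decision procedure, and incident response teams often want it written down so that escalation does not depend on memory. The following Python helper is an added example, not part of the FIRMA presentation; it encodes only the rules the two slides state. The `StateRegime` fields (`covers_paper`, `risk_of_harm_standard`, `notify_agency`) are hypothetical inputs that model the listed state-law differences, not a table of any real state's statute, and the assumption that state triggers reuse the federal notion of sensitive information is labelled in the code.

```python
"""Breach-notification decision helper (added example, not from the slides).

Encodes the federal Interagency Guidelines rules and the generic state-law
differences as the presentation describes them.  State parameters are
inputs supplied by the caller, not real statute values.
"""
from dataclasses import dataclass


@dataclass
class StateRegime:
    """Hypothetical shape of one state's breach law, following the slide's
    list of differences from the federal guidance."""
    name: str
    covers_paper: bool = False            # most states: computer information only
    risk_of_harm_standard: bool = False   # a few states: notify customer only if misuse possible
    notify_agency: str = "state Attorney General"   # or "other agency"


@dataclass
class Breach:
    """Facts gathered on the incident report form (constructed field labels)."""
    fields_exposed: frozenset      # e.g. frozenset({"name", "ssn"})
    medium: str                    # "computer" or "paper"
    consumer_customer: bool        # federal guidelines apply to consumers only
    misuse_possible: bool          # information is, or could possibly be, misused
    crime_suspected: bool


# Constructed vocabulary for the slide's two-part definition of "sensitive".
IDENTIFIERS = frozenset({"name", "address", "date_of_birth"})
ACCOUNT_KEYS = frozenset({"ssn", "account_number"})
CREDENTIALS = frozenset({"password", "pin"})


def is_sensitive(fields):
    """Sensitive per the slide: ID information together with an SSN or
    account number, OR any combination allowing access to the customer's
    account (e.g. name and password or PIN).  Read literally, an SSN on its
    own is not 'ID information in conjunction with' anything."""
    fields = frozenset(fields)
    id_with_key = bool(fields & IDENTIFIERS) and bool(fields & ACCOUNT_KEYS)
    account_access = bool(fields & (IDENTIFIERS | ACCOUNT_KEYS)) and bool(fields & CREDENTIALS)
    return id_with_key or account_access


def federal_notifications(b):
    """Who must be notified under the Interagency Guidelines as stated on the slide."""
    required = []
    if not b.consumer_customer:
        return required                      # guidelines apply to consumers only
    sensitive = is_sensitive(b.fields_exposed)
    if sensitive:
        required.append("federal regulator")
    if b.crime_suspected:
        required.append("law enforcement")
        required.append("file SAR")
    if sensitive and b.misuse_possible:
        required.append("customer")
    return required


def state_notifications(b, state):
    """State-law notifications under the supplied (hypothetical) regime."""
    required = []
    if b.medium == "paper" and not state.covers_paper:
        return required                      # state law covers computer information only
    if not is_sensitive(b.fields_exposed):
        return required                      # assumption: state trigger reuses the federal definition
    required.append(state.notify_agency)     # rather than law enforcement
    # Customer notified regardless of misuse, unless the state has a risk-of-harm standard.
    if b.misuse_possible or not state.risk_of_harm_standard:
        required.append("customer")
    return required


def required_notifications(b, state=None):
    """Union of federal and state obligations, deduplicated, federal first."""
    out = federal_notifications(b)
    if state is not None:
        for item in state_notifications(b, state):
            if item not in out:
                out.append(item)
    return out


if __name__ == "__main__":
    # Constructed incident: name + SSN lost from a system, no sign of misuse yet.
    incident = Breach(frozenset({"name", "ssn"}), "computer", True, False, False)
    print(required_notifications(incident, StateRegime("Example-State")))
```

The useful property for an incident response team is the asymmetry the slides point out: in the constructed incident the federal rule alone requires only regulator notification because misuse is not yet possible, while a state regime without a risk-of-harm standard adds the customer notice anyway. Changing `misuse_possible`, `medium` or the state parameters shows each rule switching on or off independently.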
An organized approach to responding to privacy breaches

- Establish an umbrella Privacy Office or designated contact that is ultimately responsible for creating standards and guidelines for use by your institution when dealing with breaches
- Establish escalation points within the various areas of your firm
- Form “Incident Response Teams” with legal, compliance and/or risk representation
  - Incident Response Teams can serve as a control around proper escalation and response, including any required response to clients or reporting to regulatory agencies.
- Adopt the use of an “Incident Report Form”
  - Gives your folks a tool to report breaches effectively. Can include:
    - name and contact information of the person reporting the incident
    - description of the incident with enough detail to allow an investigation—date and time of the incident, when discovered, by whom, etc.
    - where it occurred—country/city, etc.
    - a description of the information involved
    - whether third parties or outside service providers were involved
An organized approach... Required elements of notification

When sensitive information has been breached, notification must include:
- a description of the incident,
- what your institution has done to protect client information from further unauthorized access,
- a phone number for further information, and
- a reminder that clients should be vigilant over the next month period and that they should promptly report incidents of suspected ID theft.

Consider including in the notification:
- recommend clients review account statements for suspicious activity
- describe fraud alerts and explain how to place alerts on their consumer credit reports
- recommend they obtain periodic credit reports from a nationwide reporting agency

Credit Monitoring
Consider offering credit monitoring services or providing clients with the name of a credit monitoring service they can contact on their own.
THE MODEL PRIVACY FORM

In October 2009, the Agencies adopted new model privacy notification forms – the Model Forms.
- Standardized--page layout, content, format, style, pagination, and shading are prescribed. Only certain fields may include variable text.
- Address information sharing and non-sharing practices. May require an “opt-out” depending on how sharing reasons are answered.
- Did not generally contemplate private banking
- The Federal Regulators launched an “online form builder”; since you have little latitude to change it, the form builder is quite useful

While the Agencies have indicated that use of the Model Forms is voluntary, a financial institution that does NOT choose to use the Model Forms may:
- receive new and enhanced scrutiny, as to format as well as content, from Agency examiners;
- lose its safe harbor;
- appear different from other firms--consumers will not be able to do the simple comparison of privacy practices the Agencies were seeking;
- find itself a focus of media and consumer advocates critical of different forms.