EXCLUSIVE: The Challenge Of European, US Data Law Differences - Varonis

It may sound obvious when it is pointed out, but one of the most important reasons for having a private bank account is that the account information remains, well, private. Yet in this digital age, with stories of data thefts, security breaches and zealous government assaults on what they see as illegitimate secrecy, the question of how to handle data protection is one of the most important facing the wealth management industry. Developments such as mobile applications and cloud computing have given the issue an added edge, and the challenge of handling private data correctly is made harder still by the different regulatory regimes around the world, including in Asia.

This publication recently spoke to the New York-headquartered firm Varonis, which advises and works with firms, including financial institutions, on how to handle data. Andy Green, technical content specialist, answered questions about his firm and the data protection challenge. While most of the comments focus on Europe and the US, Asia is also discussed.
Can you outline what Varonis is and does and where it is based?

Varonis is the leader in data governance solutions, providing a software framework that enables customers with unstructured and semi-structured data residing on their file shares, intranets, and email systems to audit data access activity, fix and maintain access controls, identify sensitive data, find data owners, and involve them in access review and authorization processes, making sure that only the right people have access to the right data at all times from all devices, all use is monitored, and abuse is flagged. Varonis Systems was founded by networking and storage experts Yaki Faitelson and Ohad Korkus, and is a US-based company with headquarters in New York City.
Can you briefly recap the different approaches towards data protection regulation in the US and the European Union?

In a nutshell, the US approach to consumer data protection has been to focus on specific sectors with targeted laws, while the EU has a single and uniform set of rules. The US Congress over the years has passed different pieces of legislation to cover medical, financial, and consumer credit companies. Several regulatory agencies - the SEC, HHS, and FTC - are involved with data protection enforcement and rule-making.

The EU Commission took a far broader approach with its landmark 1995 Data Protection Directive, or DPD. It is a central law - guidance, really - for the EU community. The data protection and privacy scope is enormous, covering any company that collects consumer data and not making any distinction, as the US does, based on a particular industry.

While there is one DPD, each EU country is required to set up its own data protection authority. In the UK, for example, the Information Commissioner’s Office has the power to regulate personal data as well as expand on the DPD’s overall rules. There are similar authorities in other EU countries. This has introduced some variations in the way the DPD is being implemented, and is therefore causing a bit of regulatory confusion. Actually, this is being addressed in a proposed change to the DPD to centralize rulemaking and complaint handling.
What is the relevance of such regulatory differences to banks and other financial firms, particularly given how privacy issues, client confidentiality and anti-money laundering are all key issues at the moment?

In the US, there are few laws that have been established to protect consumer financial privacy. You can go back to the Financial Credit Report Act from the late 1970s, which set rules-of-the-road for the national credit agencies - Experian, etc. - over who could see consumer credit information and gave consumers the power to correct inaccurate information. In the US, we also have the FCRA to thank for requiring vendors to block out all but the last five digits of a credit card number on receipts and bills.

Gramm-Leach-Bliley, or GLB, which became law in 1999, for the first time brought comprehensive protections to consumer banking and financial data. The FTC has regulatory power in this case and set high-level data security rules. In terms of privacy, GLB also forced banks to inform consumers when their data is being shared with third parties, allowing them to opt out under certain circumstances, though sharing with companies under the same corporate umbrella, known as affiliates, doesn’t require consumer permission. And security standards generally loosen when the data is transferred to non-affiliated third parties. Unfortunately, US consumers currently don’t have the right to review and update possibly inaccurate banking and financial personal data.

The EU’s DPD, not surprisingly, has a more uniform and far stricter regime when it comes to companies sharing with what they call “data processors” - we don’t have the equivalent here in the US - and explicitly requires opt-in from consumers. Data processors are under the same security requirements and legal obligations as the originating “data controller” - the company that collects the data. And with the DPD, consumers have an important right to access and correct any information that’s been collected about them - that’s very powerful.
How do you see firms on both sides of the Atlantic dealing with the data protection issue?

There are some similarities. They are both focused on protecting the key part of the consumer data. In the US, we call it personally identifiable information, or PII; in the EU it’s referred to as personal data. It gets messy here because each agency handles the definition differently, but PII is essentially phone number, name, credit card numbers, address or any other identifier, along with other sensitive information that’s collected.

In the EU, it’s roughly the same idea, though their definition of an identifier is more general, encompassing email address, IP address, and even potentially biometric markers - any data that can be “reasonably” related back to an individual counts as personal data.

With the new proposed revisions to the DPD that are currently working their way through the review process, there’s an understanding that personal and non-personal data are getting blurred and both need to be given the same protections. In other words, information that is now considered non-personal and non-sensitive - say geo-location data or even anonymous preference information - can be combined with public social media data to re-identify the owner of the data. So what looked like anonymous data is anything but that. This is the big privacy problem in the digital age - the rise of enormous amounts of personal data available on the Internet.

In the US, we are a little behind but the gears are moving, and the FTC recently released an important guidelines document that recognises the power of social media to change what it means for data to be truly anonymous.
What sort of awareness is there in the EU/US financial industries of the different data protection regimes, and the steps they must take to comply?

There’s certainly high awareness and compliance in the US. Every bank and company “primarily engaged in financial services” has to list who they’re sharing their consumer data with - both affiliates and non-affiliates. You can spot these notices on bank web sites. In the US, we’re also used to getting privacy notifications and opt-out forms in the mail from our banks.

EU countries have been focused on this a bit longer, and I would argue that privacy notions resonate more deeply there. There are also well-established rules for filing complaints with national protection authorities. The interesting issue that arises - and has made the headlines - is when US companies process EU consumer data.

The DPD has not gone over especially well with US social media and web service companies. Facebook, Google, and others have been openly complaining about the new proposed “right to be forgotten” rule, which would give consumers the power to delete all their social media posts. They are also not happy about existing rules requiring explicit opt-in when sharing data with third parties and the right to review personal data. Remember, the US has more of an opt-out digital culture. Some of the input and comments from US companies may actually change the way the right-to-be-forgotten rule is ultimately written.
Where does this lead US financial companies doing business in the EU?

They would have to comply with the DPD as well. However, there’s an “it depends.” In general, US companies that process EU data outside the Eurozone would fall under a special EU-US Safe Harbor framework that lets them self-certify. By the way, the US’s FTC is in charge of ensuring that US companies live up to their DPD claims. But there’s a large exception for banks in the Safe Harbor agreement. They wouldn’t have to follow the right-to-be-forgotten and the rest of the DPD framework if they’re processing EU financial data in the US. Of course, Gramm-Leach-Bliley would still apply as far as I can see.
Any thoughts about how this plays in Asia?

We did some research recently on Singapore’s proposed Personal Data Protection law and noticed that it parallels the DPD, even using the same terminology. In Japan, they have similar legislation known as the Personal Information Protection Act. Actually, regulators in Japan, Singapore, the EU, and even the US were influenced by an important privacy guidelines document written by the Organisation for Economic Co-operation and Development back in the early 1980s. The OECD was one of those groups that came out of the Marshall Plan. Anyway, the OECD’s privacy ideas can be most easily seen in the EU’s DPD, but it clearly has been looked at by Asian regulators as well.
What are your views on the ways that firms can best adapt to data protection requirements, and in a cost-effective way?

Ultimately, everyone recognises privacy has to be built into the services and products from the start - “privacy by design”. A good principle is to collect only the consumer data that’s needed for business purposes, and also to think carefully about how long data should be retained before it loses its business value, and take steps to find the data that should no longer be needed and dispose of it, with automation if possible. In the era of hackers, not following these principles can lead to unnecessary liabilities when records are breached.

The DPD was ahead of the game here - even though it was passed in the pre-Internet era - in mandating that companies not collect data in excess of what’s required for business functions. That’s good advice. But again, the US is also thinking along these lines in its regulatory guidelines.
How can technology firms overcome a perhaps understandable client cynicism that data protection, like other issues, is simply a ploy to sell services and products that they may not actually need?

Breaches have helped shift privacy and data protection principles into the conversation as a business strategy. PII or personal data is valuable information to hackers. Once they enter a business data centre, hackers and cyber criminals are searching for credit card numbers, email addresses, and account numbers in unprotected and unencrypted files in the corporate file system. Many companies have been careless about storing this data, say as spreadsheets or plain-text documents, with very loose file permissions.

Technology firms can help curb criticism by comparing digital assets to any other asset that needs protection. There’s little client cynicism about video cameras, fences, and padlocks. Controls for data protection make sense when you consider the value of the assets they are protecting.

In the US, the regulatory agencies can fine companies and even bring civil or criminal charges if they receive consumer complaints about identity theft. So there are strong legal and financial motives for companies to seriously address their data security and privacy shortfalls.
Are there other points you want to make on this topic?

In our work, companies often come to us because they need to comply with regulations, and there’s a realization that the unstructured data in their file system can be an enormous potential liability. Companies don’t know what data is out there, who’s looking at it, who should be looking at it, what the proper permissions are, and whether the data should be removed or archived.

The trend with regulations and regulatory guidelines in both the US and the EU is pointing to what we consider a fundamental principle - know your data.
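The last three answers describe one practical task from different angles: find the PII that is sitting in unstructured files, flag the files whose permissions are too loose, and find records held past their useful life. The following is an added example in that spirit; it is not Varonis software and is not code from the interview. It assumes a POSIX file system (a file counts as world-readable when the "other" read bit is set), uses a Luhn check to discard digit runs that merely look like card numbers, and builds a small constructed sample share in a temporary directory so it runs offline; the directory names, records and retention window in it are made up for the demonstration.

```python
import os
import re
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# Simplistic detectors (assumption: good enough for a demo, not a product).
# A card-like run is 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs (ticket IDs, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str             # relative to the scanned root
    cards: int            # Luhn-valid card-like numbers found
    emails: int           # email addresses found
    world_readable: bool  # 'other' read bit set: loose permission
    stale: bool           # untouched for longer than the retention window


def scan_tree(root, retention_days=365, now=None):
    """Walk root; report files holding PII, with permission and retention flags."""
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            text = p.read_text(errors="ignore")
        except OSError:
            continue
        cards = [m.group() for m in CARD_RE.finditer(text)
                 if luhn_ok(re.sub(r"[ -]", "", m.group()))]
        emails = EMAIL_RE.findall(text)
        if not cards and not emails:
            continue            # no PII: out of scope for this report
        st = p.stat()
        findings.append(Finding(
            path=p.relative_to(root).as_posix(),
            cards=len(cards),
            emails=len(emails),
            world_readable=bool(st.st_mode & stat.S_IROTH),
            stale=(now - st.st_mtime) > retention_days * 86400,
        ))
    return findings


def build_sample_share(root, now):
    """Constructed sample data: three files a scan should treat differently."""
    root = Path(root)
    spec = [
        # (relative path, content, mode, age in days) - all made up
        ("finance/q3-refunds.csv",
         "customer,email,card\nA. Smith,a.smith@example.com,4111 1111 1111 1111\n",
         0o644, 800),   # card + email, world-readable, held past retention
        ("hr/contacts.txt",
         "Payroll contact: hr@example.com, ext 2201\n",
         0o600, 10),    # email only, locked down, recent
        ("notes/ticket.txt",
         "Ticket 4111111111111112 - user cannot log in\n",
         0o644, 10),    # 16 digits but fails Luhn: not reported
    ]
    for rel, content, mode, age in spec:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
        mtime = now - age * 86400
        os.utime(p, (mtime, mtime))


def demo(retention_days=365):
    """Build the sample share in a temp dir and scan it; returns the findings."""
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        build_sample_share(d, now)
        return scan_tree(d, retention_days=retention_days, now=now)


if __name__ == "__main__":
    for f in demo():
        flags = []
        if f.world_readable:
            flags.append("WORLD-READABLE")
        if f.stale:
            flags.append("PAST-RETENTION")
        print(f"{f.path}: cards={f.cards} emails={f.emails} {' '.join(flags)}")
```

Run as a script it prints one line per file that holds PII; the refunds spreadsheet is reported with both flags, the HR contact list with neither, and the ticket note not at all because its digit run fails the Luhn check. In practice the patterns would be extended (account number formats, national ID formats), the permission test would look at share ACLs rather than the POSIX "other" bit, and stale files would be routed to an owner for an archive-or-delete decision rather than acted on automatically.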