Businesses deal with customer financial data - this is a simple reality of doing business. Unfortunately, for as many businesses as there are handling financial data, the lack of businesses who understand how to handle this data is striking. A simple misstep can result in not only huge legal trouble, but huge ethical concerns and a cycle of broken trust between the business and the customer.
This data is wide and varied - thus, knowing how to protect it is vitally important, and it has been heavily legislated. In this piece, we’re going to discuss what is actually considered financial data, the specific requirements placed on businesses to safeguard this data, and the various ways you can comply with these requirements.
As an aside - we are not lawyers, and this is not legal advice.
What is Financial Data?
While this seems a bit of a dumb question, legislation often has very strict definitions of what something is and isn’t, and understanding these distinctions can help to differentiate the various approaches we’re going to discuss later on in this piece.
Financial data is personal information collected from a customer, and used in the process of purchasing or disseminating a good or service. This data includes names, personal addresses, phone numbers, any banking information, credit card numbers, income data, credit histories, Social Security Numbers, and even shopping habits.
The rule of thumb to apply here is this - would the data I’m reviewing be relevant in any way to the purchasing of my offerings? If so, it is financial data, and is subject to specific rules and laws.
Compliance - Who Cares?
The relevant legislation isn’t just for traditional businesses, however. Under the Gramm-Leach-Bliley Act, a piece of legislation dealing in part with this issue, the Safeguards Rule, which establishes proper handling of financial data, applies both to traditional businesses and to organizations that may not actively classify themselves as such.
What this means is that, yes, the store down the road must comply - but so must colleges, charities, and even roadside stands. The rules state that any business “significantly engaged” in commerce of any kind, dealing with any service or item, is subject to this law, even if the service provided is not directly offered as a benefit (e.g., ATMs, credit reporting agencies, and debt collectors).
Broadly speaking, there are a few key points that must be adhered to for proper compliance. This list is by no means exhaustive, but the other points of compliance naturally extend from proper implementations of solutions to these compliance issues - thus they are covered by following the below concepts.
- Businesses must form a data management plan that is public. This data management plan must disclose what data is collected, why, and how it will be used. If you’ve ever called a bank and heard at the start of a call a spiel concerning “any interest rates offered” having stipulations or time limits, and that any data collected will be “retained for account purposes”, this is an example of proper compliance.
- Businesses must train their employees if they handle this data. Having a data plan is not enough - a business must engage in training any employee who handles this data. You cannot simply say “well the employee should have known better” or use the employee ignorance as an excusing or mitigating factor, legally speaking - the employer is responsible for the actions of the employee, and thus must train them for compliance.
- The data management process must be routinely tested and audited. As part of the Safeguards Rule, the data safeguard process must be routinely tested to ensure compliance, just as a food inspector routinely checks a kitchen or a building inspector routinely checks a building’s structural integrity.
- Data must be collected only as pertinent to its use, and destroyed only when legally permitted. Any outstanding requests for data must be fulfilled before the relevant data is destroyed, and any data slated for destruction must be marked as such and classified as either “in use” or “not in use”.
Securing Information During Collection
Securing this data begins in the earliest phase, while the data is being collected, and doing so helps establish security throughout the data’s life. Ensuring that secure data entry forms are used, that only the data that is needed is collected, and that collection is limited in scope to only the relevant consumers is vitally important.
As part of this, encryption can easily be established as part of an early methodology for securing data. By encrypting the database as it’s being built, with complete coverage designed in from the start, providers will find their data is kept in a more secure state than under any solution that retrofits security later in the data’s lifespan.
Securing Information During Usage and Archival
This is where data is most often exposed, if it is at all. Figuring out how to secure data while keeping it usable and searchable is a balancing game between “usability” and “security”. A database with no security is more valuable in terms of usage than any other solution, but its lack of security makes it an attractive target, diminishing its value to zero. Conversely, the most secure database in the world is entirely useless if it cannot be accessed - a tradeoff is always part of the consideration.
As such, consideration needs to be given to frequency of access. If Social Security Numbers are rarely accessed, then given their security requirements they can be heavily encrypted and even stored away on remote servers or in hard copy form. Something like a customer ID, though, is actively used and constantly referenced, so the encryption scheme obviously needs to be balanced against the need to access it with relative ease.
Securing Information Through Destruction
Funnily enough, one of the best methods of securing data is something you may not consider a positive act. Destroying data, especially data marked as superfluous, obsolete, or unneeded, goes a long way to securing the rest of the data present on the server.
There’s a concept in IT called “attack surface”, wherein the more material is publicly accessible, the greater the “area of attack” for hackers and other ne’er-do-wells. Deleting information and securely wiping it is perhaps the strongest methodology outside of encryption for securing customer data, as it reduces this area of attack and establishes a more controlled “battlefield” on which the battle against criminality will be waged.
Luckily, there’s a great solution for data management that securely wipes data and ensures that consumers are well protected. ClaraWipe is a data destruction utility that uses a variety of complex mechanisms to wipe data completely, replacing it with random or set digits in a variety of proven mechanisms used by the government, private sector businesses, and IT professionals.
This cannot be overstated - proper data destruction is a cornerstone of securing client information. Insecurely deleted data can be forensically recovered, leading to data breaches - and these breaches, in turn, can lead to further breaches, especially when leaked data such as birth dates and family members’ names feed into commonly used password patterns.
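To make the overwrite-then-delete idea concrete, here is a small added example in Python; it is not ClaraWipe’s code and does not implement any named wiping standard, and the pass patterns and chunk size are assumptions chosen for illustration.

```python
import os
import secrets

# Assumed pass sequence for this example: all-zeros, all-ones, then random bytes.
# None means "fill with cryptographically random data". Not a named standard.
DEFAULT_PASSES = (b"\x00", b"\xff", None)


def overwrite_file(path, passes=DEFAULT_PASSES, chunk_size=64 * 1024):
    """Overwrite a file's existing bytes in place, one pass per pattern,
    without changing its size. Returns the total number of bytes written.

    Caveat for practitioners: in-place overwriting only reliably destroys
    data on media that rewrite the same physical location. SSDs (wear
    levelling), copy-on-write or journaling filesystems, snapshots, and
    cloud block storage may keep the old blocks; there, destroying the
    encryption key or using a device-level sanitize command is needed.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for pattern in passes:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                block = secrets.token_bytes(n) if pattern is None else pattern * n
                fh.write(block)
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push each pass to the device before the next
    return written


def secure_delete(path, passes=DEFAULT_PASSES):
    """Overwrite the file contents, then unlink it. Returns bytes overwritten."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written
```

Run `secure_delete` on a copy of a record file and confirm the path no longer exists; the function returns the byte count so callers can log what was wiped for audit purposes.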
Best of all, ClaraWipe adheres to the following industry standards:
- Sarbanes-Oxley Act (SOx)
- HIPAA & HITECH
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- US Department of Defense 5220.22-M
- CSEC ITSG-0
- Payment Card Industry Data Security Standard (PCI DSS)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- EU data protection directive of 1995
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
Simply put, securely deleting data is the best approach to long-term client security - and for this reason, should be a cornerstone for any data security plan.