
EXCLUSIVE: The Challenge Of European, US Data Law Differences - Varonis

Tom Burroughes, Group Editor, London, 15 March 2013


It may sound obvious when it is pointed out, but one of the most important reasons for having a private bank account is that account information remains, well, private. And yet in this digital age, with stories of data thefts, security breaches and zealous government assaults on what they see as illegitimate secrecy, the issue of how to handle data protection is one of the most important facing the wealth management industry. Developments such as mobile applications and cloud computing have given an added edge to the issue. And the challenge of handling private data correctly is made even more difficult due to different regulatory regimes around the world, including Asia. 

This publication recently spoke to the New York-headquartered firm Varonis, which advises and works with firms, including financial institutions, to deal with how to handle data. Andy Green, technical content specialist, answered questions about his firm and the data protection challenge. While a lot of the comments focus on Europe and the US, Asia is also discussed.

Can you outline what Varonis is and does and where it is based?

Varonis is the leader in data governance solutions, providing a software framework that enables customers with unstructured and semi-structured data residing on their file shares, intranets, and email systems to audit data access activity, fix and maintain access controls, identify sensitive data, find data owners, and involve them in access review and authorization processes, making sure that only the right people have access to the right data at all times from all devices, all use is monitored, and abuse is flagged. Varonis Systems was founded by networking and storage experts Yaki Faitelson and Ohad Korkus, and is a US-based company with headquarters in New York City.

Can you briefly recap the different approaches towards data protection regulation in the US and European Union?

In a nutshell, the US approach to consumer data protection has been to focus on specific sectors with targeted laws while the EU has a single and uniform set of rules. The US Congress over the years has passed different pieces of legislation to cover medical, financial, and consumer credit companies. Several regulatory agencies - SEC, HHS, and FTC - are involved with data protection enforcement and rule-making.

The EU Commission took a far broader approach with its landmark 1995 Data Protection Directive or DPD. It is a central law - guidance really - to the EU community. The data protection and privacy scope is enormous, covering any company that collects consumer data and not making any distinction, as the US does, based on a particular industry.

While there is one DPD, each EU country is required to set up its own data protection authority. In the UK, for example, the Information Commissioner’s Office has the power to regulate personal data as well as expand on the DPD’s overall rules. There are similar authorities in other EU countries. This has introduced some variations in the way the DPD is being implemented and is therefore causing a bit of regulatory confusion. Actually, this is being addressed in a proposed change to the DPD to centralize rulemaking and complaint handling.

What is the relevance of such regulatory differences to banks and other financial firms, particularly given how privacy issues, client confidentiality and anti-money laundering are all key issues at the moment?

In the US, there are few laws that have been established to protect consumer financial privacy. You can go back to the Financial Credit Report Act from the late 1970s, which set rules-of-the-road for the national credit agencies - Experian, etc. - over who could see consumer credit information and giving consumers the power to correct inaccurate information. In the US, we also have the FRCA to thank for requiring vendors to block out all but the last five digits of a credit card number on receipts and bills.  

Gramm-Leach-Bliley or GLB, which became law in 1999, for the first time brought comprehensive protections to consumer banking and financial data. The FTC has regulatory power in this case and set high-level data security rules. In terms of privacy, GLB also forced banks to inform consumers when their data is being shared with third parties, allowing them to opt out under certain circumstances. Though sharing with companies under the same corporate umbrella, known as affiliates, doesn’t require consumer permission. And security standards generally loosen when the data is transferred to non-affiliated third parties. Unfortunately, currently US consumers don’t have the right to review and update possibly inaccurate banking and financial personal data.

The EU’s DPD, not surprisingly, has a more uniform and far stricter regime when it comes to companies sharing with what they call “data processors” - we don’t have the equivalent here in the US - and explicitly requiring opt-in from consumers. Data processors are under the same security requirements and legal obligations as the originating “data controller” - the company that collects the data. And with the DPD, consumers have an important right to access and correct any information that’s been collected by them - that’s very powerful.

How do you see firms on both sides of the Atlantic dealing with the data protection issue?

There are some similarities. They are both focused on protecting the key part of the consumer data. In the US, we call it personally identifiable information or PII; in the EU it’s referred to as personal data. It gets messy here because each agency handles the definition differently, but PII is essentially phone number, name, credit card numbers, address or any other identifier along with other sensitive information that’s collected.

In the EU, it’s roughly the same idea, though their definition of an identifier is more general, encompassing email address, IP address, and even potentially biometric markers - any data that can be “reasonably” related back to an individual counts as personal data.

With the new proposed revisions to the DPD that are currently working their way through the review process, there’s an understanding that personal and non-personal data are getting blurred and both need to be given the same protections. In other words, information that is now considered non-personal and non-sensitive - say geo-location data or even anonymous preference information - can be combined with public social media data to re-identify the owner of the data. So what looked like anonymous data is anything but that. This is the big privacy problem in the digital age - the rise of enormous amounts of personal data available on the Internet.

In the US, we are a little behind but the gears are moving, and the FTC recently released an important guidelines document that recognises the power of the social media to change what it means for data to be truly anonymous. 

What sort of awareness is there in the EU/US financial industries of the different data protection regimes, and the steps they must take to comply?

There’s certainly high awareness and compliance in the US. Every bank and company “primarily engaged in financial services” has to list who they’re sharing their consumer data with - both affiliates and non-affiliates. You can spot these notices on bank web sites. In the US, we’re also used to getting privacy notifications and opt-out forms in the mail from our banks.

EU countries have been focused on this a bit longer, and I would argue that privacy notions resonate more deeply there. There are also well-established rules for filing complaints with national protection authorities. The interesting issue that arises - and has made the headlines - is when US companies process EU consumer data. 

The DPD has not gone over especially well with US social media and web service companies. Facebook, Google, and others have been openly complaining about the new proposed “right to be forgotten” rule, which would give consumers the power to delete all their social media posts. They are also not happy about existing rules requiring explicit opt-in when sharing data with third parties and the right to review personal data. Remember the US has more of an opt-out digital culture. Some of the input and comments from US companies may actually change the way the right-to-be-forgotten rule is ultimately written.

Where does this lead US financial companies doing business in the EU?

They would have to comply with the DPD as well. However, there’s an “it depends.” In general, US companies that process EU data outside the Eurozone would fall under a special EU-US Safe Harbor framework that lets them self-certify. By the way, the US’s FTC is in charge of ensuring that US companies live up to their DPD claims. But there’s a large exception for banks in the Safe Harbor agreement. They wouldn’t have to follow the right-to-be-forgotten and the rest of the DPD framework if they’re processing EU financial data in the US. Of course, Gramm-Leach-Bliley would still apply as far as I can see.

Any thoughts about how this plays in Asia?

We did some research recently on Singapore’s proposed Personal Data Protection law and noticed that it parallels the DPD, even using the same terminology. In Japan, they have similar legislation known as the Personal Information Protection Act. Actually, regulators in Japan, Singapore, the EU, and even the US were influenced by an important privacy guidelines document written by the Organisation for Economic Co-operation and Development back in the early 1980s. The OECD was one of those groups that came out of the Marshall Plan. Anyway, the OECD’s privacy ideas can be most easily seen in the EU’s DPD but it clearly has been looked at by Asian regulators as well.

What are your views on the ways that firms can best adapt to data protection requirements and in a cost-effective way?

Ultimately, everyone recognises privacy has to be built into the services and products from the start - “privacy by design”. A good principle is to collect only consumer data that’s needed for business purposes and also to think carefully about how long data should be retained before it loses its business value, and take steps to find the data that should no longer be needed and dispose of it, with automation if possible. In the era of hackers, not following these principles can lead to unnecessary liabilities when records are breached.

The DPD was ahead of the game here - even though it was passed in the pre-Internet era - in mandating companies to not collect data in excess of what’s required for business functions. That’s good advice. But again, the US is also thinking along these lines in its regulatory guidelines.

How can technology firms overcome a perhaps understandable client cynicism that data protection, like other issues, is simply a ploy to sell services and products that they may not actually need?

Breaches have helped shift privacy and data protection principles into the conversation as a business strategy. PII or personal data is valuable information to hackers. Once they enter a business data centre, hackers and cyber criminals are searching for credit card numbers, email addresses, and account numbers in unprotected and unencrypted files in the corporate file system. Many companies have been careless about storing this data, say as spreadsheets or plain-text documents, with very loose file permissions.

Technology firms can help curb criticism by comparing digital assets to any other asset that needs protection. There’s little client cynicism about video cameras, fences, and padlocks. Controls for data protection make sense when you consider the value of the assets they are protecting.

In the US, the regulatory agencies can fine companies and even bring civil or criminal charges if they receive consumer complaints about identity theft. So there are strong legal and financial motives for companies to seriously address their data security and privacy shortfalls.

Are there other points you want to make on this topic?

In our work, companies often come to us because they need to comply with regulations, and there’s a realization that the unstructured data in their file system can be an enormous potential liability. Companies don’t know what data is out there, who’s looking at it, who should be looking at it, what the proper permissions are, and whether the data should be removed or archived.

The trend with regulations and regulatory guidelines in both the US and the EU is pointing to what we consider a fundamental principle - know your data.
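A defender-side illustration of two points Green makes above (card numbers sitting in plain-text files with loose permissions, and not knowing what data is out there or who can read it), added here as an example; it is not Varonis code or anything from the interview. It walks a directory tree, flags files containing Luhn-valid card numbers, records whether each file is readable by any local account, and reports only the last five digits. The directory layout, file names, pattern and card numbers are all constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Digit runs of 13-19 digits with optional space/hyphen separators (constructed pattern).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: drops random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return [h for h in hits if luhn_ok(h)]


def scan_tree(root):
    """Walk a share; list files holding card numbers and whether any local account can read them."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    cards = find_card_numbers(fh.read())
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the audit
            if cards:
                findings.append({"path": path, "count": len(cards),
                                 "world_readable": bool(os.stat(path).st_mode & 0o004),  # other-read bit
                                 "masked": ["*" * (len(c) - 5) + c[-5:] for c in cards]})  # last five digits
    return findings


def demo():
    """Constructed sample share: one loose-permission CSV export plus one harmless note."""
    root = Path(tempfile.mkdtemp())
    csv_path = root / "customers.csv"
    # 4111... is a well-known test number; 1234... looks like a card but fails Luhn
    csv_path.write_text("name,card\nA. Client,4111 1111 1111 1111\nB. Client,1234 5678 9012 3456\n")
    csv_path.chmod(0o644)  # readable by every account on the host: the loose-permissions case
    (root / "notes.txt").write_text("Invoice dated 2013-03-15, ref 9999\n")
    return scan_tree(str(root))
```

On a real share the findings list is the starting point for the follow-up steps the interview describes: tightening permissions, finding the data owner, and archiving or removing files that no longer have a business use.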
