
With consumers wary of recent breaches, banks must clearly evaluate how they protect themselves and their consumers’ data.

Here we break down what you need to know.

Bank Security

Every bank, of course, has heavy-duty internal security measures to protect customer data. But what about when a bank’s data leaves the premises for recovery?

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to select service providers that maintain appropriate safeguards to protect consumer information. The Sarbanes-Oxley Act (SOX) requires that a financial institution document all policies and procedures in place to safeguard the business's data, and report on those policies and procedures annually. Failure to comply with these regulations can mean millions of dollars in fines, and even prison terms, for bank officers.

To maintain compliance with these and other federal regulations, a bank must carefully vet and review the security of data recovery companies, and of any other company that may handle sensitive data belonging to the bank and its customers. Data recovery should also be written into every financial institution's security protocol and Business Continuity Plan.

Cost of a Data Breach

Beyond compliance with federal regulations, there are other reasons for a bank to protect itself from a possible data breach via a third-party data recovery provider.

This past May, the Ponemon Institute released its 2014 Cost of Data Breach study, which examined the costs incurred by U.S. companies across 16 industries. The average cost to an organization of a single data breach was $5.9 million.

The financial industry ranked in the top five in "per capita cost" (the cost per compromised record). One likely reason: lost customers have been shown to account for nearly 40% of the cost of a data breach, and of all the industries studied, the financial industry showed the highest rate of customer loss after a breach.

Verify Third-Party Data Security

The National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, Section 5.1.3 (Protection of Resources) states:

Organizations may use third-party vendors to recover data from failed storage devices. Organizations should consider the security risk of having their data handled by an outside company and ensure that proper security vetting of the service provider is conducted before turning over equipment. The service provider and employees should sign non-disclosure agreements, be properly bonded, and adhere to organization-specific security policies.

There are a great many data recovery companies, and many of them make claims they can't back up, especially about security. Ask for proof. A properly audited facility will hold current reports from an independent third-party security auditor. Make sure that what the provider holds is enough to satisfy SOX and GLBA. A SOC 2 Type II report, for example, is an auditor's attestation that the provider's security controls were in place and operated effectively over a period of months, and it addresses these and several other regulations. Its criteria also cover personnel practices, including background checks on employees before they are hired. Data recovery, after all, is the perfect vocation for identity thieves and other criminals who want to gather personal data.

Visiting the physical locations of candidate data recovery companies is highly valuable. Ask to conduct an onsite audit and see for yourself what security controls are in place. While you're there, ask to see the cleanroom and its certification. Even a strand of hair or a speck of dust around an open drive can render important data unrecoverable.

With a thoroughly vetted, trusted data recovery company written into its security protocol and Business Continuity Plan, a bank will not only comply with federal regulations and avoid unwanted fines; it will also be able to act quickly, and securely, in an unexpected data loss emergency.

Follow the Checklist

To recap, here’s the checklist for vetting third-party data recovery service providers:

  • Proof of internal information technology controls and data security safeguards, such as annual SOC 2 Type II audits
  • Training and awareness programs for employees to ensure sensitive and confidential data is protected
  • Engineers trained and certified in all leading encryption software products and platforms
  • Proof of Chain of Custody documentation and certified secure network
  • Vetting and background checks of all employees
  • Secure and permanent data destruction when required
  • Use of encryption for files in transit
  • Proof of Certified ISO Class 5 Cleanroom
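The checklist asks for proof of chain-of-custody documentation and for the bank to "ask for proof" rather than take claims on trust. As an added example (not code from the original post or from any provider mentioned in it), the script below shows what a verifiable custody record can look like: the bank fingerprints the media image before hand-off, each party that touches the package records its own entry authenticated with its own key, and each entry links to the one before it, so an altered, forged or dropped hand-off shows up at audit time. The actors, keys, timestamps and the stand-in drive image are constructed for the demonstration; a real deployment would use keys provisioned per party rather than the literal strings here.

```python
"""Tamper-evident chain-of-custody ledger for media handed to a third-party
data recovery provider.

Added example; not code from the original post or from any provider named
in it. Assumptions: every party that touches the media (bank custodian,
courier, recovery lab) holds its own secret key that the bank's auditor
also knows, each custody event is recorded as an entry authenticated with
the acting party's key, and each entry covers the MAC of the entry before
it. The media image, keys and custody events below are constructed for
the demonstration.
"""
import hashlib
import hmac
import json
from typing import Dict, List

GENESIS = "0" * 64  # link value carried by the first entry in a ledger


def fingerprint(data: bytes, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of an image or recovered dataset, streamed so large images fit in memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def _entry_mac(body: Dict[str, str], key: bytes) -> str:
    # Canonical JSON so the MAC does not depend on key order or whitespace.
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def append_entry(ledger: List[Dict[str, str]], actor: str, action: str,
                 media_sha256: str, timestamp: str, actor_key: bytes) -> Dict[str, str]:
    """Record one hand-off. The acting party authenticates its own entry, and the
    entry binds to the previous one so nothing can be inserted or dropped unnoticed."""
    body = {
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "media_sha256": media_sha256,
        "prev_mac": ledger[-1]["entry_mac"] if ledger else GENESIS,
    }
    entry = dict(body, entry_mac=_entry_mac(body, actor_key))
    ledger.append(entry)
    return entry


def verify_ledger(ledger: List[Dict[str, str]], keys: Dict[str, bytes]) -> List[str]:
    """Return the list of problems found; an empty list means the chain is intact."""
    problems: List[str] = []
    prev_mac = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "entry_mac"}
        actor = body.get("actor", "")
        if body.get("prev_mac") != prev_mac:
            problems.append(f"entry {i}: link to previous entry is broken")
        key = keys.get(actor)
        if key is None:
            problems.append(f"entry {i}: unknown actor {actor!r}")
        elif not hmac.compare_digest(_entry_mac(body, key), entry.get("entry_mac", "")):
            problems.append(f"entry {i}: contents do not match {actor}'s MAC")
        prev_mac = entry.get("entry_mac", "")
    return problems


def demo() -> Dict[str, object]:
    """Walk one hand-off chain, then show that an altered or dropped entry is detected."""
    image = bytes(range(256)) * 4096           # constructed 1 MiB stand-in for a drive image
    keys = {"bank-custodian": b"bank-demo-key",
            "courier": b"courier-demo-key",
            "recovery-lab": b"lab-demo-key"}
    sent = fingerprint(image)                  # taken by the bank before the media leaves
    ledger: List[Dict[str, str]] = []
    append_entry(ledger, "bank-custodian", "imaged, sealed, handed to courier", sent,
                 "2014-08-01T09:00:00Z", keys["bank-custodian"])
    append_entry(ledger, "courier", "received sealed package", sent,
                 "2014-08-01T10:30:00Z", keys["courier"])
    append_entry(ledger, "recovery-lab", "received, seal intact, image verified", sent,
                 "2014-08-02T08:15:00Z", keys["recovery-lab"])
    clean = verify_ledger(ledger, keys)

    # Tampering: the lab rewrites the courier's entry without holding the courier's key.
    tampered = [dict(e) for e in ledger]
    tampered[1]["action"] = "received package, seal broken"
    altered = verify_ledger(tampered, keys)

    # Deletion: the courier's entry is dropped; the lab entry's link no longer matches.
    dropped = verify_ledger([ledger[0], ledger[2]], keys)

    # On receipt, the lab (and later the bank) recomputes the fingerprint of the copy it holds.
    return {"clean": clean, "altered": altered, "dropped": dropped,
            "lab_copy_matches": fingerprint(image) == sent}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Keying each entry to the party that wrote it is what makes the record proof rather than a log anyone in the chain could rewrite; a provider that cannot produce a record the bank's auditor can verify in this way has only a claim, not documentation.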


As Chief Information Security Officer (CISO) and Director of eDiscovery and Digital Forensics, Michael Hall directs and implements policies and procedures concerning the privacy and security of all data received at DriveSavers, including highly critical data from government agencies, major corporations and research laboratories. Hall was instrumental in helping NIST, FDIC, OTS and BITS identify the risks of improper screening of data recovery providers.
