The Dynamics of Data Privacy

Sponsored by SWBC

Privacy is an enduring concept highlighted in news of data breaches and how personal information is collected, shared and even sold. Most, if not all, credit unions have an obligation to protect the privacy of their members, employees and website visitors. This obligation is typically underpinned by applicable laws, regulations, contracts and dedication to member service. 

According to IBM and the Ponemon Institute, 23% of data breaches occur because of employee negligence. As you can imagine, it is important that your credit union implement a privacy program and educate and empower employees to make wise decisions that will protect member data.

The concept of data privacy continues to evolve in law and philosophy. Privacy is a multifaceted personal, social, legal and business issue. Privacy involves protecting information that may be linked to a particular person—like a date of birth, blood type or even location. The reality is, as we move into a more digitally connected and dependent age, any bit of information that can tie back to a person is could be considered personally identifiable information. Where the data lies on a spectrum, from first name to DNA mark, is what determines the risk that is associated with personal information. Approaches to protect privacy include market forces, legal controls, technology and self-regulation.

Privacy and security concepts are often interchanged, but they are different. Security controls are designed to protect information from unauthorized access, use and disclosure. The objective is to ensure the confidentiality, integrity and availability of information. By contrast, protecting privacy involves setting rules and procedures for collecting and handling personal information. For example, encryption is a security control used to protect information from unauthorized access, whereas a privacy control will determine when and how information may be collected and shared. 

Inherent Risk

When personal information is collected, used, stored or disclosed, it creates risk. Businesses and financial institutions carry legal, reputational, operational and investment risk for information they own, control or process. To manage risk, credit unions must counter identity theft and fraud; comply with privacy laws, regulations and contract provisions; and prevent data breaches. A privacy program is designed to help you and your employees make risk-informed decisions.

Data Privacy Guidelines

Credit unions should develop a privacy policy and evaluate employees’ roles within your credit union to provide them specialized privacy training based on the organization’s risk. We’ve compiled a non-exhaustive list of guidelines for your credit union to consider including in your privacy program:

1. When you collect information, you must protect it; assess risk before you decide to collect it.
2. Know what type of information you collect, use, store or share and how to protect it. 
3. Collect a minimum of information, only of the type you need to support the business requirement.
4. Strictly follow security and privacy policies; align your actions with your policy.
5. Require least privilege access to information for all employees and third parties. 
6. Do not store sensitive information on mobile devices; only use approved storage locations. 
7. Encrypt sensitive information when using untrusted networks and email. 
8. Share information only after full consideration of the risk; when in doubt, do not share.
9. Securely destroy media and data when it is no longer required by law, regulation, contract, policy or business need. 
10. Look for red flags to detect, prevent and mitigate identity theft. 
11. Provide employees with a platform or means to report data incidents—especially breaches.
12. Conduct periodic privacy impact assessments to understand the risk to your business.

Safeguarding privacy is a collective task that every employee in your credit union should strive to uphold. Your members have trusted you with their private information and it is critical—both from a legal and reputational standpoint—that you take reasonable measures to avoid a data breach. Keep in mind, a data breach could cause serious damage to your credit union and its reputation. 

Jeffrey Julig, CISSP, CEH, is SVP/chief information security officer for CUES Supplier member SWBC, San Antonio. Learn more ways to minimize risk at your credit union in our latest ebook, The Right Tools for Risk Management.