The European Commission last week announced plans to widen the scope of current EU legislation for the protection of personal data to make it mandatory for all companies that store data on consumers to report data security breaches. If these proposals go through, banks that do not already have a thorough data protection policy in place could be hitting the headlines more often than they would like and for the wrong reasons. What could cause even more incalculable damage to a bank's reputation is if a data security breach that becomes public knowledge was the work of an "insider".
While most banks have secured their networks from "external" threats, in the absence of thorough user auditing and control systems there remains an immediate risk from the bank's own staff, contractors and outsourcing partners. Part of the problem is that some staff have inappropriate access to systems and sensitive data, thereby creating serious security threats.
Even if all users can be limited to the systems they need access to, there remains no guarantee that these users will act responsibly when using their access rights. This is especially true where there are inadequate levels of accountability. While trying to prevent the loss of data, banks also need to keep their business fluid and responsive, and maintain effective controls within a set of cost constraints.
Add to that the need to respect employees' privacy rights, and financial institutions are left with a myriad of issues that they need to address. They are not the Ministry of Defence, so locking all systems and data sources down, and frisking employees as they leave the building, is not the way to go!
The plans to extend European legislation on data protection to the financial services sector should serve as an incentive for banks to review current data security policies and conduct serious risk assessments to identify where there is potential for data loss. Once these gaps have been identified, financial institutions can then take the appropriate measures to address data leakage points and avoid becoming front page news.