Data privacy: How to keep customer data safe

Data privacy and security is a hot topic and is only getting hotter. It has implications for everything from regulatory compliance and risk management to a bank’s ability to engender trust in its customers.

According to a 2022 study by investment and intelligence company MAGNA, 74% of consumers say they highly value data privacy. Respondents also indicated a 23% increase in purchase intent for brands and companies with responsible data practices.

For all those reasons and more, it’s imperative that community banks position themselves as good stewards of their customers’ personal data. And while they can’t guarantee there will never be a data breach, they can communicate to customers everything they’re doing to minimize incidents and safeguard customer information—and their money—as much as possible.

Here are some pointers that community banks should consider about not only current threats but also opportunities, including how they can make the most of strong customer relationships to use data in a way that provides value to both parties.

How to reassure customers that their data is protected

The privacy of customers’ personal information is at the forefront of every community banker’s decisions, says Steven Estep, ICBA assistant vice president of operational risk.

“Community bank customers can be at ease knowing that community banks take the protection of their customers’ data very seriously, and community banks are regulated by some of the strictest data privacy laws of any sector,” Estep says.

“Data privacy and security is very important to customers, as data breaches can lead to a loss of customers’ trust, a traditional core value in banking services.”

—Bob Hickok, Eide Bailly

The federal Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, specifically Regulation P and the Safeguards Rule, ensure that community banks are properly securing personal information while providing customers information about control over their data, he notes.

Bob Hickok

Regulatory oversight agencies require financial institutions to have routine information security audits and cybersecurity testing, and community banks could remind customers of the security testing practices independent parties perform for them each year, says Bob Hickok, senior manager, risk advisory services at Eide Bailly LLP in Fargo, N.D.

“Those banks that have rigorous in-house vulnerability management programs in place could comment on that to provide customers a higher level of comfort,” Hickok says. “Data privacy and security is very important to customers, as data breaches can lead to a loss of customers’ trust, a traditional core value in banking services.”

Community banks could also include links on their websites for customers to learn more about privacy and data security, he says. Best practice sources include the CISA, Department of Homeland Security, NIST, FBI, FTC and links to guidance from industry leaders such as Microsoft.

“Considering the fast pace at which information security can change, [putting] customers in touch with leading experts is an easy way to provide help, as well as [show them that we understand] the concerns we all have about our own information,” Hickok says.

7 current and emerging cyber threats to data privacy

Community bankers should always be apprised of the latest cyber threats to data privacy, says Bob Hickok of Eide Bailly LLP. “Cyber threats can change at a breakneck pace,” he says. “Attackers’ skills now are very advanced compared with even five or 10 years ago, and serious attacker groups are dramatically more skilled than 2010 and prior.”

1. Phishing continues to be the most common attack method used to start a breach. Once an employee is phished, attackers quickly work to identify vulnerabilities to exploit and gain greater privileges. “Those vulnerabilities include missing security patches and updates as we read about all the time,” Hickok says.

2. Misconfigurations can be default or blank passwords in critical network devices such as firewalls, switches, storage systems and default passwords in software. “Many vulnerabilities exploited are the result of misconfigured settings in hardware and software,” Hickock says. “Those cannot be patched, so they must be identified and mitigated to remove the ‘low-hanging fruit’ vulnerabilities.”

3. Ransomware continues to grow as a threat to data privacy. In addition to locking data to prevent access by the rightful owner, attackers’ approach in recent years has added routinely exfiltrating victims’ data prior to encryption. If the victim does not pay the ransom timely, the attackers leak the stolen data itself into the public until the victim is pressured to pay the ransom.

4. Supply chain attacks such as 2021’s breaches involving SolarWinds and other network security management tools and services continue to be effective. Such attacks can turn trusted security management tools into attack platforms with very high levels of access in the victims’ networks. Attacks on Active Directory are used to gain increased access and potentially complete control of a target company’s network, says Hickock. Active Directory attacks have become a common technique used in most attacks, following the initial compromise of a computer on the victim’s network. “As a result of COVID, many companies allow remote access connections into the network in far greater numbers than pre-COVID,” Hickok says. “This increases the likelihood of poorly secured computers connecting to the enterprise network, which, in turn, increases the company’s exposure to cyber threats.”

5. Double extortion involves bad actors not only demanding ransom to return stolen data, but also encrypting the data and then demanding payment for the decryption key. “There’s also been significant changes to cyber insurance, including increases in premiums and deductibles,” says Anna Kooi, national financial services leader in the Chicago office of Wipfli LLP. “There are also more exclusions from coverage if companies don’t have certain controls in place, such as multi-factor authentication, end-to-end detection and periodic testing of backup systems.”

6. Social engineering “is, and probably will remain, the most effective method for attackers,” says Steven Estep of ICBA. “Whether that is through phishing, vishing [voice phishing] or smishing [SMS phishing], the easiest way into a network remains through people.”

7. Undiscovered, or “zero-day,” vulnerabilities in common software are also targets for attackers, Estep says. Applying patches to software as quickly as possible is crucial in protecting data from potential unauthorized access.

The California Privacy Rights Act ripple effect

Community banks with customers in the Golden State should be well versed in the California Consumer Privacy Act (CCPA), which has led to similar laws in other states, says Tom Tollerton, principal and cybersecurity advisory at FORVIS LLP in Charlotte, N.C. “The federal government has been unable to pass comprehensive consumer privacy legislation, leading many state governments to introduce laws that would require organizations to protect personal information and limit how that information is used,” he says.

When the CCPA was enacted in 2018, it was the most comprehensive state data protection law passed to date, he says. CCPA was modeled closely after the European Union’s General Data Protection Regulation (GDPR). Like GDPR, California’s law is considered broad both in the scope of the nature of covered data, as well as the number of affected businesses.

“One of the most significant changes CPRA brings … is the establishment of [an agency] to implement and enforce rules under administrative law.”

—Tom Tollerton, Forvis LLP

In November 2020, the California Privacy Rights Act (CPRA) was passed by California constituents as a ballot initiative, amending and expanding upon the original CCPA, Tollerton says. Effective Jan. 1, 2023, the new law will broaden the definition of covered data and expanded consumer rights, including a private right of action in the event consumer rights are violated.

Tom Tollerton

“One of the most significant changes CPRA brings to the California privacy law is the establishment of a California Privacy Protection Agency to implement and enforce rules under administrative law,” he says. “There are also significant obligations to which businesses must adhere, including increased transparency on the use of third-party processors and data storage limitations.”

California’s data privacy law only applies to for-profit businesses with a gross annual revenue of over $25 million; that buy, receive or sell the personal information of 50,000 or more California residents, households or devices; or that derive 50% or more of their annual revenue from selling California residents’ personal information, says Estep of ICBA.

“While the CCPA does provide a data-level exemption for financial information covered by GLBA, it does not provide an entity-level exemption and significantly expands on GLBA’s definition of personal identifiable information, including geolocation data, internet activity, biometric data and inferences that can create a profile about a consumer,” Estep says.

Any business that has basic interactions with a California resident, including collecting website cookies from a California resident, may fall subject to CCPA, he says.

Cybersecurity education matters

For many years, regulatory and industry best practice recommendations have included the need to educate customers, as well as bank employees, regarding data security, says Bob Hickok of Eide Bailly LLP.

Education topics for customers, as well as employees, should include:

• Best practices for passwords—long, strong, and never reuse passwords on multiple Internet login accounts
• Ways to identify phishing emails and other social engineering threats
• Monitor credit reports and bank account activity to timely identify and prevent fraud and identity theft
• Financial abuse and exploitation of elders
• Email account compromise and attackers’ exploitation by using breached accounts
• The need to keep operating systems and other applications current with software security patches and updates
• The need to uninstall software that is end of life and no longer supported with vendor security patches. No security updates are available to plug security holes found in these unsupported versions of software.

Many community banks have held or sponsored customer and community education events. Shredding and disposal events for customers to securely dispose of paper and electronic storage devices (CDs, DVDs, disks, etc.) are often popular.

“Training employees regularly is crucial to promoting a strong culture of cybersecurity,” says Steven Estep of ICBA. “Banks should consider training on basic concepts of cyber hygiene, training on new and emerging threats, and job-specific training.”