Financial sector Data Privacy in the U.S: problems and solutions from using NYM
Overview
Divulging personally identifiable information during a business transaction has become a commonplace occurrence for most individuals. This activity can span from sharing of bank account numbers, loan account numbers, and credit/debit card numbers, to providing non-financial personally identifiable information such as name, social security number, driver’s license number, address, and e-mail address. In short, there is a deluge of personally identifiable information that banking, capital markets, and insurance industries deal with and possess as a part of their day to day business. Due to the rising threat of data breaches, identity theft, and associated fraud across industries, companies are increasingly focusing on enhancing data privacy programs. The problem of data breaches is a concern across all industries; however the financial services industry is a primary target of fraudsters due to the inherent value of the underlying data.
Data Privacy: An Industry Perspective
Maintaining the privacy of confidential customer information has become essential for any firm which collects or stores personally identifiable data. Such information may be general yet sensitive such as names, addresses, and social security numbers; or it can be crucial and financially sensitive data such as credit card, debit card or bank account numbers.
The financial services industry operates and deals with a significant amount of confidential client and customer data for daily business transactions. Due to the perceived value of this data, the financial services industry is one of the primary targets for data breaches.
Hospitality, retail, and financial services have been among the industry verticals that were most affected by data breach events in 2010. Collectively these three verticals accounted for around 87% of data breach events recorded, with financial services accounting for almost 22% of total breach cases reported across industries in 2010. On a positive note for the financial services industry, this 22% represents a drop from 33% in 2009. The 2010 drop is likely due to recent arrests and prosecutions following large scale intrusions in the financial services industry, which is also leading to increased focus on less reactive targets such as the retail and hospitality industries.
Another way to measure breaches is the number of records that were compromised. In 2010, approximately 35% of the total records compromised came from financial services. Even based on this measure, 2010 has been a relatively good year for the financial services industry since traditional historical average has been 90% or more. This decrease reflects the lack of large-scale mega breaches in the financial services space in 2010.
Data Privacy and its Importance in the Financial Services Industry
The operational structure of financial services institutions requires them to have more stringent data security standards as compared to those operating in other industries. On a regular basis, financial service firms deal with large amounts of personal and confidential customer information including bank account information, debit or credit card data and other business confidential customer data. Data privacy regulations and the potential reputational risks associated with breach events make having a strong data privacy policy in place even more important.
The success or failure of a financial service firm can depend on how it balances the use of confidential customer information while maintaining privacy. To capitalize on emerging growth opportunities, financial firms need to be flexible in sharing confidential customer data—whether across different departments, affiliated partners, or non-affiliated third parties such as technology or outsourcing firms—while complying with regulations and protecting the company’s reputation. The key lies in this delicate balance between data sharing flexibility and maintaining data privacy.
Securing Data and Managing Breaches in the Financial Services Industry
A Look at High-Profile Data Breaches in financial service industry in the US
A quick glance through some of the most high profile data breaches affecting U.S.customers highlights that six of the top ten data breach events that have occurred since 2007 were at financial service firms, though the number of breaches in the financial services firms has decreased in 2010 and 2011.
While 2010 was relatively mild in terms of records breached, 2011 has been notable for a few high profile data breaches, notably the Sony PlayStation network breach which affected over 100 million customers globally. Additionally, the financial services industry witnessed data breaches involving large global firms such as Citigroup and Bank of America. In June 2011, Citigroup U.S. reported that hackers were able to gain unauthorized access to personally identifiable information such as customer names, account numbers, and contact information of around 360,0002 customers . Citigroup Japan suffered a similar breach affecting around 92,4003 customers . Bank of America suffered a massive insider breach in May 2011, which ended up costing the firm around US$10mn4
These high profile corporate breaches have highlighted the difficulties faced by even the largest global businesses to consistently protect their digital assets. Despite having robust data privacy programs and data security systems in place, firms are still vulnerable to fraud through exploring loopholes in existing data protection systems and practices.
A Brief Overview of Privacy Regulations across the Globe
Maintaining privacy of data is a primary concerns for companies and governments across the globe. Most countries have privacy laws and regulations intended to protect personal and sensitive customer data from misuse. These laws set standards for companies in terms of how they use, store, and process such data. Countries such as the U.S. have passed regulations mandating the client notification of data breaches as soon as a breach occurs.
Data privacy laws are present in almost all major countries across the world. While they all revolve around data security, accountability, access, data integrity, consent, disclosure, and notice, the stringency levels of these laws and their enforcement differ.
The following exhibit categorizes major countries based on the level of stringency in their set privacy regulations and enforcement. Germany and Argentina have the most restrictive laws and strictly prohibit data transfers to countries without adequate data protection regulations. Most other Western European countries fall in the restrictive category.
Undoubtedly, the changing technological landscape has had a major role to play in the rapidly evolving privacy environment. Various countries that have relatively weaker privacy legislation are now updating their privacy laws to be better positioned for the technological advancements.
The essence of the evolving privacy laws is on the protection and maintenance of customer’s personal information. However, the stringent nature of these privacy laws and regulations can pose business challenges for firms that have centralized operations with a presence in multiple locations as well as firms that work with external vendors in offshore locations. For example, the European Union data protection directive imposes restrictions on the transfer of all personal information outside the EU region. The U.S. on the other hand has no specific laws addressing cross-border flow of data but has various laws which require firms to secure all personally identifiable information.
The challenges posed by disparities in market-specific privacy laws standards have been addressed relatively well, with most governments focusing on the harmonization of privacy laws. India, one of the leading outsourcing service providers to many mature markets, has recently developed a comprehensive set of data privacy rules under new legislation. This legislation, termed the Information
Technology Rules 2011, applies to all companies including back office and third party outsourcing firms in order to strengthen data privacy laws in the country. Mexico, another upcoming outsourcing destination, joined 50 other countries in adopting broad privacy regulations focusing on private sector firms.
Cost Implications of Data Breaches
Data breaches have become an uncomfortably common feature in today’s business context and quite often make news headlines. The cost of a data attack for any company can be huge and has been increasing in recent years.
In 2010, the average cost of data breach has increased across the globe with the U.S. breaches costing around US$214 per record compromised and a global average of US$156.
In fact, data breach costs have shown an increasing trend over the past four years. Malicious/criminal attacks, third-party mistakes, and loss or theft of data storage devices (such as laptops) have led to an increased average cost of data breaches in 2010. The increase has been especially true for firms that have shown an inability to prevent and counter these threats. Additionally, the lack of proper breach response plans by firms has also been a key driver of rising data breach costs.
An analysis of the costs incurred in 2010 reveal that reputational losses, as well as post-breach response costs, is increasingly becoming one of the primary components of overall data breach costs outside of the U.S. In the U.S., regulatory compliance is the main driver of data breach mitigation costs.
Firms that are subjected to a data breach bear both direct and indirect costs. Breach detection and escalation costs; costs of notifying affected customers; and other response costs such as setting up a communication platform to help breach victims are direct costs that can be measured by the labor and money spent on these activities. Additionally, firms that are found to have been guilty of breach due to non-compliance of existing privacy laws and weak data security policies may have to incur other costs in the form of legal fines.
However, there are also indirect costs such as reputational costs which can only be measured on an economic estimate of lost business opportunities.
Challenges to Data Breach Prevention in an Organizational Setup
Due to increasing scrutiny from regulators and the media, financial services institutions continue to face pressure to maintain high standards of data security. Today, financial firms face the following challenges when addressing privacy concerns and regulations.
■ Information flexibility. Financial service institutions need to provide dynamic access to sensitive customer data to clients, employees, and external partners. Such a high flow of information exchange can make it difficult to protect data.
■ Proliferation of social media. Social networking sites are being used extensively for purposes such as brand building and establishing relationships with customers. While social media provides a relatively inexpensive method of marketing financial products/services and better connecting with the customers, it also provides challenges in maintaining data security.
■ Sophisticated external hackers. Cyber criminals are increasingly using sophisticated viruses, malware, and other techniques designed to outsmart traditional data security technologies.
■ Educating employees in data protection. Despite firms having automated data loss prevention (DLP) solutions, employees still play an integral part in avoiding data leaks and handling sensitive data. As a result, it can be a challenge to continually educate both new and existing staff about various security issues.
NYM Enhancing Financial Data Privacy in the US
NYM can significantly enhance data privacy in US financial institutions by implementing the following measures:
End-to-End Encryption of Network Traffic: NYM employs multi-layered encryption to protect data packets in transit. This ensures that sensitive financial information remains confidential and secure during transmission.
Anonymous Metadata Protection: NYM’s mixnet obscures metadata, including IP addresses, communication patterns, and device information. This prevents the tracking and profiling of users, enhancing privacy for financial transactions.
Incentivized and Decentralized Mix Nodes: By allowing anyone to run a mix node after pledging an initial bond in NYM, the network promotes decentralization. This means that the responsibility of data processing is distributed across a wide range of nodes, reducing the risk of central points of failure or potential breaches.
Proof of Mixing Mechanism: Similar to how Bitcoin rewards miners for securing the network, NYM rewards mix node operators based on their reputation and quality of service. This incentivizes responsible operation and helps maintain a high level of privacy and security for end users.
Compatibility with Various Blockchains: NYM is designed to work with any blockchain, including widely used ones like Bitcoin and ZCash. This allows financial institutions to integrate NYM seamlessly into their existing infrastructure, ensuring network-level privacy for crypto transactions.
Application Development Support: Developers in financial institutions can build their applications on top of NYM, leveraging its robust privacy features. This means that financial platforms, wallets, and other services can offer enhanced network-layer and metadata protection to their users.
By implementing NYM, financial institutions can create a secure and private environment for handling sensitive financial data, protecting both the content and metadata of transactions. This not only safeguards the interests of users but also enhances the overall security posture of the institution itself.
