Wednesday, February 22, 2017

Security and Privacy


Banking on Good Security.

The banking industry is responsible for safeguarding the most personal private information of our customers: Social Security Numbers, account numbers, credit card numbers, birthdates. You get the point! We are held to the highest standard of security and privacy not only by our customers, but by our regulators, the NCUA (National Credit Union Association). So it's no wonder that when I apply for a Lowe's credit card on a paper application in the store, I ask them where the application goes, whether it is filed in a drawer, and who has access to it. Most times I get funny looks when I ask these types of questions. I have been trained and programmed to always be thinking about security. The reaction I get from people not of this mindset is part of the problem with today's consumers. The general public is not educated on how to protect their own personal information. So, as companies, we need to protect them, sometimes from themselves.

In a regulated environment, where we are audited on our privacy and security by the state, internal auditors and federal regulators, we hold ourselves to the absolute highest standards of privacy and security. We are also responsible for training our employees and our customers on security. We have dedicated a special section of our webpage to security and privacy content. Our employees receive annual security and privacy training and are tested regularly.

Unfortunately, not all companies are committed to keeping their customers' information safe. Case in point: the TJX Companies and Heartland breaches are among the top data breaches. According to Bloomberg.com's list of top "Data Breaches in the U.S.", the TJX breach back in 2007 resulted in a loss of 100 million dollars.

Employee Guidance for Social Media - More than being "social"

As employers, we have to set the expectations for our employees. When we created our company Facebook business account, I invited our employees to visit and like our page. Many employees declined because they didn't want our company, or other employees, to see their personal Facebook accounts, even though they could have changed their privacy settings. Coincidentally, we were in the process of compiling a Social Media Policy for our employees. We have an employee Social Media Policy, which includes Social Media Management. We provide guidelines for our employees, which they agree to every year through policy review. These guidelines, like those outlined by the National Labor Relations Board (NLRB), are approved and adopted within compliance guidelines for our industry. One of the interesting points made by the NLRB's guidance was that "Opinions are largely protected, even if they are factually incorrect."

We are in the financial services industry. We have to exercise the utmost security regarding our buildings, security protocols and other information that could be used to perpetrate crimes against our business. The Federal Financial Institutions Examination Council (FFIEC) regulates topics like social media guidance for financial institutions. It provides us with guidance on how we, as financial institutions, can conduct social media. (Much, 2017)

15 Social Media Security Tips, Siciliano, 2011

Quote of the Week:

"Realize that you can become a victim at any time. Not a day goes by when we don't hear about a new hack. With 55,000 new pieces of malware a day, security never sleeps." - McAfee (Siciliano, 2011)

6 comments:


  1. It's refreshing to see that your workplace requires annual training and testing for security. My credit union pro-actively replaced my debit card due to the TJ Maxx and Target data breaches, and was great to work with when my debit card was stolen. They've recently added the option to freeze your debit card and get activity alerts on your phone… which will be great if I ever realize again that the fast food joint never returned my debit card and there are 4am purchases at a gas station outside of town on my transaction list, and I won't have to wait until the bank opens at 9 am. If someone tries to guess my password, my account will automatically be locked after six failed attempts. They still use SiteKey security images on the log-in page though... "photos of beaches, teapots, coffee and foods, among other options users can select from — as a way to show customers that the web page they were logging into was legitimate and not a phony website designed by a fraudster" (Anand, 2015). If you liked the clip from Adam Ruins Everything, check out his episode about security theater… what really makes us safe, and what only makes us think we're safe.

    Browsing the FFIEC social media guideline seems like a very helpful start to establishing your in-house guidelines. Letting your employees know their rights and how to adjust their Facebook privacy settings should prove very helpful. Sometimes, even if you know the settings exist on a social networking site, it’s hard to figure out where to adjust them.


    Anand, P. (2015, November 5). Those security images on your bank log-in pages? They’re useless. Retrieved from http://www.marketwatch.com/story/banks-find-online-security-images-offer-little-protection-2015-11-05

  2. Hi Judy!

    I am one of "those" who basically has a similar password for all of my accounts so your post really hit home!

    When I have applied for store credit cards, I have never thought where that information goes or who has access to it. It makes me feel ill to think that all of my personal information was just sitting in a drawer at Target where any of their employees could have gone in and had access to it.

    I also didn't know that TJMaxx even had a data breach and unfortunately I have a card there. Definitely need to check this out...

    Great post!

    Kendall

    Replies
    1. Here's a case study about the TJMaxx data breach, http://sydney.edu.au/engineering/it/courses/info5990/Supplements/Week07_Malware&Security/Supp07-4TJXCaseDetails.pdf

      It happened several years ago, but compromised data of 45 million credit cards. Somehow my bank found out my debit card number was in that list, and immediately froze my card and issued me a new card with a new number as a precaution.

    2. Thank you for sending the TJX case study. The reason your bank was proactive in reissuing your debit card is because if they are like our credit union, they receive notifications for affected card numbers.

      Most consumers have no idea about the costs associated with data breaches and fraud. The issuer, a bank, credit union or credit card company, absorbs the cost of the plastic replacement cards. Cards can run about $2.55-$3.00 per card; multiply that by 45 million from the TJX compromise and it equals about 115 million dollars in plastics costs! This figure doesn't include the cost of any fraudulent transactions that the financial institution or credit card company has to restore to its customers. For the consumer, the good news is they remain protected. In many cases they are only responsible for the first $50.00, or sometimes they have zero liability for any fraudulent transactions. Most of them do not know that because, as we mentioned in a previous conversation thread, they don't read the disclosures or terms of agreements.

    3. Hi Kendall,
      You can ask for the application back once they put it into the system. Or at the very least, tell them you want it shredded. Companies are now required to employ strict data protection laws. This wasn't always the case. In the example of the TJX Companies, they were storing customer data. When their systems were breached, all that personal customer information was still on their system, making their customers' information vulnerable to the hack. In retrospect, they realized that there was no reason to store unnecessary customer data on their system. The one good result from the TJX breach was the introduction of a new set of standards for storing and sharing personal, private information. Companies are now required to adhere to stronger requirements. Ultimately, like on social media, the responsibility has to rest with the consumer or user having a complete understanding of how their data and personal information is being used.

  3. Just saw this on Twitter - It's relevant to our discussion on privacy. It's a wonder we sleep at all with all these worries about the safety of our personal information! Bitly wouldn't work - sorry for the long url.

    https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/electronic-healthcare-data-in-the-underground?utm_source=trendlabs-social&utm_campaign=02-2017-healthcare-data-in-the-underground&utm_medium=smk
