W Data Privacy – Getting Started By Dr. Kevin Streff, American Security & Privacy What if the federal government wants to determine if the United States banking system is being used to distribute a new ransomware variant? What if it secretly uses its systems and core processing platforms to make this determination? The need to protect citizens from harmful cyber-attacks is real. But what about your bank’s privacy? What about the privacy of your data? Where’s the balance between the two? This is precisely the concern that digital banking is creating: On one hand, customers are demanding bank-from-anywhere convenience, but on the other hand, they are uncomfortable not having control over how, where and when their data is being used. International laws in 18 countries now address this, keeping data ownership with the customer and requiring companies to work with the data only in very specific ways. A dozen states also have data privacy laws that address specific data collection and handling requirements, setting up an authority to police actions so personal data is handled accordingly. Organizations can be fined 4% of revenue if they are found out of compliance with the law! These data privacy laws have teeth. In fact, the Consumer Finance Protection Bureau (CFPB) has begun looking for violations and responding to customer complaints with the new state laws. Multimilliondollar fines have already been levied, and this process is just beginning. In April of this year, Congress introduced a bill entitled “American Privacy Rights Act of 2024” to deal with data privacy at a national level. The patchwork of state laws is proving more difficult to manage than a thin federal law outlining basic data privacy protection requirements. Banks are left trying to figure out which laws apply to them, what is considered reasonable commercial data privacy protection, and how to get started with an information privacy program (IPP). Over the past six months, 10 more states have introduced comprehensive data privacy bills, Mark Zuckerberg has apologized to Congress about data privacy violations, and the FBI has warned about coordinated China-based infrastructure attacks. Is there any chance we bankers can just get back to banking and stop worrying about all this cyber nonsense?! Unfortunately, this is the new normal for banking. The banking industry infrastructure is in the crosshairs because, as Willie Sutton famously stated, “That’s where the money is.” Nebraska, for example, has introduced LB 1294, the Nebraska Privacy Act, to change provisions relating to certain certificates and information relating to vital records and provide for certain records to be exempt from public disclosure. Colorado banks with customers in Nebraska need to comply with LB 1294. So, what does this mean? What types of certificates, information and disclosure changes does this introduce? It seems banks now need privacy lawyers to dissect these laws to understand how their banks and customers are affected. Just as we begin to get control of our technologies and IT exams, game changers like AI come along and disrupt it all. One cannot open a newspaper, read an online article or watch the news without seeing something concerning artificial intelligence. AI is mimicking people online. As it relates to the financial system, AI is being used to impersonate and commit fraud. The latest apprehension is that as data privacy threats and laws emerge, AI will exponentially magnify these concerns. Thus, the field of AI privacy is born. AI privacy is the set of practices and concerns centered around the ethical collection, storage and usage of personal information by artificial intelligence systems. It addresses the critical need to protect individual data rights and maintain confidentiality as AI algorithms process and learn from vast quantities of personal data. AI fundamentally relies on using large, disparate datasets to draw conclusions that would otherwise not be possible. The potential is fairly obvious, but equally obvious is that if this is not managed well, unintended consequences are certain. In the banking sector, where data privacy and artificial intelligence introduce risk to the banking system, it is only a matter of time before the regulators establish requirements and how they are going to enforce them. Colorado passed Senate Bill 190, Protect Personal Data Privacy, to deal with privacy protections for citizens of Colorado. It applies to organizations meeting the following criteria: legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either control or process personal data of at least 100,000 consumers per calendar year; or derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers. On the surface, it might appear that banks are exempt; however, just as cybersecurity has framed “commercially reasonable security,” data privacy will take the same course, requiring existing data privacy best practices to be implemented in all financial institutions. Colorado Banker 18
RkJQdWJsaXNoZXIy ODQxMjUw