Pub. 13 2023 2024 Issue 6

The Attorney General for the state of Colorado is authorized to field data protection complaints and apply this law to promote consumer protection. If your bank has customers in 10 states and two countries, then your bank needs to comply with 12 different mandates. It is NOT enough to understand and comply with Colorado SB 21-190; rather, your compliance department needs to understand where your customers are, which states and countries have data privacy laws, what the requirements for each of these laws are and how to best meet these various requirements. This is why a thin federal law makes more sense than a patchwork of state laws.

What does this all mean for your financial institution? It means accountholders are being impersonated at unprecedented levels. It means data privacy protection moves up the priority list to keep data safe and comply with state and international requirements. It means your vendor management program must be expanded to include data privacy reviews and diligence. It also means you need to build an operational infrastructure to answer accountholder questions about their data, including what data the bank has, where it is stored and who it is shared with. Privacy policies and notices are required, and banks need to get ready to answer risk-based questions about data privacy, including what your bank is doing to control data privacy risks.

What should your bank do? First, name a Privacy Officer. The new Privacy Officer could be an expanded role for your current Information Security Officer, someone in marketing or legal, or a management employee in operations. Second, determine a data privacy plan and budget. Conduct a privacy gap analysis to assess your environment and build a three-year plan. The good news is that most of the data privacy actions banks need to take immediately do not cost a lot.
A gap analysis is one tool to help build a data privacy roadmap and demonstrate to bank regulators that you have this issue managed (the M in the CAMELS rating).

What else should your bank do? Educate bank leadership on what data privacy is and what the current legal and regulatory landscape looks like, and begin to plan and operationalize a top-down managed information privacy program. Specific steps include:

• Conducting a data privacy risk assessment and drafting a basic information privacy policy;
• Dealing with emerging issues like data privacy always starts with education: board of directors, executive team, management, employees and customers;
• Getting the board and management team up to speed on what data privacy is and what the current laws look like and require;
• Understanding what information privacy program options are available;
• Figuring out how to conduct a data privacy risk assessment; and
• Putting someone at your bank in charge of data privacy (i.e., a data privacy officer).

Addressing data privacy starts with educating your board, management, employees and customers to get everyone on the same page about what data privacy responsibilities the bank has and what it needs to do to address this growing threat. Look for outlets that are discussing the data privacy issue and know how to apply it to banking. Put data privacy on your next board agenda to frame the problem and begin a proactive plan to keep your financial institution out of harm's way.

American Security and Privacy provides security and privacy solutions to businesses around the world. Visit www.americansecurityandprivacy.com to learn more.

19 Colorado Banker
