Banks and financial institutions operate in a highly regulated industry. They need to keep their risk, regulatory, legal, and information-security teams aligned with what they are trying to achieve from the ideation stage of a product or project. Banks and financial institutions typically have processes in place that vet each product or service before launch; today, however, it is critical that those processes pay special attention to user data and privacy checks.
Customers inherently trust banks, which places a tremendous burden on banks to be trustworthy, to follow the rules, and to protect their customers' interests. Banks also carry the most significant responsibility when it comes to transparency.
Every day, banks process hundreds of thousands of documents, such as mortgage documents, loan forms, and customer information. Handling so many documents in both physical and digital formats is time-consuming and may require specialized software. Procedures such as verifying a client's identity in a suspected fraud case may involve many different documents, such as proof of identification and pay stubs, submitted in different file types.
Compliance with security and industry policies does not stop when your documents reach end users outside your business. Automatic redaction software gives banks a full suite of security capabilities, including the ability to grant and revoke access to documents remotely.
What Should Banks Do Next About Data Privacy?
The pioneering Consumer Protection and Privacy Act of California (CCPA), the first comprehensive consumer privacy law passed in the United States, came into force on January 1, 2020, but some of the ramifications of the law are already emerging.
Like the General Data Protection Regulation (GDPR), it gives users the right to learn how an organization carries out its privacy policies, the right to access, delete, and own their identifiable information, and the right to prohibit the company from selling their personal data.
Financial institutions are not exempt from the law. As regulators are focusing on standardization, banks should assess their data processes and review privacy practices to account for their interaction with regulations like GDPR and CCPA, in addition to the Federal Deposit Insurance Corporation's Final Rule FDIC 370 and Capture Consent.
Redact Documents for Bankruptcy Cases
Under Federal Rule of Bankruptcy Procedure 9037, banks are required to secure customer information, or "personal data identifiers," such as account numbers, tax identification numbers, and social security numbers. When customers need their documents for a filing, banks must make sure the confidential information is removed from the documents they send out. Our reliable redaction tools permanently remove confidential data and make documents ready for courthouse e-filing.
What Is the Principal Data Protection Legislation?
In the United States, there is no single principal data protection law. Instead, a patchwork of hundreds of laws enacted at both the federal and state levels serves to protect US citizens' personal data. At the federal level, the Federal Trade Commission Act (15 U.S.C. § 41) gives the government broad authority to bring regulatory action to protect consumers from unfair or deceptive practices and to enforce federal regulations on privacy and data protection. The FTC has taken the position that, in addition to misleading advertising or marketing strategies, "deceptive practices" include a corporation's failure to meet its stated privacy commitments and its failure to provide adequate security for personal information.
As described below, other federal statutes deal mainly with specific sectors, such as financial services or health care. At the same time, state-level laws protecting a wide range of individual privacy rights differ significantly from one state to another, covering areas as varied as securing library records and protecting homeowners from drone surveillance.
Which Authorities Are Responsible for Data Protection?
Although the United States does not have a plenary data protection regulator, the jurisdiction of the FTC is extensive. It often sets the tone on issues of federal privacy and data security. In addition, several other agencies oversee data protection by sector regulations, including the Currency Control Office, the Health and Human Services Department, the Securities and Exchange Commission, the Federal Communications Commission, the Consumer Financial Protection Bureau, and the Commerce Department.
Principal Rights Individuals Have Concerning Processing Their Personal Data
Right to access data or copies of data
These are statute-specific rights. For example, under certain circumstances workers are entitled to receive copies of data held by their employers, and parents are entitled to obtain copies of information collected online from their children under the age of 13. Under HIPAA, people can request copies of the medical information kept by a health service provider. The FCRA allows individuals to receive a copy of the consumer reporting records collected by a consumer reporting agency. The CCPA gives California residents a right of access to the personal information a business holds about them.
Right to rectification of errors
Many regulations, such as the FCRA, give consumers the right to review consumer data kept by an agency and to request correction of errors in that data. At the state level, the right to accurate information generally extends to credit reports, criminal justice information, employment records, and medical records.
Right to deletion
As an example of federal law, COPPA gives parents the ability to access and remove information about their children, and may require the removal of data even in the absence of a subpoena. State laws such as the CCPA provide California residents with a right to deletion, with certain exceptions.
Right to object to processing
These are statute-specific rights. Individuals are entitled to opt out of receiving commercial (advertising) emails under CAN-SPAM, and, under the TCPA, to refuse other types of calls to residential or mobile telephone numbers absent their express consent. Some states give individuals the right not to have telephone calls recorded without the consent of both parties to the call; in other states one party's consent suffices.
Right to restrict processing
Many laws restrict how an agency can treat customer data. For example, the CCPA allows residents of California to forbid a business from selling the personal information of that individual.
Right to data portability
These are statute-specific rights. Under HIPAA, for example, patients are entitled to request that the medical information retained by one health service provider be transferred to another health service provider. Additionally, the CCPA provides California residents with a right to data portability.
Right to withdraw consent
These are statute-specific rights. For example, the TCPA allows individuals to withdraw consent to receive some types of calls to residential or mobile telephone lines.
Right to object to marketing
Various laws allow consumers to limit marketing practices that include their personal data. For example, under CAN-SPAM, people can opt-out of receiving promotional (advertising) emails.
Under the TCPA, marketing calls and texts to mobile telephone lines require the recipient's express written consent. California's Shine the Light Act requires businesses that share personal information for direct marketing purposes to either provide an opt-out or disclose to the customer what information is being shared and with whom.
Right to register complaints with relevant data protection authorities
For instance, individuals can report unwanted or misleading commercial email ("spam") directly to the FTC, and telemarketing violations directly to the Federal Communications Commission (FCC). Likewise, anyone can file a HIPAA complaint directly with the Department of Health and Human Services (HHS). At the state level, residents of California can report suspected CCPA violations to the Attorney General of California.
Technology to Protect Data Privacy
Alongside technological solutions and security features, the following good practices for ensuring consumer and data protection can be enforced:
- Strong authentication and identification of customers, e.g., two-factor verification checks
- Storing critical information items within a protected platform or infrastructure
- Use of secure identities for user verification
- Exposing data access, transparency, and user-control functions through APIs
- Real-time redaction and masking (e.g., to protect credit card information)
- Withdrawal of consent: applications should be updated to reflect the customer's request and block access to the affected data immediately
- Making consents available for download and review
- Data expiry after consumer inactivity or termination
- Safe, reliable third-party services
- Re-triggering consents every year to ensure that users understand what they have consented to, or whenever the language of the consent has been revised
- Anonymizing data collected about individuals to prevent identification
- Notification of any consumer information breach, within 72 hours, that is clear about how the breach occurred, what was compromised, who was affected, etc.
- Restricting access to specific data to the staff who need it
- Treating the use of unsecured networks to transfer financial transactions at any bank or financial institution as unacceptable
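As an added illustration of the redaction and masking practice above and of the Rule 9037 redaction described earlier (example code, not CaseGuard's software or part of the original article), the following Python masks social security numbers, taxpayer IDs, and payment-card numbers in plain text and then re-scans the output as a pre-filing check. It assumes the applicable filing rule permits retaining the last four digits; the patterns and the sample text are constructed for the example.

```python
import re
from typing import Dict, Tuple

# Constructed patterns for three identifier types named in Rule 9037:
# SSN/ITIN (###-##-####), EIN (##-#######), and 13-16 digit card numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so the card pattern ignores arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(token: str, keep: int = 4) -> str:
    """Replace every digit except the last `keep` with X (assumed convention).
    The masked string is new text: the original digits are not recoverable,
    unlike a visual overlay that leaves the text layer underneath."""
    n_digits = sum(c.isdigit() for c in token)
    out, seen = [], 0
    for c in token:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep else "X")
        else:
            out.append(c)
    return "".join(out)


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Return redacted text plus per-type counts for the audit record.
    Only counts are recorded; logging the originals would recreate the leak."""
    counts = {"ssn": 0, "ein": 0, "card": 0}

    def sub_card(m: re.Match) -> str:
        if not luhn_ok(re.sub(r"\D", "", m.group(0))):
            return m.group(0)  # not a card number; leave untouched
        counts["card"] += 1
        return mask(m.group(0))

    def counted(kind: str):
        def _sub(m: re.Match) -> str:
            counts[kind] += 1
            return mask(m.group(0))
        return _sub

    text = CARD_RE.sub(sub_card, text)  # longest digit runs first
    text = SSN_RE.sub(counted("ssn"), text)
    text = EIN_RE.sub(counted("ein"), text)
    return text, counts


def verify_clean(text: str) -> bool:
    """Pre-filing check: a second pass must find nothing left to redact."""
    return sum(redact(text)[1].values()) == 0
```

Running `redact` on a document and then `verify_clean` on its output gives a repeatable gate before e-filing; for PDFs the same rule applies, the redacted output must be regenerated text, not a box drawn over the original.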
A new balance has yet to be reached between legitimate data access and the security of data subjects, but it can be achieved through GDPR-compliant software that handles Subject Access Requests (SARs) and Freedom of Information Act (FOIA) requests for footage used to verify incidents in a wide variety of situations, such as assaults, injuries, and store thefts.
According to the Information Commissioner's Office, businesses have a responsibility to comply with the law, including the use of redaction techniques to protect third-party privacy and facilitate the fulfillment of legitimate SARs and FOIA requests.
Redaction solutions such as CaseGuard Studio offer a cost-effective route to compliance via automated in-house handling of footage.