In the financial services industry, the protection of customer data and internal financial statements is non-negotiable. With customers increasingly sensitive to security, motivated attackers, and an increasingly complex legal and regulatory environment, data needs to be protected at all times: while it is stored, while it is transmitted and while it is viewed.
An important part of a comprehensive data protection strategy is ensuring visual privacy: the protection of data from people who may be able to see the screen of an employee or customer. Visual privacy is often overlooked, but it is a critical layer in protecting data from exposure. The need for visual privacy has increased substantially over the past few years. Consider the following:
• A rise in the mobility of the workforce: Driven by the blurring line between work and personal life and by advances in mobile technologies, the mobility of workers has increased dramatically. IT analyst firm IDC estimates that by 2015 the world’s mobile workforce will reach 1.3 billion.1 Many of these workers will access corporate email and data in public areas through laptops and smartphones, putting that data at risk of exposure.
• Requirements to report data disclosures: Data breach notification laws require corporations to notify customers if they reasonably believe that customer data was exposed to an unauthorized third party. Currently, 47 states have breach notification laws. Businesses have long concentrated on exposure through the compromise of a database or the loss of data stored on a laptop or on storage media. Another avenue of data loss that must be considered and protected against is personally identifiable information displayed on employees’ screens, such as Social Security numbers and home addresses.
• Ease of screen capture: The ability of the average onlooker to capture the information they see has increased substantially. According to a recent survey, 46 percent of Americans carry a smartphone capable of taking a high-resolution photo of data displayed on a screen. This means that nearly half of onlookers can capture images, including images of another device’s screen, which increases the threat from snoopers.
Any comprehensive approach to safeguarding data must include protecting that data while it is displayed on a screen. Visual privacy is critical both to protect information and to build a case of “due care” for auditors and regulators. A comprehensive protection strategy has to address the entire data lifecycle: entry, transmission, storage, use, display and disposal.
The information security industry has long recognized the importance of visual privacy. For example, passwords are typically masked as they are entered into an application or website. This need has been specifically called out for financial services. The Federal Trade Commission guidelines for complying with the Gramm-Leach-Bliley Act (GLBA) require “using password-activated screen savers to lock employee computers after a period of inactivity.” For financial services organizations, the range of sensitive data that is entered, processed and viewed goes far beyond passwords, and steps must be taken to protect that data from opportunistic observers.
The GLBA specifically calls out the need for “administrative, technical and physical safeguards” to keep customer financial data safe from exposure to unauthorized third parties. Some companies have tried angling cubicles or monitors away from public areas, or isolating computers that handle sensitive information, to keep on-screen data safe. A privacy filter gives organizations more flexibility to place workers where they want and need to be, maximizing productivity. Privacy filters also help protect data from side views by individuals who enter what is considered a protected space.
3M, a leader in this category, offers a range of privacy filters which effectively block out side views, help reduce the risk of data exposure and protect an organization’s most valuable resource: its data. 3M™ Privacy Filters come in a range of sizes and styles to protect laptops, desktops and even smartphones. For more information visit: http://www.3Mscreens.com.
Privacy and Compliance in Financial Institutions: An Overview
Financial services organizations have seen a rise in regulatory and compliance standards around customer and corporate data. While controls may be in place to defend this information as it is stored and transmitted, security is equally important for data as it is entered, processed and viewed. Some important laws/standards to consider are:
Gramm-Leach-Bliley Act (GLBA): Requires financial institutions to maintain administrative, technical and physical safeguards that keep customer financial data from exposure to unauthorized third parties; FTC compliance guidelines include locking employee computers with password-activated screen savers after a period of inactivity.
Breach notification laws: Currently, 47 states require that a customer be notified if a company suspects that his or her personally identifiable information (PII) has been exposed to an unauthorized third party.
Payment Card Industry Data Security Standard (PCI DSS): Defines procedures for keeping payment card information secure. The PCI DSS is revised regularly and is being adapted to cover a wide range of threats.
Other standards/laws: Other laws and standards such as ISO 27001, ISO 27002 and Sarbanes-Oxley have direct implications for data confidentiality. In practice, the litmus test of “due care” is being recalibrated to include protection beyond data storage and transmission.
Did you know?
• Taking pictures with a phone is no longer conspicuous. 83% of all phones in use are camera phones. Typical mobile users look at their mobile device 150 times per day.2
1 Worldwide Mobile Worker Population 2011-2015 Forecast, IDC, 2012.
2 The Annual Mobile Industry Numbers & Stats Blog, Communities Dominate Brands, 2013.
3M is a trademark of 3M Company. ©2015, 3M. All rights reserved.