
Financial institutions cannot exist without customer trust. As identity theft and the associated financial fraud become increasingly common, customer trust clearly cannot exist without rock-solid data security. Customers must be able to trust that their personally identifiable information (PII) is secure, and be sure that, if a breach places personal information at risk, they will be swiftly notified. In fact, the Financial Services Authority (FSA) is driven by four statutory objectives that bear on this increasingly important trust issue: ensure market confidence, ensure public awareness, ensure consumer protection, and work to reduce financial crime.
With the theft of a laptop from Nationwide Building Society and the FSA's associated financial penalty of £980,000 being the latest in a long list of highly publicised incidents, breach notification has become a high-profile issue for all custodians of customer data in the UK and around the world. As a result, organisations no longer have to formulate a business case to justify data protection safeguards, because breach notification clauses mandate them as a prerequisite of information handling.
Yet, even though the European market has seen several high-profile data security breaches, survey after survey indicates that compliance with privacy and security regulations remains low – not only with European enterprises but with businesses worldwide.
This is underscored by the fact that the UK Information Commissioner, Richard Thomas, is asking the Commons home affairs committee for new authority that would allow his office to make spot checks on compliance with the 1998 Data Protection Act. Thomas is also calling for privacy impact statements that would require organisations to detail how they will reduce privacy threats and address the implications of new surveillance programmes before implementation.
Recent surveys conducted by the European Commission (EC) show that more than three-quarters of people in the UK expect to be informed if their personal data is lost, stolen or altered as the result of a corporate security breach. In fact, previous studies report that 53 percent of UK shoppers would shun a company's services if it failed to communicate any security breach immediately. This is all the more worrying when you consider that 45 percent of respondents believe that banks and online retailers do not adequately protect personal information.
With increasing consumer demand for protection against unauthorised access to PII, one can expect breach notification clauses to be included more and more often in today's data security regulations. With customers, partners and shareholders expecting organisations to demonstrate system security, regulatory compliance and good governance, breach notification clauses will clearly be introduced into European privacy and security law.
So the question remains, are disruptive regulations having an impact on IT data security policies or is it disruptive data security technology that is impacting the manner in which organizations protect sensitive data?
With the exchange of and access to sensitive data increasingly linked to corporate governance, enterprise architecture and compliance issues, senior executives worldwide are spending ever more time overseeing regulatory compliance projects. A litany of complaints from senior executives expresses frustration over the added workload that compliance pressures have brought to IT departments internationally.
Yet, regulations defining the manner in which businesses behave in the marketplace are not new. Businesses have long been regulated on how they market, how they report their financials, how they interact with their customer base, and how they produce and sell products and services. The management of PII is no different.
The simple reality is that worldwide privacy and security regulations, including the European Union Privacy Directive and the Gramm-Leach-Bliley Act (GLBA) in the USA, are designed to drive strong data security adoption. Security breaches must be disclosed, and penalties include fines and/or criminal or civil action, although the severity of these penalties is inconsequential when compared to the negative impact that bad publicity can have on customer trust and company profits.
Worldwide regulations relating to security and privacy are constantly being revised to meet new threats. The UK government has recently commissioned an independent review which will report on how its government agencies manage and protect data. Under the Central Sponsor for Information Assurance, part of the Cabinet Office, the Information Assurance review is tasked with determining structured policies for information handling by the end of May.
Unfortunately, while well intended, most regulations protecting sensitive information simply do not possess the mandatory enforcement necessary to compel custodians of personal data to comply with the legislation. Starting with California Senate Bill 1386 in 2003, security breach notification clauses embedded within security and privacy legislation have given these measures real "teeth" in forcing organisations to disclose data breaches, with exemptions for data that has been encrypted or where disclosure may interfere with police investigations.
The Gramm-Leach-Bliley Act actually goes one step further: it does not exempt encrypted data if the electronic key used to encrypt the data resides on the hard drive itself. This makes a clear case for two-factor end-user authentication, or for authentication that does not allow keys or key files to be stored on the encrypted device's hard drive.
The interesting observation here is not that breach notification clauses are being incorporated within privacy and security regulations as they are revised, but rather that the breach notification clauses are defining the nature of the electronic encryption key or keys that must be implemented in order to qualify for the exemption from breach disclosure.
How can organizations ensure their employees adhere to endpoint security practices? The best approach is to make the entire process completely transparent to the user. This does not mean that policies surrounding the care of laptops and mobile devices should be ignored, but rather organizations should understand that simply implementing a sound policy does not mean it will be adhered to at all times.
Data encryption is the ideal method of controlling access to PII, whether it is data at rest, data in transit or data in use. But in order to enable organisations to comply with new data security legislation without negatively impacting user productivity, encryption vendors must ensure their solutions keep pace with ever-changing regulatory policies. This includes encrypting the entire hard drive with authentication at pre-boot, which makes it simple to integrate single- or multi-factor end-user authentication, and ensuring organisations can manage keys and key files in a way that easily complies with privacy and security regulations. As a result, today's encryption solutions have to provide transparent data security that is robust and flexible enough to let organisations customise security to meet changing standards.
WinMagic's SecureDoc prevents any unauthorised user who tries to start the Windows operating system, or who attaches the same encrypted hard drive as a slave drive, from viewing files stored on the protected drive. Access to the hard drive can only be obtained at pre-boot through end-user authentication via any combination of password, possession of a USB hardware token, PKI (Public Key Infrastructure), smart card or biometrics. Once the hard drive is encrypted, data is encrypted as it is written to the drive and decrypted as it is read back, so users will not notice any performance difference between encrypted and non-encrypted hard drives.
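The two design points in the passages above, that the unlock material must not reside on the encrypted drive itself (the GLBA condition) and that sectors are encrypted on write and decrypted on read behind a pre-boot authentication step, can be shown with a small model of a full-disk-encryption key hierarchy. The following is an added example written for this page, not SecureDoc's or WinMagic's code, and it uses only the Python standard library: the sector cipher is an HMAC-SHA256 keystream XORed over the data purely for illustration (a production product would use AES), and the names EncryptedDisk, derive_kek, wrap_dek and the sample sector contents are all constructed for the example. The drive stores only a salt and a wrapped copy of the data-encryption key (DEK); the key-encryption key (KEK) is derived at pre-boot from a passphrase combined with a secret held on a token, so neither factor, nor the KEK, is ever written to the disk. A second class models the weak design the text warns against, where the key file sits on the drive next to the ciphertext.

```python
"""Toy full-disk-encryption key hierarchy (added example, not WinMagic's code)."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 200_000


def prf_stream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream: HMAC-SHA256 in counter mode (not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_sector(dek: bytes, sector_no: int, data: bytes) -> bytes:
    """Sector number acts as the nonce, so identical plaintext in different sectors differs."""
    return xor_bytes(data, prf_stream(dek, sector_no.to_bytes(8, "big"), len(data)))


decrypt_sector = encrypt_sector  # XOR keystream: decryption is the same operation


def derive_kek(passphrase: bytes, token_secret: bytes, salt: bytes) -> bytes:
    """Pre-boot KEK: both factors are required; HMAC binds them without boundary ambiguity."""
    combined = hmac.new(token_secret, passphrase, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", combined, salt, PBKDF2_ITERATIONS, dklen=32)


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    """Encrypt the DEK under the KEK and append an integrity tag (encrypt-then-MAC)."""
    ct = xor_bytes(dek, prf_stream(kek, b"dek-wrap", len(dek)))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap_dek(kek: bytes, blob: bytes):
    """Return the DEK, or None when the wrong passphrase/token yields a KEK that fails the tag."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    return xor_bytes(ct, prf_stream(kek, b"dek-wrap", len(ct)))


class EncryptedDisk:
    """What physically sits on the drive: header (salt + wrapped DEK) and ciphertext sectors."""

    def __init__(self, passphrase: bytes, token_secret: bytes, sectors):
        self.salt = os.urandom(16)
        dek = secrets.token_bytes(32)  # random per-disk DEK, never stored in clear
        kek = derive_kek(passphrase, token_secret, self.salt)
        self.wrapped_dek = wrap_dek(kek, dek)
        self.sectors = [encrypt_sector(dek, i, s) for i, s in enumerate(sectors)]

    def key_material_on_disk(self) -> dict:
        """Everything key-related that an attacker with only the drive can read."""
        return {"salt": self.salt, "wrapped_dek": self.wrapped_dek}

    def preboot_unlock(self, passphrase: bytes, token_secret: bytes):
        """Pre-boot authentication: derive the KEK from both factors and unwrap the DEK."""
        return unwrap_dek(derive_kek(passphrase, token_secret, self.salt), self.wrapped_dek)

    def read_sector(self, dek: bytes, i: int) -> bytes:
        """Transparent read: decrypt on the way out, as the OS would see it after unlock."""
        return decrypt_sector(dek, i, self.sectors[i])


class KeyFileOnDiskDisk(EncryptedDisk):
    """Weak design from the text: the key file lives on the encrypted drive itself."""

    def __init__(self, passphrase: bytes, token_secret: bytes, sectors):
        super().__init__(passphrase, token_secret, sectors)
        self.key_file = self.preboot_unlock(passphrase, token_secret)  # plaintext DEK on disk

    def key_material_on_disk(self) -> dict:
        d = super().key_material_on_disk()
        d["key_file"] = self.key_file  # the drive alone now suffices to read every sector
        return d


if __name__ == "__main__":
    sample = [b"account 12345678 balance 100.00", b"customer PII: Jane Doe"]  # constructed data
    disk = EncryptedDisk(b"correct horse battery", b"token-secret-0xA1", sample)
    dek = disk.preboot_unlock(b"correct horse battery", b"token-secret-0xA1")
    print("unlocked:", dek is not None, "sector 0:", disk.read_sector(dek, 0))
    print("wrong token:", disk.preboot_unlock(b"correct horse battery", b"other-token"))
    print("on-disk key material (strong):", sorted(disk.key_material_on_disk()))
    weak = KeyFileOnDiskDisk(b"correct horse battery", b"token-secret-0xA1", sample)
    print("on-disk key material (weak):", sorted(weak.key_material_on_disk()))
```

The useful comparison is between `key_material_on_disk()` on the two classes: the strong layout exposes only a salt and a wrapped DEK that cannot be opened without both the passphrase and the token secret, while the weak layout ships the usable key alongside the ciphertext, which is exactly the configuration that GLBA declines to exempt from disclosure.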
Looking back at the last five years, almost all of the innovation seen in today's disk encryption arena has been delivered by WinMagic. Its comprehensive solutions are robust and yet flexible enough to meet the unique processes inherent in corporate governance, which differ from organisation to organisation. As thought leaders and innovators, WinMagic works towards open standards by supporting the adoption of security-enhancing technologies like the Trusted Platform Module. Other examples of pioneering innovation include being the first full-disk encryption developer to support biometric pre-boot authentication, removable media, hibernation, imaging software like Ghost, and disk utilities like defragmentation.
In order to ensure all data is protected, it is important for enterprises to drive the convergence of IT business processes and business security, as well as their associated expenditures. However, this convergence should not come at the expense of end-user productivity and hard drive robustness, or limit the functionality of imaging software or disk utilities. Equally, any technology deployed without taking into consideration corporate governance and unique security requirements is doomed to fail because it will not account for the non-technical processes related to securing data at rest.
For example, in addressing the specific requirements of the National Security Agency, WinMagic had to provide dual pre-boot authentication via crypto tokens and PKI integration as a prerequisite of doing business. While other vendors failed to meet this requirement, WinMagic delivered a solution in record time that addressed all issues relating to compliance with open encryption standards, compliance with security and privacy legislation, and adherence to the human element wrapped up in corporate governance.
In conclusion, when purchasing technology, organizations must seek encryption solutions that allow for multi-factor authentication, effective key file management, and policy controls for disk and removable media encryption in order to easily comply with privacy and security regulations. And now, thanks to WinMagic’s innovative functionality, it is easy for organizations to protect all data at all times with full-disk encryption while still complying with national and international privacy and security regulations.