[Abstract]
The purpose of this document is to analyze why many financial institutions assess privacy as a compliance issue as opposed to a risk management issue. Included within this document are two different current regulations that help consumers protect their privacy. Also included within this document is an example of the primary cause of network threats to an individual's privacy. An assessment of what organizations or governments should do to prevent these threats is included. Finally, a difficult single privacy threat is identified, along with a proposal for how organizations can counter it.
[Content]
Many financial institutions view safeguarding personal information as a compliance issue as opposed to a risk management issue. Government regulations, like the Gramm-Leach-Bliley Act, dictate how financial institutions safeguard consumers' private information (Board of Governors of the Federal Reserve System, 2002). Many federal regulations do not supersede state laws, but rather work in conjunction with them. Financial institutions have strict directives from both state and federal levels of government that they have to adhere to when handling consumers' nonpublic information. Risk management, by contrast, is the structured set of human activities by which uncertainty about a threat is managed. Risk management is a slower process that may require more personnel or resources. In the business world time is money, so many companies may take a government compliance approach as opposed to a proactive risk management approach.
Two different active regulations that are currently being used to ensure personal nonpublic information is being safeguarded are the Gramm-Leach-Bliley Act and the Privacy Act of 1974. The Gramm-Leach-Bliley Act is meant to ensure that financial institutions do not release consumers' personal information without notifying the consumer first. The Gramm-Leach-Bliley Act also governs how financial institutions handle consumers' information and prevents financial institutions from reusing or redisclosing consumers' information to a third party (Board of Governors of the Federal Reserve System, 2002). The Privacy Act of 1974 states that no personal information, in part or in whole, will be released to any persons or organizations without written consent. There are exceptions to the Privacy Act: use of personal information by the Census Bureau, statistical uses, routine government uses within an agency, law enforcement purposes, and other administrative purposes are all allowable uses of personal information without consent (United States Department of Justice, 2003). The Gramm-Leach-Bliley Act and the Privacy Act of 1974 have been put in place to protect people or consumers from having their information disseminated, intentionally or unintentionally, by unauthorized people or organizations.
The primary cause of network threats, as they pertain to privacy, ironically does not come from the network, but rather is human error in the form of improper configuration of devices. A major privacy concern for users on any network is ensuring that only authorized personnel have access to private or personal information. Improper configuration of a user account or a group account can unintentionally give unauthorized users access to personal information. Improperly configured file permissions can give unauthorized access to private information. Improper configuration of networking devices, wired or wireless, can allow unauthorized hosts onto a network where they can gain access to nonpublic information. Firewalls that are not properly configured can allow unauthorized access to network resources and information from threats that reside on different networks. System and network administrators making improper configurations of hosts or devices on a network are a primary cause of network threats.
Organizations and governments can ensure that this primary cause of network threats is minimized by ensuring accountability. In order to ensure accountability, organizations or governments need to first put a policy in place to ensure everybody is aware that they are responsible for their actions and that misconfigurations are not acceptable. Next, organizations and governments should ensure all necessary personnel are properly trained. Organizations or governments can enforce accountability by restricting access to computer system log files and periodically reviewing those files to ensure all policies and procedures are being met. Log files should also be reviewed for any and all networking devices like routers or switches. Finally, when an incident is found and traced back to an individual, that individual needs to be held accountable by either being terminated or handed over to the proper authorities, based upon the severity of the incident.
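The two preceding paragraphs describe the problem (misconfigured file permissions exposing nonpublic information) and the control (periodic log review that traces a change back to an account). As an added example that is not part of the original essay, the following script checks a directory for files readable or writable by "other" and then reviews constructed, hypothetical audit log lines to attribute each permission-loosening change to the account that made it; the log format and all paths are assumptions for illustration only.

```python
import os
import re
import stat
import tempfile

# Constructed sample of audit-style log lines (hypothetical format, not from any real system):
# "<timestamp> user=<account> action=<chmod|chown> path=<file> mode=<octal>"
SAMPLE_LOG = """\
2008-01-07T09:12:00 user=jsmith action=chmod path=/data/npi/accounts.csv mode=0644
2008-01-07T09:15:30 user=admin action=chmod path=/data/npi/ssn_list.txt mode=0600
2008-01-07T10:02:11 user=jdoe action=chmod path=/data/npi/loans.db mode=0666
"""

LOG_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\S+) path=(?P<path>\S+) mode=(?P<mode>[0-7]+)")
OTHER_ACCESS = stat.S_IROTH | stat.S_IWOTH  # read or write bit for "other"


def world_accessible_files(root):
    """Return paths under root whose mode grants read or write to 'other' (the misconfiguration)."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & OTHER_ACCESS:
                found.append(path)
    return sorted(found)


def risky_permission_changes(log_text):
    """Map each account to the files it opened to 'other' via chmod, for accountability review."""
    by_user = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("action") != "chmod":
            continue
        if int(m.group("mode"), 8) & OTHER_ACCESS:
            by_user.setdefault(m.group("user"), []).append(m.group("path"))
    return by_user


def demo():
    """Build a throwaway directory with one correctly and one incorrectly permissioned file."""
    root = tempfile.mkdtemp()
    for name, mode in (("private.txt", 0o600), ("exposed.txt", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("nonpublic information\n")  # constructed placeholder content
        os.chmod(path, mode)
    return [os.path.basename(p) for p in world_accessible_files(root)]


if __name__ == "__main__":
    print(demo())                                # ['exposed.txt']
    print(risky_permission_changes(SAMPLE_LOG))  # jsmith and jdoe loosened files; admin did not
```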
One of the most difficult privacy threats that exists is how others who are not in your control handle your private information; however, there are ways to minimize the risk. Working only with trusted people, organizations, or governments helps ensure that private information is going to be handled in the correct manner. In the event that an e-mail containing private information is sent to a third party, encrypting or digitally signing the e-mail helps ensure that only authorized access is granted to that information. Maintaining physical control of any computers or digital media ensures no unauthorized access is allowed. In the event that physical control cannot be maintained, digitally encrypting private information on that computer or digital media can help ensure only authorized access is allowed to that information. Something as simple as securing any documentation, media, or computers can keep private data out of the reach of third-party people, like janitors, who may have access to an office but do not need access to the information. Working with trusted sources, securing any and all private data, and ensuring encryption is being used on physical or electronic media are ways that companies or governments can counter privacy threats.
References
1. Board of Governors of the Federal Reserve System. (2002, June). Small-Entity Compliance Guide. Regulation P: Privacy of Consumer Financial Information. Retrieved January 7th, 2008, from http://www.federalreserve.gov/regulations/cg/reg_p_cg.pdf
2. United States Department of Justice. (2003, September 26th). THE PRIVACY ACT OF 1974, 5 U.S.C. § 552a — As Amended. Retrieved January 7, 2009, from THE PRIVACY ACT OF 1974, 5 U.S.C. § 552a — As Amended Web site: [URL Removed Broken link]