The Privacy Officer's Changing Role: New Skills Needed to Protect Bank Customers' Information
Chief privacy officers and their teams are charged with safeguarding the privacy of customer information within their organizations.
The privacy team I lead at U.S. Bank works daily with our bank employees to balance the customer's need for privacy with our workforce's need to use that information to conduct our daily business. But as banking becomes increasingly digital and the technology we use evolves at a rapid pace, our roles require us to be ever nimble. The job has changed considerably, particularly in response to today's cyberthreats.
In addition to dealing with day-to-day privacy issues, today's privacy officers must be:
Collaborators. Reaching out to different business and operational areas within the company to learn how we can help those functions safeguard customer information is a critical task for CPOs. Maintaining good relationships across the organization is a key component in integrating privacy into business processes. Collaboration is also important as the lines between privacy, information security, physical security, risk management, data governance and compliance become blurred with increasing overlap. Bad actors look for gaps, and collaboration helps identify missed coverage.
Designers. It's more important than ever that CPOs have a hand in bank branch and office design. Take visual hacking, for example - a low-tech method used to visually capture sensitive, confidential and private information for unauthorized use. A malicious party enters the bank and is able to capture a log-in credential from a computer display at which an employee is working.
This information could get a hacker deep into the network, far enough to launch a large-scale data breach of customer information. Angling devices so data is not visible to snoopers, or equipping screens with privacy filters, can combat visual hacking. Other design considerations that combat it include placing printers and copiers away from unauthorized eyes, placing secured destruction containers for physical documents close at hand, and enacting a clean desk policy.
Gatekeepers. Banks handle a large volume of customer information, but not all employees need access. In fact, it's much safer for the organization to limit what data any one person can access, and CPOs should champion access controls across their organization based on job description and information risk factors. For example, don't allow employees to look at sensitive information for 100 or 1,000 customers at a time, but rather one record at any given time, to reduce the likelihood of an insider threat. Ask employees to self-identify if they're working with too little or too much data and call for the company to install capabilities to monitor for suspicious activity, beginning with excessive inquiries.
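The "excessive inquiries" monitoring the Gatekeepers point calls for can be expressed as a simple sliding-window check over record-lookup logs. The example below is added here and is not U.S. Bank's code or tooling; the employee and customer identifiers, timestamps and thresholds are constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of customer-record lookups as (employee id, customer id, ISO timestamp).
# Sample data only; no real bank identifiers.
SAMPLE_LOOKUPS = (
    # emp-17: one record at a time, spread over the morning, with one repeat lookup
    [("emp-17", f"cust-{1000 + i}", f"2024-03-04T09:{10 * i:02d}:00") for i in range(4)]
    + [("emp-17", "cust-1001", "2024-03-04T09:11:00")]
    # emp-42: eight different customers inside four minutes (the "excessive inquiries" pattern)
    + [("emp-42", f"cust-{2000 + i}", f"2024-03-04T11:0{i // 2}:{30 * (i % 2):02d}") for i in range(8)]
)


def excessive_inquiries(lookups, window_minutes=10, max_customers=5):
    """Flag employees who view more than max_customers distinct customer records
    within any sliding window of window_minutes.

    Returns {employee id: peak distinct customers in one window} for flagged employees.
    Repeat lookups of the same customer count once, so working one record at a time
    for a long session does not trigger the alert.
    """
    window = timedelta(minutes=window_minutes)
    by_employee = defaultdict(list)
    for employee, customer, ts in lookups:
        by_employee[employee].append((datetime.fromisoformat(ts), customer))

    flagged = {}
    for employee, events in by_employee.items():
        events.sort()
        recent = deque()          # lookups that fall inside the current window
        peak = 0
        for ts, customer in events:
            recent.append((ts, customer))
            while ts - recent[0][0] > window:   # drop lookups older than the window
                recent.popleft()
            peak = max(peak, len({c for _, c in recent}))
        if peak > max_customers:
            flagged[employee] = peak
    return flagged


if __name__ == "__main__":
    for employee, peak in excessive_inquiries(SAMPLE_LOOKUPS).items():
        print(f"review {employee}: {peak} distinct customers viewed within 10 minutes")
```

The threshold and window are policy choices; tune them per job role so that a teller's normal pace is not flagged while bulk browsing is.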
Teachers and Learners. Privacy is constantly changing. New threats and new solutions appear all the time. It's important for CPOs to network with each other, as well as leadership from other functions, to learn new ways to safeguard customer information within their own organizations. For example, when I heard about a campaign called "Refrain, Remove, Redact" at a conference, I decided to introduce a similar concept to help limit information at the source. If a report doesn't need a certain piece of customer information, don't put it in; if it does need to be there, make sure it is redacted to minimize risk.
Communicators. It's important for company policies and procedures to include language on privacy and the safeguarding of customer information. But it's equally important to make sure that bank employees are aware of and are following these guidelines. CPOs and their business line partners should create comprehensive education and communication plans to roll out to the workforce. This can include training sessions, weekly bulletins, podcasts, blogs and vlogs.
Strategizers. With headlines buzzing about cyber-attacks and malware, it's prudent for organizations to invest in the latest data security solutions. However, it's now more important than ever to also increase investment in the everyday controls against low-tech threats. Dumpster diving, shoulder surfing, visual hacking and spear phishing can be just as detrimental to a company's confidential information as high-tech attacks. A defense-in-depth plan addresses both high-tech and low-tech threats with multiple layers of defense.
First Responders. When there is a data privacy issue, many people think to go first to the chief information security officer, but the CPO should be just as involved when responding to threats. It's also important for CPOs to have allies throughout the company in various roles and functions. These "privacy champions" receive additional training and certifications and can help ensure engagement with and commitment to privacy programs and standards.
As chief privacy officers, we wear many hats. However, there is one key theme throughout our many roles: We need to work together with others in our organizations to ensure that customer and company data remains secure throughout the pipeline: data at rest, data in motion, data in use and data in view.
Daniel Burks, chief privacy officer of U.S. Bank, is a member of the Visual Privacy Advisory Council, a panel of privacy and security experts that promotes tools and processes to mitigate visual hacking.