Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

The case for reconsidering personally identifiable information policies

Sia Nam Chie, Governor, The Institute of Internal Auditors, Singapore | Jan. 2, 2015
Besides having comprehensive policies that cover PII in its physical and electronic forms, banks should also have in place the measures outlined here.

A bank's market reputation and customer satisfaction can be badly affected if its IT systems are breached and personally identifiable information (PII) is lost. PII covers information that can be used to identify, contact or locate a person. Such information could include credit card numbers, birthdates and NRIC numbers, all of which banks would routinely possess in employee and customer records. The stakes are high when PII leaks can lead to financial losses in penalties and compensation.The affected institution is also likely to lose customers and find it difficult to attract new ones.

Banks typically have comprehensive PII policies that cover PII in its physical and electronic forms, within bank premises as well as during transmissions. Basic IT defences against PII theft for banks include:

  • Protecting user-friendly technologies such as the mobile web and cloud storage. These are popular hacking targets.
  • Restricting access to PII on a 'need to know' basis to reduce the likelihood of unauthorised staff making use of it for criminal purposes.
  • Encrypting the bank's website over the Internet (so the URL says HTTPS:// and not HTTP://) to protect data.
  • Placing the bank's web servers behind firewalls.
  • Ensuring the bank complies with the Personal Data Protection Act (PDPA) in the retention of PII.

Banks employ internal auditors to provide an additional line of defence against risks, including the potential misuse or loss of PII. Internal auditors can point out situations where PII needs to be protected, and evaluate the data privacy or security policies and procedures for appropriateness. Despite existing PII policies, financial institutions can overlook several aspects of PII data management. An internal auditor can help weed out these potential risk factors.

For example, all software, hardware, reports and anything else which may contain PII should be listed in an up-to-date data inventory to allow the bank to determine what information exists, where it resides, what it is used for, and ultimately, if it is well protected. An audit, whether conducted by an auditor or by the IT department, is only as good as the inventory. Internal auditors sometimes find that PII that is 'at rest' is overlooked as opposed to data that is 'in motion'. Data 'at rest' refers to data in backups, whereas data 'in motion', being transferred from point A to point B, is typically secured with encryption.

Another blind spot is in securing the PII of prospective customers and employees, such as candidates who did not join the company or customers who are no longer active. All PII should be secured, as it falls within the ambit of the law.Whichever safeguards are implemented by banks must be robust to meet applicable laws and regulations, and internal auditors provides assurance that the bank complies with the laws and regulations.


1  2  Next Page 

Sign up for CIO Asia eNewsletters.