Since the 1920s banks have collected personal data, often clumsily, inefficiently and rarely centralized given that the relationship with most customers was often a local one. Banking clients relied on their local broker, teller, or advisor to have enough knowledge about them to make sound advice and offer personalized service. A client's personal information often was entrusted in the hands of a few local bank employees and kept in a secured cabinet or server, backed up centrally as a precaution. The relationship between bank and local client was respectfully confidential, and that confidentiality was a function of local people's good judgment to practice data discretion and privacy respect. In fact, any compromise of a client's personal data was often a local event, a local story at most, and contained to relatively few players. For decades it was the George Bailey philosophy of managing and protecting people's personal information. That world no longer exists.

With almost every bank collecting unprecedented volumes of personal data and centrally storing it, the new risks for banking CIOs have shifted from low radar, fairly contained data leaks to high profile, national data spills with growing waves of privacy litigation, crisis expenses, and regulatory costs in their wake. So why are today's banks collecting so much personal data? Well, because they can and because they have to.

Banks can because:

1. Data storage costs have gone so low that banks can afford to store almost unlimited data about their customers
2. The IT economies of scale are such that centralizing personal data storage offers the most cost efficiency
3. Banks are more profitable with lower cost IT automation for transactions, marketing, and service
4. Personal data is currency.

They have to because:

1. Bank customers expect to be able to "self-service" their accounts at ATMs, web sites, and kiosks
2. Other industries are doing it
3. Oversight of a large bank's operations is more manageable
4. Personal data is a liability.


In 2008 banks do not lose personal data, computers do. In 2001 the Brookings Institution book, "Unseen Wealth," predicted the rapid growth of "information assets" as companies--especially banks--would amass more data than ever about their customers and make more money from that data. The predictions of the book were largely true as they related to the increasing value of personal data. As evidenced by the recent growth in identity thefts, one could surmise that personal data is in fact currency and sought after by data brokers, data markets and data thieves. This reality suggests that banks need to completely change the paradigm of how they view their professional liability and IT related business risks. Are CIOs insured for their banks' information malpractices and do they even know what that is?

Professional liability for banks is transitioning rapidly from human error to technology error as a result of IT dependence and growth in privacy exposures. IT affords great efficiency and scale on one hand, but the downside of IT dependence is an organization with a greater concentration of risk. All the data assets in one place also means all the data liabilities in the same place.

The steady growth of IT security solutions suggests that the prevailing CIO response to technology risk is to throw more technology at the problem by trying to protect data better. This approach is wise and advisable. But with a record number of privacy incidents in 2008, especially in banks, one should begin to realize that technology alone is not the only solution. Technology risk has become a major business problem with direct implications to brand, customer confidence, and stock price. Technology risk requires a deeper understanding of IT economics and quantifying the downside of IT catastrophes. When most bank CIOs perform this analysis and they layer on the growing regulatory exposures for personal data loss, they realize that more technology in itself is not the only path to minimizing risk.

Personal data leaks and massive data spills are the new and irreversible risks for any bank, large or small. Business-minded CIOs should consider cyber liability insurance as an essential component of their risk management strategies for data privacy, network security and Internet liability.

Personal data is not just a new currency for banks; it is also potentially their biggest liability.

This article is provided for information purposes only, and is not intended to substitute for individual legal counsel or advice.

The views expressed herein are those of the author and not necessarily those of The Hartford Financial Services Group, Inc., its subsidiaries or affiliates.
