Since the 1920s banks have collected personal data, often clumsily, inefficiently and rarely centralized given that the relationship with most customers was often a local one. Banking clients relied on their local broker, teller, or advisor to have enough knowledge about them to give sound advice and offer personalized service. A client's personal information often was entrusted to a few local bank employees and kept in a secured cabinet or server, backed up centrally as a precaution. The relationship between bank and local client was respectfully confidential, and that confidentiality was a function of local people's good judgment to practice data discretion and privacy respect. In fact, any compromise of a client's personal data was often a local event, a local story at most, and contained to relatively few players. For decades it was the George Bailey philosophy of managing and protecting people's personal information. That world no longer exists.
With almost every bank collecting unprecedented volumes of personal data and centrally storing it, the risks facing banking CIOs have shifted from under-the-radar, fairly contained data leaks to high-profile, national data spills with growing waves of privacy litigation, crisis expenses, and regulatory costs in their wake. So why are today's banks collecting so much personal data? Well, because they can and because they have to.
Banks can because:
1. Data storage costs have gone so low that banks can afford to store almost unlimited data about their customers
2. The IT economies of scale are such that centralizing personal data storage offers the most cost efficiency
3. Banks are more profitable with lower cost IT automation for transactions, marketing, and service
4. Personal data is currency.
They have to because:
1. Bank customers expect to be able to "self-service" their accounts at ATMs, web sites, and kiosks
2. Other industries are doing it
3. Oversight of a large bank's operations is more manageable
4. Personal data is a liability.
In 2008 banks do not lose personal data, computers do. In 2001 the Brookings Institution book, "Unseen Wealth," predicted the rapid growth of "information assets" as companies--especially banks--would amass more data than ever about their customers and make more money from that data. The predictions of the book were largely true as they related to the increasing value of personal data. As evidenced by the recent growth in identity thefts, one could surmise that personal data is in fact currency and sought after by data brokers, data markets and data thieves. This reality suggests that banks need to completely change the paradigm of how they view their professional liability and IT related business risks. Are CIOs insured for their banks' information malpractices and do they even know what that is?
Professional liability for banks is transitioning rapidly from human error to technology error as a result of IT dependence and growth in privacy exposures. IT affords great efficiency and scale on one hand, but the downside of IT dependence is an organization with a greater concentration of risk. All the data assets in one place also means all the data liabilities in the same place.
The steady growth of IT security solutions suggests that the prevailing CIO response to technology risk is to throw more technology at the problem by trying to protect data better. This approach is wise and advisable. But with a record number of privacy incidents in 2008, especially in banks, one should begin to realize that technology is not the only solution. Technology risk has become a major business problem with direct implications for brand, customer confidence, and stock price. Technology risk requires a deeper understanding of IT economics and quantifying the downside of IT catastrophes. When most bank CIOs perform this analysis and layer on the growing regulatory exposures for personal data loss, they realize that more technology is not in itself the only path to minimizing risk.
Personal data leaks and massive data spills are the new and irreversible risks for any bank, large or small. Business-minded CIOs should consider cyber liability insurance as an essential component of their risk management strategies for data privacy, network security and Internet liability.
Personal data is not just a new currency for banks; it is also potentially their biggest liability.
This article is provided for information purposes only, and is not intended to substitute for individual legal counsel or advice.
The views expressed herein are those of the author and not necessarily those of The Hartford Financial Services Group, Inc., its subsidiaries or affiliates.
