Federal Regulator Implicated in Data Breach at California Credit Union
The regulatory issues financial services companies face may increase in 2015. The rules require that sensitive data be shared with examiners and agencies.
14 January 2015
To paraphrase the proverb: “Regulator, heal thyself.”
All it takes is one external flash drive to compromise an entire business. It appears that in October 2014, a federal regulator performed a routine audit on a California credit union. In the process, the credit union’s key customer data was downloaded onto a portable flash drive. Then, this thumb drive was lost, stolen, or destroyed, says an article in the Credit Union Times.
It’s unclear if the institution, the National Credit Union Administration auditor, or a combination of both were the cause of the disappearance. Naturally, an investigation is ongoing. "At this time we do not know if the external drive has been inadvertently destroyed or if it was acquired by an unauthorized person," stated the Credit Union Times. "All we know is that it is lost."
Crying Over Spilled Data
An article from Bank Info Security asks how “such an egregious breach” could occur. This is the wrong question. We know from experience that such manual, portable-media-based processes are inherently flawed.
The correct question to ask is: How often are such errors occurring under the radar? If regulators are using risky processes to gather and share data, what are rank-and-file employees doing? Secure email and file sharing might have avoided this problem. Highly secure email (with the message body encrypted) or endpoint encryption can reduce these vulnerabilities.
But, in the first place, the Bank Info Security article notes, small financial institutions typically don’t use secure email. And these sorts of encryption technologies hinder usability, which will discourage adoption. Needless to say, regular email can incur risks, especially if it involves mobile access by end users — who may have inadequate protection on their devices.
Security Technologies Are Here Now
Ironically, the regulatory issues financial services companies endure are only going to increase in 2015. The rules require that more and more sensitive data be shared with a network of examiners and agencies. Financial reporting requirements such as CCAR (the Federal Reserve’s Comprehensive Capital Analysis and Review) will also increase data reporting loads. Finding a safe, simple and secure mechanism for sharing data is a strategic necessity.
No industry can tolerate the potential brand damage, sanctions, customer loss, etc., that a breach can cause. We have existing (and easily adoptable) procedures and technologies that make data loss or theft almost impossible.
- Two-factor authentication
- Complete encryption at rest, in motion, and when in use in an application
- Customer-managed encryption keys
- Automated data transmission
- Information Rights Management — which protects and controls data, and informs owners where and how often data is being accessed, in real time
Certainly, enterprises need not tolerate portable storage media and insecure email for document storage and sharing another minute. Why should we put up with an archaic risk when, with the proper resources, we can have the highest grade of security, along with the ability to share and unshare data and files even after they have left our networks? With a little effort, we need not see a repeat of such a data loss.
Daren Glenister is the Field CTO for Intralinks. In his role, he acts as a customer advocate, working with enterprise organizations to evangelize data collaboration solutions and translate customer business challenges into product requirements, helping to steer Intralinks’ product road map and the evolving secure collaboration market. Daren brings over 20 years of industry experience and leadership in security, compliance, secure collaboration and enterprise software, having worked with many Fortune 1000 companies to turn business challenges into real-world solutions.