Fed to Banks: Put Security Policies in Writing
CNET News.com - January 10, 2006
Even if federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said Tuesday. Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.
The Chapell View
By issuing new guidelines for financial institutions, the Federal Reserve hasn't actually made any new rules, just cleared up ambiguity over a 1999 act that determined data governance for these institutions. Even so, much of what a business under these guidelines is required to do is dependent upon the company, sector and a host of other factors. The only well defined new requirement appears to be that financial institutions have some process in place for data governance, and that they put this in writing - i.e., have a formalized privacy policy.
Although only one part of providing privacy protections, a written privacy policy is an important one. And often, it seems, an overlooked one. Chapell & Associates conducted a survey in December 2005 with the Cutter Benchmark Review where far fewer organizations than we expected reported having put a formalized privacy policy in place (look for specific survey results later this year). Moreover, although a new study by the Customer Respect Group found that a majority of companies had a posted privacy policy, not all of these were transparent or at all clear about the businesse' privacy practices.
Putting clear and accurate privacy policies in place is a good place to start for most organizations looking to improve their privacy practices. It can alleviate consumer worry and boost consumer engagement while also providing an incentive for businesses to improve their actual policies - since they are, after all, open to the public. Of course, the Federal Reserve's guidelines only apply to financial institutions. But if efforts to pass privacy legislation heat up in 2006 – as they look like they might - it's not a bad place to begin.
Even if federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said Tuesday. Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.
The Chapell View
By issuing new guidelines for financial institutions, the Federal Reserve hasn't actually made any new rules, just cleared up ambiguity over a 1999 act that determined data governance for these institutions. Even so, much of what a business under these guidelines is required to do is dependent upon the company, sector and a host of other factors. The only well defined new requirement appears to be that financial institutions have some process in place for data governance, and that they put this in writing - i.e., have a formalized privacy policy.
Although only one part of providing privacy protections, a written privacy policy is an important one. And often, it seems, an overlooked one. Chapell & Associates conducted a survey in December 2005 with the Cutter Benchmark Review where far fewer organizations than we expected reported having put a formalized privacy policy in place (look for specific survey results later this year). Moreover, although a new study by the Customer Respect Group found that a majority of companies had a posted privacy policy, not all of these were transparent or at all clear about the businesse' privacy practices.
Putting clear and accurate privacy policies in place is a good place to start for most organizations looking to improve their privacy practices. It can alleviate consumer worry and boost consumer engagement while also providing an incentive for businesses to improve their actual policies - since they are, after all, open to the public. Of course, the Federal Reserve's guidelines only apply to financial institutions. But if efforts to pass privacy legislation heat up in 2006 – as they look like they might - it's not a bad place to begin.
