Distinction between the Security Guidelines and the Privacy Rule
The requirements of the Security Guidelines and the interagency regulations regarding financial privacy (Privacy Rule)8 both relate to the confidentiality of customer information. However, they differ in the following key respects:
- The Security Guidelines address safeguarding the confidentiality and security of customer information and ensuring the proper disposal of customer information. They are directed toward preventing or responding to foreseeable threats to, or unauthorized access or use of, that information. The Security Guidelines provide that financial institutions must contractually require their affiliated and non-affiliated third party service providers that have access to the financial institution's customer information to protect that information.
- The Privacy Rule limits a financial institution's disclosure of nonpublic personal information to unaffiliated third parties, such as by selling the information to unaffiliated third parties. Subject to certain exceptions, the Privacy Rule prohibits disclosure of a consumer's nonpublic personal information to a nonaffiliated third party unless certain notice requirements are met and the consumer does not elect to prevent, or "opt out of," the disclosure. The Privacy Rule requires that privacy notices provided to customers and consumers describe the financial institution's policies and practices to protect the confidentiality and security of that information. It does not impose any other obligations with respect to safeguarding customers' or consumers' information.
Third-party marketers for financial institutions are preparing for new audits of their information security controls and processes. Slicing and dicing customer information using psychographics and demographics is a routine task. Mailing millions of pieces annually with new offers from collaborating internal business units and external partners creates significant challenges in managing sensitive customer information. This increased exposure to potential data loss and other threats warrants additional scrutiny of the supply-chain companies that interface with the marketing department.
One way to find out how ready your partners would be for a formal audit is to ask them when they last had an independent audit of their information security controls. Many organizations today serve multiple financial institutions in the same region and are therefore consistently being asked for evidence of a SAS 70 audit opinion. SAS 70 is not a predetermined set of standards that an organization must satisfy in order to “pass” the audit. In a SAS 70 audit, the service organization itself is responsible for describing the control objectives and control activities that might be of interest to auditors at user organizations. Because the objectives are self-defined, they can be non-specific for a given audit and may leave large gaps relative to real-world, day-to-day operations.