Personal Information

Personal Information

Leakage of personal information has a knock-on to Reputational Risk and Legal Risk, as explored in the section below. As noted in the BOK activities addressing supply chain security, incorporating secure development into the Software Development Lifecycle is therefore also a compliance issue.

Intersection With Open Source

• Tools like Google Docs, Twitter, StackOverflow and GitHub may be rendered inaccessible from within a financial organisation to comply with Data Protection and Security policies, since each presents a venue where client data might be deliberately or accidentally exfiltrated.

See:

• DLP Software

Controls

• Publication Activity. Specifically: don't allow publication of data in open source contributions.
• Surveillance Activity.
• Training

Relevant Regulations

GLBA

The Gramm-Leach-Bliley Act (GLBA) also known as the Financial Services Modernization Act of 1999, is a federal law enacted in the United States to control the ways financial institutions deal with the private information of individuals. The Act consists of three provisions:

• The Financial Privacy Rule, which regulates the collection and disclosure of private financial information. Under the Privacy Rule, financial institutions must provide privacy notices to consumers. They must provide this notice at the time the consumer relationship is established and on an annual basis going forward.
• The Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information. It requires financial institutions to implement security protocols (both logical and physical), and it requires financial institutions to provide breach notifications when customers’ Non-Public Information (NPI) becomes compromised.
• and the Pretexting provisions, which prohibit the practice of pretexting, or accessing private information using false pretenses:

Pretexting (sometimes referred to as "social engineering") occurs when someone tries to gain access to personal nonpublic information without proper authority to do so. This may entail requesting private information while impersonating the account holder, by telephone, by mail, by e-mail, or even by "phishing" (i.e., using a phony website or email to collect data). GLBA encourages the organizations covered by GLBA to implement safeguards against pretexting. - Gramm-Leach-Bliley Act, Wikipedia

Example: In 2019, Equifax, Inc. agreed to pay at least $575 million, and potentially up to $700 million, as part of a global settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories to settle allegations that the credit reporting company's failed to take reasonable steps to secure its network.

GDPR

Any software (including open source) used by an organisation operating within the EU needs to be General Data Protection Regulation (GDPR) compliant:

The regulation applies if the data controller (an organisation that collects data from EU residents), or processor (an organisation that processes data on behalf of a data controller like cloud service providers), or the data subject (person) is based in the EU. Under certain circumstances,[3] the regulation also applies to organisations based outside the EU if they collect or process personal data of individuals located inside the EU. The regulation does not apply to the processing of data by a person for a "purely personal or household activity and thus with no connection to a professional or commercial activity." - GDPR, Wikipedia

Example: During the pandemic in 2020, many banks started using Zoom for video conferencing, but this ran afoul of the GDPR regulations (German language). More recent versions of the software aim to remedy this.

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security requirements designed to protect cardholder data and ensure the secure processing, storage, and transmission of payment card information. Established by major credit card companies, the standard applies to all entities involved in payment card processing, including merchants, processors, and service providers. Compliance with PCI DSS helps minimize the risk of data breaches and safeguard sensitive payment card information from theft and fraud.