On Jan. 23, TechCrunch reported that more than 24 million mortgage and banking documents were left exposed on the internet in an unprotected environment for approximately two weeks. Ascension, which provides data analytics and document management services to the financial industry, stored sensitive documents, some of which were a decade old, on an unprotected server that anyone with an internet connection could potentially access. The exposed documents were part of a service provided by Ascension where it converts paper documents to electronic format.
These documents belonged to customers of some of the largest banks in the country, including Wells Fargo, Citigroup, and Capital One. The information exposed included sensitive personally identifiable information such as customer names; addresses; dates of birth; social security numbers; and account numbers. It is unclear at this time whether hackers accessed this treasure trove of data and sold it on the black market.
This incident illustrates three key concepts that banks should implement to mitigate the loss of sensitive customer data and reduce risk.
First, banks should focus on developing policies that promote data storage minimization. If the bank stores less data, especially personally identifiable information (“PII”), the risk and resulting impact of a breach decreases. Data disposal is also required under Alabama law. Specifically, Alabama’s Breach Notification Law (“SB318”) requires businesses to dispose of records containing sensitive PII pursuant to law, business need, or regulation.
Implementing a solid data disposal policy also makes breach notification easier on the back-end. For example, the Ascension breach exposed documents going back to 2010. If the bank and/or its vendors unnecessarily maintain records of former customers, and do not maintain those customers’ current contact information post-breach, the bank runs the risk of having to notify those customers by publication through major media outlets and the bank’s website. This method can be costly and a public relations nightmare. For the data and records that the bank must maintain pursuant to law or business need, the key is properly storing that data and maintaining updated customer contact information.
Second, the bank should encrypt PII that the bank or its vendors store electronically. This is one of the best methods to protect data because even if a hacker obtains access to encrypted files, customers’ PII remains protected in many cases. The records exposed in the Ascension breach were not encrypted, thus the data was free for a hacker to download with minimal effort. Had Ascension encrypted the data with a secure encryption key, a hacker would have been required to jump through significant hoops in order to unlock the data. With such a barrier in place, the transaction cost is high, and a hacker is likely to focus on an easier target.
Like data disposal, encryption is helpful on the back-end of a breach. Under most states’ breach notification laws (e.g., SB318), encrypted data is exempt from reporting and notification requirements unless there is reason to believe the encryption key was also misappropriated.
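The two paragraphs above make the point that an encrypted record is worthless to someone who only obtains the stored file, and that the protection depends on the key being kept apart from the data. The following Go program is an added illustration of that point; it is not code from the article, from Ascension, or from any of the banks named. It uses the standard library's AES-256-GCM (authenticated encryption) to seal a constructed, entirely fictitious customer record, checks that the stored blob does not contain the plaintext fields, and shows that a wrong key, a tampered blob, or a blob relabelled as a different record all fail to decrypt. The record layout, the field names, and the assumption that the key is fetched from a separate key-management service rather than stored beside the ciphertext are the example's own choices.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed example of the kind of PII a document-conversion
// vendor might hold. Field names and values are made up for this example.
type Record struct {
	Name    string `json:"name"`
	DOB     string `json:"dob"`
	SSN     string `json:"ssn"`
	Account string `json:"account"`
}

// NewDataKey returns a fresh random 256-bit AES key. In a real deployment the
// key would be held in a KMS or HSM, never on the same storage as the
// ciphertext (an assumption of this example, not something the article states).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal serializes the record and encrypts it with AES-256-GCM. The returned
// blob is nonce || ciphertext || tag, which is what would be written to disk.
// recordID is bound in as associated data so a blob cannot be silently moved
// under another record's identifier.
func Seal(key []byte, recordID string, r Record) ([]byte, error) {
	plain, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, []byte(recordID)), nil
}

// Open reverses Seal. A wrong key, a modified blob, or a blob presented under
// a different recordID fails GCM authentication and returns an error, so no
// partial or forged plaintext is ever handed back to the caller.
func Open(key []byte, recordID string, blob []byte) (Record, error) {
	var r Record
	block, err := aes.NewCipher(key)
	if err != nil {
		return r, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return r, err
	}
	if len(blob) < aead.NonceSize() {
		return r, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return r, err
	}
	if err := json.Unmarshal(plain, &r); err != nil {
		return r, err
	}
	return r, nil
}

// ContainsPlaintext reports whether a stored blob still carries a field value
// verbatim. It is the kind of spot check to run over a sample of stored files
// to confirm that encryption at rest is actually in effect.
func ContainsPlaintext(blob []byte, field string) bool {
	return bytes.Contains(blob, []byte(field))
}

func main() {
	key, _ := NewDataKey()
	// Constructed sample record; no real person or account.
	rec := Record{Name: "Example Customer", DOB: "1980-01-01", SSN: "000-00-0000", Account: "0000000000"}
	blob, _ := Seal(key, "doc-1", rec)
	fmt.Println("SSN visible in stored blob:", ContainsPlaintext(blob, rec.SSN))
	got, err := Open(key, "doc-1", blob)
	fmt.Println("decrypt with correct key:", err == nil, got.Name)
	other, _ := NewDataKey()
	_, err = Open(other, "doc-1", blob)
	fmt.Println("decrypt with wrong key fails:", err != nil)
}
```

The design choice worth noting is the use of an authenticated mode and the record identifier as associated data: an attacker who only has the stored files cannot read them, and cannot alter or reshuffle them without detection, which is the property that makes the encrypted-data exemption in breach notification laws defensible as long as the key itself was not exposed.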
Third, as part of the bank’s vendor management program, the bank should make sure that agreements with third-party vendors that process or store customer data include indemnification provisions so the bank is indemnified from any liability in connection with the loss of data while under the vendors’ custody or control. Vendors should be required to represent that they will adhere to state, federal, and international privacy laws (if applicable). Ideally, vendors should also agree to: (i) implement data protection programs and maintain robust data security policies and procedures; (ii) maintain adequate cybersecurity insurance; and (iii) report any breach and/or handle breach response, including any breach notification or reporting requirements.
While the three takeaways above are not an exhaustive approach to mitigating liability and preventing intrusions, banks that are interested in protecting customer data should consider them.
Fob James is an attorney in Burr & Forman LLP’s Birmingham office where he practices in the firm’s Cybersecurity and General Commercial Litigation practice groups.