Author: Deborah Matthews, firstname.lastname@example.org
In the financial services world, privacy concerns and regulation covering the use of personal data are nothing new. The Gramm-Leach-Bliley Act requires FIs to allow consumers to opt out of sharing personal information for third-party marketing. The Telephone Consumer Protection Act and CAN-SPAM legislation prohibit unsolicited commercial text messages and emails. Yet to be determined: how the CFPB will wield its authority in the privacy arena. (Stay tuned.)
CRM systems have been around for years, helping FIs refine data to promote targeted product offers. In today's revenue-compressed environment, some FIs are using such tools to drive personalized offers that promote cross-selling and open additional revenue opportunities, such as merchant-funded rewards (MFR) programs. MFR programs are designed to use aggregated, fully anonymized data to determine which offers to present, and are positioned as mutually advantageous for the FI and its customers. One caveat, illustrated by the Netflix example in part one: data that is "anonymous" in aggregate can sometimes be re-identified, so the anonymization itself deserves scrutiny.
But what happens when the broader universe of data is used in ways that affect consumers' ability to access credit or insurance? Today many insurance companies review credit ratings in order to "score" clients and set premiums. A recent article in The Economist predicts insurance companies will analyze card transactions at grocery stores to determine insurability (advice: pay cash if you are going to buy junk food!). What will come next? Will information gathered from posts on social networks, and intelligence purchased from data brokers, be considered in credit and lending decisions? Movenbank has publicly stated that it will use information gathered from Twitter, Facebook and other social networks for lending decisions and for pricing a customer's relationship with the bank.
Here's another area where it gets interesting. FIs face a privacy paradox: they are required both to restrict and to use customer data. FIs have long been required to "Know Your Customer," which is accomplished through analysis of data from historical interactions with the FI and from other sources.
The expanded FFIEC guidance on layered security calls for enhanced authentication processes. FIs are required to understand customers' "normal" financial behavior in order to identify anomalous activity, and the expectation of what counts as "commercially reasonable" layered security keeps evolving: in a high-profile corporate account takeover case, the lack of behavioral analytics was a key factor that led the judge to rule against the bank. In another twist, technologies that some perceive as encroaching on privacy actually help protect customers: proximity and location can serve as an additional security validation layer.
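As an added illustration of the behavioral layer described above (this is example code written for this page, not the FFIEC's guidance or any vendor's product), the following scores a new session-plus-transfer against what is "normal" for one account: amount relative to the account's history, whether the device has been seen before, whether the session location implies impossible travel since the last session, and whether the customer's enrolled phone is physically near the session origin, which is the proximity check used as a positive signal. The Event fields, the 3-sigma, 900 km/h and 5 km thresholds, the point values and the six-transaction history are all constructed assumptions.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Event is one constructed record of a customer session that ends in a
// transfer. The fields are assumptions for this example, not a vendor schema.
type Event struct {
	At                 time.Time
	Amount             float64
	Lat, Lon           float64 // session origin (e.g. IP geolocation)
	Device             string  // device fingerprint presented at login
	PhoneLat, PhoneLon float64 // last known position of the enrolled mobile phone
}

// Baseline is what "normal" looks like for one account, learned from history.
type Baseline struct {
	meanAmt, stdAmt float64
	devices         map[string]bool
	last            Event // most recent accepted event, used for travel checks
}

// NewBaseline derives the amount statistics, known devices and last event.
func NewBaseline(history []Event) Baseline {
	b := Baseline{devices: map[string]bool{}}
	for _, e := range history {
		b.meanAmt += e.Amount
		b.devices[e.Device] = true
	}
	b.meanAmt /= float64(len(history))
	for _, e := range history {
		d := e.Amount - b.meanAmt
		b.stdAmt += d * d
	}
	b.stdAmt = math.Sqrt(b.stdAmt / float64(len(history)))
	b.last = history[len(history)-1]
	return b
}

// haversineKm is the great-circle distance between two points on Earth.
func haversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	const r = 6371.0
	toRad := func(d float64) float64 { return d * math.Pi / 180 }
	dLat, dLon := toRad(lat2-lat1), toRad(lon2-lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * r * math.Asin(math.Sqrt(a))
}

// Verdict is the layered-security outcome: a score plus the reasons behind it,
// so an analyst can see which layer fired.
type Verdict struct {
	Score   int
	Reasons []string
}

// Score compares one new event against the baseline. Each layer adds to the
// score; proximity confirmation subtracts. Thresholds are illustrative.
func (b Baseline) Score(e Event) Verdict {
	var v Verdict
	add := func(points int, why string) {
		v.Score += points
		v.Reasons = append(v.Reasons, why)
	}
	if b.stdAmt > 0 && (e.Amount-b.meanAmt)/b.stdAmt > 3 {
		add(40, "amount more than 3 standard deviations above normal")
	}
	if !b.devices[e.Device] {
		add(30, "device never seen on this account")
	}
	hours := math.Max(e.At.Sub(b.last.At).Hours(), 1.0/60) // floor at one minute
	if haversineKm(b.last.Lat, b.last.Lon, e.Lat, e.Lon)/hours > 900 {
		add(50, "impossible travel since last session") // faster than an airliner
	}
	if haversineKm(e.Lat, e.Lon, e.PhoneLat, e.PhoneLon) < 5 {
		add(-20, "enrolled phone is within 5 km of the session origin")
	}
	if v.Score < 0 {
		v.Score = 0
	}
	return v
}

// Decide maps the score onto a response: allow, demand step-up
// authentication, or hold the transaction for review.
func Decide(v Verdict) string {
	switch {
	case v.Score >= 70:
		return "hold"
	case v.Score >= 30:
		return "step-up"
	}
	return "allow"
}

// SampleHistory is constructed data: six routine transfers over six days from
// Kansas City on one known laptop, phone in the same place.
func SampleHistory() []Event {
	kc := Event{Lat: 39.10, Lon: -94.58, Device: "laptop-a1", PhoneLat: 39.10, PhoneLon: -94.58}
	var h []Event
	for i, a := range []float64{120, 140, 160, 130, 175, 155} {
		e := kc
		e.At = time.Date(2012, 6, 1, 12, 0, 0, 0, time.UTC).AddDate(0, 0, -6+i)
		e.Amount = a
		h = append(h, e)
	}
	return h
}

func main() {
	b := NewBaseline(SampleHistory())
	last := b.last.At
	routine := Event{At: last.Add(2 * time.Hour), Amount: 150, Lat: 39.11, Lon: -94.59,
		Device: "laptop-a1", PhoneLat: 39.11, PhoneLon: -94.59}
	hijack := Event{At: last.Add(30 * time.Minute), Amount: 2400, Lat: 6.52, Lon: 3.38,
		Device: "unknown-7f", PhoneLat: 39.10, PhoneLon: -94.58}
	for _, e := range []Event{routine, hijack} {
		v := b.Score(e)
		fmt.Printf("%-7s score=%d reasons=%v\n", Decide(v), v.Score, v.Reasons)
	}
}
```

The routine transfer scores zero (the phone-proximity credit cancels nothing because nothing fired) and is allowed; the second event, from a new device on another continent thirty minutes after the last Kansas City session, trips three layers and is held. The reasons list is what makes the control defensible after the fact: it records which "normal" was violated, which is exactly what a court or examiner asks about.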
Privacy is almost inseparable from security, because of the threat of information falling into the wrong hands, the fraud that follows breaches and the growing specter of identity theft. This is an epic issue for FIs even when responsibility for a breach lies elsewhere; FIs are frequently affected in some measure, from diminished consumer confidence to operational burdens to financial losses.
Many FIs have a chief security officer, or house that duty within the chief compliance officer or chief information officer role. Maybe it's time for FIs to consider adding a chief privacy officer as well. FIs should ensure that their customers are clearly advised how their personal information will be collected and used. In a recent blog post, Javelin Strategy & Research's Mark Schwanhausser cautions FIs to consider carefully their approach to the inextricably linked issues of data mining, privacy, security and trust:
"FIs not only have an opportunity to profitably mine data, but they also have a trust edge over rivals. Nonetheless, they must mine data in a manner that protects customer privacy, enables customers to understand when and how they will benefit from sharing information and access, and errs on the side of transparency. … Building trust takes time. Destroying trust takes only an instant."
Author: Deborah Matthews, email@example.com
There’s a meme that compares data to oil. Just like oil, data is most valuable when it is refined.
As a former marketer, I understand the “Infonomics” imperative to harness customer data from multiple sources to create relevant offers and incentives that transform interest into purchases and “enhance the customer experience.” Many businesses understand that information is an economic asset and are aggressively looking for ways to monetize it.
As a consumer, however, I am personally concerned about the ease with which businesses accumulate diverse snippets of information about me from a variety of sources. I worry about my children's generation's cavalier attitude about posting all sorts of information to the digital world without considering the potential perils of oversharing. Given that many sites' T&Cs stipulate that they "own" whatever is posted, and assuming that everything remains online or in the cloud in perpetuity, what can be known about each of us has changed forever. Everything from poor fashion choices to impetuous remarks to youthful indiscretions will live forever. Anonymity no longer exists, and society will become numb to the plethora of personal data.
Yet I must confess: I am often guilty of intentionally surrendering my personal information and privacy in exchange for greater convenience, discounts, coupons and access, without contemplating whether the recipient can or will protect my information.
Are businesses entitled to know about us (beyond our transactional history) just because they can? The dividing line between personalized offers and offensive invasiveness is both ambiguous and fluid. We assume that data is analyzed in aggregate, but it appears that sensitive identifying information about individuals can be discerned. Remember when Netflix sponsored a contest to improve its recommendation system? Insufficiently anonymized customer viewing data was disclosed, and researchers from the University of Texas successfully identified customers from the released information. Netflix was sued by a customer whose identity and sexual orientation were revealed.
Here’s another fascinating example: Target sent baby product coupons to a teenager, much to her father’s ire. He withdrew his complaint when he discovered his daughter was, in fact, pregnant. Target’s statistician predicts, “Just wait. We’ll be sending you coupons for things you want before you even know you want them.”
In 1999, the CEO of Sun Microsystems declared consumer privacy DOA: "You have zero privacy anyway. Get over it."
Today, however, there is mounting discontent over "unfair and deceptive practices" in the use and aggregation of personal information, practices that have grown more pervasive as online and mobile interactions become ubiquitous. The focus on privacy will only intensify, if these events are any indication:
- In February, the White House unveiled a Privacy Bill of Rights to protect online consumers. Seven pillars support the blueprint, among them:
  - Respect for context, and
  - Accuracy and focused collection.
- The FTC issued a voluminous report in March, calling for corporate self-regulation and proposing a framework built on three best practices:
  - Privacy by design: build in privacy at every stage of development,
  - Simplified choice: allow customers to make decisions about the use of their data relative to context, and deploy a "Do Not Track" mechanism, and
  - Greater transparency.
- Sen. Al Franken, chairman of the Senate subcommittee on Privacy, Technology, and the Law, advocates more rigorous privacy legislation. "You are not their client, you are their product," he stated, admonishing Google and Facebook.
- The FCC is soliciting public comments on telecom carriers' protection of data collected by smartphones.
- The House of Representatives recently passed the Cyber Intelligence Sharing and Protection Act, which grants government agencies authority to gather information in the name of cybersecurity. Opponents fear that it may diminish citizens' privacy rights.
- Breaches such as the recent LinkedIn incident fuel a lack of confidence in the ability to secure data.
Stay tuned for part two of my blog post, where we'll look at a few implications of the evolving privacy, security and trust issues for financial institutions.
Further reading:
- Privacy Rights Clearinghouse: Privacy Basics and Opt-out Strategies; Online Information Brokers List
- Network Advertising Initiative
- The Future of Privacy Forum
Author: Kyle Cooper, firstname.lastname@example.org
Unless you are a Middle Eastern nation state with a rogue nuclear program, chances are you have not been targeted by the authors of the latest "big thing" in information security: the Flame virus. There has been a lot of hype surrounding its discovery and complexity. Let's cut through the fear, uncertainty and doubt (FUD), stick to the facts, and point out the features of this event that are most likely to shape the malware landscape going forward.
New Attack Vectors
The Flame malware achieved the "Holy Grail" of hacks: a module that impersonates a Windows Update server, so it could silently infect other machines on the local network under the guise of installing Microsoft patches. To pull this off, its authors equipped it with a counterfeit Microsoft code-signing certificate. Such certificates are supposed to protect updates by giving machines a way to authenticate their source; Flame's was not stolen but forged, using an MD5 chosen-prefix collision against a Microsoft Terminal Server Licensing intermediate CA that still signed with MD5 and whose certificates Windows did not restrict from chaining to code-signing. Microsoft responded by revoking those intermediates and tightening how Windows Update validates signatures. Although this technique has not been spotted in the wild outside of Flame, you can bet the bad guys are hard at work researching how to incorporate it into malware targeting the everyday computer user. The lesson for anyone who verifies updates is that "signed by a certificate that chains to the vendor" is not enough; the digest algorithm and the permitted usages of every certificate on the chain have to be checked too.
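To make that last point concrete, here is an added example (written for this page; it is not Microsoft's update code and the PKI it builds is an in-memory stand-in, not Microsoft's) showing the check an update installer must make before trusting a signer. It issues a vendor root, an intermediate that stands in for a licensing CA, and a leaf that claims the Code Signing extended key usage, then asks Go's verifier whether the leaf is trusted specifically for code signing. When the intermediate was issued for some other purpose the chain is rejected; when the intermediate carries no usage restriction at all (the condition Flame exploited) it is accepted. The certificate names, serial numbers and the use of server authentication as the "other purpose" are assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the material an update installer is handed: its pinned vendor root,
// the intermediate that issued the signer, and the signing certificate itself.
// All three are generated in memory here; none of this is a real vendor's PKI.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// certTemplate builds a certificate template; CAs get the CertSign key usage.
func certTemplate(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// sign issues tmpl for public key pub, signed by parent's private key.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildChain issues root -> intermediate -> leaf, where the leaf asserts the
// Code Signing extended key usage and the intermediate carries whatever EKU
// set the caller wants to test (nil means no restriction at all).
func buildChain(intermediateEKU []x509.ExtKeyUsage) Chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := certTemplate("Vendor Root CA", 1, true, nil)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(certTemplate("Vendor Licensing CA", 2, true, intermediateEKU), root, &intKey.PublicKey, rootKey)
	leaf := sign(certTemplate("Vendor Update Signer", 3, false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}), inter, &leafKey.PublicKey, intKey)
	return Chain{root, inter, leaf}
}

// TrustedForCodeSigning asks the question a patch installer must ask before
// executing anything: does the signer chain to the pinned root, and is every
// CA on that path permitted to vouch for code signing? Go's verifier applies
// EKU nesting, so an intermediate issued for another purpose cannot be
// repurposed the way Flame repurposed a licensing CA.
func TrustedForCodeSigning(c Chain) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	inters.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

// WeakSignature flags certificates signed over a digest that allows
// chosen-prefix collisions (MD5, the flaw Flame exploited) or is deprecated.
func WeakSignature(c *x509.Certificate) bool {
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

func main() {
	// An intermediate restricted to server authentication (standing in for a
	// licensing-only CA) must not be able to vouch for an update signer.
	restricted := buildChain([]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	fmt.Println("restricted intermediate:", TrustedForCodeSigning(restricted))
	// An intermediate issued with no EKU at all means "any purpose"; this is
	// the misconfiguration that let a forged licensing certificate sign code.
	unrestricted := buildChain(nil)
	fmt.Println("unrestricted intermediate:", TrustedForCodeSigning(unrestricted))
}
```

WeakSignature is the second half of the check: a chain that verifies structurally is still not trustworthy if any link was signed with MD5, because that is precisely the signature an attacker with enough compute can forge. In practice both checks belong in the installer, and the intermediate CA should carry an explicit EKU list rather than relying on "no restriction" meaning "any purpose".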
New Design Possibilities
Due to its design, Flame has been called an "all-in-one virus-trojan-backdoor." Its core alone is about 6 megabytes (MB), already far larger than the malware we observe daily, and because Flame is modular its controller can grow it to roughly 20 MB. That is a huge piece of malware, with room for practically any feature the controller needs: Flame carries modules for network sniffing, recording audio, keylogging, anti-virus detection and more, including modules whose purpose researchers have not yet determined. This modularity gives attackers far more flexibility than currently available malware products, and it is a design technique others are sure to mimic going forward.
Innovation Trickles Down Across All Sectors
Stuxnet, a worm discovered two years ago, was recently revealed to have been developed by the United States and Israel. It targeted Iranian nuclear facilities in an attempt to avoid kinetic warfare over Iran's unsanctioned nuclear program, and by some expert accounts it delayed that program by two years, buying the time needed for international discussions to continue. However, the worm escaped onto the wider internet. Stuxnet showed that even nation states with good intentions and practically unlimited budgets can lose control of their creations. And while Stuxnet was built to affect only the very specific industrial control software driving Iran's uranium enrichment centrifuges, Flame has much broader capabilities that anyone with malicious intent may find useful. As nation states get better at cyber offense, that innovation will eventually trickle down to those who will use it for less than honorable purposes.
It's important to keep perspective on this issue. Learning what we can from these situations and preparing for the future is the only effective response; falling prey to hysteria will only leave you unprepared for the challenge ahead. Patch, monitor your network proactively, and have an incident response plan in place for your worst-case scenario.
Author: James Key, JKey@jackhenry.com
For the past several years, "Unified Communications (UC)" has been a buzz phrase that comes up whenever technology is discussed. UC means different things to different people; ask 25 people "What is your definition of Unified Communications?" and you will undoubtedly get 25 divergent replies. This is particularly true of the various UC vendors, each of which feels its products offer the definitive solution. Although Unified Communications is sometimes described as an "umbrella" term and can be difficult to define, the generally accepted industry definition is as follows:
Unified Communications (UC) is the integration of non-real-time communication services such as unified messaging (integrated voicemail, e-mail, short message service [SMS], and fax) with real-time communication services such as IP Telephony (VoIP), instant messaging (chat), presence information, and video conferencing.
It's important to note that UC is not any single technology but a set of technologies that provides a consistent, unified interface and user experience across multiple devices and media types. This can include (but is not limited to) unified messaging, presence, instant messaging, video, and what is arguably the foundation of UC, IP telephony (VoIP).
Let's take a brief look at these five areas, each of which generally plays an important role in any UC deployment.
1. IP Telephony (VoIP)
IP telephony is typically the building block of any UC deployment. It integrates voice with other modes of communication, for example by delivering voicemail into email inboxes and by extending telephony from standard desk phones to end-user PCs through software applications such as softphones. It also gives end users telephony features such as individualized call control settings, unified corporate directories, conference calling and mobility, to name a few. One frequently used mobility feature is "Single Number Reach" (SNR). SNR lets a user receive business calls placed to their direct inward dial (DID) number wherever they want to be reached at any given moment, whether at their desk, at home, or on their mobile phone. It also allows a call to be transferred from a desk phone to a mobile phone, and back again, without the other party ever knowing the change occurred. With the growing adoption of IP telephony, UC is finally becoming a practical proposition for most businesses. Businesses that have already implemented IP telephony are well on the way to a UC environment, since their phone system can easily join the other forms of IP-based communication on the enterprise data network.
2. Unified Messaging
UC also incorporates unified messaging, which integrates email, voicemail and faxes into a single inbox that can be accessed from a client such as Microsoft Outlook. This can also include advanced voicemail functionality such as text-to-speech, speech-to-text and visual voicemail.
3. Presence
Presence is one of the more significant features within any UC environment and can be particularly important to companies with a widely dispersed and mobile workforce. Moment by moment, presence shares an end user's availability, location, and possibly preferred method of contact. Other users can immediately see whether the person they need is available and the best way to reach them. Presence indicators can be delivered by different means, whether software running on a desktop PC or an application on the user's mobile phone.
4. Instant Messaging (IM)
Once the province of anonymous people "conversing" in chat rooms on the internet, IM has made its way to the enterprise and is now becoming a corporate mainstay. IM is usually integrated tightly with presence and is rapidly becoming a viable replacement for overflowing voicemail and email inboxes. If you need to get through to a busy co-worker, IM is becoming the fastest and most effective method of communication.
5. Video
In a quest to slash travel costs, businesses have increasingly been turning to video for meetings with remote workers, training sessions, and more. UC solutions should therefore integrate with the various modes of video, from desktop webcams and video-enabled IP phones to video Multipoint Control Units (MCUs), which are used in larger settings such as conference rooms, training rooms and board rooms and where multi-site conferencing may be a requirement.
There are many advantages to adopting Unified Communications. Cost savings will certainly be one, but a big part of your return on investment (ROI) will be realized through improved business processes: helping your employees work more productively and efficiently, and potentially transforming the way your company does business.
What advantages has your institution seen from adopting Unified Communications?