Security

11:00 AM
Lisa McLaughlin
Lisa McLaughlin
Commentary
50%
50%

A Secure Approach to Data Privacy

With the increasing importance of information security and recent cyber attacks, it's time for businesses to make strategic privacy decisions.

Given the increasing importance of information security and privacy, the prominence they have taken on in both the business world and the media, and considering the recent market conditions surrounding cyber attacks, the question arises whether strategic privacy considerations to run your business have been made.

To effectively address cyber security risks and reduce their potential impact, at SS&C Technologies we have adopted an in-depth defense approach while implementing baseline controls that are aligned with industry best-practices. This is a coupled approach containing management and technical controls that support each other at different levels within a network, system, or application. Among our controls are the following: external technical assessments, security audits and vendor due diligence, perimeter security, segregation of networks, application security, end-point security, awareness training, security incident reporting, management, and data loss prevention.

The world models of data protection encompass more than 80 countries -- each nation has different data protection models all drawn upon its own laws, markets, technology, and self-regulation as sources of protection in varying degrees. When it comes to financial institutions and insurance companies serving as the collectors of information, the individual would be considered a data controller.

As a privacy-savvy professional, in my view data privacy is an effort to empower and bring awareness to online users to protect their own privacy, identity, and digital footprint. As SS&C makes security, privacy, and cyber security strategic considerations to run its business, we start by educating our employees in responsible ways to handle and process data. This is accomplished through awareness training, which is mandatory for all system users around the globe. Our 2015 Awareness Training course is already underway.

[Elite 8 2013: Where Are They Now?]

Defining privacy, security, and legal considerations
Security must address the increasing interconnectivity of business today, which exposes information to a wide number of threats. Protecting information is accomplished through security controls -- vulnerability programs, access controls, encryption, and IS policies governed under law. Information security is the protection or safeguarding of privacy in order to prevent loss of, unauthorized access to, or misuse of confidential information. If security is breached, then privacy controls will not be effective.

SS&C’s mission toward a robust security program includes these main attributes:

  • Confidentiality, integrity, and availability of the information
  • Retention of our customers', employees', and investors' information in confidence
  • The trust and controls around restricting the modification of data to authorized users
  • The availability of data, as needed at will by those who are authorized to access it

Security and privacy are similar and overlap in several aspects. Information privacy and security both concern the use, confidentiality, and access to personal or confidential information.

Information privacy
Information privacy concerns a strict set of rules that govern the collection and handling of personal information such as laws, regulations, and compliance. Businesses around the world should pay close attention to these rules as they can be governed by several areas, especially by the leading legislation in the US. Information privacy also involves peoples' right to control their data, such as rights to notice and choice (e.g., principles such as opt in/out) or their expectations of protecting information.

The data controller is an organization that has the authority to decide how and why personal information is processed. SS&C collects this information under written agreement from banking or insurance clients, and here we are considered a data processor, or an organization that is entrusted with confidential information on behalf of the data controller. We are committed to maintaining the confidentiality of all such information and limiting its use to that which is lawful and necessary for its business activities.

The cross-over happens through compliance (IS policies) language in contracts, customer contacts, and a majority of the RFPs and due diligence in an effort to protect customers’ information assets, their private and confidential information that SS&C is entrusted with. Privacy, security, and legal considerations are directly related through existing compliance and regulatory rules (e.g., privacy laws, federal laws, and breach notification laws). To minimize these business and legal risks, companies should be reminded to always conduct periodic risk assessments or privacy impact assessments (PIAs).

The information highway transports data freely around the world.  We must be vigilant and proactive about securing confidential information and respecting privacy. At the end of the day, it is essential to embed data privacy into the design aligned with the lifecycle principals in mind. Protecting customer privacy should be entrenched in running your business, assessing what information needs to be secured, as well as where it's located and why it was collected. The intended use and determination of the information can be shared, keeping the consent and choice rights of the subjects in mind.

Lisa is a qualified security and privacy professional with a strong foundation in risk management, cybersecurity and compliance. She also has extensive experience in security laws, regulations and the understanding of legal requirements for the responsible transfer of ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
LisaM734
50%
50%
LisaM734,
User Rank: Apprentice
12/11/2014 | 2:16:04 PM
Re: Data security
Hi Kelly - thank you, I do agree that companies ideally should make privacy & security strategic considerations to run their busineses. Privacy does cross over the Security as well as the legal side. Having a strong foundation is key but also your users acting like a human firewall (on going training) definately lowers the threat landscape signficantly. Thank you for your comment.
Kelly22
50%
50%
Kelly22,
User Rank: Author
11/21/2014 | 12:12:28 PM
Data security
Thanks, Lisa. This is an especially important topic now, with the growth of big data and rise of cyberattacks. Given the extent of sensitive information insurers handle, it's especially important for them to ensure the right measures are in place to ensure data security. As you note, educating employees is a key part of that.
Register for Insurance & Technology Newsletters
White Papers
Current Issue
Insurance & Technology Digital Issue
Innovation? Check. Core modernization? Check. Security? Check. Today's insurance IT challenges don't stump this year's Elite 8.
Slideshows
Video