Panel: Yet another GDPR "deadline" presents unique challenges for firms

Data privacy and cybersecurity should be top-of-mind for every financial advisor because the best efforts in every other aspect of a practice can be scuttled if a client’s account is hacked. Day one at Pershing's INSITE 2018 featured a panel to address industry trends and answer advisors questions about an aspect of their business that is evolving rapidly.

The panel featured Jodi Pinedo and Jeff Davis from Pershing, as well as FBI Supervisory Special Agent Jason Manar and topics ranged from basics like protecting account passwords to the recently implemented General Data Protection Regulations (GDPR).

Here are a few of the key takeaways:

A deadline related to GDPR you might not know: Most people’s inboxes have been bombarded with GDPR-related notices over the course of the last week, but one aspect of GDPR many people aren’t aware of is the 72-hour mandatory notification rule. Firms are supposed to notify accountholders whose data has been breached within 72 hours of when the breach is discovered.

That is not a lot of time.

Pinedo, who also chairs SIFMA’s Technology and Regulation Committee, said the tight deadline means firms will likely need to notify accountholders of the breach while the firm is still investigating the breach. Therefore, firms should have notification protocols in place and practice them before a breach occurs.

But, but, but … the FBI’s Manar said the 72-hour timeline represents yet another reason firms should collaborate with law enforcement on breaches because firms can be given a deadline extension. Manar made no promises and made it clear that all breaches are dealt with on a case-by-case basis, but explained that sometimes law enforcement will not want firms to announce they have been breached so hackers aren’t tipped off that law enforcement might be on their tail. An extension gives law enforcement more time to pursue their investigation.

As a happy side-effect, an extension also gives the breached firm time plan how it will handle the breach announcement and account-holder notifications.

Equifax continues to loom large: The massive data breach that occurred at Experian is still sending aftershocks throughout the data security landscape.

Equifax’s former chief information officer has been charged with insider trading for selling nearly $1 million in shares after the breach was discovered, but before it was made public. The case is being cited as one of the reason data breaches have been added to the list of events that qualify as material nonpublic information.

California is also weighing private right of action for citizens effected by data breaches. The proposal would eliminate the need for class-action suits and could see breached firms ordered to pay fines of $1000 per account hacked.

Departing employees pose an active and passive risk: Disgruntled employees are often the culprits for data breaches, but the panel detailed how departing employees also present a risk. Not only do these employees often know corporate account information, but sometimes their dormant credentials can be targeted by hackers. Without naming any specific companies, Manar said he has encountered numerous Fortune 500 during his days at the FBI that do an extremely poor job at closing out the credentials of departing employees. He urged the attendees to prioritize shutting down all access for employees immediately upon their departure.