3 strategies for lenders to mitigate internal threats to consumer data security

With the enactment of the California Consumer Privacy Act of 2018 and the barrage of copycat legislation in other states, there has been significant focus on consumer data and privacy issues from the vantagepoint of the consumer: what information is collected and how consumers can direct companies what to do — or not do — with that information. While the discussion has largely centered on data security within the context of protections from external threats, auto lenders’ loss–mitigation efforts need to consider internal threats to consumer data, as well.  

Lenders big and small that amass consumer data are made up of employees — employees with access to data. So, how should a company protect itself against this internal threat to data security? This article outlines three steps lenders can implement to manage how employees access data and plan for corrective action. 

1. Control Access. Evaluate the different types of data your business collects and who has access to that information. Not all employees should have access to all kinds of data. There should be controls around which levels of authority within the company should have access to data (depending on the type of data) and, then within each level, which individual employees. Each employee should have a level of access that corresponds to the role and responsibility of the position. Clear organization charts and detailed job descriptions will go a long way in helping lenders determine which levels of authority and which individual employees should have access to which types of data. Additionally, robust policies and procedures will support lenders’ efforts to document and implement data-management processes. 

2. Check and Double-Check. Once data access controls are in place, auto lenders should conduct audits and ongoing monitoring to ensure that the right employees are accessing the correct data for the right purpose. This testing should be done according to a predetermined schedule but should also be conducted randomly. Testing should cover the types of data that are being accessed, the people that are accessing the data, and the use of the data after it is accessed. It should also identify access attempts by unauthorized employees and access by authorized employees whose use of the data is improper or beyond the scope of the employee’s authority. 

3. Be Prepared to Take Action. If testing reveals unauthorized access to or improper use of consumer data, companiesneed to be prepared to take action. The action could be against the offender — including additional training and disciplinary action, even termination. The severity of the action will depend on the sensitivity of the data at issue and seriousness of the data usage. Or, the action could be taken at the company level. After discovering internal access breaches, lenders should strengthen access controls and improve company policies and procedures. Gaps revealed during an audit test of data access should be addressed to eliminate or minimize future access issues. 

Susan Chylik is a Member in McGlinchey Stafford’s consumer financial services compliance team and can be contacted at SChylik@mcglinchey.com or (216) 378-9913. McGlinchey Stafford is the Compliance Partner of Auto Finance Excellence (AutoFinanceExcellence.org), a sister service of Auto Finance News.