Partnering to Protect Privacy
This is the philosophy shared by Brian Dean, SVP of Privacy for KeyCorp in Cleveland, Ohio. "Sometimes less is a better strategy," Dean says. "If you limit the sensitive data, you limit the risk."
In an exclusive interview, Dean discusses:
- Today's top challenges to protecting privacy;
- How KeyCorp meets these challenges;
- Advice to consumers and businesses alike on how they can help protect themselves.
Dean is the current HIPAA officer and SVP of Privacy for KeyCorp, Cleveland, Ohio. He is also an adjunct professor at Bryant and Stratton College. He graduated with a Master of Business Administration degree from Baldwin Wallace in 2000 and received his bachelor's degree in Computer Science from Bowling Green State University in 1987. Dean is a business professional with a strong hands-on technology background and a focus on delivering results, exemplified by more than 20 years of process re-engineering, application development, project management, policy establishment, management, and financial industry experience in a competitive, customer-centric market.
TOM FIELD: Brian, just to start out, why don't you tell us a little bit about yourself and your role at Key Bank, and maybe a little bit about the institution, as well, for the people that aren't as familiar with it.
BRIAN DEAN: Okay. Well, as you've mentioned, I am currently the Senior Vice President of Privacy at KeyCorp, and I'm also the HIPAA Officer. I've been in the privacy profession, really, since it began back in 1999, with the advent of some federal law called Gramm-Leach-Bliley. My current team is tasked with monitoring trends in privacy, both domestically and internationally, and then we implement customer-based solutions.
FIELD: Brian, privacy -- it's a big term, but what does it really mean in the context of how you conduct business at Key today?
DEAN: Well, privacy is governing data collection and maintenance, and sharing use and retention of that data. It's really different from the information security role. You know, information security tends to emphasize access control, or keeping the bad guy out, whereas privacy's focus is "Do you need to collect that data?" "Is the data accurate?" "How long do we really need to retain the data?" And then, of course, respecting how customers want that data to be used.
FIELD: What do you see as your top challenges today in maintaining the privacy of that data?
DEAN: Well, the biggest challenge, really, is maintaining a legally compliant program, in light of the changing data privacy laws. I mean, to be successful, you must manage customer expectations, while highly visible data breaches, such as the recent $130 million Heartland customer breach, really teach this: that nothing is bullet-proof. The real challenge is maintaining privacy, and to look at what data is being collected, who is collecting it, who has access to it, and how long it's retained. It's limiting the data stores, which limits the privacy risk.
FIELD: Brian, what do you see as the biggest threats to privacy today?
DEAN: Well, again, I think it's the data breach, or the loss of data. I mean, if you look at the Heartland example, you know, they settled with MasterCard for a little over $41 million, with Visa for $60 million, and American Express for over $3.5 million. I mean, that's not to mention the pending civil suits. These are real dollars. So, to be successful, privacy programs have to really leverage a multidisciplinary strategy to protect the customer data. In other words, we need to align logical security and physical security, content recovery, vendor management, and privacy strategies, to build a sustainable privacy program.
FIELD: So, talk with us, Brian, about what you've done at Key. What is the bank doing to meet the challenges that you've talked about, and to mitigate the threats that you've just outlined?
DEAN: Well, we aligned our multidisciplinary functions organizationally, so that we can manage the same priority queue. This better enables us to align the strategies to address these threats. It helps us when all the support areas work from the same playbook, and it keeps our program nimble.
FIELD: Now, when we talk about privacy at Key, Brian, give us a sense of what type of a landscape we're looking at. How big is the organization, and how many customer accounts are we talking about?
DEAN: Well, you know, Key is a large regional bank. It's the 12th largest bank in the nation. We have about $95 billion in assets. We are in over 26 countries, with a 13-state domestic footprint. So, a sizeable bank, and therefore, for the bad guys out there, we're also a sizeable target.
FIELD: Sure. When you look at trends that involve privacy, in terms of legislation, future threats, other solutions, what are some of the things that are most on your mind these days, as a privacy officer?
DEAN: Well, legislation will continue unabated in the near future. You know, threats are on the increase, including international threats, and those who are perpetrating the crimes will continue to use more sophisticated techniques, more coordinated attacks. So, for example, today, it's not uncommon for a well-orchestrated attack to gain large quantities of sensitive credit card information, and then to perpetrate the fraud within minutes of the breach. So, solutions will need to be better coordinated, as well. And industries will need to consider working together against these threats. You can see this in banking today. Banks will collaborate, and where possible, share threat knowledge, to limit the risk to the overall industry.
FIELD: If you could boil it down to just a single piece of advice regarding privacy, for consumers and businesses alike, what would you tell them?
DEAN: Well, you can't boil the ocean, so it's really a risk-based approach. You know, at the end of the day, social engineering, hackers, disgruntled employees, and even inadvertent data loss -- these all pose a significant risk to both consumer and business privacy. Now, we can limit the risk by limiting the data that we collect. And as consumers, by limiting the data that we provide. You know, if you recall, just a couple of years ago, businesses would routinely capture Social Security Numbers with no legitimate reason. In today's regulatory environment, just having SSNs stored could result in a costly data breach. So, in short, if the data isn't needed, don't collect it. And if you're a consumer, don't feel bad questioning why certain data elements are being collected. You know, sometimes less is a better strategy, so if you limit the sensitive data, you limit the risk.