There’s an important word that seems to have been missing amid the breathless discussions around client data security: purge.
Protect is usually front and center (“How do you protect against unauthorized data access,” for example) and so is monitor (“How do you monitor for unauthorized connections?”). The same rings true with other data security buzzwords, like identify and assess.
But for enterprise financial institutions, responsible for safeguarding confidential information, the most important question for third-party tech vendors is often overlooked: Will you purge my data once our engagement is over?
It shouldn’t be overlooked. Here’s why: All the protecting and monitoring and identifying and assessing can’t guarantee the security and privacy of your information.
There’s a difference.
Security is about protecting your data against illegal attempts to access or corrupt it. Privacy, a higher bar, means taking steps to keep your data away from the reach of unauthorized individuals. Let’s say you’re evaluating technology vendors for the purpose of automating processes you now do manually. On the security front, what you’ll want to know from these vendors is this: Where will you store my data, how will you protect it, how will you know that it’s safe?
And on the privacy front, the key questions are: What data do you collect? How do you use it? With whom do you share it? And how long do you keep it?
But there’s only one question that cuts to the heart of whether a third-party technology vendor will secure your data and keep it private. Do you purge?
“But we have granular access control,” a vendor may respond, referring to security policies that regulate not just who can see your files, but exactly what they’re permitted to see.
Not good enough. Why? Because no matter how comprehensive, detailed, or successful your own security practices may be, once you hand data off, your own controls become meaningless. And if your hand-off is to a vendor who employs third-party affiliates, your vulnerability only increases.
That’s why it’s vital that third parties who will be handling your data not only agree to protect it, but also be able to demonstrate that they are doing so. You’ll hear this from many risk-management professionals.
I would take it a step further: Before engaging any third-party tech vendor with whom you or your firm will be sharing data, demand that they purge it once the engagement is over. Because you’re more than a financial fiduciary.
In a day when information is the lifeblood of business, you’re an information fiduciary as well.