U.S. banks balk at data classification

A Canadian initiative for security leads the way

An initiative by several leading Canadian banks to develop standards for data classification has shined an unwanted spotlight on U.S. banks, which appear to be unwilling to follow suit.

A working draft of Canada's common data-sensitivity classification scheme is expected to be released by year's end, said Robert Garigue, coordinator of the initiative and chief information security officer at Toronto-based Bank of Montreal.

The goal is to come up with a standard that "embodies a minimum set of expectations around information classification and controls," he explained.

But there is no similar effort under way in the U.S., despite a growing recognition of the need for a common standard for data labeling here as well, several analysts said.

Standards for information classification will not only help service providers, but will also allow banks to more efficiently retrieve data for regulators—something that today is an arduous and expensive process, said Richard DeLotto, an analyst at Gartner Inc.

The question is, "How would you pull that off in the U.S.?" said Steven Schutze, director of e-strategies at the American Bankers Association in Washington.

The Canadian initiative will give banks and third parties, such as market research companies and check-processing firms, a standard way of labeling and protecting public, internal, regulated and highly sensitive data, Garigue said.

Unlike in Canada, where the country's five major banks are regulated only by the federal government, dozens of major U.S. banks fall under the regulatory purview of state and federal agencies, making it far more difficult to develop standards, DeLotto said.

An executive-level source within a large U.S. financial services consortium, who spoke on condition of anonymity, said the topic of a common data-classification scheme has been widely discussed within the banking industry over the past year. But he said banks are unwilling to speak openly about it for fear that regulators will take over the initiative and force it on the industry.

"Having standards in security practices between our industry and service providers is something that's viewed pretty universally as an area that needs to advance," the source acknowledged.

"It doesn't seem to me that the financial sector here would embrace a single standard unless it was something mandated by the government," said Adam Stone, a security management analyst who asked that his company not be named.

Bob Foster, staff director for the House Financial Services Committee, said it's likely that the issue of data classification for banks will be debated once Congress is back in session next month. "It's safe to say if we're talking about consolidating oversight, then we'll be talking about the mechanisms to do that," Foster said.

"The compliance obligations that banks will have as it relates to managing and measuring operational risk under Basel II" international financial regulations make it a good idea to have a data classification standard, Stone said.

According to Garigue, an agreed-upon industrywide data-classification scheme will enable better interoperability, integrated services and use of data. For example, common business-to-business applications across several banks can be standardized with respect to password management and role-based access to client information, he said.

"We know a lot of banks also have a lot of problems getting their [CRM] programs together because of bad data hygiene," DeLotto said, which makes data classification standards a necessity.


Class Act

Canada's data classification standard aims to:

Allow third-party service providers such as check-processing firms to apply more consistent controls to different categories of data.

Enable better information sharing between banks and third parties.

Enable better processes for data capture, retention schedules, access, sharing and eventual disposal.

Copyright © 2004 IDG Communications, Inc.
