Security Expert Rebecca Herold on: Total Information Protection
October 10, 2007

Rebecca Herold is a nationally known author and consultant who won national awards for her successful risk management and information protection programs while directing the information security program for Principal Financial Group. She shares her experience building effective information protection programs and also highlights management's responsibilities and liabilities if the program is not developed correctly. You will learn:

(1) What regulatory penalties senior management might incur if data is lost or unsecured
(2) How to rebuild or rejuvenate a risk management program
(3) The five most common ways data leaks from organizations
(4) Best practices for developing and securing employee buy-in for a successful enterprise-level information protection program

Swart: I would like to start by talking about the personal risks that executives of financial institutions face if they fail to implement effective security or to comply with IT security regulations.

Herold: Well, there are many. It is first important, though, for financial institution leaders to understand that there are many laws and regulations requiring information security programs, and these programs must be built based upon risk assessments directly related to safeguarding customer information. Some of the laws and regulations include the U.S.A. Patriot Act, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, and the Fair and Accurate Credit Transactions Act. Also, the FFIEC IT Examination Handbook, the FDIC IT Examination Workpaper, the OTC Consumer Regulations Handbook and various other oversight agencies' guidance require and emphasize the importance and responsibilities of executive leaders to ensure security is in place.

Besides those, there are at least 39 state-level breach notice laws, along with hundreds of other state laws that address and require institutions to provide data protection activities. And then, if your organization has offices outside the U.S., there are over 100 data protection laws within countries throughout the world.
