Skip to Content

Earlier today, a major financial services provider entered into a consent order with the Office of the Comptroller of the Currency (OCC) for failing to keep its data secure. A 2019 data breach compromised the provider’s data of 100 million people.

Notably, the bank’s data security practices will end up costing the company a whopping $80 million in civil penalties.

What kinds of data practices were singled out?

According to the consent order, the civil penalty was justified thanks to several aspects of information technology and data management practices. 

  • “The Bank failed to establish effective risk assessment processes prior to migrating its information technology operations to the cloud operating environment.”
  • The Bank “failed to establish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.”
  • “The Bank’s internal audit failed to identify numerous control weaknesses and gaps in the cloud operating environment.” Further, the Bank’s internal audit failed to “effectively report on and highlight identified weaknesses and gaps to the Audit Committee.”
  • The Bank’s “Board failed to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.” 

Because of these issues, the OCC concluded that “the Bank was in noncompliance with 12 C.F.R. Part 30, Appendix B, ‘Interagency Guidelines Establishing Information Security Standards,’ and engaged in unsafe or unsound practices that were part of a pattern of misconduct.”

Ouch. What can financial institutions learn from this order?  

  1. Data is a big deal. If your institution fails to adequately protect it and non-public personal information is released or obtained by hackers, criminals, or other unauthorized third parties, your financial institution will be forced to pay a lot of money to resolve the issue.
  2. Migrating from locally stored data to cloud-stored data is widely viewed as the way of the future. This does not mean you can cut corners in your handling (or your vendor’s handling) of data, or abdicate responsibility merely by transferring data to a vendor’s cloud environment. Make sure your agreements properly allocate the risk for these scenarios and adequately address the “what ifs” – the foreseeable events related to your data.
  3. An institution’s audit team and board of directors must be focused and involved with data decisions. In the case of this financial institution, the OCC found that a lack of engagement from both the audit team and the Board were part of the problem. Focus on data security should come from the top, and Boards must educate themselves on the risks associated with data privacy and security. Failure to do so may even subject a Board to shareholder derivative suits.

Read the consent order here.