An initiative by several leading Canadian banks to develop a common standard for classifying data by sensitivity has shined an unwanted spotlight on U.S. banks, which appear to be unwilling to follow suit.
A working draft of Canada’s common data-sensitivity classification scheme is expected to be released by year’s end, said Robert Garigue, coordinator of the initiative and chief information security officer at Toronto-based Bank of Montreal. The goal is to come up with a standard that “embodies a minimum set of expectations around information classification and controls,” he explained.
But there is no similar effort under way in the U.S., despite a growing recognition of the need for a common standard for data labeling south of the border as well, several analysts said.
The Canadian initiative will give banks and third parties, such as market research companies and check-processing firms, a standard way of labeling and protecting public, internal, regulated and highly sensitive data, Garigue said.
Unlike in Canada, where the country’s five major banks are regulated only by the federal government, dozens of major U.S. banks fall under the regulatory purview of state and federal agencies, making it far more difficult to develop standards, said Richard DeLotto, an analyst at Gartner Inc.
“It doesn’t seem to me that the financial sector here would embrace a single standard unless it was something mandated by the government,” said Adam Stone, a security management analyst.