The case for CSR/ Sustainability Reporting Done Responsibly


IDENTIFY - MEASURE - MANAGE - CHANGE

Insights on how you can protect the environment, maintain and increase the value of your company, through a structured process.


Case study: How State Street promotes client data protection and privacy

As a global leader in asset management, and as the second oldest financial institution in the United States, with over 30,000 employees and offices in 30 countries around the globe, State Street is committed to protecting and properly handling sensitive client information through a range of information security and customer privacy programs and tools.

This case study is based on the 2016 Corporate Responsibility Report by State Street published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate what CSR/ sustainability reporting done responsibly means. Essentially, it means: a) identifying a company’s most important impacts on the environment, economy and society, and b) measuring, managing and changing.

Abstract

Building trust and confidence with clients, not least by making sure client data is handled responsibly over its entire life cycle, is a top priority for State Street. In order to promote client data protection and privacy, State Street took action to:

  • use a software data classification tool
  • implement a Data Loss Protection Program
  • employ endpoint protection software

What are the material issues the company has identified?

In its 2016 Corporate Responsibility Report, State Street identified a range of material issues, such as compliance and business ethics; talent recruitment, development and retention; client satisfaction; wealth and income creation in society; ESG products and services; fair competition; local job creation; and responsible sourcing. Among these, promoting client data protection and privacy stands out as a key material issue for State Street.

Stakeholder engagement in accordance with the GRI Standards

The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:

“The organization should identify its stakeholders, and explain how it has responded to their reasonable expectations.”

Stakeholders must be consulted in the process of identifying a company’s most important impacts, and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.

Key stakeholder groups State Street engages with:

  • Shareholders
  • Clients
  • Employees
  • Academics
  • NGOs
  • Investment analysts
  • Business partners

How stakeholder engagement was made to identify material issues

To identify and prioritize material topics State Street conducted an online survey among employees, clients, investors, suppliers, NGOs and academics. The survey was supplemented with in-person and online workshops for employees and follow-up interviews with external stakeholders.

What actions were taken by State Street to promote client data protection and privacy?

In its 2016 Corporate Responsibility Report State Street reports that it took the following actions for promoting client data protection and privacy:

  • Using a software data classification tool
    As accurate data classification is highly important for State Street, a software tool that helps classify information assets is deployed. The tool requires that emails and most common user-created documents fall into one of the following classifications: Highly Confidential, Personal Sensitive Data, Confidential, Limited Access, Company Internal or General. All information has to be properly labeled, distributed, stored and disposed of on the basis of this classification.
  • Implementing a Data Loss Protection Program
    To monitor and prevent data leakage, State Street implements a Data Loss Protection Program. The Data Loss Protection Program includes tools that prevent endpoint data loss, web proxy controls, file transfer protocol (FTP) monitoring and internet usage monitoring. In addition, State Street has developed a corporate Data Loss Protection strategy. This strategy will help standardize and streamline such programs across the company.
  • Employing endpoint protection software
    To promote threat detection, as well as analysis of activities on endpoint devices (e.g. laptops, desktops, virtual desktops), State Street applies endpoint protection software. Additionally, through a Shadow IT identification program, State Street is able to detect and analyze data communicated to external sites, so as to further control unauthorized activity and data exfiltration.

Which GRI indicators/Standards have been addressed?

The GRI indicator addressed in this case is G4-PR8: Total number of substantiated complaints regarding breaches of customer privacy and losses of customer data. The updated GRI Standard is Disclosure 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data.

 

References:

1) This case study is based on published information by State Street, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:

http://database.globalreporting.org/

2) http://www.fbrh.co.uk/en/global-reporting-initiative-gri-g4-guidelines-download-page

3) https://g4.globalreporting.org/Pages/default.aspx

4) https://www.globalreporting.org/standards/gri-standards-download-center/

 

Note to State Street: With each case study we send out an email requesting a comment on this case study. If you have not received such an email, please contact us.
