|
March 9, 2003
FYI
- Hackers broke into a University of Texas database and stole the
names, Social Security numbers and e-mail addresses of more than
55,000 students, former students and employees, officials said.
http://www.salon.com/tech/wire/2003/03/06/crackers/index.html?x
FYI CLIENTS - GAO report on the Critical Infrastructure Protection:
Efforts of the Financial Services Sector to Address Cyber http://www.gao.gov/new.items/d03173.pdf
FYI - GAO report on Information Technology Training:
Practices of Leading Private-Sector Companies. http://www.gao.gov/new.items/d03390.pdf
INTERNET
COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the
Official Staff Commentary (OSC,) an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated," is a consumer's
authorization via a home banking system.
To satisfy the regulatory requirements, the institution must
have some means to identify the consumer (such as a security code)
and make a paper copy of the authorization available (automatically
or upon request). The
text of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A
financial institution may receive correspondence through an
electronic medium concerning an unauthorized transaction, loss, or
theft of an access device. Therefore,
the institution should ensure that controls are in place to review
these notifications and also to ensure that an investigation is
initiated as required.
INTERNET SECURITY - We continue our
coverage of the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should
institute policies and standards requiring that information and
transactions be encrypted throughout the link between the customer
and the institution. Financial institutions should carefully
consider the impact of implementing technologies requiring that a
third party have control over unencrypted customer information and
transactions.
As wireless application technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless application services. They should also consider
informing customers when wireless Internet devices that require the
use of communications protocols deemed insecure will no longer be
supported by the institution.
The financial institution should consider having regular independent
security testing performed on its wireless customer access
application. Specific testing goals would include the verification
of appropriate security settings, the effectiveness of the wireless
application security implementation and conformity to the
institution's stated standards. The security testing should be
performed by an organization that is technically qualified to
perform wireless testing and demonstrates appropriate ethical
behavior.
PRIVACY
- We continue our coverage of the various issues in the "Privacy of
Consumer Financial Information" published by the financial
regulatory agencies.
Financial Institution Duties ( Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
regulations.
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
consumer:
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a
reasonable means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions. |
