Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Data losses to incur fines of up to £500,000 - The new statute was
laid before Parliament on 12 January. The Information Commissioner's
Office will be able to issue fines of up to £500,000 for serious
data security breaches.
http://news.bbc.co.uk/2/hi/technology/8455123.stm
FYI -
Connecticut AG uses HITECH to sue over patient data breach -
Connecticut Attorney General (AG) Richard Blumenthal announced
Wednesday that he is suing Health Net of Connecticut for failing to
secure private patient medical records and financial information
involving 446,000 Connecticut enrollees and promptly notify
consumers exposed by the security breach.
http://www.scmagazineus.com/connecticut-attorney-general-sues-over-breach/article/161382/
http://www.healthimaging.com/index.php?option=com_articles&view=article&id=20197:connecticut-ag-uses-hitech-to-sue-over-patient-data-breach
FYI -
U.S. plans to issue official protest to China over attack on Google
- The United States will issue an official protest to the Chinese
government over a major espionage attack targeting Google's computer
systems and rights activists' e-mail accounts that the search-engine
giant said originated in China.
http://www.washingtonpost.com/wp-dyn/content/article/2010/01/15/AR2010011503917_pf.html
FYI -
Google China insiders may have helped with attack - by Elinor Mills - Google is looking into whether employees in its China office were involved in the attacks on its network that led to theft of intellectual property, according to CNET sources.
http://news.cnet.com/8301-27080_3-10436618-245.html?part=rss&subj=news&tag=2547-1_3-0-20
FYI -
Poisoned PDF pill used to attack US military contractors - Yet more
cyber-espionage shenanigans - Unidentified hackers are running an
ongoing cyber-espionage attack targeting US military contractors.
http://www.theregister.co.uk/2010/01/18/booby_trapped_pdf_cyber_espionage/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
U.S. Army Website Hacked - SQL injection, plain-text passwords leave
databases exposed - Romanian hackers continue to have a field day
with SQL injection flaws in major Website applications: A
vulnerability in a U.S. Army Website that leaves the database wide
open to an attacker has now been exposed.
http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=222300588&subSection=Application+Security
FYI -
Hackers pluck 8,300 customer logins from bank server - New variation on an old theme - Hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system.
http://www.theregister.co.uk/2010/01/12/bank_server_breached/
http://www.scmagazineus.com/ny-based-suffolk-county-national-bank-server-hacked/article/161235/
FYI -
Stolen external drive contained Kaiser Permanente patient info - An
external drive containing the sensitive data of thousands of
patients was stolen from an employee of health insurance provider
Kaiser Permanente.
http://www.scmagazineus.com/stolen-external-drive-contained-kaiser-permanente-patient-info/article/161266/
FYI -
Financial firm notifies 1.2M after password mistake - A Concord, N.H.,
financial services company is sending data breach notification
letters to customers after discovering that shared passwords, set up
to simplify administrative functions nearly 10 years ago, could have
exposed the private data of 1.2 million customers.
http://www.computerworld.com/s/article/9145240/Financial_firm_notifies_1.2M_after_password_mistake?taxonomyId=17
http://www.scmagazineus.com/financial-services-firm-notifies-12-million-of-breach/article/161681/
WEB SITE COMPLIANCE - We continue the series regarding FDIC Supervisory Insights regarding Incident Response Programs. (4 of 12)
Reaction Procedures
Assessing security incidents and identifying the unauthorized access
to or misuse of customer information essentially involve organizing
and developing a documented risk assessment process for determining
the nature and scope of the security event. The goal is to
efficiently determine the scope and magnitude of the security
incident and identify whether customer information has been
compromised.
Containing and controlling the security incident involves preventing
any further access to or misuse of customer information or customer
information systems. As there are a variety of potential threats to
customer information, organizations should anticipate the ones that
are more likely to occur and develop response and containment
procedures commensurate with the likelihood of and the potential
damage from such threats. An institution's information security risk
assessment can be useful in identifying some of these potential
threats. The containment procedures developed should focus on
responding to and minimizing potential damage from the threats
identified. Not every incident can be anticipated, but institutions
should at least develop containment procedures for reasonably
foreseeable incidents.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Non-repudiation
Non-repudiation involves creating proof of the origin or delivery of
data to protect the sender against false denial by the recipient
that the data has been received or to protect the recipient against
false denial by the sender that the data has been sent. To ensure
that a transaction is enforceable, steps must be taken to prohibit
parties from disputing the validity of, or refusing to acknowledge,
legitimate communications or transactions.
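As an added illustration that is not part of the FDIC text or of this newsletter: the Go program below contrasts a digital signature, which gives the bank proof of origin that the customer cannot later deny, with a shared-secret MAC, which both parties can produce and which therefore proves nothing to a third party about who sent the message. The transaction string, the key material and the function names (NewSigner, VerifyOrigin, MACTag, MACValid) are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample transaction; not taken from any real system.
const sampleTransaction = "transfer 1000.00 from 12345678 to 87654321 on 2010-01-18"

// Signer holds a customer's key pair. The private key stays with the customer;
// the bank keeps only the public key on file.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for one customer.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces proof of origin: only the holder of the private key could
// have produced a signature that verifies under the matching public key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.private, msg)
}

// VerifyOrigin is what the bank, or a third party settling a dispute, runs.
// It needs only the public key, so the verifier never learns how to sign.
func VerifyOrigin(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// MACTag computes HMAC-SHA256 with a secret shared by customer and bank.
// A valid tag shows the message came from a holder of the secret, but both
// sides hold it, so the tag cannot show which side produced the message.
func MACTag(sharedKey, msg []byte) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write(msg)
	return m.Sum(nil)
}

// MACValid checks a tag in constant time.
func MACValid(sharedKey, msg, tag []byte) bool {
	return hmac.Equal(MACTag(sharedKey, msg), tag)
}

func main() {
	customer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	msg := []byte(sampleTransaction)
	tampered := []byte(sampleTransaction + "0") // amount altered after signing

	sig := customer.Sign(msg)
	fmt.Println("signature verifies under customer's public key:", VerifyOrigin(customer.Public, msg, sig))
	fmt.Println("signature verifies on altered transaction:", VerifyOrigin(customer.Public, tampered, sig))

	sharedKey := []byte("constructed-shared-secret") // constructed value
	tag := MACTag(sharedKey, msg)
	fmt.Println("MAC valid:", MACValid(sharedKey, msg, tag))
	// The bank holds the same secret, so it could have produced an identical
	// tag itself: a MAC alone cannot settle a dispute about who sent the message.
	fmt.Println("bank can mint a valid MAC for any message:", MACValid(sharedKey, tampered, MACTag(sharedKey, tampered)))
}
```

In practice the proof only holds up if the customer's private key is generated and kept where the bank cannot reach it, and if the signed transaction record, the public key and the signature are all retained for the life of the dispute window.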
Access Control / System Design
Establishing a link between a bank's internal network and the
Internet can create a number of additional access points into the
internal operating system. Furthermore, because the Internet is
global, unauthorized access attempts might be initiated from
anywhere in the world. These factors present a heightened risk to
systems and data, necessitating strong security measures to control
access. Because the security of any network is only as strong as its
weakest link, the functionality of all related systems must be
protected from attack and unauthorized access. Specific risks
include the destruction, altering, or theft of data or funds;
compromised data confidentiality; denial of service (system
failures); a damaged public image; and resulting legal implications.
Perpetrators may include hackers, unscrupulous vendors, former or
disgruntled employees, or even agents of espionage.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
SUBPART C - Exception to Opt Out Requirements for Service
Providers and Joint Marketing
47. If the institution discloses nonpublic personal information to
a nonaffiliated third party without permitting the consumer to opt
out, do the opt out requirements of §7 and §10, and the revised
notice requirements in §8, not apply because:
a. the institution disclosed the information to a
nonaffiliated third party who performs services for or functions on
behalf of the institution (including joint marketing of financial
products and services offered pursuant to a joint agreement as
defined in paragraph (b) of §13); [§13(a)(1)]
b. the institution has provided consumers with the initial notice;
[§13(a)(1)(i)] and
c. the institution has entered into a contract with that party
prohibiting the party from disclosing or using the information
except to carry out the purposes for which the information was
disclosed, including use under an exception in §14 or §15 in the
ordinary course of business to carry out those purposes?
[§13(a)(1)(ii)]