Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Woman Sues Best Buy For $54 Million Over Lost Notebook - Raelyn Campbell says she filed the suit and started a blog to bring attention to the "reprehensible state of consumer property and privacy protection practices" at Best Buy.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206504123
FYI - Data Breach Notification Laws, State By State - Five years after California's landmark SB 1386, our interactive map shows you which 38 states have passed laws requiring companies to notify consumers whose personal information has been compromised. Part of an in-depth series about disclosing security breaches.
http://www.csoonline.com/read/020108/ammap/ammap.html
FYI - San Jose councilman's former intern accused of hacking into city e-mail - An 18-year-old former intern to San Jose Councilman Sam Liccardo is facing a felony charge that he illegally hacked into the city's e-mail system more than 100 times looking for political dirt to spread about his former boss's girlfriend.
http://www.mercurynews.com/valley/ci_8280565?nclick_check=1
FYI - GAO Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-496T
Highlights - http://www.gao.gov/highlights/d08496thigh.pdf
FYI - Société Générale trader hacked into computers - The rogue trader accused of the biggest fraud in banking history stayed "invisible" for weeks by hacking into his bank's computer system and removing all traces of his multi-billion pound losses, it has been claimed.
http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/01/25/nsocgen225.xml
http://www.businessweek.com/globalbiz/content/jan2008/gb20080128_400149.htm?campaign_id=rss_daily
FYI - Security policies? Workers ignore them, survey says - Even IT types disregard policies designed to protect corporate data - It's one thing to have a companywide information security policy in place. But it's a whole different ballgame to get employees to actually follow the policies -- even those that are IT types.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17
FYI - CMS to check hospitals for HIPAA security compliance - The Centers for Medicare and Medicaid Services will begin on-site reviews of hospitals' compliance with security rules mandated by the Health Insurance Portability and Accountability Act of 1996.
http://www.govhealthit.com/online/news/350176-1.html?type=pf
FYI - The hands-free way to steal a credit card - Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.
http://www.news.com/8301-10789_3-9875961-57.html?tag=cd.blog
FYI - GAO Information Security: Protecting Personally Identifiable Information.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-343
Highlights - http://www.gao.gov/highlights/d08343high.pdf
FYI - Researchers Find Way to Steal Encrypted Data - Princeton-based researchers broke the encryption system by freezing memory chips, permitting them to read the software. A group led by a Princeton University computer security researcher has developed a simple method to steal encrypted information stored on computer hard disks.
http://www.nytimes.com/2008/02/22/technology/22chip.html?_r=3&oref=slogin&oref=slogin&oref=slogin
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Tenet Healthcare warns 37,000 patients of data compromise - A former employee pleaded guilty to fraudulent use of patient information - Dallas-based Tenet Healthcare Corp. last week sent out notices to about 37,000 patients informing them about the potential compromise of their personal and financial data.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9064018&intsrc=hm_list
FYI - 320,000 IDs on blood bank's missing laptops - Two laptop computers containing data on 320,000 donors to Lifeblood, the Memphis region's blood bank, have gone missing and are presumed stolen, officials said.
http://www.tennessean.com/apps/pbcs.dll/article?AID=/20080214/NEWS03/802140369/1017/NEWS01
FYI - Harvard grad school site hacked, files distributed on BitTorrent network - The website of Harvard University's Graduate School of Arts and Sciences (GSAS) apparently was hacked on Monday, with some of its database files made available on a peer-to-peer file sharing network by someone who said they wanted to "demonstrate" the alleged lack of security on the university's server.
http://www.scmagazineus.com/Harvard-grad-school-site-hacked-files-distributed-on-BitTorrent-network/article/107028/
WEB SITE COMPLIANCE - The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:
When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services. Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk. The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed. This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.
The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan. This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.
For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer. The compliance officer can also be an ongoing resource to test the system for regulatory compliance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
PRIORITIZE RESPONSES
This phase ranks the risk (outcomes and probabilities) presented by various scenarios produced in the analysis phase to prioritize management's response. Management may decide that since some risks do not meet the threshold set in their security requirement, they will accept those risks and not proceed with a mitigation strategy. Other risks may require immediate corrective action. Still others may require mitigation, either fully or partially, over time. Risks that warrant action are addressed in the information security strategy.
In some borderline instances, or if planned controls cannot fully mitigate the risk, management may need to review the risk assessment and risk ranking with the board of directors or a delegated committee. The board should then document its acceptance of the risk or authorize other risk mitigation measures.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
5. Determine if passwords are stored on any machine that is directly or easily accessible from outside the institution, and if passwords are stored in programs on machines that query customer information databases. Evaluate the appropriateness of such storage and the associated protective mechanisms.
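One way an examiner or internal auditor could turn this question into a repeatable check, as an added example that is not part of the newsletter or the FFIEC booklet: a small Python scan that looks for stored passwords in program and configuration files and flags each hit by whether the host is reachable from outside and whether the file talks to a customer database. The host inventory, file paths, file contents and customer-database names are all constructed for the demo, and the "names a customer DB host" test is a labelled heuristic.

```python
import re

# Added example, not from the newsletter or the FFIEC booklet: a scan that
# finds stored passwords in program/config files and flags each hit by host
# exposure and by whether the file talks to a customer information database.
# Every host name, path, database name and file body here is constructed.
HOSTS = {"web-dmz-01": {"external": True}, "app-core-02": {"external": False}}
CUSTOMER_DBS = {"custdb", "custdb.internal"}
FILES = {
    ("web-dmz-01", "/etc/ibank/app.conf"):
        "db.host=custdb.internal\ndb.user=ibank_app\n"
        "db.password=Summer2008!\nlog.level=INFO\n",
    ("app-core-02", "/opt/batch/report.py"):
        "DSN = 'Server=custdb;Database=customers;Uid=report;Pwd=s3cret;'\n"
        "url = 'postgres://etl:hunter2@custdb.internal/customers'\n",
    ("app-core-02", "/opt/batch/vault.conf"):
        "db.password=${VAULT:custdb/report}\n",  # a reference, not a secret
}

# A literal value after a password-like key, or a password embedded in a URL.
KEY_VALUE = re.compile(r"(?i)\b(password|passwd|pwd|secret)\s*[=:]\s*['\"]?([^'\"\s;]+)")
URL_CRED = re.compile(r"://[^\s:/@]+:([^@\s]+)@")

def is_reference(value):
    """Placeholders such as ${VAULT:...}, %ENV% or {{var}} are not stored secrets."""
    return value.startswith(("${", "%", "{{"))

def scan_text(text):
    """Yield (line_no, kind) for each literal password found in text."""
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY_VALUE.search(line)
        if m and not is_reference(m.group(2)):
            yield n, "key=value"
        if URL_CRED.search(line):
            yield n, "url-embedded"

def audit_stored_passwords(hosts, files, customer_dbs):
    """Return findings, riskiest first (external host, then customer-DB access).
    Only the location is reported; the secret itself never enters the report."""
    findings = []
    for (host, path), text in files.items():
        # Heuristic: a file that names a customer DB host is assumed to query it.
        touches_cust_db = any(db in text for db in customer_dbs)
        for line_no, kind in scan_text(text):
            findings.append({"host": host, "path": path, "line": line_no,
                             "kind": kind,
                             "externally_accessible": hosts[host]["external"],
                             "queries_customer_db": touches_cust_db})
    findings.sort(key=lambda f: (f["externally_accessible"], f["queries_customer_db"]), reverse=True)
    return findings
```

Against the constructed inventory the scan reports three stored passwords, with the one on the externally accessible host listed first, and ignores the vault reference.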
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:
a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or
b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]