FYI -
Reports of federal security breaches double in four months - Federal
agencies report an average of 30 incidents a day in which Americans'
personally identifiable information is exposed, double the number of
incidents reported early this summer, according to the top
information technology executive in the Bush administration.
http://www.govexec.com/story_page.cfm?articleid=38348
FYI -
TJX breach was twice as big as admitted, banks say - The world's
largest credit card heist may be bigger than we thought. Much
bigger. According to court documents filed by a group of banks, more
than 94 million accounts fell into the hands of criminals as a
result of a massive security breach suffered by TJX, the
Massachusetts-based retailer.
http://www.theregister.co.uk/2007/10/24/tjx_breach_estimate_grows/print.html
http://www.scmagazineus.com/Banks-TJX-lost-twice-as-much-data-as-reported/article/58194/
FYI -
Is the media letting banks off the hook on payment card security? -
Gartner analyst Avivah Litan has a bone to pick with the media. She
wants reporters to stop beating up on TJX and other retailers over
security problems and for a change start focusing more on why banks
and credit card companies aren't doing more to fix payment system
security.
http://computerworld.com/blogs/node/6446
FYI -
NIST drafts guidance on risk management - The National Institute of
Standards and Technology has issued a draft of a new report that may
become essential reading for government managers, who all must be
sure their information technology systems are compliant with the
Federal Information Security Management Act.
Article:
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=45302
Report:
http://csrc.nist.gov/publications/drafts/800-39/SP-800-39-ipd.pdf
FYI -
Password-cracking chip causes security concerns - A technique for
cracking computer passwords using inexpensive off-the-shelf computer
graphics hardware is causing a stir in the computer security
community.
http://technology.newscientist.com/article.ns?id=dn12825&feedId=online-news_rss20
FYI -
GAO - Critical Infrastructure Protection: Sector-Specific Plans' Coverage
of Key Cyber Security Elements Varies.
Report -
http://www.gao.gov/cgi-bin/getrpt?GAO-08-113
Highlights -
http://www.gao.gov/highlights/d08113high.pdf
FYI -
Shell Station Customers 'Pay by Touch' - Chicago drivers have a new way
to pay for
gasoline: with their fingertips. Ten Shell gas stations in the Windy
City are testing biometric systems that let consumers walk up to the
pump, scan their fingertips on a device and fill up their vehicles.
http://ap.google.com/article/ALeqM5imXrDCNKoSTtHtigvB8UMp0-O6-QD8SKLD3O0
MISSING COMPUTERS/DATA
FYI -
Court leaks info of alleged ID thief - Timothy Scott Short, this is
just not your week - Things just aren't going well for Timothy Scott
Short. Just days after a pair of tech support calls he made to
printer manufacturer Digimarc Corp. resulted in his arrest, he now
finds himself on the receiving end of a data breach with his Social
Security number and birthdate accidentally made public via the
federal court's Electronic Case Files (ECF) system.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044020&source=rss_topic17
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on Identity
Theft. (Part 4 of 6)
Supervisory Action
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines). The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
identity theft.
Risk management examiners trained in information technology (IT) and
the requirements of the Bank Secrecy Act (BSA) evaluate a number of
aspects of a bank's operations that raise identity theft issues. IT
examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair
Credit Reporting Act (FCRA), through the auspices of the Federal
Financial Institutions Examination Council's (FFIEC) Consumer
Compliance Task Force. These procedures are used during
consumer compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
BSA.
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet."
SECURITY MEASURES
System Architecture and Design
Measures to address access control and system security start with
the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, there is no direct connection to the internal computer
system. However, appropriate firewall technology may be necessary to
protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other
servers provides an added measure of protection, because requests
could be segregated and routed to a particular server (such as a
financial information server or a public information server).
However, some systems may be considered so critical that they should be
completely isolated from all other systems or networks.
Security can also be enhanced by sending electronic
transmissions from external sources to a machine that is not
connected to the main operating system.
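The segmented layout described above (public Web server on its own segment, a screening router that forwards each request only to the server meant to receive it, and a core processing system with no direct connection from the Web tier) can be written down as a first-match rule set and checked mechanically. The following is an added example, not part of the FDIC guidance or this newsletter; the segment names, addresses (RFC 5737 documentation and RFC 1918 ranges) and port numbers are constructed for illustration.

```python
"""Model of a screening router policy for the segmented architecture.

Added example; names, addresses and ports are constructed assumptions.
First matching rule wins, and a packet that matches nothing is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed network segments (not taken from the page).
INTERNET = "0.0.0.0/0"          # any source, including all internal ranges
PUBLIC_WEB = "192.0.2.10/32"    # public information server
FINANCIAL_SRV = "192.0.2.20/32" # financial information server (Web front end)
CORE = "10.10.0.0/16"           # core processing system
BRANCH = "10.20.0.0/16"         # internal staff network


@dataclass(frozen=True)
class Rule:
    src: str            # source network, CIDR notation
    dst: str            # destination network, CIDR notation
    port: Optional[int] # destination TCP port, None means any port
    action: str         # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))


# Order matters: the staff allow must precede the blanket deny for the core.
RULES: List[Rule] = [
    Rule(BRANCH, CORE, None, "allow"),          # staff network may reach core
    Rule(INTERNET, CORE, None, "deny"),         # nobody else may, Web tier included
    Rule(INTERNET, PUBLIC_WEB, 443, "allow"),   # customers reach the Web site
    Rule(INTERNET, FINANCIAL_SRV, 443, "allow"),# customers reach online banking
]

# A common mistake: giving the public Web server a direct path to the core.
BAD_RULES: List[Rule] = [Rule(PUBLIC_WEB, CORE, 1521, "allow")] + RULES


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); default deny when nothing matches."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, port):
            return rule.action, i
    return "deny", None


def exposed_to(rules: List[Rule], network: str, trusted: List[str]) -> List[Rule]:
    """Allow rules that reach `network` from a source not wholly inside `trusted`.

    This is a conservative static check: it flags an allow rule even when an
    earlier deny would shadow it, so the isolation never depends on ordering.
    """
    target = ipaddress.ip_network(network)
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for rule in rules:
        if rule.action != "allow" or not ipaddress.ip_network(rule.dst).overlaps(target):
            continue
        src = ipaddress.ip_network(rule.src)
        if not any(src.subnet_of(t) for t in trusted_nets):
            findings.append(rule)
    return findings


if __name__ == "__main__":
    probes = [
        ("203.0.113.5", "192.0.2.10", 443),  # customer -> Web site
        ("203.0.113.5", "10.10.1.1", 443),   # customer -> core
        ("192.0.2.10", "10.10.1.1", 1521),   # Web server -> core
        ("10.20.3.4", "10.10.1.1", 1521),    # staff -> core
        ("203.0.113.5", "192.0.2.10", 22),   # customer -> Web site, SSH
    ]
    for src, dst, port in probes:
        print(src, "->", dst, port, decide(RULES, src, dst, port))
    print("core exposed via:", exposed_to(RULES, CORE, [BRANCH]))
    print("core exposed via (bad):", exposed_to(BAD_RULES, CORE, [BRANCH]))
```

`decide` answers the question an examiner would ask of a specific path ("can the Web server open a connection to core?"), while `exposed_to` reviews the whole rule set for any allow that touches the core segment from outside the staff network, which is the isolation the guidance calls for.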
IT SECURITY QUESTION:
IT insurance maintained:
a. Blanket bond
b. Equipment and Facilities insurance
c. Media Reconstruction insurance
d. Electronic Funds Transfer insurance
e. Business Interruptions insurance
f. Errors and Omissions insurance
g. Extra Expense and/or Backup Site Expense insurance
h. Items in Transit insurance
i. Internet banking coverage
INTERNET PRIVACY - We continue our series listing the regulatory-privacy
examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
2) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices to all
consumers, who are not customers, before any nonpublic
personal information about the consumer is disclosed to a
nonaffiliated third party, other than under an exception in §§14
or 15? [§4(a)(2)]