Massachusetts Gets Tough on Data Security - This spring, the Bay
State will enact stringent technical and policy requirements on how
companies handle the personal information of Massachusetts
residents. As if banks didn't have enough on their plates with
compliance and regulation on the federal front, come May 1, they
will have to be mindful of strict new rules coming from the
Commonwealth of Massachusetts around data security.
Royal Navy warships lose email in virus infection - Windows for
Warships™ combat kit unaffected, says MoD - The Ministry of Defence
confirmed today that it has suffered virus infections which have
shut down "a small number" of MoD systems, most notably including
admin networks aboard Royal Navy warships.
NY policeman plunders US terror watchlist - A New York City Police
Department sergeant has admitted he illegally obtained a name
contained in an FBI terrorist watchlist and gave it to an
acquaintance to use in a child custody case.
NIST proposes risk-based approach to guarding personal data -
Federal agencies are required under various laws, regulations and
mandates to protect the privacy of citizens and secure the
personally identifiable information (PII) that they hold, but this
has not stopped breaches in IT systems that have potentially exposed
millions of personal records.
Privacy groups urge politicians to ensure safeguards for health IT -
Privacy and civil liberties advocates are urging lawmakers working
on the forthcoming economic stimulus package to ensure that any
language to spur adoption of electronic medical records includes
meaningful security safeguards.
IT security risks dismissed by boards, survey finds - A report
released this week by Carnegie Mellon University's CyLab,
illustrates the wide gap between boards of directors and those
responsible for information security in the enterprise, in
particular where board members who still aren't clear on the link
between IT risk and a company's overall risk posture.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Worm infects 1.1M Windows PCs in 24 hours - The computer worm that
exploits a months-old Windows bug has infected more than a million
PCs in the past 24 hours, a security company said.
Hackers affect debit and ATM networks - Leads Forcht Bank to disable
some customer debit cards - Forcht Bank disabled 8,500 customer
debit cards this week after learning they could have potentially
been hacked into by persons creating duplicate cards.
Payment Processor Breach May Be Largest Ever - A data breach last
year at Princeton, N.J., payment processor Heartland Payment Systems
may have compromised tens of millions of credit and debit card
transactions, the company said. If accurate, such figures may make
the Heartland incident one of the largest data breaches ever
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special
rules for multiple-page advertisements. It is not yet clear what
would constitute a single "page" in the context of the
Internet or on-line text. Thus, institutions should carefully review
their on-line advertisements in an effort to minimize compliance
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business"
under HUD's rules prescribing lobby notices. Thus, institutions may
want to consider including the "lobby notice,"
particularly in the case of interactive systems that accept
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
Encryption is used to secure communications and data storage,
particularly authentication credentials and the transmission of
sensitive information. It can be used throughout a technological
environment, including the operating systems, middleware,
applications, file systems, and communications protocols.
Encryption is used both as a prevention and detection control. As a
prevention control, encryption acts to protect data from disclosure
to unauthorized parties. As a detective control, encryption is used
to allow discovery of unauthorized changes to data and to assign
responsibility for data among authorized parties. When prevention
and detection are joined, encryption is a key control in ensuring
confidentiality, data integrity, and accountability.
Properly used, encryption can strengthen the security of an
institution's systems. Encryption also has the potential, however,
to weaken other security aspects. For instance, encrypted data
drastically lessens the effectiveness of any security mechanism that
relies on inspections of the data, such as anti - virus scanning and
intrusion detection systems. When encrypted communications are used,
networks may have to be reconfigured to allow for adequate detection
of malicious code and system intrusions.
Although necessary, encryption carries the risk of making data
unavailable should anything go wrong with data handling, key
management, or the actual encryption. The products used and
administrative controls should contain robust and effective controls
to ensure reliability.
Encryption can impose significant overhead on networks and computing
devices. A loss of encryption keys or other failures in the
encryption process can deny the institution access to the encrypted
Financial institutions should employ an encryption strength
sufficient to protect information from disclosure until such time as
the information's disclosure poses no material threat. For instance,
authenticators should be encrypted at a strength sufficient to allow
the institution time to detect and react to an authenticator theft
before the attacker can decrypt the stolen authenticators.
Decisions regarding what data to encrypt and at what points to
encrypt the data are typically based on the risk of disclosure and
the costs and risks of encryption. Generally speaking,
authenticators are always encrypted whether on public networks or on
the financial institution's network. Sensitive information is also
encrypted when passing over a public network, and also may be
encrypted within the institution.
Encryption cannot guarantee data security. Even if encryption is
properly implemented, for example, a security breach at one of the
endpoints of the communication can be used to steal the data or
allow an intruder to masquerade as a legitimate system user.
Return to the top of the
2. Determine whether sensitive data in both electronic and
paper form is adequately controlled physically through creation,
processing, storage, maintenance, and disposal.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a
sample of third party relationships with nonaffiliated third parties
and obtain a sample of data shared between the institution and the
third party both inside and outside of the exceptions. The sample
should include a cross-section of relationships but should emphasize
those that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts (§13(a)).