CMS to check hospitals for HIPAA security compliance - The Centers
for Medicare and Medicaid Services will begin on-site reviews of
hospitals' compliance with security rules mandated by the Health
Insurance Portability and Accountability Act of 1996.
Foreign hackers seek to steal Americans' health records - Foreign
hackers, primarily from Russia and China, are increasingly seeking
to steal Americans' health care records, according to a Department
of Homeland Security analyst.
FERC approves cybersecurity standards for power grid - The Federal
Energy Regulatory Commission (FERC) today approved eight mandatory
cybersecurity standards that extend to all entities connected to the
nation's power grid.
Cyber Espionage: A Growing Threat to Business - Cyber espionage is
getting renewed attention as fresh evidence emerges of online
break-ins at U.S. research labs and targeted phishing against
corporations and government agencies here and abroad.
Kansas City, Mo., lost IRS data - Federal investigators blame city
officials for the loss in 2006 of 26 IRS computer tapes containing
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
"Major Retailer's" Data Breach Results In Wave Of Credit Card Fraud?
- Anecdotal evidence suggests that a recently reported data breach
by an undisclosed "major retailer" has resulted in a jump in
consumers having their debit cards forcibly reissued, or calls from
their bank to verify their recent purchase history.
Carphone Warehouse in 'serious' data breach - The company may face
an unlimited fine after it exposed the personal details of thousands
of customers online - Carphone Warehouse has been warned it could
face prosecution for exposing the personal details of thousands of
customers online and, in some cases, inadvertently setting debt
collectors on them.
Personal info lost in Oldham - SENSITIVE personal information on
almost 150 NHS patients in the Oldham area has been `lost', health
bosses admitted. The Oldham NHS Primary Care Trust says two data
sticks containing highly personal assessment notes of 148 clients
who have been in contact with the trust's continuing care service
have been reported missing.
Credit issuer says data lost for 650,000 customers - Backup computer
tape stored by an information protection and storage company is
missing; customers of 230 retailers could be affected. A computer
tape containing personal data of 650,000 customers of about 230
retailers including J.C. Penney is missing, credit card issuer GE
Election Commission laptop harddrive found - Metro Police confirmed
late Thursday they have recovered the hard drive from the laptop
computer, containing names and complete Social Security numbers for
337,000 registered voters, that was stolen from the Election
Commission in December.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures
via electronic means has raised many issues with respect to the
format of the disclosures, the manner of delivery, and the ability
to ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should
review the web site to determine whether the disclosures have been
designed to meet this standard. Institutions may find that the
format(s) previously used for providing paper disclosures may need
to be redesigned for an electronic medium. Institutions may find it
helpful to use "pointers " and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or
other symbols as pointers or hotlinks would not be as clear as
descriptive references that specifically indicate the content of the
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
The quality of security controls can significantly influence all
categories of risk. Traditionally, examiners and bankers recognize
the direct impact on operational/transaction risk from incidents
related to fraud, theft, or accidental damage. Many security
weaknesses, however, can directly increase exposure in other risk
areas. For example, the GLBA introduced additional legal/compliance
risk due to the potential for regulatory noncompliance in
safeguarding customer information. The potential for legal liability
related to customer privacy breaches may present additional risk in
the future. Effective application access controls can reduce credit
and market risk by imposing risk limits on loan officers or traders.
If a trader were to exceed the intended trade authority, the
institution may unknowingly assume additional market risk exposure.
A strong security program reduces levels of reputation and strategic
risk by limiting the institution's vulnerability to intrusion
attempts and maintaining customer confidence and trust in the
institution. Security concerns can quickly erode customer confidence
and potentially decrease the adoption rate and rate of return on
investment for strategically important products or services.
Examiners and risk managers should incorporate security issues into
their risk assessment process for each risk category. Financial
institutions should ensure that security risk assessments adequately
consider potential risk in all business lines and risk categories.
Information security risk assessment is the process used to identify
and understand risks to the confidentiality, integrity, and
availability of information and information systems. An adequate
assessment identifies the value and sensitivity of information and
system components and then balances that knowledge with the exposure
from threats and vulnerabilities. A risk assessment is a necessary
pre-requisite to the formation of strategies that guide the
institution as it develops, implements, tests, and maintains its
information systems security posture. An initial risk assessment may
involve a significant one-time effort, but the risk assessment
process should be an ongoing part of the information security
Risk assessments for most industries focus only on the risk to the
business entity. Financial institutions should also consider the
risk to their customers' information. For example, section 501(b) of
the GLBA requires financial institutions to 'protect against
unauthorized access to or use of customer information that could
result in substantial harm or inconvenience to any customer."
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Access Rights Administration
8. Determine if users are aware of the authorized uses of the
• Do internal users receive a copy of the authorized-use policy,
appropriate training, and signify understanding and agreement before
usage rights are granted?
• Is contractor usage appropriately detailed and controlled
through the contract?
• Do customers and Web site visitors either explicitly agree to
usage terms or are provided a disclosure, as appropriate?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
13. If the institution does not disclose nonpublic personal
information, and does not reserve the right to do so, other than
under exceptions in §14 and §15, does the institution provide a
simplified privacy notice that contains at a minimum:
a. a statement to this effect;
b. the categories of nonpublic personal information it collects;
c. the policies and practices the institution uses to protect the
confidentiality and security of nonpublic personal information; and
d. a general statement that the institution makes disclosures to
other nonaffiliated third parties as permitted by law? [§6(c)(5)]
(Note: use of this type of simplified notice is optional; an
institution may always use a full notice.)