Number of reported cyber incidents jumps - Federal civilian agencies
reported three times as many cyber-related incidents in fiscal 2008
as they did in fiscal 2006 to the Homeland Security Department's
office that coordinates defenses and responses to cyberattacks.
Meanwhile, an official says the office suspects the actual number of
cyber incidents is higher.
Fugitive hacker indicted for running VoIP scam - U.S. seeks
extradition of Miami man who was on the run for more than 2 years -
Just days after his apprehension in Mexico following two years on
the run from law enforcement authorities, an alleged hacker was
indicted this week by a federal grand jury for hacking into the
computer networks of voice-over-IP service providers.
CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA
Privacy Case - The U.S. Department of Health and Human Services
(HHS) and the Federal Trade Commission (FTC) today announced that
CVS, the nation's largest retail pharmacy chain, will pay the U.S.
government a $2.25 million settlement and take corrective action to
ensure it does not violate the privacy of its millions of patients
when disposing of patient information such as identifying
information on pill bottle labels.
Starbucks sued after laptop data breach - A Chicago-area Starbucks
employee has brought a class-action lawsuit against the coffee
retailer, claiming damages from an October 2008 data breach.
Former staff swipe confidential company data - More than half - 59
per cent - of US workers made redundant or who left their job last
year admitted swiping confidential corporate data, such as customer
list, before they left, a new study claims.
Comprehensive health care security with ISO 27001 - Security is an
ongoing concern for most health care providers -- witness the recent
fight over electronic health care records (EHRs) in the debate over
the stimulus bill as it wended its way through Congress.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hackers steal thousands of Wyndham credit card numbers - The company
estimates that 41 Wyndham hotels and resorts were affected - Hackers
broke into a computer at Wyndham Hotels and Resorts last July and
stole tens of thousands of customer credit card numbers, the hotel
chain has warned.
Visa confirms another payment processor breach - Another payment
processor has fallen victim to hackers, Visa confirmed. Visa and
MasterCard are notifying banks about accounts impacted by a "major
compromise," unrelated to the massive Heartland Payment Systems
incident announced last month, according to a number of credit
unions and banking associations.
Government travel site hacked, remains shuttered - A government
website used by a dozen federal agencies to book travel was hacked,
redirecting federal employees to a site capable of downloading
malware. The site, GovTrip.com, remained offline as of Thursday
Three months, three breaches at the Univ. of Florida-Gainesville -
The latest exposes data on more than 97,000 students, faculty, staff
- For the second time in three months, the University of Florida,
Gainesville, has acknowledged a major data breach -- and a statement
posted on the university's Web site indicated that there was a
third, less-public breach discovered by the school during the same
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction
involving stored value products is covered by Regulation E when the
transaction accesses a consumer's account (such as when value is
"loaded" onto the card from the consumer's deposit account
at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule
was issued on March 20, 1998 that allows depository institutions to
satisfy the requirement to deliver by electronic communication any
of these disclosures and other information required by the act and
regulations, as long as the consumer agrees to such method of
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not specifically mentioned in the commentary, this
applies to all new banking services including electronic financial
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically malicious code is mobile, using e - mail, Instant
Messenger, and other peer-to-peer (P2P) applications, or active
content attached to Web pages as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
Return to the top of the
F. PERSONNEL SECURITY
3. Determine if the institution requires personnel with
authority to access customer information and confidential
institution information to sign and abide by confidentiality
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and
annual notices, as well as any simplified notice that the
institution may use. Note that the institution may only use the
simplified notice when it does not also share nonpublic personal
information with affiliates outside of Section 14 and 15 exceptions.
Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written customer records where available, determine if the
institution has adequate procedures in place to provide notices to
customers, as appropriate. Assess the following:
a) Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain
the notice (§9(e)).