Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Hannaford hit by class-action lawsuits in wake of data-breach disclosure - Hannaford gets hit with lawsuits. How ready are you for one? - In a likely precursor of what's to come, a Philadelphia law firm and an attorney in Maine have filed class-action lawsuits against Hannaford Bros. Co., the Scarborough, Maine-based supermarket chain that this week disclosed a data security breach involving the potential compromise of 4.2 million credit and debit cards.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9070281&source=rss_topic17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - NIH told patients about security breach weeks after incident - The National Heart, Lung and Blood Institute, part of the National Institutes of Health, informed patients on March 20 that a laptop computer containing their unencrypted personal data was stolen from a researcher's car on Feb. 29 -- nearly three weeks after the incident occurred.
http://www.govexec.com/dailyfed/0308/032408bb2.htm
http://www.scmagazineus.com/NIH-laptop-theft-prompts-security-questions/article/108294/?DCMP=EMC-SCUS_Newswire
FYI - Stolen PC had Agilent workers' personal data - A laptop containing sensitive and unencrypted personal data on 51,000 current and former employees of Agilent Technologies was stolen from the car of an Agilent vendor March 1 in San Francisco, the company said in a letter mailed to former employees this week.
http://www.mercurynews.com/peninsula/ci_8660115?nclick_check=1
FYI - Lasell College Identifies Unauthorized Access to Campus Computer Network - Lasell College officials today announced that an employee of the College obtained unauthorized access to data on the campus computer network. The data inappropriately accessed contains some personal information, including names and Social Security numbers of current and former students, faculty, staff and alumni.
http://www.lasell.edu/admission/adm_news_story.asp?iNewsID=563&strBack=/about/adm_news_archive.asp
WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
The goal of logical and administrative access control is to restrict access to system resources. Access should be provided only to authorized individuals whose identity is established, and their activities should be limited to the minimum required for business purposes. Authorized individuals (users) may be employees, TSP employees, vendors, contractors, customers, or visitors.
An effective control mechanism includes numerous controls to safeguard and limit access to key information system assets. This section addresses logical and administrative controls, including access rights administration and authentication through network, operating system, application, and remote access. A subsequent section addresses physical security controls.
ACCESS RIGHTS ADMINISTRATION (1 of 5)
Action Summary - Financial institutions should have an effective process to administer access rights. The process should include the following controls:
1) Assign users and system resources only the access required to perform their required functions,
2) Update access rights based on personnel or system changes,
3) Periodically review users' access rights at an appropriate frequency based on the risk to the application or system, and
4) Design appropriate acceptable-use policies and require users to sign them.
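The four controls above can be checked mechanically against an institution's own entitlement records. The following is an added example, not code from the newsletter or the FFIEC booklet: it runs an access-rights review over a constructed role matrix, user list and grant list (all hypothetical) and reports a finding for each control that is not met.

```python
from datetime import date

# Constructed role-to-entitlement matrix (assumption; not any real institution's).
ROLE_ENTITLEMENTS = {
    "teller": {"core_banking:read", "teller_app:post"},
    "loan_officer": {"core_banking:read", "loan_system:write"},
}
# Review interval by system risk rating (control 3); the day counts are assumptions.
REVIEW_DAYS = {"high": 90, "medium": 180, "low": 365}
SYSTEM_RISK = {"core_banking": "high", "loan_system": "high", "teller_app": "medium"}

# Constructed sample users and grants.
USERS = {
    "alice": {"role": "teller", "terminated": False, "signed_aup": True},
    "bob": {"role": "loan_officer", "terminated": True, "signed_aup": True},
    "carol": {"role": "teller", "terminated": False, "signed_aup": False},
}
GRANTS = [
    {"user": "alice", "entitlement": "core_banking:read", "last_review": date(2008, 2, 1)},
    {"user": "alice", "entitlement": "loan_system:write", "last_review": date(2008, 2, 1)},
    {"user": "bob", "entitlement": "loan_system:write", "last_review": date(2008, 2, 1)},
    {"user": "carol", "entitlement": "teller_app:post", "last_review": date(2007, 6, 1)},
]

def review_access(users, grants, today):
    """Return (user, entitlement, finding) tuples for every grant that fails a control."""
    findings = []
    aup_reported = set()
    for g in grants:
        uid, ent = g["user"], g["entitlement"]
        user = users.get(uid)
        # Control 2: grants must be removed when the person leaves or is unknown.
        if user is None or user["terminated"]:
            findings.append((uid, ent, "stale"))
            continue
        # Control 1: only the access the role needs.
        if ent not in ROLE_ENTITLEMENTS[user["role"]]:
            findings.append((uid, ent, "excess"))
        # Control 3: review frequency driven by the system's risk rating.
        system = ent.split(":", 1)[0]
        if (today - g["last_review"]).days > REVIEW_DAYS[SYSTEM_RISK[system]]:
            findings.append((uid, ent, "review_overdue"))
        # Control 4: a signed acceptable-use policy, reported once per user.
        if not user["signed_aup"] and uid not in aup_reported:
            aup_reported.add(uid)
            findings.append((uid, "*", "aup_unsigned"))
    return findings

if __name__ == "__main__":
    for f in review_access(USERS, GRANTS, date(2008, 3, 28)):
        print(f)
```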
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
11. Determine that biometric systems
• Have an adequately strong and reliable enrollment process,
• Adequately protect against the presentation of forged
credentials (e.g. address replay attacks), and
• Are appropriately tuned for false accepts/false rejects.
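Tuning for false accepts and false rejects is a threshold choice: raising the match threshold lowers the false accept rate (FAR) at the cost of a higher false reject rate (FRR). The following is an added example, not from the newsletter or the FFIEC booklet, that computes both rates from constructed genuine and impostor match scores (the 0-100 scale and the values are assumptions) and picks the threshold an examiner could ask to see justified.

```python
# Constructed match scores on an assumed 0..100 scale; higher means a closer match.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]    # enrolled person vs. own template
IMPOSTOR = [68, 62, 58, 55, 51, 47, 44, 40, 35, 30]   # other people vs. that template

def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR and FRR when a match is declared for score >= threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # genuine users refused
    return far, frr

def candidate_thresholds(genuine=GENUINE, impostor=IMPOSTOR):
    """Every observed score is a point at which the rates can change."""
    return sorted(set(genuine + impostor))

def tune_threshold(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps FAR at or below max_far, i.e. the least FRR
    that still meets the security target.  Returns (threshold, far, frr)."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return None

def equal_error_point(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest; a common comparison point
    between systems, not necessarily the operating point to deploy."""
    def gap(t):
        far, frr = far_frr(t, genuine, impostor)
        return abs(far - frr)
    return min(candidate_thresholds(genuine, impostor), key=gap)

if __name__ == "__main__":
    for t in candidate_thresholds():
        print(t, far_frr(t))
    print("no false accepts in sample:", tune_threshold(0.0))
    print("EER threshold:", equal_error_point())
```

A sample this small only illustrates the trade-off; in a real assessment the rates come from the vendor's tested population and the institution's own enrollment data.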
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:
a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]
b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]
c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or
d. a toll-free telephone number? [§7(a)(2)(ii)(D)]
(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])