REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Report to the Congress - Report to the Congress on the Use of
the ACH System and Other Payment Mechanisms for Remittance Transfers
to Foreign Countries.
- CISPA 'dead' in Senate, privacy concerns cited - The chairman of a
key Senate committee cited "insufficient" privacy protections in the
cybersecurity bill, recently passed by the House. A new report says
the Senate is drafting separate bills.
- DoJ Secretly Granted Immunity to Companies that Participated in
Monitoring Program - The Justice Department agree to grant internet
service providers that participated in a new cybersecurity
monitoring program legal authorization to monitor and intercept
communications traffic, according to documents obtained by the
Electronic Privacy Information Center.
- Judge rejects FBI's bid to hack computer of suspect in attempted
cyberheist - Warrant request too broad, fails to meet 4th amendment
standards - A federal court in Houston has rejected an FBI request
for a warrant to hack into the computer of a suspect in an attempted
- Here’s a Good Reason to Encrypt Your Data - There’s many reasons
to password-protect - or encrypt - one’s digital data. Foremost
among them is to protect it during a security breach.
Text of Ruling:
- DDoS attacks increase across industries - While distributed
denial-of-service (DDoS) attacks aimed at major banks have recently
garnered the majority of headlines around the nation, finance isn't
the only industry grappling with the challenges of the prevalent
threat, according to a new study.
- Panel seeks to fine tech companies for noncompliance with wiretap
orders - A government task force is preparing legislation that would
pressure companies such as Facebook and Google to enable law
enforcement officials to intercept online communications as they
occur, according to current and former U.S. officials familiar with
- U.S. response to bank cyberattacks reflects diplomatic caution,
vexes bank industry - The United States, concerned that Iran is
behind a string of cyberattacks against U.S. banking sites, has
considered delivering a formal warning through diplomatic channels
but has not pursued the idea out of fears that doing so could
escalate hostilities, according to American officials.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- AP Twitter hack looks like a security tipping point - Getting
hacked on Twitter is fast becoming a rite of passage for big
corporations, but Tuesday's attack on the Associated Press could be
a tipping point and shows that social networks must do more to keep
their users safe, security experts said.
- LivingSocial updates encryption practices after password breach
affects 50m - After a massive breach impacted more than 50 million
of its customers, the daily-deal website LivingSocial has updated
its password encryption method to bolster security.
- Syrian Hacktivists Hit Guardian Twitter Feeds - The Syrian
Electronic Army (SEA) announced Sunday that it took over 11 Twitter
feeds belonging to Britain's Guardian newspaper, including its book,
film, photography and travel feeds, as well as multiple journalists'
- LivingSocial hacked; 50 million affected - Hackers target
LivingSocial, stealing the personal data of more than 50 million
people in an enormous security breach. Daily deals Web site
LivingSocial is the latest database target for hackers, who have
compromised the personal information of more than 50 million people.
- Army database housing sensitive data on major US dams breached -
The U.S. Army Corps of Engineers (USACE) has confirmed that a
national database, which contains sensitive information on
potentially hazardous U.S. dams, was accessed by an “unauthorized
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Risk Management of
Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Business Resumption and Contingency Plans
The contract should address the service provider’s responsibility
for backup and record protection, including equipment, program and
data files, and maintenance of disaster recovery and contingency
plans. Responsibilities should include testing of the plans and
providing results to the institution. The institution should
consider interdependencies among service providers when determining
business resumption testing requirements. The service provider
should provide the institution with operating procedures the service
provider and institution are to implement in the event business
resumption contingency plans are implemented. Contracts should
include specific provisions for business recovery timeframes that
meet the institution’s business requirements. The institution should
ensure that the contract does not contain any provisions that would
excuse the service provider from implementing its contingency plans.
Sub-contracting and Multiple Service Provider Relationships
Some service providers may contract with third-parties in providing
services to the financial institution. To provide accountability, it
may be beneficial for the financial institution to seek an agreement
with and designate a primary contracting service provider. The
institution may want to consider including a provision specifying
that the contracting service provider is responsible for the service
provided to the institution regardless of which entity is actually
conducting the operations. The institution may also want to consider
including notification and approval requirements regarding changes
to the service provider’s significant subcontractors.
The contract should fully describe fees and calculations for base
services, including any development, conversion, and recurring
services, as well as any charges based upon volume of activity and
for special requests. Cost and responsibility for purchase and
maintenance of hardware and software may also need to be addressed.
Any conditions under which the cost structure may be changed should
be addressed in detail including limits on any cost increases.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our
review of the OCC Bulletin about Infrastructure Threats and
Intrusion Risks. This week we review Suspicious Activity Reporting.
National banks are required to report intrusions and other computer
crimes to the OCC and law enforcement by filing a Suspicious
Activity Report (SAR) form and submitting it to the Financial Crimes
Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This
reporting obligation exists regardless of whether the institution
has reported the intrusion to the information-sharing organizations
discussed below. For purposes of the regulation and the SAR form
instructions, an "intrusion" is defined as gaining access to the
computer system of a financial institution to remove, steal, procure
or otherwise affect information or funds of the institution or
customers. It also includes actions that damage, disable, or
otherwise affect critical systems of the institution. For example,
distributed denial of service attaches (DDoS) attacks should be
reported on a SAR because they may temporarily disable critical
systems of financial institutions.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with nonaffiliated
third parties and obtain a sample of data shared between the
institution and the third party both inside and outside of the
exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the data
were shared to those stated in the privacy notice and verify that
what the institution tells consumers (customers and those who are
not customers) in its notices about its policies and practices in
this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions and
verify that only nonpublic personal information covered under the
exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).