May 28, 2000
FYI - The Federal Reserve Board published proposed amendments to Regulation Z, Truth in Lending, revising the disclosure requirements for credit and charge card solicitations and applications. Comment is requested by July 18, 2000.
FYI - The Office of the Comptroller of the Currency issued updated guidance to national banks on how to prevent, detect and respond to intrusions into their computer systems. The guidance supplements an OCC bulletin on cyber-terrorism published last year and an alert on distributed denial of service attacks issued in February.
INTERNET SECURITY - We are reviewing the FDIC's December 1997 paper "Security Risks Associated with the Internet." In the last issue, we covered Data Privacy and Confidentiality and Data Integrity. This week we will cover FDIC's comments regarding Authentication, Non-repudiation, and Access Control/System Design.
1) Authentication
Essential in electronic commerce is the need to verify that a particular communication, transaction, or access request is legitimate. To illustrate, computer systems on the Internet are identified by an Internet protocol (IP) address, much like a telephone is identified by a phone number. Through a variety of techniques, generally known as "IP spoofing" (i.e., impersonating), one computer can claim to be another. User identity can be misrepresented just as easily: it is relatively simple to send e-mail which appears to have come from someone else, or even to send it anonymously. Therefore, authentication controls are necessary to establish the identities of all parties to a communication.
2) Non-repudiation
Non-repudiation involves creating proof of the origin or delivery of data to protect the sender against false denial by the recipient that the data has been received or to protect the recipient against false denial by the sender that the data has been sent. To ensure that a transaction is enforceable, steps must be taken to prohibit parties from disputing the validity of, or refusing to acknowledge, legitimate communications or transactions.
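The difference between these two requirements is easy to blur, so here is an added example (it is not from the FDIC paper or from this newsletter) that puts one payment instruction through both kinds of control. The customer and sender names, the payload and the shared key are constructed for the example. A message authentication code (HMAC-SHA256) over a secret shared by customer and bank establishes that the message came from someone holding the key, which is authentication; but because the bank holds the same key it could have minted the tag itself, so the tag proves nothing to a third party. A digital signature (Ed25519, chosen here as one common signature scheme; the FDIC paper does not prescribe an algorithm) can only be produced by the holder of the private key, which is what gives the recipient proof of origin that the sender cannot later deny.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Message is a constructed stand-in for a payment instruction. The From field is
// whatever the sender claims, exactly like the From: header of an e-mail.
type Message struct {
	From    string
	Payload string
}

func (m Message) bytes() []byte { return []byte(m.From + "\n" + m.Payload) }

// macTag authenticates a message with a secret shared by customer and bank.
func macTag(key []byte, m Message) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(m.bytes())
	return h.Sum(nil)
}

// macVerify uses a constant-time comparison so the check itself does not leak the tag.
func macVerify(key []byte, m Message, tag []byte) bool {
	return hmac.Equal(macTag(key, m), tag)
}

// sign and sigVerify use Ed25519: only the holder of priv can sign, anyone with pub can verify.
func sign(priv ed25519.PrivateKey, m Message) []byte { return ed25519.Sign(priv, m.bytes()) }

func sigVerify(pub ed25519.PublicKey, m Message, sig []byte) bool {
	return ed25519.Verify(pub, m.bytes(), sig)
}

// Result records the outcome of each check so the scenario can be inspected or tested.
type Result struct {
	MACAcceptsGenuine bool // the customer's tag verifies
	MACAcceptsForged  bool // the same tag no longer verifies once the payload is altered
	BankCanForgeMAC   bool // the bank, holding the same key, can mint a valid tag for any message
	SigAcceptsGenuine bool // the customer's signature verifies under the customer's public key
	SigAcceptsForged  bool // that signature fails on an altered payload
	BankCanForgeSig   bool // a signature made with any other key fails under the customer's public key
}

// RunScenario walks one legitimate instruction and one forged one through both mechanisms.
func RunScenario() (Result, error) {
	var r Result
	genuine := Message{From: "alice", Payload: "pay bob 100.00"}    // constructed sample
	forged := Message{From: "alice", Payload: "pay mallory 100.00"} // same claimed sender, altered payload

	// Authentication: a shared secret established out of band (constructed here at random).
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return r, err
	}
	tag := macTag(key, genuine)
	r.MACAcceptsGenuine = macVerify(key, genuine, tag)
	r.MACAcceptsForged = macVerify(key, forged, tag)
	// The bank knows the key too, so it can produce a tag that verifies for a message
	// Alice never sent. A valid tag therefore proves nothing to a third party: no non-repudiation.
	r.BankCanForgeMAC = macVerify(key, forged, macTag(key, forged))

	// Non-repudiation: the customer alone holds the private key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	sig := sign(priv, genuine)
	r.SigAcceptsGenuine = sigVerify(pub, genuine, sig)
	r.SigAcceptsForged = sigVerify(pub, forged, sig)
	// The bank has only its own key pair; whatever it signs fails under Alice's public key.
	_, bankPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	r.BankCanForgeSig = sigVerify(pub, forged, sign(bankPriv, forged))
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Two caveats a practitioner would add: the signature only covers the sender's side of the FDIC definition, so proof of delivery needs the recipient to return its own signed acknowledgement; and the proof is only as strong as the custody of the private key and the process that ties the public key to the customer, which is why the FDIC paper treats authentication and non-repudiation as distinct controls rather than one.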
3) Access Control / System Design
Establishing a link between a bank's internal network and the Internet can create a number of additional access points into the internal operating system. Furthermore, because the Internet is global, unauthorized access attempts might be initiated from anywhere in the world. These factors present a heightened risk to systems and data, necessitating strong security measures to control access. Because the security of any network is only as strong as its weakest link, the functionality of all related systems must be protected from attack and unauthorized access. Specific risks include the destruction, altering, or theft of data or funds; compromised data confidentiality; denial of service (system failures); a damaged public image; and resulting legal implications. Perpetrators may include hackers, unscrupulous vendors, former or disgruntled employees, or even agents of espionage.
INTERNET COMPLIANCE - If visitors to Your Bank web site have their browsers configured to "text only," none of the pictures will appear, including the FDIC insurance logo. If the web site carries the FDIC insurance logo only as a picture, then visitors who use "text only" will not know that Your Bank is an FDIC insured bank. While we do not know how the regulators will view this situation, we suggest that you use the text "Member FDIC." If you want to use the FDIC insurance logo, include the text "Member FDIC" along with the logo. This will allow visitors who use the "text only" browser option to know that their deposits are FDIC insured.
PRIVACY STATEMENT - While the financial regulators have written regulations regarding privacy, we thought you might be interested in what the Federal Trade Commission is doing regarding privacy on the Internet.
The FTC submitted a proposal to Congress this week titled "Fair Information Practices in the Electronic Marketplace." It is the result of findings from the 2000 Online Privacy Survey recently conducted by the agency. Results of this study were based on the extent to which the sites surveyed implemented the four fair information practice principles outlined in the agency's 1998 report to Congress. These principles are defined as follows:
1) Notice: Web sites would be required to provide consumers clear and conspicuous notice of their information practices, including what information they collect and how they collect it.
2) Choice: Web sites would be required to offer consumers choices as to how their personal information is used beyond the use for which the information was provided.
3) Access: Web sites would be required to offer consumers reasonable access to the information they have collected about them, including a reasonable opportunity to review information and to correct inaccuracies or delete information.
4) Security: Web sites would be required to take reasonable steps to protect the security of the information they collect from consumers.
Up until now, the FTC's stance on consumer privacy protection has been to allow the Internet industry to self-regulate with respect to these four principles. However, the results of the commission's 2000 Survey have caused officials to change their tune. While 88% of 335 randomly selected Web sites posted privacy policies, the agency found that only 20% followed the choice, access, and security principles.
Citing the lackluster results, the FTC wasted no time in submitting its proposal to Congress on Monday, requesting legislation that would allow it to formally establish and firmly enforce the four fair information practice principles.
Studies have shown that consumers' lack of trust in how their personal information will be handled has resulted in a substantial loss of online sales.
IN CLOSING - Next weekend there will not be a newsletter because I will be traveling to Nashville, Tennessee. On Tuesday, June 6, I am giving a presentation at the American Bankers Association's Regulatory Compliance Conference on Internet Compliance and Internet Security issues. I look forward to meeting those of you who will be attending.
We hope you had a good Memorial weekend,