REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Florida health department employees stole data, committed tax
fraud - Two former Orange County Health Department employees and an
accomplice have been arrested in Florida and charged with using
information from thousands of electronic patient records to commit
- Chicago Fed Letter - Bitcoin: A Primer - Bitcoin is a digital
currency that was launched in 2009, and it has attracted much
attention recently. This article reviews the mechanics of the
currency and offers some thoughts on its characteristics.
- Los Angeles creates 'Cyber Intrusion Command Center' - Los Angeles
Mayor Eric Garcetti, citing warnings by President Barack Obama and
National Intelligence Director James Clapper about the threat of
attacks on computer networks, on Wednesday announced the creation of
the city's first "Cyber Intrusion Command Center."
- ICE Hacked Its Own Employees to Teach Self-Defense in Cyberspace -
One federal agency is replacing workforce security awareness
tutorials with real world hack attempts to test employee reflexes.
So far, 80 percent of the personnel trained have successfully fought
off potential cyberspies.
- Switzerland to set up 'Swiss cloud' free of NSA, GCHQ snooping (it
hopes) - Swisscom, the Swiss telco that's majority owned by its
government, will set up a "Swiss cloud" hosted entirely in the land
of cuckoo clocks and fine chocolate – and try to make the service
impervious to malware and uninvited spooks.
- Thanks to a False Sense of Security, Small Businesses Are Skipping
Cyber-Protection - Small and medium-sized businesses (SMB) should be
paying more attention to the growing threat of cybercrime - but they
The Federal Financial Institutions Examination Council today
issued a Press Release concerning Microsoft’s discontinuation of
support for its Windows XP operating system as of April 8, 2014.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Adobe Breach Impacted At Least 38 Million Users - The recent data
breach at Adobe that exposed user account information and prompted a
flurry of password reset emails impacted at least 38 million users,
the company now says.
- Finland’s Foreign Ministry gets pwned by worse-than-Red October
malware - Nordic nation suspects Chinese, Russian intel services
behind attack. Citing unnamed sources, Finnish television channel
MTV3 reports (Google Translate) that the Finnish Ministry of Foreign
Affairs was penetrated by malware over a period of four years.
- Hackers Take Limo Service Firm for a Ride - A hacker break in at a
U.S. company that brokers reservations for limousine and Town Car
services nationwide has exposed the personal and financial
information on more than 850,000 well-heeled customers, including
Fortune 500 CEOs, lawmakers, and A-list celebrities.
- Thousands of cards compromised in classic skimming operation -
Four Romanian nationals have been arrested and charged with
targeting MTA Long Island Rail Road ticket vending machines in a
classic skimming operation that netted the suspects thousands of
credit and debit card numbers, along with PIN codes.
- Cleveland hospital's unencrypted hard drive stolen, thousands
affected - More than 7,100 patients who received care at University
Hospitals of Cleveland are being notified that an unencrypted hard
drive containing their data has been stolen.
- Unencrypted laptop stolen, 11,000 dialysis patients impacted -
More than 11,000 patients and some employees of Colorado-based
kidney care company DaVita are being alerted after an unencrypted
laptop containing their personal data was stolen from a staffer's
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
Return to the top of
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]