Federal Regulators Issue Final Model Privacy Notice Form - Eight
federal regulatory agencies today released a final model privacy
notice form that will make it easier for consumers to understand how
financial institutions collect and share information about
consumers. Under the Gramm-Leach-Bliley Act, institutions must
notify consumers of their information-sharing practices and inform
consumers of their right to opt out of certain sharing practices.
The model form issued today can be used by financial institutions to
comply with these requirements.
Third of Agency Report Daily Cyber Incidents - Survey: 44% of
Agencies Had More Security Incidents in Past Year - Nearly one-third
of federal agencies report at least one cybersecurity incident each
day, with more than half reporting such occurrences weekly,
according to a survey released Tuesday of 300 federal information
security professionals conducted by CDW-Government, a provider of IT
How to DDOS a federal wiretap - Researchers at the University of
Pennsylvania say they've discovered a way to circumvent the
networking technology used by law enforcement to tap phone lines in
MoJ consults on £500k data breach fines - Companies that suffer
serious data breaches could be fined up to £500,000 under government
plans announced this week.
Attack tool can hijack data off unlocked iPhones - Hackers can steal
data off jailbroken iPhones by leveraging the same vulnerability
that currently is being used to spread a mischievous worm.
GAO - Cybersecurity: Continued Efforts Are Needed to Protect
Information Systems from Evolving Threats.
Little to Show for $45 MM Infosec Investment - GAO: Security
Weaknesses at Los Alamos Lab's Classified Network - Los Alamos
National Laboratory has spent $45 million to secure its classified
computer network between fiscal years 2001 and 2008, according to a
report issued Friday by the Government Accountability Office, yet
significant weaknesses remain in safeguarding the confidentiality,
integrity and availability of information stored on and transmitted
over its classified computer network.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Indian police arrest company boss accused of selling medical records
of British patients - The head of an Indian outsourcing company has
been arrested for selling confidential medical records of patients
treated at one of Britain's top private hospitals.
Eight charged in $9.5m payment processor hack - Gone in 12 hours -
Eight men connected to an international crime ring have been charged
with hacking into Atlanta-based bank card processor RBS WorldPay and
stealing more than $9m in 12 hours.
Fraud 'hits' follow local data breach - School employees' Social
Security, bank information stolen - Social Security numbers of
Vancouver Public Schools' 3,000-plus employees are assumed to be
stolen, district officials said.
Blue Cross Blue Shield Data Breach Investigated - Connecticut's
attorney general is looking for tougher protection for healthcare
providers after records, which could be useful to identity thieves,
were lost. Connecticut Attorney General Richard Blumenthal is
investigating Blue Cross Blue Shield's loss of confidential
information, including tax identification and Social Security
numbers, for 800,000 healthcare providers nationwide.
Gang sentenced for UK bank trojan - Alert Print Post commentAlmost
£600,000 siphoned - A British court has sentenced four men to prison
after they admitted they used sophisticated trojan software to steal
almost £600,000 from bank accounts and send it to Eastern Europe.
Settlement OK'd over hacking into financial firm - A federal judge
approved a settlement Thursday in a class action lawsuit against
D.A. Davidson & Co. over clients' information that was compromised
by a computer hacker almost two years ago.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Sound Practices for Managing Outsourced E-Banking Systems
(Part 2 of 3)3. Banks should adopt appropriate procedures for ensuring the
adequacy of contracts governing e-banking. Contracts governing
outsourced e-banking activities should address, for example, the
a) The contractual liabilities of the respective parties as well as
responsibilities for making decisions, including any sub-contracting
of material services are clearly defined.
b) Responsibilities for providing information to and receiving
information from the service provider are clearly defined.
Information from the service provider should be timely and
comprehensive enough to allow the bank to adequately assess service
levels and risks. Materiality thresholds and procedures to be used
to notify the bank of service disruptions, security breaches and
other events that pose a material risk to the bank should be spelled
c) Provisions that specifically address insurance coverage, the
ownership of the data stored on the service provider's servers or
databases, and the right of the bank to recover its data upon
expiration or termination of the contract should be clearly defined.
d) Performance expectations, under both normal and contingency
circumstances, are defined.
e) Adequate means and guarantees, for instance through audit
clauses, are defined to insure that the service provider complies
with the bank's policies.
f) Provisions are in place for timely and orderly intervention and
rectification in the event of substandard performance by the service
g) For cross-border outsourcing arrangements, determining which
country laws and regulations, including those relating to privacy
and other customer protections, are applicable.
h) The right of the bank to conduct independent reviews and/or
audits of security, internal controls and business continuity and
contingency plans is explicitly defined.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
the next few weeks, we will cover the FDIC's "Guidance
on Managing Risks Associated With Wireless Networks and Wireless
Financial institutions are actively evaluating and implementing
wireless technology as a means to reach customers and reduce the
costs of implementing new networks. In light of this fast-developing
trend, the Federal Deposit Insurance Corporation (FDIC) is providing
financial institutions with the following information about the
risks associated with wireless technology and suggestions on
managing those risks. Please share this information with your Chief
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective
alternative for providing network connectivity to financial
institution information systems. Institutions that are installing
new networks are finding the installation costs of wireless networks
competitive compared with traditional network wiring. Performance
enhancements in wireless technology have also made the adoption of
wireless networks attractive to institutions. Wireless networks
operate at speeds that are sufficient to meet the needs of many
institutions and can be seamlessly integrated into existing
networks. Wireless networks can also be used to provide connectivity
between geographically close locations without having to install
Wireless Internet access to banking applications is also becoming
attractive to financial institutions. It offers customers the
ability to perform routine banking tasks while away from the bank
branch, automated teller machines or their own personal computers.
Wireless Internet access is a standard feature on many new cellular
phones and hand-held computers.
Many of the risks that financial institutions face when implementing
wireless technology are risks that exist in any networked
environment (see FIL-67-2000, "Security Monitoring of Computer
Networks," dated October 3, 2000, and the 1996 FFIEC
Information Systems Examination Handbook, Volume 1, Chapter 15).
However, wireless technology carries additional risks that financial
institutions should consider when designing, implementing and
operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over
the wireless network;
2) Disruption of wireless service from radio transmissions of
other wireless devices;
3) Intrusion into the institution's network through wireless
network connections; and
4) Obsolescence of current systems due to rapidly changing
These risks could ultimately compromise the bank's computer system,
1) Financial loss due to the execution of unauthorized
2) Disclosure of confidential customer information, resulting
in - among other things - identity theft (see FIL-39-2001,
"Guidance on Identity Theft and Pretext Calling," dated
May 9, 2001, and FIL-22-2001, "Guidelines Establishing
Standards for Safeguarding Customer Information," dated March
3) Negative media attention, resulting in harm to the
institution's reputation; and
4) Loss of customer confidence.
the top of the newsletter
IT SECURITY QUESTION:
Does the institution have
an internal auditor?
Does internal auditor audit the IT operations?
Does the institution have an external financial auditor?
Does the institution have an external IT auditor?
Does the auditor report IT auditing activities to the Board of
Directors or a committee thereof?
Does the internal auditor have any conflicting duties?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
38. For customers only, does the institution ensure that the
initial, annual, and revised notices may be retained or obtained
later by the customer in writing, or if the customer agrees,