Sensitive Information in Financial Services - PowerPoint PPT Presentation

Provided by: gusfu
Learn more at: https://zoo.cs.yale.edu
1
Sensitive Information in Financial Services
  • November 14th, 2003
  • CS 457a
  • G. Fuldner

2
Why is Sensitive Information Important in
Financial Services?
  • It is an information-based industry
  • Almost all information generated in financial
    services is potentially sensitive/private
  • There is often potential for significant monetary
    loss due to lack of privacy

3
Outline
  • Regulations
  • Current Problems
  • Possible Solutions

4
Regulations
5
Gramm-Leach-Bliley
  • Official title: The Financial Modernization Act
    of 1999
  • Ends depression-era separation of investment and
    commercial banking
  • Establishes financial privacy rules and
    safeguards that must be followed to protect
    financial data

6
Definition: Nonpublic Personal Information
  • Nonpublic personal information is personally
    identifiable financial information
      • provided by a consumer to a financial institution,
      • resulting from any transaction with the consumer
        or any service performed for the consumer, or
      • otherwise obtained by the financial institution
  • Publicly available information is not included
  • Any list, description, or other grouping of
    consumers (and publicly available information
    pertaining to them) that is derived using any
    nonpublic personal information is also defined as
    nonpublic personal information.

7
GLB Privacy Rule
  • A financial institution may not disclose
    nonpublic personal information to a nonaffiliated
    third party unless
      • the institution has disclosed to the consumer in
        writing or electronic form that the information
        may be disclosed to a third party, and
      • the consumer has been given the opportunity to
        opt out.
  • Financial institutions are furthermore required
    to provide customers with annual notices of
    privacy policies, including a listing of the types
    of nonpublic personal information that they gather.

8
GLB Privacy Rule II
  • A financial institution is free to disclose
    nonpublic personal information to nonaffiliated
    third parties under many exceptions:
      • to effect, administer, or enforce a transaction
        requested or authorized by the consumer
      • to service or maintain a consumer's account
      • in connection with a securitization or sale of a
        consumer's account
      • at the direction of the consumer
      • to prevent fraud or unauthorized transactions
      • for credit reporting purposes
      • in connection with the sale of the institution
        or a business unit
      • at the request of law enforcement

9
GLB: Who must comply?
  • Businesses that are significantly engaged in
    providing financial products or services to
    consumers, for example:
      • Banks / Credit Unions
      • Mortgage or Credit Card Lenders
      • Securities Brokers
      • Investment Advisors
      • Insurers
      • Check-Cashers
      • Credit Reporting Agencies
      • ATM Operators

10
GLB Safeguards
  • Financial regulators define standards for the
    financial institution relating to administrative,
    technical, and physical safeguards
      • (1) to insure the security and confidentiality of
        customer records and information,
      • (2) to protect against any anticipated threats or
        hazards to the security or integrity of such
        records, and
      • (3) to protect against unauthorized access to or
        use of such records or information which could
        result in substantial harm or inconvenience to
        any customer.

11
GLB Safeguards II
  • Data Safeguard Standards (FTC example):
      • Designate an information security coordinator
      • Identify reasonably foreseeable internal and
        external risks of unauthorized disclosure of
        nonpublic information
      • Employee training
      • Information systems design risk assessment
      • Intrusion detection and system monitoring
      • Appropriate vendor and service provider oversight

12
Effects of GLB
  • Lots of small-type privacy disclosure forms
  • Financial institutions must think about privacy
    as a part of their broader regulatory compliance
    process
  • Actual IT process impact is limited to the
    margins.
  • Common compliance efforts include:
      • Firewalls
      • Network penetration testing / security audits
      • SSL in website communications
      • VPNs for internal corporate communication

13
Other Relevant Legislation
  • USA Patriot Act
      • Requires banks to positively identify new
        customers and check names against lists of known
        terrorists.
      • NOTE: the identification requirement makes
        anonymity-based customer privacy schemes
        impossible.
  • Bank Secrecy Act
      • Gives law enforcement broad powers to access
        nonpublic financial information
      • Requires banks to report suspicious activity

14
Current Problems
15
Information Risk Factors
  • High dependence on information transfer between
    economic agents to conduct financial transactions
  • Industry consolidation has created large
    conglomerates (e.g. Citigroup, BofA) with large
    distributed IT infrastructures
  • Large numbers of customer service and back-office
    workers (e.g. tellers, call center reps) have
    broad access to sensitive customer data.
  • Increased use of outsourcing distributes
    sensitive customer data to third parties who have
    lower incentives to preserve customer privacy.

16
Some Recent Failures
  • May 2002: A teller at Bank One sells lists of
    customer information to an identity theft ring.
  • February 2003: 8 million credit card numbers
    stolen by hackers from the computer system of a
    Nebraska transaction processor.
  • Phishing: an emerging spam problem where users
    get a malicious e-mail that looks like it comes from
    a financial institution website (e.g. Paypal.com)
    and requests that users enter passwords or other
    account information.

Sources: SmartMoney, CNN
17
Basic Problems Still Exist
  • 66% of large financial institutions studied by
    IBM and Watchfire had one or more Web forms that
    collected personally identifiable information but
    did not use SSL encryption.
  • 91% of the companies studied allowed weak forms
    of SSL (e.g. 40-bit RSA) on their websites, while
    128-bit is recommended by Federal bank
    regulators.

18
Possible Solutions
19
Industry Needs
  • Secure methods for institutions to identify
    customers (e.g. a replacement for SSN and mother's
    maiden name).
  • Secure methods for customers to identify
    institutions electronically (e.g. a means of
    verifying the authenticity of a bank website).
  • Data access control systems that restrict access
    to nonpublic personal information to those that
    need to know and provide an audit trail of access
    policy exceptions.
  • Standard methods of enforcing data-use policies
    with third-party service providers.
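
As an added illustration (not from the presentation), the following Python models the disclosure test from the GLB Privacy Rule slides (notice plus opt-out, or one of the listed exceptions) together with the audit trail of policy exceptions asked for under Industry Needs; the request fields, exception names and log format are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Exceptions under which disclosure to a nonaffiliated third party is
# permitted without notice/opt-out (the "GLB Privacy Rule II" list).
# Short names are an assumption of this example.
PERMITTED_EXCEPTIONS = {
    "effect_transaction",   # effect, administer or enforce an authorized transaction
    "service_account",      # service or maintain the consumer's account
    "securitization_sale",  # securitization or sale of the account
    "consumer_direction",   # at the direction of the consumer
    "fraud_prevention",     # prevent fraud or unauthorized transactions
    "credit_reporting",     # credit reporting purposes
    "business_sale",        # sale of the institution or a business unit
    "law_enforcement",      # request of law enforcement
}

@dataclass
class DisclosureRequest:          # constructed request shape, not from the slides
    consumer_id: str
    recipient: str
    recipient_affiliated: bool
    notice_given: bool            # consumer told in writing/electronically
    opted_out: bool
    exception: Optional[str] = None   # a PERMITTED_EXCEPTIONS key, or None

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, req: DisclosureRequest, decision: str, reason: str) -> None:
        self.entries.append({"consumer": req.consumer_id, "recipient": req.recipient,
                             "decision": decision, "reason": reason})

def evaluate(req: DisclosureRequest, log: AuditLog) -> bool:
    """Return True if the disclosure may proceed. Exception-based releases and
    every denial are logged, so policy exceptions leave an audit trail."""
    if req.recipient_affiliated:
        return True  # the rule restricts nonaffiliated third parties only
    if req.exception is not None:
        if req.exception in PERMITTED_EXCEPTIONS:
            log.record(req, "allow", f"exception:{req.exception}")
            return True
        log.record(req, "deny", f"unknown exception:{req.exception}")
        return False
    if req.notice_given and not req.opted_out:
        return True
    log.record(req, "deny", "no notice given" if not req.notice_given else "consumer opted out")
    return False
```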

20
Resources
  • Watchfire (www.watchfire.com) - a suite of IT
    infrastructure privacy monitoring software tools
    and consulting services.