Sensitive Information in Financial Services - PowerPoint PPT Presentation

About This Presentation
Title:

Sensitive Information in Financial Services

Description:

February 2003: 8 Million credit card numbers stolen by hackers from the computer ... Paypal.com) and requests users to enter passwords or other account information. ... – PowerPoint PPT presentation

Number of Views:60
Avg rating:3.0/5.0
Slides: 21
Provided by: gusfu
Learn more at: https://zoo.cs.yale.edu
Category:

less

Transcript and Presenter's Notes

Title: Sensitive Information in Financial Services


1
Sensitive Information in Financial Services
  • November 14th, 2003
  • CS 457a
  • G. Fuldner

2
Why is Sensitive Information Important in
Financial Services?
  • It is an information-based industry
  • Almost all information generated in financial
    services is potentially sensitive/private
  • There is often potential for significant monetary
    loss due to lack of privacy

3
Outline
  • Regulations
  • Current Problems
  • Possible Solutions

4
Regulations
5
Graham Leach Bliley
  • Official Title The Financial Modernization Act
    of 1999
  • Ends depression-era separation of investment and
    commercial banking
  • Establishes financial privacy rules and
    safeguards that must be followed to protect
    financial data

6
Definition Nonpublic Personal Information
  • Nonpublic personal information is personally
    identifiable financial information
  • Provided by a consumer to a financial institution
  • Resulting from any transaction with the consumer
    or any service performed for the consumer or
  • Otherwise obtained by the financial institution
  • Publicly available information is not included
  • Any list, description, or other grouping of
    consumers (and publicly available information
    pertaining to them) that is derived using any
    nonpublic personal information is also defined as
    nonpublic personal information.

7
GLB Privacy Rule
  • A financial institution may not disclose
    nonpublic personal information to a nonaffiliated
    third party unless
  • The institution has disclosed to the consumer in
    writing or electronic form that the information
    may be disclosed to a third party.
  • The consumer has been given the opportunity to
    opt-out.
  • Financial institutions are furthermore required
    to provide customers with annual notices of
    privacy policies including a listing of the types
    of nonpublic personal information that it gathers.

8
GLB Privacy Rule II
  • A financial institution is free to disclose
    nonpublic personal information to nonaffiliated
    third parties under many exceptions
  • To effect, administer, or enforce a transaction
    requested or authorized by the consumer
  • To service or maintain a consumers account
  • In connection with a securitization or sale of a
    consumers account
  • At the direction of the consumer
  • To prevent fraud or unauthorized transactions
  • For credit reporting purposes
  • In connection with the sale of the the
    institution or a business unit
  • At the request of law enforcement

9
GLB Who must comply?
  • Businesses that are significantly engaged in
    providing financial products or services to
    consumers
  • For Example
  • Banks/Credit Unions
  • Mortgage or Credit Card Lenders
  • Securities Brokers
  • Investment Advisors
  • Insurers
  • Check-Cashers
  • Credit Reporting Agencies
  • ATM Operators

10
GLB Safeguards
  • Financial regulators define standards for the
    financial institution relating to administrative,
    technical, and physical safeguards
  • (1) to insure the security and confidentiality of
    customer records and information
  • (2) to protect against any anticipated threats or
    hazards to the security or integrity of such
    records and
  • (3) to protect against unauthorized access to or
    use of such records or information which could
    result in substantial harm or inconvenience to
    any customer.

11
GLB Safeguards II
  • Data Safeguard Standards (FTC Example)
  • Designate an information security coordinator
  • Identify reasonably foreseeable internal and
    external risks to unauthorized disclosure of
    nonpublic information.
  • Employee training
  • Information systems design risk assessment
  • Intrusion detection and system monitoring
  • Appropriate vendor and service provider oversight

12
Effects of GLB
  • Lots of small type privacy disclosure forms
  • Financial institutions must think about privacy
    as a part of their broader regulatory compliance
    process
  • Actual IT process impact is limited to the
    margins.
  • Common compliance efforts include
  • Firewalls
  • Network penetration testing / Security audits
  • SSL in website communications
  • VPNs for internal corporate communication

13
Other Relevant Legislation
  • USA Patriot Act
  • Requires banks to positively identify new
    customers and check names against lists of known
    terrorists.
  • NOTE the identification requirement makes
    anonymity-based customer privacy schemes
    impossible
  • Bank Secrecy Act
  • Gives law enforcement broad powers to access
    nonpublic financial information
  • Requires banks to report suspicious activity

14
Current Problems
15
Information Risk Factors
  • High dependence on information transfer between
    economic agents to conduct financial transaction
  • Industry consolidation has created large
    conglomerates (ex. Citigroup, BofA) with large
    distributed IT infrastructures
  • Large numbers of customer service and back-office
    workers (ex. Tellers, Call Center Reps) have
    broad access to sensitive customer data.
  • Increased use of outsourcing distributes
    sensitive customer data to third-parties who have
    lower incentives to preserve customer privacy.

16
Some Recent Failures
  • May 2002 A teller at a Bank One sells lists of
    customer information to an identity theft ring.
  • February 2003 8 Million credit card numbers
    stolen by hackers from the computer system of a
    Nebraska transaction processor.
  • Phishing - An emerging spam problem where users
    get a malicious e-mail that looks like a
    financial institution website (ex. Paypal.com)
    and requests users to enter passwords or other
    account information.

Sources SmartMoney, CNN
17
Basic Problems Still Exist
  • 66 of large financial institutions studied by
    IBM and Watchfire had one or more Web forms that
    collected personally identifiable information but
    did not use SSL encryption.
  • 91 of the companies supported allowed weak forms
    of SSL (ex. 40-bit RSA) in their websites while
    128-bit is recommended by Federal bank
    regulators.

18
Possible Solutions
19
Industry Needs
  • Secure methods for institutions to identify
    customers (ex. a replacement for SS and mothers
    maiden name).
  • Secure methods for customers to identify
    institutions electronically (ex. a means of
    verifying the authenticity of a bank website)
  • Data access control systems that restrict access
    to nonpublic personal information to those that
    need to know and provide an audit trail of access
    policy exceptions
  • Standard methods of enforcing data-use policies
    with third-party service providers.

20
Resources
  • Watchfire (www.watchfire.com) - a suite of IT
    infrastructure privacy monitoring software tools
    and consulting services.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Sensitive Information in Financial Services" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!