What You Need To Know About Privacy and Why - PowerPoint PPT Presentation

Description:

Title: GLBA Overview Author: E103350 Last modified by: Terry Louise Branch Created Date: 5/25/2005 6:31:41 PM Document presentation format: On-screen Show – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
What You Need To Know About Privacy and Why
  • Lynn A. Goldstein
  • April 16, 2007

2
Federal Gramm-Leach-Bliley Act
3
GLBA Overview
  • Section 501(a) requires financial institutions to
    respect the privacy of their customers and to
    protect the security and confidentiality of those
    customers' nonpublic information, and section
    501(b) requires the establishment of appropriate
    standards relating to administrative, technical
    and physical safeguards
      • to insure the security and confidentiality of
        customer records and information
      • to protect against any anticipated threats or
        hazards to the security or integrity of such
        records and
      • to protect against unauthorized access to or use
        of such records or information which could result
        in substantial harm or inconvenience to any
        customer.
  • Section 503 requires financial institutions to
    provide customers with notice of their privacy
    policies and practices
  • Financial institutions are required to provide
    initial notice of privacy policies and practices
    in 2 circumstances
      • For customers, notice must be provided at time of
        establishing customer relationship, i.e., when
        bank and consumer enter into continuing
        relationship
      • For consumers who are not customers, notice must
        be provided prior to disclosing nonpublic
        personal information about consumer to
        nonaffiliated third party
  • Financial institutions are required to provide
    notice of privacy policies and practices at least
    annually to customers during continuation of
    customer relationship

4
The Fair and Accurate Credit Transactions Act of
2003
  • Section 216 requires final regulations (which are
    consistent with the requirements of and
    regulations issued pursuant to GLBA) to be issued
    requiring any person that maintains or otherwise
    possesses consumer information, or any
    compilation of consumer information, derived from
    consumer reports for a business purpose to
    properly dispose of such information or
    compilation.

5
The Privacy Regulations Under GLBA
  • The Privacy Regulations govern the treatment of
    nonpublic personal information about consumers by
    a financial institution. They
      • Require a financial institution to provide notice
        to customers about its privacy policies and
        practices
      • Describe the conditions under which a financial
        institution may disclose nonpublic personal
        information about consumers to third parties and
      • Provide a method for consumers to prevent a
        financial institution from disclosing that
        information to most nonaffiliated third parties
        by opting out of that disclosure subject to
        certain exceptions.
  • The Privacy Regulations apply only to nonpublic
    personal information about individuals who obtain
    financial products or services primarily for
    personal, family, or household purposes
  • They do not apply to information about
    individuals who obtain financial products and
    services for business, commercial, or
    agricultural purposes.

6
When Privacy Policy Needs to be Provided to
Customer
  • Customer relationship is established when bank
    and consumer enter into continuing relationship
      • Loan
          • When bank originates loan to consumer for
            personal, family or household purposes
          • If bank subsequently transfers servicing rights
            to loan to another financial institution,
            customer relationship transfers with servicing
            rights
      • Other situations. Bank establishes customer
        relationship when consumer
          • Opens credit card account with bank
          • Executes contract to open deposit account with
            bank, obtains credit from bank, or purchases
            insurance from bank
          • Agrees to obtain financial, economic or
            investment advisory services from bank for fee
          • Becomes bank's client for purpose of bank's
            providing credit counseling or tax preparation
            services
  • Initial notice may be provided within reasonable
    time after bank establishes customer relationship
    if
      • Establishing customer relationship is not at
        customer's election
          • If bank acquires customer's deposit liability or
            servicing rights to customer's loan from another
            financial institution and customer does not have
            choice about bank's acquisition

7
When Privacy Policy Needs to be Provided to
Customer cont.
  • Would substantially delay customer's transaction
    and customer agrees to receive notice at later
    time
      • Bank and individual agree over telephone to enter
        into customer relationship involving prompt
        delivery of financial product or service, or
      • Bank establishes customer relationship with
        individual under student loan programs where loan
        proceeds are disbursed promptly without prior
        communication between bank and customer
  • Would not substantially delay customer's
    transaction when relationship is initiated in
    person at bank's office or through other means by
    which customer may view notice, such as on web
    site

8
When Privacy Policy Needs to be Provided to
Non-Customer
  • Notice must be provided prior to disclosing
    nonpublic personal information about consumer to
    nonaffiliated third party
  • "Non-public personal information" means
    personally identifiable financial information
    and any list, description or other grouping of
    consumers derived using any personally
    identifiable financial information that is not
    publicly available
  • "Personally identifiable financial information"
    means any information
      • consumer provides to bank to obtain financial
        product or service from bank
      • about consumer resulting from any transaction
        involving financial product or service between
        bank and consumer or
      • bank otherwise obtains about consumer in
        connection with providing financial product or
        service to that consumer

9
Information To Be Included in Initial and Annual
Privacy Notices
  • GLBA identifies items of information that must be
    included in financial institution's initial and
    annual notices
  • Categories of nonpublic personal information bank
    collects. Bank satisfies this requirement if it
    lists following categories, as applicable
      • Information from consumer
      • Information about consumer's transactions with
        bank or its affiliates
      • Information about consumer's transactions with
        non-affiliated third parties and
      • Information from consumer reporting agency
  • Categories of nonpublic personal information bank
    discloses. Bank satisfies this requirement if it
    lists
      • Categories of nonpublic personal information bank
        collects, as applicable, and
      • Some examples to illustrate types of information
        in each category
  • Categories of affiliates and nonaffiliated third
    parties to whom bank discloses nonpublic personal
    information. Bank satisfies this requirement if
    it lists following categories, as applicable and
    few examples to illustrate types of third parties
    in each category
      • Financial service providers
      • Non-financial companies, and
      • Others

10
Information To Be Included in Initial and Annual
Privacy Notices - cont.
  • Categories of nonpublic personal information
    about bank's former customers bank discloses and
    categories of affiliates and nonaffiliated third
    parties to whom bank discloses nonpublic personal
    information about bank's former customers
  • If bank discloses nonpublic personal information
    to nonaffiliated third party to perform services
    for bank or functions on bank's behalf, separate
    statement of categories of information bank
    discloses and categories of third parties with
    whom bank has contracted. Bank satisfies this
    requirement if it
      • Lists categories of nonpublic personal
        information it discloses, and
      • States whether third party is
          • Service provider that performs marketing services
            on bank's behalf or on behalf of bank and another
            financial institution or
          • Financial institution with whom bank has joint
            marketing agreement
  • Explanation of consumer's right to opt out of
    disclosure of nonpublic personal information to
    nonaffiliated third parties, including methods by
    which consumer may exercise that right at that
    time
  • Any disclosure bank makes under FCRA, i.e.,
    notices regarding ability to opt out of
    disclosures of information among affiliates

11
Information To Be Included in Initial and Annual
Privacy Notices cont.
  • Bank's policies and practices with respect to
    protecting confidentiality and security of
    nonpublic personal information. Bank satisfies
    this requirement if it does both of the
    following
      • Describes in general terms who is authorized to
        have access to information, and
      • States whether bank has security practices and
        procedures in place to ensure confidentiality of
        information in accordance with bank's policy
  • Any disclosures it makes to other nonaffiliated
    third parties as permitted by law
  • If bank is going to disclose nonpublic personal
    information to nonaffiliated third parties (which
    is not otherwise permitted by exception), notice
    must state
      • Bank discloses or reserves right to disclose
        nonpublic personal information about consumer to
        nonaffiliated third party
      • Consumer has right to opt out of that disclosure
          • Opt out means direction by consumer that bank not
            disclose nonpublic personal information about
            that consumer to nonaffiliated third party unless
            otherwise permitted

12
Information To Be Included in Initial and Annual
Privacy Notices - cont.
  • Reasonable means by which consumer may exercise
    opt out right
      • Designates check-off boxes in prominent position
        on relevant forms with opt out notice
      • Includes reply form together with opt out notice
      • Provides electronic means to opt out if consumer
        agrees to electronic delivery of information or
      • Provides toll-free telephone number that consumer
        may call to opt out
  • How bank will treat opt out direction by joint
    consumers

13
Delivery of Annual Privacy Notices
  • Bank must provide notice so that each consumer
    can reasonably be expected to receive actual
    notice in writing or, if consumer agrees,
    electronically
      • Hand-delivers printed copy of notice to consumer
      • Mails printed copy of notice to last known
        address of consumer
      • For consumer who conducts transactions
        electronically, posts notice on electronic site
        and requires consumer to acknowledge receipt of
        notice as necessary step to obtaining particular
        financial product or service
      • For isolated transaction with consumer, such as
        ATM transaction, posts notice on ATM screen and
        requires consumer to acknowledge receipt of
        notice as necessary step to obtaining particular
        financial product or service
  • Bank is not required to provide annual notice to
    customer if customer relationship has been
    discontinued.
  • Bank is not required to provide annual notice to
    former customer
      • Customer is former customer if
          • Deposit account is inactive
          • Closed-end loan has been paid in full, has been
            charged off or sold off and bank has not retained
            servicing rights
          • Credit card relationship or other open-end credit
            relationship and
              • Bank no longer provides any statements or notices
                to customer concerning relationship or
              • Bank sells credit card receivables without
                retaining servicing rights
          • Bank has not communicated with customer about
            relationship for 12 consecutive months

14
How/When Initial Privacy Policies Are Distributed
to Customers

  PRODUCT                        CONTACT                    DISTRIBUTION
  Checking Account               Branch                     Account Opening Kit
  Mortgage                       Branch, Online             Early Disclosure (3-day) Documents
  Mortgage                       Wholesale                  Loan Welcome Package
  Mortgage                       Bulk Acquisition           First billing statement, or solo mail if more than a month
  Credit Card                    Phone, Mail, Online        Welcome Kit (with card)
  Private Label Credit Card      Store                      At store and in mail with Welcome Kit
  Investment Advisory Services   In person, Phone, Online   Agreements that accompany application
  Auto Loan                      Auto Dealer                First set of coupons, or standalone if no coupons
  Student Loan                   School                     Application or new account documents
15
Interagency Guidelines Establishing Standards for
Safeguarding Customer Information
  • Standards for Safeguarding Customer Information
  • Information Security Program
      • Each bank shall implement a comprehensive written
        information security program that includes
        administrative, technical and physical safeguards
        appropriate to the size and complexity of the
        bank and the nature and scope of its activities
      • While all parts of the bank are not required to
        implement a uniform set of policies, all elements
        of the information security program must be
        coordinated
  • Objectives. A bank's information security
    program shall be designed to
      • Ensure the security and confidentiality of
        customer information
      • Protect against any anticipated threats or
        hazards to the security or integrity of such
        information
      • Protect against any unauthorized access to or use
        of such information that could result in
        substantial harm or inconvenience to any
        customer and
      • Ensure the proper disposal of customer
        information and consumer information.
  • Development and Implementation of Information
    Security Program
      • Involve the Board of Directors. The directors or
        an appropriate committee of the board of each
        bank shall
          • Approve the bank's written information security
            program and

16
Safeguards Guidelines - cont'd
      • Oversee the development, implementation, and
        maintenance of the bank's information security
        program, including assigning specific
        responsibility for its implementation and
        reviewing reports from management.
  • Assess Risk. Each bank shall
      • Identify reasonably foreseeable internal and
        external threats that could result in
        unauthorized disclosure, misuse, alteration, or
        destruction of customer information or customer
        information systems.
      • Assess the likelihood and potential damage of
        these threats, taking into consideration the
        sensitivity of customer information
      • Assess the sufficiency of policies, procedures,
        customer information systems, and other
        arrangements in place to control risks.
  • Manage and Control Risk. Each bank shall
      • Design its information security program to
        control identified risks, commensurate with the
        sensitivity of the information as well as the
        complexity and scope of the bank's activities.
        Each bank must consider whether the following
        security measures are appropriate for the bank
        and, if so, adopt those measures the bank
        concludes are appropriate
          • Access controls on customer information systems,
            including controls to authenticate and permit
            access only to authorized individuals and
            controls to prevent employees from providing
            customer information to unauthorized individuals
            who may seek to obtain this information through
            fraudulent means

17
Safeguards Guidelines - cont'd
  • Access restrictions at physical locations
    containing customer information, such as
    buildings, computer facilities, and records
    storage facilities, to permit access only to
    authorized individuals
  • Encryption of electronic customer information,
    including while in transit or in storage on
    networks or systems to which unauthorized
    individuals may have access
  • Procedures designed to ensure that customer
    information system modifications are consistent
    with the bank's information security program
  • Dual control procedures, segregation of duties,
    and employee background checks for employees with
    responsibilities for or access to customer
    information
  • Monitoring systems and procedures to detect
    actual and attempted attacks on or intrusions
    into customer information systems
  • Response programs that specify actions to be
    taken when the bank suspects or detects that
    unauthorized individuals have gained access to
    customer information systems, including
    appropriate reports to regulatory and law
    enforcement agencies and
  • Measures to protect against destruction, loss, or
    damage of customer information due to potential
    environmental hazards, such as fire and water
    damage or technological failures.

18
Safeguards Guidelines cont'd
  • Train staff to implement the bank's information
    security program
  • Regularly test the key controls, systems and
    procedures of the information security program.
      • The frequency and nature of such tests should be
        determined by the bank's risk assessment.
      • Tests should be conducted or reviewed by
        independent third parties or staff independent of
        those that develop or maintain the security
        programs.
  • Develop, implement, and maintain as part of its
    information security program, appropriate
    measures to properly dispose of customer
    information and consumer information in
    accordance with each of the requirements for the
    development and implementation of an information
    security program.
  • Oversee Service Provider Arrangements. Each bank
    shall
      • Exercise appropriate due diligence in selecting
        its service providers
      • Require its service providers by contract to
        implement appropriate measures designed to meet
        the objectives of these Guidelines and
      • Where indicated by the bank's risk assessment,
        monitor its service providers to confirm that
        they have satisfied their obligations as required
        above.

19
Safeguards Guidelines cont'd
      • As part of this monitoring, a bank should review
        audits, summaries of test results, or other
        equivalent evaluations of its service providers.
  • Adjust the Program. Each bank shall
      • Monitor, evaluate, and adjust, as appropriate,
        the information security program in light of
          • Any relevant changes in technology,
          • The sensitivity of its customer information,
          • Internal or external threats to information, and
          • The bank's own changing business arrangements,
            such as
              • Mergers and acquisitions,
              • Alliances and joint ventures,
              • Outsourcing arrangements, and
              • Changes to customer information systems.
  • Report to the Board
      • Each bank shall report to its board or an
        appropriate committee of the board at least
        annually.
      • This report shall describe the overall status of
        the information security program and the bank's
        compliance with these Guidelines.
      • The reports should discuss material matters
        related to its program, addressing issues such
        as

20
Safeguards Guidelines cont'd
      • Risk assessment
      • Risk management and control decisions
      • Service provider arrangements
      • Results of testing
      • Security breaches or violations and management's
        responses and
      • Recommendations for changes in the information
        security program.
  • Implement the Standards
      • Effective Date. Each bank must have already
        implemented an information security program
        pursuant to these Guidelines.
      • Exception for Existing Agreements with Service
        Providers Relating to the Disposal of Consumer
        Information.
          • A bank's contracts with its service providers
            that have access to consumer information and that
            may dispose of consumer information, entered into
            before July 1, 2005, must have complied with the
            provisions of the Guidelines relating to the
            proper disposal of consumer information by July
            1, 2006.

21
Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and
Customer Notice
  • This is an interpretation of the requirements of
    section 501(b) of GLBA and the Safeguards
    Guidelines to include the development and
    implementation of a response program to address
    unauthorized access to, or use of, customer
    information that could result in substantial harm
    or inconvenience to a customer.
  • Components of a Response Program. Every
    financial institution should develop and
    implement a risk-based response program to
    address incidents of unauthorized access to
    customer information in customer information
    systems maintained by the financial institution
    itself or by its domestic and foreign service
    providers.
  • At a minimum, an institution's response program
    should contain procedures for the following
      • Assessing the nature and scope of an incident,
        and identifying what customer information systems
        and types of customer information have been
        accessed or misused
      • Notifying its primary Federal regulator as soon
        as possible when the institution becomes aware of
        an incident involving unauthorized access to or
        use of sensitive customer information, as defined
        below
      • Consistent with the Agencies' Suspicious Activity
        Report (SAR) regulations, notifying appropriate
        law enforcement authorities, in addition to
        filing a timely SAR in situations involving
        Federal criminal violations requiring immediate
        attention, such as when a reportable violation is
        ongoing

22
Response Programs Guidance - cont'd
      • Taking appropriate steps to contain and control
        the incident to prevent further unauthorized
        access to or use of customer information, for
        example, by monitoring, freezing, or closing
        affected accounts, while preserving records and
        other evidence and
      • Notifying customers when warranted.
  • Where an incident of unauthorized access to
    customer information involves customer
    information systems maintained by an
    institution's service providers, it is the
    responsibility of the financial institution to
    notify the institution's customers and regulator.
  • An institution may authorize or contract with its
    service provider to notify the institution's
    customers or regulator on its behalf.
  • Customer Notice. Notifying customers of a
    security incident involving the unauthorized
    access to or use of the customer's information in
    accordance with the standard set forth below is a
    key part of a financial institution's affirmative
    duty to protect their customers' information
    against unauthorized access or use
  • Standard for Providing Notice
      • When a financial institution becomes aware of an
        incident of unauthorized access to sensitive
        customer information, the institution should
        conduct a reasonable investigation to determine
        the likelihood that the information has been or
        will be misused.

23
Response Programs Guidance - cont'd
  • Under the Security Guidelines, an institution
    must protect against unauthorized access to or
    use of customer information that could result in
    substantial harm or inconvenience to any
    customer.
  • Substantial harm or inconvenience is most likely
    to result from improper access to sensitive
    customer information because this type of
    information is most likely to be misused, as in
    the commission of identity theft.
  • For purposes of this Guidance, sensitive customer
    information
      • Means a customer's name, address, or telephone
        number, in conjunction with the customer's social
        security number, driver's license number, account
        number, credit or debit card number, or a
        personal identification number or password that
        would permit access to the customer's account,
        and
      • Includes any combination of components of
        customer information that would allow someone to
        log onto or access the customer's account, such
        as user name and password or password and account
        number.
  • If the institution determines that misuse of its
    information about a customer has occurred or is
    reasonably possible, it should notify the
    affected customer as soon as possible.

24
Response Programs Guidance - cont'd
  • If a financial institution, based upon its
    investigation, can determine from its logs or
    other data precisely which customers' information
    has been improperly accessed, it may limit
    notification to those customers with regard to
    whom the institution determines that misuse of
    their information has occurred or is reasonably
    possible.
  • There may be situations where the institution
    determines that a group of files has been
    accessed improperly but is unable to identify
    which customers' information has been accessed.
  • If the circumstances of the unauthorized access
    lead the institution to determine that misuse of
    the information is reasonably possible, it should
    notify all customers in the group.
  • Customer notice may be delayed if an appropriate
    law enforcement agency determines that
    notification will interfere with a criminal
    investigation and provides the institution with a
    written request for the delay.
  • The institution should notify its customers as
    soon as notification will no longer interfere
    with the investigation.
  • Content of Customer Notice
      • Customer notice should be given in a clear and
        conspicuous manner
      • The notice should
          • Describe the incident in general terms and the
            type of customer information that was the subject
            of unauthorized access or use
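
Scoping a customer notice from access logs, as the two rules on this slide and the definition of sensitive customer information on the previous slide describe it, as an added Python example; this is not part of the presentation or of the Guidance. The log line format, the field names, the sample log lines and the customer ids are all constructed for the example, and the investigation's finding of which user accounts were misused is an input to the function rather than something the code determines.

```python
import re

# Field names are an assumption of this example, not the Guidance's terms.
# "Identifying" fields: the customer's name, address or telephone number.
IDENTIFYING = {"name", "address", "phone"}
# Identifiers that make a record sensitive when paired with an identifying field.
SENSITIVE_IDENTIFIERS = {"ssn", "drivers_license", "account_number",
                         "card_number", "pin", "password"}
# Combinations that on their own would allow someone to log on to the account.
LOGIN_PAIRS = ({"username", "password"}, {"password", "account_number"})

# Constructed log format: one read event per line. A customer id of UNKNOWN
# means the application could not attribute the read to a single customer.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=read "
    r"customer=(?P<cust>\S+) fields=(?P<fields>\S+)$"
)

# Constructed sample: the investigation found that the "jdoe" account was misused.
SAMPLE_LOG = """\
2007-04-16T09:01:02Z user=jdoe action=read customer=C1001 fields=name,address,ssn
2007-04-16T09:01:05Z user=jdoe action=read customer=C1002 fields=name,phone
2007-04-16T09:02:10Z user=asmith action=read customer=C1003 fields=name,account_number
2007-04-16T09:03:44Z user=jdoe action=read customer=C1004 fields=username,password
"""

# Same incident plus a bulk read the application logged without a customer id.
SAMPLE_LOG_BULK = SAMPLE_LOG + (
    "2007-04-16T09:05:00Z user=jdoe action=read customer=UNKNOWN fields=name,ssn\n"
)

# Constructed: every customer whose records live in the affected group of files.
GROUP = ["C1001", "C1002", "C1003", "C1004"]


def is_sensitive(fields):
    """True when the accessed fields meet the Guidance definition of sensitive
    customer information: an identifying field together with a sensitive
    identifier, or any combination that by itself permits account access."""
    fields = set(fields)
    if fields & IDENTIFYING and fields & SENSITIVE_IDENTIFIERS:
        return True
    return any(pair <= fields for pair in LOGIN_PAIRS)


def parse_log(text):
    """Yield (user, customer, fields) per line; reject lines that do not parse
    rather than silently dropping evidence from the investigation."""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        yield m["user"], m["cust"], set(m["fields"].split(","))


def scope_notification(log_text, unauthorized_users, group_customers):
    """Decide whom to notify.

    Rule 1: when the logs show precisely which customers' records an
    unauthorized user read, notify those whose accessed data is sensitive.
    Rule 2: when a sensitive record was read but cannot be tied to a customer,
    the institution cannot tell whose data was exposed, so notify the whole group.
    Returns {"notify": sorted customer ids, "whole_group": bool}."""
    notify = set()
    whole_group = False
    for user, cust, fields in parse_log(log_text):
        if user not in unauthorized_users or not is_sensitive(fields):
            continue
        if cust == "UNKNOWN":
            whole_group = True
        else:
            notify.add(cust)
    if whole_group:
        notify = set(group_customers)
    return {"notify": sorted(notify), "whole_group": whole_group}


if __name__ == "__main__":
    print(scope_notification(SAMPLE_LOG, {"jdoe"}, GROUP))
    print(scope_notification(SAMPLE_LOG_BULK, {"jdoe"}, GROUP))
```

With the first sample, only C1001 (name with SSN) and C1004 (user name with password) are notified; C1002 was read but name and telephone number alone do not meet the definition, and C1003 was read by an account the investigation did not find to be misused. The bulk line in the second sample widens the notice to the whole group. The law-enforcement delay described above affects timing, not scope, so it is not modelled here.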

25
Response Programs Guidance - cont'd
  • Generally describe what the institution has done
    to protect the customer's information from
    further unauthorized access
  • Include a telephone number that customers can
    call for further information and assistance
  • Remind customers of the need to
      • Remain vigilant over the next twelve to
        twenty-four months, and
      • To promptly report incidents of suspected
        identity theft to the institution
  • Include the following additional items, when
    appropriate
      • A recommendation that the customer review account
        statements and immediately report any suspicious
        activity to the institution
      • A description of fraud alerts and an explanation
        of how the customer may place a fraud alert in
        the customer's consumer reports to put the
        customer's creditors on notice that the customer
        may be a victim of fraud
      • A recommendation that the customer periodically
        obtain credit reports from each nationwide credit
        reporting agency and have information relating to
        fraudulent transactions deleted
      • An explanation of how the customer may obtain a
        credit report free of charge and
      • Information about the availability of the FTC's
        online guidance regarding steps a consumer can
        take to protect against identity theft. The
        notice should

26
Response Programs Guidance - cont'd
      • Encourage the customer to report any
        incidents of identity theft to the FTC, and
      • Provide the FTC's Web site address and
        toll-free telephone number that customers may
        use to obtain the identity theft guidance and
        report suspected incidents of identity theft.
  • Financial institutions are encouraged to notify
    the nationwide consumer reporting agencies prior
    to sending notices to a large number of customers
    that include contact information for the
    reporting agencies.
  • Delivery of Customer Notice
      • Customer notice should be delivered in any manner
        designed to ensure that a customer can reasonably
        be expected to receive it.
      • For example, the institution may choose to
        contact all customers affected by telephone or by
        mail, or by electronic mail for those customers
        for whom it has a valid e-mail address and who
        have agreed to receive communications
        electronically.

27
STATE SECURITY BREACH NOTIFICATION LAWS
28
Generally
  • 35 states plus the District of Columbia and
    Puerto Rico have adopted security breach
    notification laws
  • Notification is required when there has been an
    unauthorized acquisition of unencrypted
    computerized personal information
  • Personal information means an individual's
    first name or first initial and last name in
    combination with any one or more of the
    following
      • Social Security Number
      • Driver's license or state identification card
        number
      • Account, credit or debit card number in
        combination with required security code, access
        code or password that would permit access to an
        individual's financial account
  • Written or electronic, or under limited
    circumstances substitute, notice is allowed
  • Disclosure should be made in most reasonable time
    possible and without unreasonable delay
  • Notification may be delayed if a law enforcement
    agency determines that notification will impede a
    criminal investigation

29
Differences
  • In some states (e.g. HI, IN, NC, WI) and New York
    City, paper data as well as computerized data is
    covered
  • In some states, definition of personal
    information includes
      • Medical information (e.g. AK, DE)
      • Biometric data or fingerprints (e.g. NC, WI and
        New York City)
      • Date of birth (e.g. ND)
      • Mother's maiden name (e.g. ND and New York City)
      • Employer identification number (e.g. ND)
      • Financial account number, credit or debit card
        number alone (e.g. GA, ME, VT)
  • Some states require notification of state/local
    agencies (e.g. HI, ME, NH, NJ, NY, NC, and Puerto
    Rico and New York City)
  • Some states require coordination with consumer
    reporting agencies (e.g. CO, DC, FL, GA, HI, IN,
    KS, ME, MI, MN, MT, NV, NH, NJ, NY, NC, OH, PA,
    TN, TX, VT, WI)
  • Some states require notice to be given within 45
    days (e.g. FL, OH)
  • Some states have specific content requirements
    for the notice (e.g. HI, MI, NH, NY, NC, VT, WI)
  • Some states allow telephone notice (e.g. AZ, CO,
    CT, DE, HI, ID, IN, MI, MN, MT, NE, NV, NH, NJ,
    NY, NC, UT, VT)

30
Differences cont.
  • IL does not allow a delay in notification if law
    enforcement requests it
  • Some state laws do not apply to financial
    institutions (or GLBA is deemed compliance with
    that state's law) (AZ, AK, CO, CT, DE, FL, GA,
    HI, ID, IN, KS, LA, MI, MN, NE, NV, NH, NC, ND,
    OH, OK, PA, RI, TN, UT, VT, WI)

31
Risks for Financial Institutions
32
Outside Service Providers (OSP) with Possession of
or Access to Personal Information
  • Confidential Information, Firm Data, and Personal
    Information
      • Define these terms
      • Limit access to and maintain confidentiality of
        such information
      • Require establishment and maintenance of
        appropriate safeguards regarding such information
      • Require prompt notice if OSP becomes aware of
          • Breach of information security procedures
          • Loss or unauthorized access to or use of such
            information
          • Any attempt to access, disclose, use, alter,
            destroy such information
      • Prohibit use of such information to contact any
        person
      • Require compliance with applicable privacy and
        data protection laws
      • Require cooperation with relevant authorities
        with respect to such information
  • Security
      • Require compliance with all of firm's safety and
        security procedures and standards
      • Require compliance with ISO/IEC 17799
        (Information Technology - Code of Practice for
        Information Security Management)
      • Require a report by an independent third party
        audit firm describing OSP control policies and
        procedures (may be satisfied by a Type II SAS 70
        Report) to be provided

33
Outside Service Providers with Possession of or
Access to Personal Information contd.
      • Require certificate of compliance with SEI CMM
        Level 5 to be delivered
      • Require firm to be notified of any events that
        adversely affect OSP's ability to perform its
        obligations
      • Allow firm to conduct ethical hack
      • Take all reasonable precautions against hacker
        attempts
  • Subcontractors
      • Prohibit use of subcontractor without firm's
        prior written consent
      • Require subcontractor to protect Confidential
        Information, Firm Data, and Personal Information
        in a manner substantially equivalent to that of OSP
  • Audit Rights
      • Require auditors, regulators and outside auditors
        to be provided access for the purpose of
        performing audits or on-site inspections
  • Ownership
      • Require firm to be exclusive owner of and to hold
        and retain all right, title and interest in and
        to Firm's Data
  • Security Reporting
      • Require firm to be immediately informed of any
        breaches or attempted breaches in security
      • Require performance of a root cause analysis in
        event of a security breach, provision of a report
        detailing cause of such breach, and remedy of such
        breach within a specified time period

34
Outside Service Providers with Possession of or
Access to Personal Information contd.
      • Require current report by an independent third
        party audit firm describing OSP control policies
        and procedures (may be satisfied by a Type II SAS
        70 Report)
      • Require independent third party nonfinancial
        reports and, if available, internal audit
        reports
      • Require written periodic reports on
          • System and network security incidents and access
            violations and remediation or action plans
          • Confidential Information, Firm Data and Personal
            Information incidents and breaches and
            remediation or action plans
          • Security vulnerability scans or penetration tests
            and remediation or action plans
  • Insurance
      • Workers' Compensation and Employers' Liability
      • Commercial General Liability
      • Automobile Liability
      • All Risk Motor Truck Cargo Insurance
      • Commercial Blanket Bond
      • Computer Software Design Errors and Omissions or
        Similar Professional Liability/Errors and
        Omissions Liability
  • Dispute Resolution
  • Business Continuity/Disaster Recovery
  • Scope of services and service level agreements

35
Phishing
  • A form of social engineering in which an
    attacker, also known as a phisher, attempts to
    fraudulently retrieve legitimate users'
    confidential or sensitive credentials by
    mimicking electronic communications from a
    trustworthy or public organization in an
    automatic fashion
  • Such communications are frequently done through
    emails that direct users to fraudulent websites
    that in turn collect the credentials in question
    for the purpose of theft, fraud, and
    money-laundering
  • Examples of credentials frequently of interest to
    phishers are passwords, credit card numbers,
    social security and other national identification
    numbers, and bank account details
  • The word phishing is an evolution of the word
    fishing by hackers who frequently replace the
    letter f with the letters ph
  • The word arises from the fact that users, or
    phish, are lured by the mimicked communication to
    a trap or hook that retrieves their confidential
    information
  • - Steven Myers, Phishing and
    Countermeasures (2007)

36
Identity Theft
  • The term identity theft means a fraud committed
    or attempted using the identifying information of
    another person without authority
  • The term identifying information means any name
    or number that may be used, alone or in
    conjunction with any other information, to
    identify a specific person, including any
      • name, social security number, date of birth,
        official State or government issued driver's
        license or identification number, alien
        registration number, government passport number,
        employer or taxpayer identification number;
      • unique biometric data, such as fingerprint, voice
        print, retina or iris image, or other unique
        physical representation;
      • unique electronic identification numbers,
        address, or routing code; or
      • telecommunication identifying information or
        access device
  • - 16 CFR 603.2

37
Removable Media
  • Computer storage devices which are not fixed
    inside a computer
  • Examples
      • Compact Flash
      • CDs
      • External hard drives
      • Floppy disks
      • MultiMedia Cards
      • SD Cards
      • USB flash drives
      • xD Picture Card
  • - Wikipedia

38
What the Future Might Bring
39