January 10, 2006 11:59 AM PST
Feds to banks: Put security policies in writing
Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.
Among other things, those entities are expected to tightly control who can access their customer information systems. They are also called on to monitor physical storage of paper records, set up monitoring systems to detect intruders and provide written contracts outlining how they will respond to suspected breaches.
The new Federal Reserve guidelines don't actually set forth new rules, but they do attempt to clarify some of the legalese contained in the 1999 Gramm-Leach-Bliley Act, which outlined data security standards for financial institutions.
"I believe this guidance is useful for a guidepost in enterprises outside of finance," Benjamin Wright, a frequent speaker on information security and e-commerce, said during a presentation hosted by the SANS Institute.
The evidence, he said, lies in recent situations in which courts or the federal government held nonfinancial companies to the same "reasonableness" standard as they did entities expected to follow Gramm-Leach-Bliley.
The Federal Trade Commission, for instance, found that shoe retailer DSW's failure to implement "reasonable security measures" led to hackers gaining access to the financial information of more than 1.4 million customers.
"A written policy is the first step for establishing we are taking reasonable steps within our enterprise to ensure security," Wright said.
In the wake of several high-profile breaches last year, at both financial and nonfinancial firms, Congress considered a number of proposals intended to broaden data security laws. None of those measures advanced to consideration by the full legislative body.
Wright predicted a new round of congressional action in 2006, particularly to set uniform federal standards amid those adopted by individual states.
But for now, many companies must decide for themselves how best to safeguard their systems.
Federal regulations, Wright said, "don't specifically say, 'You need a firewall,' they don't specifically say, 'You need to use x, y, and z encryption'...The guidance is focused much more on saying you need to have a process, and that process needs to have a written policy, and that policy needs to be alive...But one size does not fit all."