January 10, 2006 11:59 AM PST

Feds to banks: Put security policies in writing

Even if federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said Tuesday.

Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.

Among other things, those entities are expected to tightly control who can access their customer information systems. They are also called on to monitor physical storage of paper records, set up monitoring systems to detect intruders and provide written contracts outlining how they will respond to suspected breaches.

The new Federal Reserve guidelines don't actually set forth new rules, but they do attempt to clarify some of the legalese contained in the 1999 Gramm-Leach-Bliley Act, which outlined data security standards for financial institutions.

"I believe this guidance is useful for a guidepost in enterprises outside of finance," Benjamin Wright, a frequent speaker on information security and e-commerce, said during a presentation hosted by the SANS Institute.

The evidence, he said, lies in recent situations in which courts or the federal government held nonfinancial companies to the same "reasonableness" standard as they did entities expected to follow Gramm-Leach-Bliley.

The Federal Trade Commission, for instance, found that shoe retailer DSW's failure to implement "reasonable security measures" led to hackers gaining access to the financial information of more than 1.4 million customers.

"A written policy is the first step for establishing we are taking reasonable steps within our enterprise to ensure security," Wright said.

In the wake of several high-profile breaches last year, at both financial and nonfinancial firms, Congress considered a number of proposals intended to broaden data security laws. None of those measures advanced to consideration by the full legislative body.

Wright predicted a new round of congressional action in 2006, particularly to set uniform federal standards amid those adopted by individual states.

But for now, many companies must decide for themselves how best to safeguard their systems.

Federal regulations, Wright said, "don't specifically say, 'You need a firewall,' they don't specifically say, 'You need to use x, y, and z encryption'... The guidance is focused much more on saying you need to have a process, and that process needs to have a written policy, and that policy needs to be alive... But one size does not fit all."


Data Security Rules Nothing New
Data security shouldn't be something businesses run from; it should be a matter of doing DUE DILIGENCE by implementing BEST PRACTICES to protect customer information from abuse. I believe 2006 will be the year that consumers stop doing business with companies who cannot demonstrate a written data security program or who have had public security breaches that could have been mitigated, especially when laws exist that require minimum steps to show good faith efforts of data security.

For example, effective May 23, 2003, all financial service providers (regardless of size) were required to be compliant with the Federal Trade Commission Information Safeguards Rule under the Gramm-Leach-Bliley Act. Under the Safeguard Rule, covered financial service businesses are required to implement a written 5-POINT safeguard program and employee safeguard training that protects private customer information from unauthorized access and abuse such as identity theft and fraud.

The FTC Safeguards Rule applies to (but is not limited to):

- and investment advisors

- mortgage lenders / brokers

- loan officers

- insurance agents

- automobile dealers

- CPAs and tax preparers

- real estate title agents

- real estate settlement services

- real estate appraisers

- check cashers / payday lenders

- debt collectors, and

- college / university student loan offices

The FTC is checking for violators and enforcing the law. During a recent nationwide compliance sweep, the FTC charged several mortgage companies and retail stores with non-compliance, deceptive business practices and failure to implement appropriate safeguards. More compliance enforcement action is underway right now, and you can be sure more will follow.

The FTC currently requires that every data security program, at a minimum, contain these five objectives that need to be in place before one of your customers or an auditor asks for proof of compliance:

1. Designation of a Safeguard Program Coordinator or Coordinators;

2. A thorough analysis of the potential internal and external risks to the security, confidentiality, and integrity of customer information;

3. Design and implementation of safeguards to control the identified risks;

4. Confidentiality agreements with third-party service providers who handle your customers' information; and

5. Provisions for the monitoring, regular evaluation, and adjustment of the Program to accommodate changing business practices or other circumstances.

For more information about what a responsible data security program looks like and how to implement one, go to www.safeguardprogram.com. You can also take a free data security risk assessment at www.safeguardprogram.com/free_risk_assessment.htm.

Lawyers are starting to bring (and win) lawsuits against companies who have been negligent in the area of data security practices, where that negligence resulted in identity theft or fraud. I believe this will steer the pace of data security practices across every industry that handles personal information.
Posted by ceebee513 (11 comments)
Right encryption would be a good start!!
I think that introducing the right policies and strong and, most important, FAST encryption would resolve most of the problem. Our company www.cipher.com has a method of encrypting data using the RSA algorithm with speed (for now) up to 1GB/s using a software solution! RSA is today the most reliable crypto algorithm, but it has one major limitation: speed. For the last twenty years many people have been trying to increase its speed (now up to 2 MB/s on hardware). No luck until now. We have such technology. We are waiting for the industry to have a closer look at our technology and stop complaining about missing data and exposing its clients. Data properly secured is a good beginning to fix the problem. If somebody would like to get more information, please visit our website at www.cipherflux.com/technology.
Posted by CIPHERFLUX (2 comments)