Showing posts with label IT Security.

Friday, September 12, 2008

Compliance With The Red Flag Rules

This article reports that less than one-third of US banks will be compliant with the Red Flag rules by the November 1 deadline. All told, U.S. financial institutions are expected to spend more than $200 million on compliance with the rules. For more on the Red Flag rules, see these posts.

Wednesday, July 09, 2008

Deadline For Red Flag Rules Approaching

With the so-called Red Flag rules set to become effective on Nov. 1, the FTC is beginning a campaign to help educate the public on the details of the new regs. The FTC recently published an Alert to help companies better understand the law. The Red Flag rules require certain types of companies to implement identity theft prevention programs. See this previous post for more info.

Tuesday, June 03, 2008

Vulnerabilities of Printers and Copiers

This AP article, quoting the European Network and Information Security Agency, warns that printers and copiers could be the weak link in a company's cyber defense program. For more on this, see this post by Bruce Schneier responding to a presentation by Brendan O'Connor.

Friday, March 28, 2008

FTC Announces Settlement With TJX, Lexis

The FTC agreed to settle charges with discount retailer TJX and data broker Reed Elsevier. The FTC had sued each of the companies for failing to adequately protect the security of consumer data. Both of the FTC's suits were brought under the unfair trade practices theory of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a). The TJX Complaint is available here; the Reed Elsevier Complaint is available here.

Wednesday, March 26, 2008

Patient Data Exposed Online

Today's Baltimore Sun reports on an incident involving Dental Network, a CareFirst BlueCross BlueShield dental HMO, in which the company accidentally exposed personal information, including Social Security numbers, of about 75,000 members on a public website. A Maryland law (SB 194) enacted last year requires that businesses notify consumers of a breach of their personal information "as soon as reasonably practicable after the business discovers or is notified of the breach." In this case, three weeks passed before CareFirst notified customers of the breach.

Thursday, March 20, 2008

Goal Financial Settles Charges Of Failing To Safeguard Sensitive Information

Student loan company Goal Financial LLC has agreed to settle with the FTC over charges that it failed to adequately safeguard sensitive customer information. The FTC's Complaint alleges a number of violations, including violations of the Commission’s Standards for Safeguarding Customer Information Rule, 16 C.F.R. Part 314, and the Commission’s Privacy of Customer Financial Information Rule, 16 C.F.R. Part 313. Also see the Consent Order Agreement.

Tuesday, March 04, 2008

Identity Theft At Major Financial Institutions

Until recently, there had been no way to compare the relative incidence of identity theft at major financial institutions. Chris Hoofnagle's study "Measuring Identity Theft at Top Banks" uses a novel approach: he compared identity-theft complaint data filed by victims against various banks, obtained through FOIA requests. The study makes clear that the incidence of identity theft is alarmingly high at our major financial institutions, but that some institutions fared better than others.

More Data Breach Resources

CSOonline has a number of interesting articles on the subject of security breach legislation. First, check out their interactive map of security breach legislation. Also see their articles "What's New With Disclosure Legislation?" (an interview with Proskauer Rose attorney Tanya Forsheit) and "The Dos And Don'ts of Disclosure Letters." Finally, see this blog posting on what a federal data breach law would look like.

Thursday, February 07, 2008

Red Flag Regulations

The most recent National Law Journal features an article entitled "Scrambling With ID Theft Programs" (subscription) discussing the so-called "Red Flag Regulations," which implement two sections of the Fair and Accurate Credit Transactions Act. The regulations, formally termed "Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003," require financial institutions and companies offering consumer credit to institute identity theft prevention programs that detect "red flags" which might signal possible foul play. The regs go into effect Nov. 1 of this year.

Thursday, December 27, 2007

Costs Of A Data Breach

A new study of 35 companies that incurred a data breach demonstrates how expensive these incidents are to companies. The study reports that the average total cost per reporting company was more than $6.3 million per breach and ranged from $225,000 to almost $35 million. The study also indicates that these costs are increasing each year and that financial services firms are impacted the most.

Thursday, December 06, 2007

Guide For Businesses On Protecting Personal Information

Entitled "Protecting Personal Information: A Guide for Business," this new tutorial from the FTC outlines a framework businesses can use to implement a data security plan. The framework offered in the tutorial is built on five principles:
  1. Take stock.
  2. Scale down.
  3. Lock it.
  4. Pitch it.
  5. Plan ahead.

Tuesday, October 09, 2007

'07 Global Security Survey

Deloitte recently published its annual review of the state of information security in the financial services industry. The survey includes data from 169 global financial institutions in 32 countries. Key findings include: companies are moving away from a sole focus on shoring up infrastructure against external breaches and are focusing instead on a layered approach of preventive, detective and corrective controls; respondents identified access and identity management (50%) as their top operational initiative; generic countermeasures (encryption, access control, and network security) are proving inadequate at protecting online applications; and in an organization's attempt to prevent security breaches, people remain the weakest link.

Thursday, August 02, 2007

GAO Report On Cybercrime

GAO recently published a new report entitled "Public and Private Entities Face Challenges in Addressing Cyber Threats." From the Executive Summary: "Cybercrime has significant economic impacts and threatens U.S. national security interests. Various studies and experts estimate the direct economic impact from cybercrime to be in the billions of dollars annually. The annual loss due to computer crime was estimated to be $67.2 billion for U.S. organizations, according to a 2005 Federal Bureau of Investigation (FBI) survey."

Monday, July 30, 2007

iPhone Vulnerable To Hackers

This AP article reports on a vulnerability within Apple's iPhone which could make it susceptible to hackers.

Monday, July 23, 2007

State Security Freeze Laws

This page from the World Privacy Forum provides an overview of state security freeze laws, as well as a list of states with enacted security freeze legislation. Each entry includes a link to the full text of that state's security freeze statute.