Complying with the Federal Trade Commission Rule Concerning Standards for Safeguarding Customer Information


March 2010

This document is presented for general informational purposes only. The goal of this document is not to provide specific legal advice. New laws, judicial interpretations of laws, and regulations adopted after the publication of this document may affect the accuracy of the general information presented. The National Pawnbrokers Association urges members to seek the advice of their local counsel before making any specific decisions concerning the legality of their specific OFAC compliance procedures and their particular actions in individual situations governed by the laws and regulations enforced by OFAC.

This document is protected by copyright, National Pawnbrokers Association. All rights reserved. Reproduction in any form of any portion of this document and any attachments or accompanying materials is strictly prohibited without the express written consent of the National Pawnbrokers Association.

Table of Contents

I. Why Should Pawnbrokers Care about the FTC Safeguards Rule?
II. What are the Basic Requirements of the Safeguards Rule?
III. Conclusion
1. Evaluating the risks to the security of all customer information you receive from any customer or from others in the course of a transaction with a customer or that you send to any service provider;
2. Developing, implementing, and maintaining a written information security policy for your company that covers every consumer financial product your company offers;
3. Ensuring that your information security policy includes administrative, technical, and physical safeguards for all of the customer information you have or share with your service provider;
4. Selecting appropriate service providers and entering into or amending your contract with service providers to implement and maintain safeguards themselves;
5. Ensuring that the safeguards are appropriate to the size and complexity of your company and the consumer financial products you offer, the nature and scope of the activities in which your company engages, and the sensitivity of any customer information in your possession;
6. Training your employees about your information security policies and procedures, and re-training them as policies and procedures change;
7. Monitoring compliance and developing and implementing changes to your information security policies as your monitoring of risks, upgrading technology, or modifying programs as new laws or regulations may require; and,
8. Managing and responding to system failures, including intentional releases of customer information or computer attacks on your customer information.
IV. Where to Get Help with Your Information Security Program

I. Why Should Pawnbrokers Care about the FTC Safeguards Rule?

Every pawnbroker in the United States must comply with two regulations promulgated by the Federal Trade Commission (FTC) that focus on the privacy and security of information provided by consumers. [1]

The first of these rules is the Rule Concerning the Privacy of Customer Information ("Privacy Rule"), 16 C.F.R. Part 313, which went into full effect on July 1, This rule requires pawnbrokers and others who meet the definition of financial institution under the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA) to provide notices to their consumer customers about their privacy policies and to use and share information only in accordance with the policies they describe in those notices or in the exceptions provided in the rule. Pawnbrokers should be complying with this FTC rule already.

The second rule, entitled Standards for Safeguarding Customer Information ("Safeguards Rule"), 16 C.F.R. Part 314, became effective on May 23, This rule requires that all GLBA financial institutions, including their service providers who receive customer information from financial institutions, have written policies and procedures demonstrating their administrative, technical, and physical safeguards for customer information. If you are required to comply with the Privacy Rule, you should be complying with the Safeguards Rule as well.

The Safeguards Rule also requires financial institutions, including pawnbrokers, to have contractual arrangements with their service providers concerning the service providers' administrative, technical, and physical safeguards for customer information they receive from the financial institution that deals directly with the consumer.

For all contracts that financial institutions entered into after June 24, 2002, pawnbrokers should have reviewed and renegotiated their service contracts before May 23, However, for any contracts with service providers entered into before June 24, 2002, the Safeguards Rule provided a deferred effective date of May 24, 2004 for compliance with this provision. In other words, pawnbrokers had a longer time to renegotiate their contracts if they had entered into those contracts prior to June 24, At this time, all contracts that pawnbrokers may have with service providers should contain appropriate provisions for administrative, technical, and physical information security safeguards in compliance with the FTC's Safeguards Rule.

Failures to comply with the Privacy Rule and the Safeguards Rule constitute violations that the Federal Trade Commission ("FTC") can sue persons and companies under its jurisdiction to enforce, and for which it can obtain injunctive relief and civil penalties from the non-complying financial institution or service provider, or both, as appropriate. These civil penalties can be substantial. Remedies accompanying an FTC final order or a court-ordered injunction, such as individual notices, repair of records, and certification of compliance by a certified information security professional, can be very expensive. Accordingly, compliance with the Privacy Rule and the Safeguards Rule should get appropriate attention from the board of directors of a corporation owning pawn stores or from the partners or owners of a pawn store operating under a partnership or sole proprietorship.

In November 2004, the FTC announced its first two enforcement actions against mortgage companies whose information security practices did not comply with the Safeguards Rule. These enforcement actions were filed against Nationwide Mortgage Group, Inc., a mortgage broker based in Fairfax, Virginia, and Sunbelt Lending Services, Inc., a subsidiary of Cendant Mortgage Corporation based in Clearwater, Florida. Both companies were part of a major investigation by the FTC to determine compliance by mortgage companies and automobile dealers with the Safeguards Rule. The FTC also charged both companies with violating the Privacy Rule by failing to provide required privacy notices to some or all of their customers.

[1] All pawnbrokers also must comply with the federal Truth in Lending Act that the FTC enforces against non-depositary lenders including pawnbrokers.

Sunbelt has agreed to settle these charges by entering into a proposed consent agreement with the FTC. This proposed agreement requires Sunbelt to get its information security program certified by an independent firm within six months and to submit to re-certification processes annually for the next ten years. The certification professional must be certified by one of three major information security certification groups or by the FTC. The proposed agreement can become a final order after the expiration of a 60-day public comment period. The enforcement action against Nationwide is proceeding as of November 22,

If the FTC follows past enforcement approaches, its staff will conduct reviews of compliance of other major segments of the consumer financial services industry and also will select enforcement targets based on consumer complaints. This means there are likely to be more investigations and more enforcement actions in future. It is not clear whether any investigation involving a pawnbroker is ongoing as of November, If you get a request for information from the FTC, please inform the NPA office as soon as possible.

In addition to the FTC Safeguards Rule, numerous states have enacted or are considering laws to impose liability on financial institutions and others, including service providers, for information security breaches. Developing, implementing, and maintaining an information security program appropriate to the location, size, and range of financial products offered by your company is the best way to avoid liability for information security breaches both under the FTC's Rule and under laws or rules adopted by the states.

This compliance document discusses all of the features of the Safeguards Rule and particularly the features that relate to contracting with service providers in order to ensure that you have appropriate administrative, technical, and physical safeguards for all customer information delivered to you in any form. See the Table of Contents for the subjects covered and the page or pages on which each topic is presented. This document does not cover state-enacted information security regulations or laws.

II. What are the basic requirements of the Safeguards Rule?

The Safeguards Rule requires financial institutions, including non-depositary providers of consumer financial products such as pawnbrokers, to evaluate the risks to the security of customer information that are present internally in their businesses and externally from service providers and outside attack or natural disaster. In addition, the Rule requires providers of consumer financial products to create and keep in place appropriate policies and procedures to protect the security, confidentiality, and integrity of the nonpublic personal information they obtain from consumer customers. The Safeguards Rule requires that each affected business document those policies and procedures in writing. The Safeguards Rule also requires that businesses contract with their service providers so that the business is confident that the service provider has adequate safeguards for customer information that the business sends to the service provider.

The Safeguards Rule has seven basic requirements that apply to every pawnbroker and every service provider that receives customer information from pawnbrokers. To comply, pawnbrokers should:

1. Evaluate the risks to the security of all customer information you receive from any customer or from others in the course of a transaction with a customer or that you send to any service provider with whom you deal;
2. Develop, implement, and maintain a written information security policy for your company that covers every consumer financial product your company offers;
3. Ensure that your information security policy includes administrative, technical, and physical safeguards for all of the customer information you have or share with your service provider;
4. Select appropriate service providers and enter into or amend your contract with service providers to implement and maintain safeguards themselves;
5. Ensure that the safeguards are appropriate to the size and complexity of your company and the consumer financial products you offer, the nature and scope of the activities in which your company engages, and the sensitivity of any customer information in your possession or in the possession of service providers to which you transfer sensitive customer information;
6. Train your employees about your information security policies and procedures, and re-train them as policies and procedures change; and,
7. Monitor compliance and develop and implement changes to your information security policies, and those of your service providers, as your monitoring of risks, advances in information technology, or changes in regulatory requirements may require.

The Safeguards Rule allows considerable flexibility for you to design an information security program that fits your precise business situation. It does not mandate state-of-the-art security measures. Rather, you can satisfy the Safeguards Rule's requirements by (a) using general security measures much like those you may already have for the security of the collateral you hold and information about your pawn customers, (b) restricting use of customer information to employees who are authorized to handle it and who have received training in the company's procedures, (c) training employees in how to handle and protect customer information, and (d) ensuring that every service provider to whom you may transfer sensitive customer information also has an adequate Safeguards Rule compliance program in place.

Let's look at each of these requirements separately. The numbering system in this list continues through this document, and corresponds to the seven requirements listed in the Table of Contents.

1. What Steps Should My Company Take to Evaluate the Information Security Risks that Affect the Customer Information My Company Obtains From Customers or From Others?

Pawnbrokers should consider the risks to the security of customer information for your location, for every area of your operations, and for every consumer financial product you offer. These risks may be considerably different from area to area and financial product to financial product. Your written information security policies and procedures should list the risks you have identified and explain your assessment of those risks.

Your assessment should cover all customer information in your possession. This includes all information you receive directly or indirectly from the customer, from another financial institution, and from a service provider with whom you have contracted for support services, as well as information you transfer to a service provider. For purposes of this rule, two key definitions apply:

"Customer Information" includes any record containing nonpublic personal information as defined in 16 C.F.R (n), about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates. 16 C.F.R (b). For pawn and purchase transactions, customer information will include:

* information you obtain from your customers, including name, address, date of birth, nationality, ethnicity, identification document number, and the like, whether you record and maintain it on paper or in electronic form;
* information in the form of signatures, and thumb- or finger-prints; and,
* information you share with your service provider(s) who assist you in your business, or information you must report to law enforcement or your primary regulator.
"Service provider" includes any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a financial institution that is subject to [the Safeguards Rule]. 16 C.F.R (d). Service providers include companies that help you with marketing your products, companies that help you run software programs that you use in your business, and firms such as l.e.a.d.s.online and l.e.a.p.s. that handle information that you obtain from consumer customers. Independent auditors who can access individual consumers' files also would qualify as service providers under this definition.

Let's look at the components of information security risk assessments:

A. What types of information do you receive from customers? How sensitive is that information?

Pawnbrokers receive highly sensitive information from their consumer customers. In most states, this information includes dates of birth, identification document numbers (driver's license, passport, cedula or matricular consular identification number where allowed by state or local law, and the like), addresses, names, and descriptions of collateral and loan amount. This information without more is sufficient to facilitate identity theft and other forms of property theft if it falls into the wrong hands. In other words, this information is highly sensitive. The Safeguards Rule requires you to have administrative, technical, and physical procedures to protect it.

In addition, the fact that a particular consumer is a pawn customer or the whereabouts of the customer may be sensitive information as far as the customer is concerned. For example, a person fleeing an abusive spouse or other person may wish to have their location treated as confidential. Or, the customer may not wish friends, relatives or business associates to know that they are pawning personal property because they need to procure medical treatment or to pay for important family obligations. Thus, the source of the funds they receive from you may be sensitive to your customers.

B. What Risks to the Security, Confidentiality, and Integrity of Customer Information Do You Reasonably Foresee?

Your task for this evaluation is to identify the reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information. In addition, you should assess the sufficiency of any safeguards in place to control such risks.

o Security covers freedom from the risk of theft, misuse or misappropriation as well as from loss by fire, storm, or electrical or equipment failure.
o Confidentiality covers freedom from disclosure, publication, humiliation, and the like.
o Integrity covers freedom from having the information changed without approval, such as changes in address, account numbers, passwords, and the like.

Although each aspect of the information security policies, procedures and programs is important, the Safeguards Rule emphasizes three areas of risk assessment for particular attention: (1) employee management and training; (2) information systems; and (3) responses to and management of systems failure. The second category includes password protection and safe storage of the databases that you use. It also covers the functions of the computer system and software that you use. The third category generally relates to what you do or might do if you had a systems failure and someone obtained access to the customer information stored in your computer system.

C. What Types of Internal Risks Exist to the Security of the Customer Information You Receive, Maintain, and Report?

Because pawn stores are secure locations of necessity, pawnbrokers normally conduct multi-level assessments of the internal risks to the security of their premises. These assessments should include ongoing assessments of risks to the security of customer information. Risks that are common to every provider of consumer financial products include:

o Risks that customer information in paper or electronic form will be stolen or destroyed by storm, fire or the like.

o Risks that your own databases are vulnerable to hacking from the inside, that is, risks that an employee or customer will get unauthorized access to customer information.
o Risks that employees can access your databases of customer information from their cell phones, PDAs, or laptop computers offsite. Theft or loss of the cell phone, PDA, or laptop computer would create a major security risk for your information systems. Cell phones, PDAs, and laptop computers should be programmed so that they cannot access customer information.
o Risks that your employees can move data on floppy disks or CD-ROMs in order to work on it, and then might lose the disk or CD-ROM, or that the disk or CD-ROM might fail.
o Risks that current or former employees will intercept customer information and misuse it, whether for personal gain or for revenge against the company.
o Risks that improper disposal of customer information will allow an employee or an outsider to capture customer information and later to misuse it.
o Risks that your business databases will fail without appropriate back-up of the data, or that the back-up itself is vulnerable to the failure.

This portion of the risk assessment also should evaluate which employees have access to customer information and how employees with access could expose customer information to risks, whether intentionally or unintentionally. Generally, it is not wise to allow any employee to access customer information from any location or through any computer outside of the business's location except when the back-up data and location are involved.

D. What External Risks Exist to the Security of the Customer Information You Receive, Maintain, and Report?

In addition to internal risks that you may identify in the previous stage of the risk assessment process, you need to evaluate the external risks to the security of customer information you receive, maintain, and report.
These risks fall into the following types:

o Risks in transferring customer information to service providers, both in the process of transfer and once it reaches the service provider.
o Risks that the service provider's database is not protected by state-of-the-art security devices including encryption and other programs, and storage protections.
o Risks that the service provider's employees can access its databases from their cell phones, PDAs or laptop computers off-site, or when they are off-duty. Theft or loss of the cell phone, PDA, or laptop computer would create a major security risk to the customer information the service provider received from you.
o Risks that the service provider's employees can move information on floppy disks or CD-ROMs to use off-site, or when they are off-duty, and that the disk or CD-ROM might be lost, or that the disk or CD-ROM might fail.
o Risks that current or former employees of your service providers who receive customer information from you will intercept information and misuse it, whether for personal gain or for revenge.
o Risks that the service provider will share your customers' nonpublic personal information with persons or companies you would not or could not share information with under the requirements of the FTC's Privacy Rule. Information sharing beyond the exceptions to the Privacy Rule violates the Rule and could subject you to an enforcement action brought by the FTC.
o Risks that law enforcement agencies or state regulators to whom you are required to report customer information will be hacked and that your customer information will be obtained from them. This risk applies to service providers that law enforcement use, including those service providers that law enforcement requires you to use.

Note: The FTC staff has told NPA representatives that once a pawnbroker transfers the information to a regulatory agency or a law enforcement agency or its agent(s) pursuant to a law, warrant, subpoena, or regulatory examination, the pawnbroker is relieved of liability for the security of that information.

E. What security policies, equipment, programs, and procedures do you use?
How do these policies, equipment, programs, and procedures relate to:

o Employee training and management;
o Information security systems, including software design and network design, and information processing, storage, transmission, and disposal;
o Employee recruitment, reviews, and retention or termination; and
o Preparation to transfer and transfer to law enforcement agencies to which you are required to report customer information.

Risk assessments should take into account the locations at which you conduct your business, the range of financial products you offer to customers, and the organizational structure of your company. For example, it may be harder or easier to secure paper records in some parts of the country, or power outages may be more or less frequent in some parts of the country.

Pawnbrokers may already have finished the risk assessment phase of this process. If you have finished, then proceed to the next phase.

2. Develop, implement, and maintain a written information security policy for your company that covers every consumer financial product your company offers.

Once you complete the risk assessment described above, it is time to develop and implement a written information security policy that covers every aspect of consumer information you receive and every consumer financial product your company offers. In addition, the Safeguards Rule requires that you maintain the information security policy, which means keeping it up-to-date as your products, risks, needs, technology, or the law may change. If any aspect of your transactional reporting changes, review your information security program.

Using the information you have gathered, consider what additional steps, if any, you need to take to implement and maintain safeguards for the customer information you receive. Your information security program should include: administrative safeguards, technical safeguards, and physical safeguards.

Pawnbrokers already maintain certain administrative, technical, and physical safeguards because of the generally secure environments that characterize pawn stores nationwide. By undertaking periodic reviews of your information security procedures and policies, you should be able to identify parts of your administrative, technical, and physical safeguards that may need change. Document any needed changes you have identified and what steps you took to make those changes.
Examples of administrative safeguards you might use to secure customer information include:

* designating one or more persons to supervise and monitor your information security program;
* training supervisors and employees;
* monitoring the information security habits of all personnel and taking appropriate action if someone exposes customer information to risks, including retraining, reduced access to customer information, sanctions, and termination;
* establishing procedures for access to customer information;
* establishing procedures to ensure that any representative of law enforcement or your primary regulator to whom you turn over or report customer information is authorized to receive it;
* checking employee references prior to hiring employees who will have access to customer information in any form (paper or electronic) and in any documentation attached to the collateral;
* checking references for any employee moving up to a position in which they will have access to customer information if you did not check references for the employee's original position;
* requiring every employee to sign an agreement to follow your confidentiality and security standards for handling customer information;
* training employees to observe basic security measures to maintain the security, confidentiality, and integrity of customer information, including:
  o locking rooms and file cabinets where records are stored;
  o using password-activated screen-savers for computers storing customer information;
  o changing passwords periodically;
  o not posting employees' passwords near computers or where visitors to the store can see them;
  o encrypting customer information when transmitted over networks inside or outside the company or stored online;
  o referring calls or law enforcement requests for customer information to designated employees who have safeguards training; and,
  o recognizing any attempt to obtain customer information by any unauthorized person and reporting it to the Safeguards Rule compliance officer and to appropriate law enforcement authorities;
* adopting Fair Information Practices so that when customer information is collected, it is used only for the purpose intended or as required by law or duly authorized warrant or subpoena. (For more information about Fair Information Practices, please see "Where Can Pawnbrokers Get Help Complying with the Safeguards Rule?" on the last page of this compliance document.)

Examples of technical safeguards that you could use in your information security program depend on how you obtain, store, and report customer information to law enforcement or primary regulators:

* If all of the records you keep, store, and report are in paper form, the technical safeguards you might employ could be minimal. They might include:
  o Not allowing personnel to copy this information for any purpose not authorized by the owner or senior management of the company; and
  o Ensuring safe disposal of paper records, including shredding paper records when they are no longer required to be maintained under federal, state, or local law.
* If some or all of the customer information is in electronic form, check your policies, procedures, and safeguards for every computer, PDA, or other electronic data-storage device so that you have appropriate technical safeguards. These may include:
  o Passwords, encryption technology, physical and electronic firewalls, and security updates for your computers and operational software; and
  o Restrictions on or specific authorizations for personnel who may have access to the customer information you receive, store, and report.
  o Encryption of customer information as it leaves your business bound either for a service provider or for a law enforcement agency to which you are required to report it by law, a duly authorized warrant or subpoena, or a request from your primary regulator. This can be by encrypted disk or encrypted Internet transmission.
  o Monitor controls that you have in place;
  o Undertake not to release information except as provided for in your Privacy Policy disclosed to customers or as required by law;
  o Limit access only to authorized personnel;
  o Terminate passwords and access to customer information when an employee leaves your employ, whether voluntarily or not, as promptly as possible;

  o Ask branch stores and service providers to alert you to receipt of subpoenas, warrants, or requests from your primary regulator, including the Federal Trade Commission, unless prohibited by law from doing so. Note: some provisions of the Bank Secrecy Act, the Right to Financial Privacy Act, and the Patriot Act restrict the ability of persons or entities receiving requests related to Suspicious Activity Reports and counter-terrorism and intelligence activities from revealing the fact of the reports or requests.

Your service providers should be willing to take the following steps to ensure their own compliance with the Safeguards Rule:

o Maintain status as a reputable enterprise and follow business practices otherwise acceptable to you;
o Sign an appropriate contract with you that undertakes to comply with all applicable law; and,
o Protect against disclosures of customer information in connection with civil cases as required by Section 521 of Title V (Privacy) of the Gramm-Leach-Bliley Act and the FTC's Privacy Rule, 15 U.S.C

Examples of physical safeguards that pawnbrokers may use include:

* Secure the physical space where you keep customer information, including where you keep paper records, computers, and any server or servers that support your computers, to be certain that they can be protected from theft, interception, or interruption. Is this space secure from outsiders and unauthorized insiders? How do persons obtain access to this space? How do insiders and outsiders gain access to these spaces? Keys, passwords, camera surveillance?
* Review the procedures by which personnel get access to the paper records, computers, and servers that support the computers: what passwords or other security procedures are in place?
* Review procedures pertaining to the disposal of paper or electronic records that contain customer information. How does your company control disposal of customer information? Which employees are designated to handle disposal of customer information? Have these employees received special training in record disposal?
* Review procedures for delivering reports of customer information to law enforcement under federal, state, or local laws, and in response to grand jury subpoenas, warrants, civil subpoenas, or regulatory inquiry. What type of receipts does your company get for information it provides to law enforcement under state or local laws or in response to grand jury subpoenas, warrants, civil subpoenas, or regulatory inquiries? Be certain that the person to whom you deliver customer information is authorized to receive it.

3. Write policies, procedures, and programs that reflect each aspect of the administrative, technical, and physical security elements of your information security program, and keep them in written form easy to show a federal or state investigator evaluating your compliance with the Safeguards Rule.

Write down the results of Steps 1 and 2. Keep these written assessments and policies where you can show them to your licensing agency or investigators from the FTC. Be certain that appropriate individuals within your business have access to the parts of the policies, procedures, and programs that their job requires.

The Safeguards Rule requires that you have your whole program in writing, but allows it to be in one or more readily accessible parts. This permission allows you, for example, to keep the most sensitive portions of your program in the hands of owners or senior company personnel or service providers in charge of information security, and to distribute less sensitive parts to a wider group of employees who handle customer information.

Your written information security policy should provide details of the duties of the person or persons in charge of compliance and monitoring your information security program.
It also should include the names and contract information for every service provider who is allowed access to any location or computer that stores customer information, including firms that market your products to your customers and firms that keep your Privacy Rule opt-out database.

4. Select appropriate service providers.

Choose service providers who can provide appropriate protections for the security, confidentiality, and integrity of customer information and will undertake in their agreement with you to protect your customer information. This element of your information security program has three parts: (1) service providers to help you run your day-to-day businesses, to keep track of customers who opted out of information-sharing under the Privacy Rule, to market your products, to manage data you must maintain, to manage data you must report to law enforcement or your primary regulator, and for any other business purpose; (2) service providers who run other aspects of your businesses including tracking inventory and sales of goods (new or out of pawn); and (3) service providers that local or state governments may require you to use. Each of these categories covers different information security risks to your businesses.

A. Select service providers who have appropriate administrative, technical, and physical safeguards for your customer information.

B. Write contractual commitments for the service provider's obligation to maintain the security of customer information, prompt receipt of notice if the service provider's security is breached in any manner that might affect the security of your customer information, and receipt of appropriate indemnification from the service provider for any liability you may suffer as a result of the security breach.

C. If a state or local government requires you to use a specific security provider, once you deliver the information that state or local law requires to be delivered, your liability ends. If that service provider has a security breach, it is the responsibility of the service provider or the state or local government that selected them; they carry all of the liability for the information security breach. In dealing with state or local governments who select service providers for the pawn industry, you are entitled to make clear that they will bear the financial and legal liability for all security breaches involving customer information that occur once you transfer or report customer information to them.

5. Ensure that the safeguards are appropriate to the size and complexity of your company and the consumer financial products you offer, the nature and scope of the activities in which your company engages, and the sensitivity of any customer information in your hands.

Check your progress to be certain that the safeguards you have adopted are appropriate to the size and complexity of your company and the consumer financial products you offer (pawn, check cashing, payday loans, money transmission, and the like), the nature and scope of your company (one location, multiple locations, many locations in more than one state), and the sensitivity of customer information in your hands.

6. Train your employees about your information security policies and procedures, and re-train them as policies and procedures change.

Basic employee training involves several steps. These may include:

o locking rooms and file cabinets or other storage facilities where records are kept;
o using password-activated computers and screen-savers;
o changing passwords periodically, and not posting passwords where unauthorized persons or other employees can see them;
o encrypting customer information when it is transmitted electronically over networks or stored online;
o not allowing employees to take home or to access from home customers' private information;
o referring calls or other requests for customer information to designated individuals who have had safeguards training; and
o recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.

7. Monitor compliance and develop and implement changes to your information security policies as your monitoring of risks, upgrades in technology, or modifications to your compliance program that changes in the law may require.

Monitoring compliance is an ongoing responsibility. You should check your procedures periodically and develop and implement changes you decide to make, including them in amendments to your written policies and adding them to your training programs. Every time you change the person or persons in charge of your Safeguards Rule compliance program, you should note the change in your amended Information Security Program.
Document any other changes you make to your program, remembering that you are required to have it in writing, but that you may have it in several documents so long as each document is readily accessible as may be needed by your compliance officers or senior management or by your primary regulator or the FTC. Monitoring your information security program includes identifying alleged security breaches, responding to customer complaints, and evaluating workplace or service provider vulnerabilities and incidents that threaten the security of customer information. Monitoring includes the duty to recommend and implement changes to your information security program.

8. Manage and Respond to System Failures.

No information security program is perfect. The FTC recommends that your information security program should have contingency plans for system failures. The following are examples of ways to prevent system failures or to limit their effect:

o Include contingency plans and procedures for addressing system failures that occur in your business or in those of every service provider you use. This part of your program should include pretext use of your customer information: use by someone who has no legitimate reason to have access to this information and who is obtaining it or trying to obtain it under false pretenses, fictitious documents, or forgery. The pretexting provisions of the Gramm-Leach-Bliley Act are at 15 U.S.C (2003). The FTC enforces these provisions against persons in its jurisdiction.
o Check your software vendors regularly to obtain and install patches that resolve software vulnerabilities.
o Use anti-virus software, preferably software that updates itself frequently, or that you update manually on a frequent basis.
o Maintain up-to-date firewalls, physical and electronic, to protect your records from access by unauthorized persons and from access by off-duty personnel.
o Make someone responsible for the security tools you use and for communicating updates about security risks or breaches and new procedures.

III. Conclusion

Pawnbrokers already had many security procedures for protecting the security of customer information before the FTC published its Safeguards Rule. One important aspect of your information security program is that it should be a program that your employees can follow. Develop a program that your company can follow.
If the program is more than your employees and service providers can handle, an injured consumer customer will argue that the company was not following its own policy and, as a result, was liable for its failure to comply with a written policy. So, after you go through the steps outlined in this compliance document, make a sensible policy, write it down and distribute it to employees who have responsibilities for carrying out specific policies or who will supervise its overall implementation, and see that your employees and service providers comply with the program you develop, and that those who will not are re-trained, sanctioned, or terminated as is appropriate.

IV. Where to get help on questions concerning the Safeguards Rule:

o From the NPA, if you are a member;
o From your local lawyer;
o From the FTC's business education materials; and
o From Fair Information Practices Professionals. Some of these groups include those offering the Certified Information Security Professional (CISSP), Certified Information Auditor (CISA), or Global Information Assurance Certificate (GIAC); the latter certificate is offered by the SysAdmin, Audit, Network, Security Institute (SANS).


U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) U.S. Department of Health and Human Services (HHS) The Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool Physical Safeguards Content Version Date:

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Addressing the General Data Protection Regulation (GDPR) 2018 [EU] and the Data Protection Act (DPA) 2018 [UK] For information on this Policy or to request Subject Access please

More information

1.3 Please follow the links below for further information. Where relevant, we have made a distinction between different categories of data subjects:

1.3 Please follow the links below for further information. Where relevant, we have made a distinction between different categories of data subjects: PRIVACY STATEMENT Last date of revision: 18-05-2018 1. WHO DOES THIS GDPR PRIVACY STATEMENT APPLY TO? 1.1 Claeys & Engels cvba ( We or Claeys & Engels ) is a specialist law firm offering a full range of

More information

VFS GLOBAL PVT LTD PRIVACY DISCLAIMER

VFS GLOBAL PVT LTD PRIVACY DISCLAIMER VFS GLOBAL PVT LTD PRIVACY DISCLAIMER Version 1.0 Privacy Disclaimer Scope VFS GLOBAL (hereinafter referred to as VFS GLOBAL ) is an outsourced partner of Diplomatic Missions across globe, and is authorized

More information

NASD NOTICE TO MEMBERS 97-58

NASD NOTICE TO MEMBERS 97-58 NASD NOTICE TO MEMBERS 97-58 NASD Regulation Requests Comment On Proposed Interpretive Material 1031 Regarding Cold Calling Activity; Comment Period Expires October 31, 1997 Suggested Routing Senior Management

More information

Conjure Network LLC Privacy Policy

Conjure Network LLC Privacy Policy Conjure Network LLC Privacy Policy Effective September 28, 2018 Conjure Network LLC ( Conjure, us, we, or our ) operates http://www.conjure.network (the Site or Website ). This Privacy Policy (the Policy

More information

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

TERMS & CONDITIONS PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SITE

TERMS & CONDITIONS PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SITE TERMS & CONDITIONS PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THE SITE 1. General The term PPS refers to: Professional Provident Society Holdings Trust, (The Holding Trust); Professional

More information

Starflow Token Sale Privacy Policy

Starflow Token Sale Privacy Policy Starflow Token Sale Privacy Policy Last Updated: 23 March 2018 Please read this Privacy Policy carefully. By registering your interest to participate in the sale of STAR tokens (the Token Sale ) through

More information

PRIVACY STATEMENT. Effective Date 11/01/17.

PRIVACY STATEMENT. Effective Date 11/01/17. PRIVACY STATEMENT Effective Date 11/01/17. PREMIER Bankcard, LLC. [hereinafter referred to as our, us, or we ] is committed to advising you of the right to your privacy, and strives to provide a safe and

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

Data Processor Agreement

Data Processor Agreement Data Processor Agreement Data Controller: Customer located within the EU (the Data Controller ) and Data Processor: European Representative Company: ONE.COM (B-one FZ-LLC) One.com A/S Reg.no. Reg.no. 19.958

More information

Token Sale Privacy Policy

Token Sale Privacy Policy Token Sale Privacy Policy PRIVACY POLICY LAST UPDATED ON: [11 SEP 2018] A. OVERVIEW You must read the entirety of this Privacy Policy carefully before making any decision to purchase Tokens. You must also

More information

Rowing Canada Aviron. Online Registration System - Protection of Personal Privacy. Policy Statement

Rowing Canada Aviron. Online Registration System - Protection of Personal Privacy. Policy Statement Rowing Canada Aviron Online Registration System - Protection of Personal Privacy Policy Statement Rowing Canada Aviron (RCA) has developed this Privacy Policy to describe the way that RCA collects, uses,

More information

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1

Catalent Inc. Privacy Policy v.1 Effective Date: May 25, 2018 Page 1 Catalent, Inc. Privacy Policy, effective May 25, 2018 1. This Policy This Privacy Policy (this Policy ) is issued by Catalent, Inc. on behalf of itself and its domestic and international subsidiaries and

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Privacy Breach Policy

Privacy Breach Policy 1. PURPOSE 1.1 The purpose of this policy is to guide NB-IRDT employees and approved users on how to proceed in the event of a privacy breach, and to demonstrate to stakeholders that a systematic procedure

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Status: Released Page 2 of 7 Introduction Our Data Protection policy indicates that we are dedicated to and responsible of processing the information of our employees, customers,

More information

Prevention of Identity Theft in Student Financial Transactions AP 5800

Prevention of Identity Theft in Student Financial Transactions AP 5800 Reference: Fair and Accurate Credit Transactions Act (Pub. L. 108-159) The Board recognizes that some activities of the Shasta-Tehama-Trinity Joint Community College District, "District," are subject to

More information

AGREEMENT FOR RECEIPT AND USE OF MARKET DATA: ADDITIONAL PROVISIONS

AGREEMENT FOR RECEIPT AND USE OF MARKET DATA: ADDITIONAL PROVISIONS EXHIBIT C AGREEMENT FOR RECEIPT AND USE OF MARKET DATA: ADDITIONAL PROVISIONS 21. NYSE DATA PRODUCTS (a) SCOPE This Exhibit C applies insofar as Customer receives, uses and redistributes NYSE Data Products

More information

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

VISTRA (CYPRUS) LTD. PRIVACY NOTICE Effective Date: from 25 May 2018 VISTRA (CYPRUS) LTD. PRIVACY NOTICE This Privacy Notice explains how particular companies in the Vistra Group collect, use and disclose your personal data, and your rights

More information

UWTSD Group Data Protection Policy

UWTSD Group Data Protection Policy UWTSD Group Data Protection Policy Contents Clause Page 1. Policy statement... 1 2. About this policy... 1 3. Definition of data protection terms... 1 4. Data protection principles..3 5. Fair and lawful

More information

Baseline Information Security and Privacy Requirements for Suppliers

Baseline Information Security and Privacy Requirements for Suppliers Baseline Information Security and Privacy Requirements for Suppliers INSTRUCTION 1/00021-2849 Uen Rev H Ericsson AB 2017 All rights reserved. The information in this document is the property of Ericsson.

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Data Protection Policy Version 3.00 May 2018 For more information, please contact: Technical Team T: 01903 228100 / 01903 550242 E: info@24x.com Page 1 The Data Protection Law...

More information

SAFE-BioPharma RAS Privacy Policy

SAFE-BioPharma RAS Privacy Policy SAFE-BioPharma RAS Privacy Policy This statement discloses the privacy practices for the SAFE-BioPharma Association ( SAFE- BioPharma ) Registration Authority System ( RAS ) web site and describes: what

More information