Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Similar documents
Regulation P & GLBA Training

Annual Report on the Status of the Information Security Program

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

( Utility Name ) Identity Theft Prevention Program

Red Flag Policy and Identity Theft Prevention Program

[Utility Name] Identity Theft Prevention Program

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Online Privacy & Security for the Mortgage Industry

Post-Secondary Institution Data-Security Overview and Requirements

Red Flags/Identity Theft Prevention Policy: Purpose

Summary Comparison of Current Data Security and Breach Notification Bills

Incident Response Guidelines

Prevention of Identity Theft in Student Financial Transactions AP 5800

Identity Theft Prevention Policy

STOCKTON UNIVERSITY PROCEDURE DEFINITIONS

An Overview of the Gramm-Leach-Bliley (GLB) Act and the Safeguards Rule

Seattle University Identity Theft Prevention Program. Purpose. Definitions

Credit Card Data Compromise: Incident Response Plan

IDENTITY THEFT PREVENTION Policy Statement

Policy 24 Identity Theft Prevention Program IDENTITY THEFT PREVENTION PROGRAM OF WEBB CREEK UTILITY DISTRICT

GLBA, information security and incident response a compliance perspective

Identity Theft Prevention Program. Effective beginning August 1, 2009

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

SECURITY & PRIVACY DOCUMENTATION

City of New Haven Water, Sewer and Natural Gas Utilities Identity Theft Prevention Program

Keeping It Under Wraps: Personally Identifiable Information (PII)

Information Security Incident Response Plan

Information Security Incident Response Plan

NYDFS Cybersecurity Regulations

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Employee Security Awareness Training Program

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Why you MUST protect your customer data

Cybersecurity in Higher Ed

FDIC InTREx What Documentation Are You Expected to Have?

Incident Policy Version 01, April 2, 2008 Provided by: CSRSI

Managing Cybersecurity Risk

Ouachita Baptist University. Identity Theft Policy and Program

Identity Theft Policies and Procedures

Cybersecurity It Matters to SMB

University of North Texas System Administration Identity Theft Prevention Program

Lakeshore Technical College Official Policy

security FRAUD PREVENTION Business Checklist Safeguard your money, your credit and your good name.

Red Flags Program. Purpose

Checklist: Credit Union Information Security and Privacy Policies

Demonstrating Compliance in the Financial Services Industry with Veriato

Financial Regulations, Enforcement & Cybersecurity

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

Putting It All Together:

Security Breaches: How to Prepare and Respond

What To Do When Your Data Winds Up Where It Shouldn t

01.0 Policy Responsibilities and Oversight

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Agreements & Contracts: Electronic Documents User Agreement CUSTOMER SERVICE SKOWHEGAN SAVINGS

Data Compromise Notice Procedure Summary and Guide

LCU Privacy Breach Response Plan

Table of Contents. PCI Information Security Policy

Access to University Data Policy

HIPAA Security and Privacy Policies & Procedures

Seven Requirements for Successfully Implementing Information Security Policies and Standards

First aid toolkit for the management of data breaches. Mary Deligianni Senior Associate 15 February 2018

UCOP Guidelines for Protection of Electronic Personal Information Data and for Security Breach Notification

INFORMATION SECURITY-SECURITY INCIDENT RESPONSE

FFIEC CONSUMER GUIDANCE

EXHIBIT A. - HIPAA Security Assessment Template -

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

Security and Privacy Breach Notification

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

GLBA. The Gramm-Leach-Bliley Act

Version 1/2018. GDPR Processor Security Controls

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Information Technology General Control Review

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

Customer Proprietary Network Information

Regulatory Notice 10-21

DETAILED POLICY STATEMENT

Schedule Identity Services

June 2012 First Data PCI RAPID COMPLY SM Solution

HPE DATA PRIVACY AND SECURITY

Privacy & Information Security Protocol: Breach Notification & Mitigation

What to do if your business is the victim of a data or security breach?

ASSESSMENT LAYERED SECURITY

COMMENTARY. Information JONES DAY

INFORMATION SECURITY AND SECURITY BREACH NOTIFICATION GUIDANCE Preventing, Preparing for, and Responding to Breaches of Information Security

Consolidated Privacy Notice

Texas Department of Banking United States Secret Service January 25, 2012

Presented by: Jason C. Gavejian Morristown Office

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

FFIEC CONSUMER GUIDANCE

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Cybersecurity The Evolving Landscape

3 rd Party Certification of Compliance with MA: 201 CMR 17.00

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

Data Privacy and Cybersecurity

Subject: University Information Technology Resource Security Policy: OUTDATED

IDENTITY THEFT PREVENTION PROGRAM

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

Development Authority of the North Country Governance Policies

Transcription:

Gramm-Leach Bliley Act Section 501(b) and Customer Notification Roger Pittman Director of Operations Risk Federal Reserve Bank of Atlanta

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

Background GLBA Gramm-Leach-Bliley Act of 1999 Protect customer financial information Enforcement by Federal and State agencies Examination guidance (2001)

Background Where It Applies Guidelines apply only to non-public personal information of customers Customer is an individual (or the individual s legal representative) who: Obtains or has obtained a financial product or service from the institution, that is to be used primarily for personal, family household purposes; and Has or had a continuing relationship with the institution GLBA requirements do not apply to: Information relating to the institution Business customers

Background Covered Institutions GLBA 501(b) applies to: Banks (Regulation H) Bank holding companies (Regulation Y) Edge corporations, agreement corporations, and uninsured state-licensed branches or agencies of foreign banks (Regulation K)

Background Exceptions GLBA 501(b) is not applicable to: Broker-dealers Persons providing insurance Investment companies and advisors

Examinations Every examination cycle requires an assessment of GLBA compliance Failure to adhere to the guidelines can result in regulatory violations

Elements of a Sound Program Documented written plan Involve board of directors Risk assessment - identify and assess risks to customer information Training Testing Oversee service providers Adjust program Review, approve, and annual reporting

Documented Plan Written information security program or policy Specifics outlined in Interagency Guidelines for establishing Safeguarding Customer Information that implements GLBA 501(b) under SR 01-1515

Involve Board of Directors Review and approve information security program Oversee development, implementation and maintenance Assign specific responsibility for implementation Review reports from management

Risk Assessment Identify & Assess Risk to Customer Information Identify where customer information exists Hard copy - loan files, signature cards, applications, miscellaneous reports, garbage, etc. Electronic - databases, workstations, servers, diskettes, CDs, transmissions, backup tapes. Assess risk Identify reasonably foreseeable internal and external threats Assess the likelihood and damage of the threats Assess the sufficiency of policies and procedures to control risk

Training and Testing Employees must be trained to implement the bank s information security program Tests must be conducted of key controls, systems, and procedures Security tests Keep critical systems and application software patched Maintain current awareness of new vulnerabilities and emerging threats Business continuity plans Conducted and reviewed by independent party

Oversee Service Providers Due diligence in selection Require by contract to implement appropriate safeguarding measures Ongoing monitoring Notifying bank of security breaches

Adjust the Program Monitor, evaluate, and adjust program Changes in: Technology Business processes Changes in products or services Sensitivity of information Internal or external threats Business arrangements

Board Approval & Annual Reporting At least annually Overall status of information security program Discuss material matters Address various issues Risk assessment Service provider arrangements Test results Security breaches and violations Recommendations for changes

Customer Notification

Response Program Effective March 29, 2005 The OCC, Board, FDIC, and OTS published an interpretation of the Gramm-Leach-Bliley Act (GLBA) and the Interagency Guidelines Establishing Information Security Standards (Security Guidelines) to include the development and implementation of a response program to address unauthorized access to, or use of customer information that could result in substantial harm or inconvenience to a customer.

Response Program At a minimum, the program should contain procedures for the following: Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused Notifying its primary Federal regulator as soon as possible when there is an incident involving sensitive customer information

Response Program Filing a Suspicious Activity Report ( SAR ) and notifying law enforcement authorities when necessary Containing and controlling the incident to prevent further unauthorized Notifying customers when warranted

Customer Notification An institution should notify affected customers when It becomes aware of an incident of unauthorized access to sensitive customer information AND Misuse of customer information has occurred or is reasonably possible

Customer Notification Law enforcement may delay notification if Law enforcement believes that notification may interfere with a criminal investigation, AND A written request is provided to the institution, but Notification must be made as soon as this is no longer the case

Customer Notification Notification must be clear and conspicuous Should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it.

Sensitive Customer Information Identifying information (customer name, address, telephone number) together with SSN/TIN, driver s license number, credit/debit card number, personal identification number or account number; OR Any combination of customer information that would allow access to the customer s account (username and password)

When to Notify? The institution must notify if misuse is reasonably possible not reasonably probable Awareness is the trigger for regulatory notification, not extent of incident, culpability of institution, or likelihood of misuse

When to Notify? Notification is not required for incidents outside the institution s control Accidental disclosure by customer Disclosure by servicer independent of institution (credit card merchant processor) Many institutions notify anyway

Content of Customer Notice Description of the incident in general terms What kind of customer information was compromised What the institution has done to protect customers from further unauthorized access Telephone number to call for assistance Reminder to remain vigilant over the next 12 to 24 months

Customer Notice Recommendation to review account activity and report any suspicious activity Description of fraud alerts and how to place them in consumer credit reports Reminder to obtain credit reports and have fraudulent activity deleted Explanation of how to retrieve a credit report free of charge

Customer Notice FTC provides information on identity theft protection How to use online guidance How to report incidents of identity theft Contact information

Supervisory Considerations Reasonably Possible vs. Reasonably Probable Definition of sensitive customer information Identifying affected customers may be an ongoing process

Supervisory Considerations Service providers For notification to be required, service providers must maintain customer information by or on behalf of financial institutions Institutions don t have to trace back through chain of vendor relationships, but Institutions may want to notify anyway because of public perception

Best Practices Make customer whole in the event of actual fraud arising from misuse Assist customers in pulling credit reports Monitor account activity Implement anti-fraud monitoring technology Notification through multiple media Publicize positive steps taken to protect customers DO NOT include sensitive customer information in the notification

More Information Standards for Safeguarding Customer Information (SR Letter 01-15) 15) http://www.federalreserve.gov/boarddocs/srletters/20 01/sr0115.htm Response Programs for Unauthorized Access to Customer Information and Customer Notice (SR Letter 05-23) http://www.federalreserve.gov/boarddocs/srletters/20 05/sr0523.htm

Questions? Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback