Incident Response Guidelines


New Orleans, La, November 17, 2006
LBA 2006 Bank Counsel Conference
Data Breaches, FFIEC Requirements and Incident Response Guidelines
Remarks by Richard Riese, Director, ABA Center for Regulatory Compliance, rriese@aba.com

Scope of Data Breaches

Many portions of the business and governmental community have been breached:
- Retailers and credit and debit card processors have had their computer systems breached while keeping customer transactional data in violation of card network rules.
- Information brokers have either sold data to unauthorized users or experienced a breach of their computer system allowing unauthorized access to data.
- Third-party couriers and airline baggage handlers have lost the data tapes of financial services companies while in transit to storage or to a credit bureau.

Consumers are still confident that financial institutions protect their information. (EDS/Ipsos-Reid Online Banking Privacy Survey, September 2005)

Yet that confidence is being eroded by fears of security breaches. Consumer perceptions of Internet banking drawbacks. (EDS/Ipsos-Reid Online Banking Privacy Survey, September 2005)

What Consumers Would Do After a Security Breach. (EDS/Ipsos-Reid Online Banking Privacy Survey, September 2005)

What Consumers Did Do After a Security Breach. (White & Case / Ponemon Institute National Survey on Data Security Breach Notification, September 2005)

How Breaches Affect Trust. (White & Case / Ponemon Institute National Survey on Data Security Breach Notification, September 2005)

Privacy and Data Security
- GLBA and FCRA/FACTA
  - Breach and Customer Notification
  - Authentication Guidance
  - Medical Information
  - Credit Report Accuracy
  - ID Theft Red Flags
- Data Breach Legislation
  - Relation to GLBA
  - Pre-emption
  - Enforcement Authority
  - GAO Report on Experience

Regulatory Agency Response
- Security breach notification guidelines.
- Multi-factor authentication guidance.
- ID Theft Red Flag Proposal.
- Increased focus on third-party due diligence.

Interagency Expectations for Customer Response Program
- Develop an incident response team.
- Assess the nature and scope of an incident.
- Take steps to contain and control the incident.
- Notify the institution's primary federal regulator.
- File a SAR and work with law enforcement.
- Notify customers and provide assistance.
- Trigger notice if misuse of information has occurred or is reasonably possible to occur.

Security Breach Notification Guidelines
- Retailer breaches: do the guidelines apply?
- How should FIs notify the agencies of a breach?
- How can we raise the bar for others to our level?
- How should data in transit be protected?

ID Theft Definition
Identity theft = the misuse of another individual's personal information to commit fraud. Includes:
- Generating new fraudulent accounts
- Obtaining benefits or licenses in the name of the victim
- Gaining unauthorized access to existing legitimate accounts

ID Theft Risk and Red Flag Proposal
- FACT Act Mandate
- Regulatory Obligation to Risk Assess
- Assess considering size and complexity
- Consider red flag guidelines
- Board approved program!
- Required training
- Red Flag Guidelines

ID Theft Task Force Report
DOJ and FTC with input from FFIEC. Released November 10th.
Salient Banking Related Points:
- Decrease unnecessary use of SSNs
- Extend legislative protections preserving GLBA
- Increase investigations and prosecutions and improve remedies
- Empower State AG enforcement, but with FBA carve-out
- Establish National Identity Theft Center
- Evaluate FACT Act and credit freeze impact

Multi-Factor Authentication Guidance
The Key Point: Where single-factor authentication is inadequate, FIs should implement multifactor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks.

What Does This Mean to the Industry?
- Regulators expect financial institutions to step it up a notch in terms of online security.
- FIs have an obligation to secure a delivery channel they build and have made available to consumers.
- Time-frame for compliance is aggressive, but reasonable.
- Examiners will review compliance efforts on a case-by-case basis.

What Does This Mean to the Industry?
- Guidance is flexible; it does not mandate a specific technology solution.
- Regulators expect new technologies to continue to be introduced.
- Special considerations for FIs affected by recent hurricanes.

FAQs
- Is there an approved list of solutions?
- Is the Appendix an exclusive list of solutions?
- Can an FI just complete its risk assessment by year-end 2006?
- Do the regulators expect FIs to run out and buy hardware tokens for all their customers?
- Is there a template for the risk assessment?

FAQs
- Are agencies considering additional guidance?
- Can an FI decide that stronger authentication is unnecessary?
- Can an FI rely on its service provider's risk assessment?
- Can an FI permit customers to opt out of the stronger authentication?
- Does the guidance cover telephone banking?

Third-Party Due Diligence
- Third-party breaches: have they impacted examiner expectations?
- How are third parties such as Digital Insight examined?
- How can FIs buttress their third-party oversight?

New Orleans, La, November 17, 2006
2006 LBA Bank Counsel Conference
For materials mentioned in these remarks go to www.aba.com/compliance/lba2006.htm
Other Compliance Contact Info:
- Authentication expert Don Rhodes: drhodes@aba.com
- ID Theft experts Doug Johnson, djohnson@aba.com, or Nessa Feddis, nfeddis@aba.com
- compliance@aba.com or compmail@aba.com, 1-800-551-2572: your hotline for support!
Thank you.