LBA 2006 Bank Counsel Conference
New Orleans, LA, November 17, 2006
Data Breaches, FFIEC Requirements and Incident Response Guidelines
Remarks by Richard Riese, Director, ABA Center for Regulatory Compliance
rriese@aba.com
Scope of Data Breaches
Many portions of the business and governmental community have been breached.
- Retailers and credit and debit card processors have had their computer systems breached while retaining customer transactional data in violation of card network rules.
- Information brokers have either sold data to unauthorized users or experienced a breach of their computer systems allowing unauthorized access to data.
- Third-party couriers and airline baggage handlers have lost the data tapes of financial services companies while in transit to storage or to a credit bureau.
Consumers are still confident that financial institutions protect their information.
(Chart: EDS/Ipsos-Reid Online Banking Privacy Survey, September 2005)
Yet that confidence is being eroded by fears of security breaches.
(Chart: Consumer perceptions of Internet banking drawbacks; EDS/Ipsos-Reid Online Banking Privacy Survey, September 2005)
What Consumers Would Do After a Security Breach
(Chart: EDS/Ipsos-Reid Online Banking Privacy Survey, September 2005)
What Consumers Did Do After a Security Breach
(Chart: White & Case/Ponemon Institute National Survey on Data Security Breach Notification, September 2005)
How Breaches Affect Trust
(Chart: White & Case/Ponemon Institute National Survey on Data Security Breach Notification, September 2005)
Privacy and Data Security
- GLBA and FCRA/FACTA
- Breach and customer notification
- Authentication guidance
- Medical information
- Credit report accuracy
- ID theft red flags
- Data breach legislation
- Relation to GLBA
- Pre-emption
- Enforcement authority
- GAO report on experience
Regulatory Agency Response
- Security breach notification guidelines
- Multi-factor authentication guidance
- ID theft red flag proposal
- Increased focus on third-party due diligence
Interagency Expectations for Customer Response Program
- Develop an incident response team
- Assess the nature and scope of an incident
- Take steps to contain and control the incident
- Notify the institution's primary federal regulator
- File a SAR and work with law enforcement
- Notify customers and provide assistance
- Trigger notice if misuse of information has occurred or is reasonably possible to occur
Security Breach Notification Guidelines
- Retailer breaches: do the guidelines apply?
- How should FIs notify the agencies of a breach?
- How can we raise the bar for others to our level?
- How should data in transit be protected?
ID Theft Definition
Identity theft = the misuse of another individual's personal information to commit fraud. Includes:
- Generating new fraudulent accounts
- Obtaining benefits or licenses in the name of the victim
- Gaining unauthorized access to existing legitimate accounts
ID Theft Risk and Red Flag Proposal
- FACT Act mandate
- Regulatory obligation to assess risk, considering size and complexity
- Consider the red flag guidelines
- Board-approved program!
- Required training
- Red Flag Guidelines
ID Theft Task Force Report
DOJ and FTC, with input from FFIEC. Released November 10th.
Salient banking-related points:
- Decrease unnecessary use of SSNs
- Extend legislative protections while preserving GLBA
- Increase investigations and prosecutions, and improve remedies
- Empower State AG enforcement, but with an FBA carve-out
- Establish a National Identity Theft Center
- Evaluate FACT Act and credit freeze impact
Multi-Factor Authentication Guidance
The key point: where single-factor authentication is inadequate, FIs should implement multi-factor authentication, layered security, or other comparable controls reasonably calculated to mitigate the risks.
What Does This Mean to the Industry?
- Regulators expect financial institutions to step it up a notch in terms of online security.
- FIs have an obligation to secure a delivery channel they build and have made available to consumers.
- The time-frame for compliance is aggressive, but reasonable.
- Examiners will review compliance efforts on a case-by-case basis.
- The guidance is flexible; it does not mandate a specific technology solution.
- Regulators expect new technologies to continue to be introduced.
- Special considerations apply for FIs affected by recent hurricanes.
FAQs
- Is there an approved list of solutions?
- Is the Appendix an exclusive list of solutions?
- Can an FI just complete its risk assessment by year-end 2006?
- Do the regulators expect FIs to run out and buy hardware tokens for all their customers?
- Is there a template for the risk assessment?
- Are agencies considering additional guidance?
- Can an FI decide that stronger authentication is unnecessary?
- Can an FI rely on its service provider's risk assessment?
- Can an FI permit customers to opt out of the stronger authentication?
- Does the guidance cover telephone banking?
Third-Party Due Diligence
- Third-party breaches: have they impacted examiner expectations?
- How are third parties such as Digital Insight examined?
- How can FIs buttress their third-party oversight?
For materials mentioned in these remarks go to www.aba.com/compliance/lba2006.htm
Other Compliance Contact Info
- Authentication expert Don Rhodes: drhodes@aba.com
- ID Theft experts Doug Johnson, djohnson@aba.com, or Nessa Feddis, nfeddis@aba.com
- compliance@aba.com or compmail@aba.com
- 1-800-551-2572: your hotline for support!
Thank you.