
What You Need To Know About Privacy and Why

Understand the key regulations and requirements for privacy protection in financial institutions, including GLBA and the Fair and Accurate Credit Transactions Act.


Presentation Transcript


  1. What You Need To Know About Privacy and Why
     Lynn A. Goldstein
     April 16, 2007

  2. Federal Gramm–Leach–Bliley Act

  3. GLBA Overview
  • Section 501(a) requires financial institutions to respect the privacy of their customers and to protect the security and confidentiality of those customers’ nonpublic information, and section 501(b) requires the establishment of appropriate standards relating to administrative, technical and physical safeguards
    • to insure the security and confidentiality of customer records and information;
    • to protect against any anticipated threats or hazards to the security or integrity of such records; and
    • to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
  • Section 503 requires financial institutions to provide customers with notice of their privacy policies and practices
  • Financial institutions are required to provide initial notice of privacy policies and practices in 2 circumstances:
    • For customers, notice must be provided at time of establishing customer relationship, i.e., when bank and consumer enter into continuing relationship
    • For consumers who are not customers, notice must be provided prior to disclosing nonpublic personal information about consumer to nonaffiliated third party
  • Financial institutions are required to provide notice of privacy policies and practices at least annually to customers during continuation of customer relationship

  4. The Fair and Accurate Credit Transactions Act of 2003
  • Section 216 requires final regulations (which are consistent with the requirements of and regulations issued pursuant to GLBA) to be issued “requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose to properly dispose of such information or compilation.”

  5. The Privacy Regulations Under GLBA
  • The Privacy Regulations govern the treatment of nonpublic personal information about consumers by a financial institution. They:
    • Require a financial institution to provide notice to customers about its privacy policies and practices;
    • Describe the conditions under which a financial institution may disclose nonpublic personal information about consumers to third parties; and
    • Provide a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure subject to certain exceptions.
  • The Privacy Regulations apply only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes
    • They do not apply to information about individuals who obtain financial products and services for business, commercial, or agricultural purposes.

  6. When Privacy Policy Needs to be Provided to Customer
  • Customer relationship is established when bank and consumer enter into continuing relationship
    • Loan
      • When bank originates loan to consumer for personal, family or household purposes
      • If bank subsequently transfers servicing rights to loan to another financial institution, customer relationship transfers with servicing rights
    • Other situations. Bank establishes customer relationship when consumer
      • Opens credit card account with bank
      • Executes contract to open deposit account with bank, obtains credit from bank, or purchases insurance from bank
      • Agrees to obtain financial, economic or investment advisory services from bank for fee
      • Becomes bank’s client for purpose of bank’s providing credit counseling or tax preparation services
  • Initial notice may be provided within reasonable time after bank establishes customer relationship if
    • Establishing customer relationship is not at customer’s election
      • If bank acquires customer’s deposit liability or servicing rights to customer’s loan from another financial institution and customer does not have choice about bank’s acquisition

  7. When Privacy Policy Needs to be Provided to Customer – cont.
    • Would substantially delay customer’s transaction and customer agrees to receive notice at later time
      • Bank and individual agree over telephone to enter into customer relationship involving prompt delivery of financial product or service, or
      • Bank establishes customer relationship with individual under student loan programs where loan proceeds are disbursed promptly without prior communication between bank and customer
    • Would not substantially delay customer’s transaction when relationship is initiated in person at bank’s office or through other means by which customer may view notice, such as on web site

  8. When Privacy Policy Needs to be Provided to Non-Customer
  • Notice must be provided prior to disclosing nonpublic personal information about consumer to nonaffiliated third party
  • “non-public personal information” means “personally identifiable financial information” and any list, description or other grouping of consumers derived using any personally identifiable financial information that is not publicly available
  • “personally identifiable financial information” means any information
    • consumer provides to bank to obtain financial product or service from bank
    • about consumer resulting from any transaction involving financial product or service between bank and consumer or
    • bank otherwise obtains about consumer in connection with providing financial product or service to that consumer

  9. Information To Be Included in Initial and Annual Privacy Notices
  • GLBA identifies items of information that must be included in financial institution’s initial and annual notices
  • Categories of nonpublic personal information bank collects. Bank satisfies this requirement if it lists following categories, as applicable:
    • Information from consumer
    • Information about consumer’s transactions with bank or its affiliates
    • Information about consumer’s transactions with non-affiliated third parties and
    • Information from consumer reporting agency
  • Categories of nonpublic personal information bank discloses. Bank satisfies this requirement if it lists:
    • Categories of nonpublic personal information bank collects, as applicable, and
    • Some examples to illustrate types of information in each category
  • Categories of affiliates and nonaffiliated third parties to whom bank discloses nonpublic personal information. Bank satisfies this requirement if it lists following categories, as applicable, and a few examples to illustrate types of third parties in each category:
    • Financial service providers
    • Non-financial companies, and
    • Others

  10. Information To Be Included in Initial and Annual Privacy Notices – cont.
  • Categories of nonpublic personal information about bank’s former customers bank discloses and categories of affiliates and nonaffiliated third parties to whom bank discloses nonpublic personal information about bank’s former customers
  • If bank discloses nonpublic personal information to nonaffiliated third party to perform services for bank or functions on bank’s behalf, separate statement of categories of information bank discloses and categories of third parties with whom bank has contracted. Bank satisfies this requirement if it
    • Lists categories of nonpublic personal information it discloses, and
    • States whether third party is
      • Service provider that performs marketing services on bank’s behalf or on behalf of bank and another financial institution or
      • Financial institution with whom bank has joint marketing agreement
  • Explanation of consumer’s right to opt out of disclosure of nonpublic personal information to nonaffiliated third parties, including methods by which consumer may exercise that right at that time
  • Any disclosure bank makes under FCRA, i.e., notices regarding ability to opt out of disclosures of information among affiliates

  11. Information To Be Included in Initial and Annual Privacy Notices – cont.
  • Bank’s policies and practices with respect to protecting confidentiality and security of nonpublic personal information. Bank satisfies this requirement if it does both of the following:
    • Describes in general terms who is authorized to have access to information, and
    • States whether bank has security practices and procedures in place to ensure confidentiality of information in accordance with bank’s policy
  • Any disclosures it makes to other nonaffiliated third parties as permitted by law
  • If bank is going to disclose nonpublic personal information to nonaffiliated third parties (which is not otherwise permitted by exception), notice must state:
    • Bank discloses or reserves right to disclose nonpublic personal information about consumer to nonaffiliated third party
    • Consumer has right to opt out of that disclosure
      • Opt out means direction by consumer that bank not disclose nonpublic personal information about that consumer to nonaffiliated third party unless otherwise permitted

  12. Information To Be Included in Initial and Annual Privacy Notices – cont.
    • Reasonable means by which consumer may exercise opt out right
      • Designates check-off boxes in prominent position on relevant forms with opt out notice
      • Includes reply form together with opt out notice
      • Provides electronic means to opt out if consumer agrees to electronic delivery of information or
      • Provides toll-free telephone number that consumer may call to opt out
    • How bank will treat opt out direction by joint consumers

  13. Delivery of Annual Privacy Notices
  • Bank must provide notice so that each consumer can reasonably be expected to receive actual notice in writing or, if consumer agrees, electronically:
    • Hand-delivers printed copy of notice to consumer
    • Mails printed copy of notice to last known address of consumer
    • For consumer who conducts transactions electronically, posts notice on electronic site and requires consumer to acknowledge receipt of notice as necessary step to obtaining particular financial product or service
    • For isolated transaction with consumer, such as ATM transaction, posts notice on ATM screen and requires consumer to acknowledge receipt of notice as necessary step to obtaining particular financial product or service
  • Bank is not required to provide annual notice to customer if customer relationship has been discontinued.
  • Bank is not required to provide annual notice to former customer
    • Customer is former customer if:
      • Deposit account is inactive
      • Closed-end loan has been paid in full, has been charged off or sold off and bank has not retained servicing rights
      • Credit card relationship or other open-end credit relationship and
        • Bank no longer provides any statements or notices to customer concerning relationship or
        • Bank sells credit card receivables without retaining servicing rights
      • Bank has not communicated with customer about relationship for 12 consecutive months

  14. How/When Initial Privacy Policies Are Distributed to Customers

  15. Interagency Guidelines Establishing Standards for Safeguarding Customer Information
  • Standards for Safeguarding Customer Information
    • Information Security Program
      • Each bank shall implement a comprehensive written information security program that includes administrative, technical and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities
      • While all parts of the bank are not required to implement a uniform set of policies, all elements of the information security program must be coordinated
    • Objectives. A bank’s information security program shall be designed to:
      • Ensure the security and confidentiality of customer information;
      • Protect against any anticipated threats or hazards to the security or integrity of such information;
      • Protect against any unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
      • Ensure the proper disposal of customer information and consumer information.
  • Development and Implementation of Information Security Program
    • Involve the Board of Directors. The directors or an appropriate committee of the board of each bank shall:
      • Approve the bank’s written information security program; and

  16. Safeguards Guidelines - cont'd
      • Oversee the development, implementation, and maintenance of the bank’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.
    • Assess Risk. Each bank shall:
      • Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
      • Assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information
      • Assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
    • Manage and Control Risk. Each bank shall:
      • Design its information security program to control identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the bank’s activities. Each bank must consider whether the following security measures are appropriate for the bank and, if so, adopt those measures the bank concludes are appropriate:
        • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

  17. Safeguards Guidelines - cont'd
        • Access restrictions at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals;
        • Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;
        • Procedures designed to ensure that customer information system modifications are consistent with the bank’s information security programs;
        • Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;
        • Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;
        • Response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and
        • Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage or technological failures.

  18. Safeguards Guidelines – cont'd
      • Train staff to implement the bank’s information security program
      • Regularly test the key controls, systems and procedures of the information security program.
        • The frequency and nature of such tests should be determined by the bank’s risk assessment.
        • Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
      • Develop, implement, and maintain as part of its information security program, appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements for the development and implementation of an information security program.
    • Oversee Service Provider Arrangements. Each Bank shall:
      • Exercise appropriate due diligence in selecting its service providers;
      • Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
      • Where indicated by the bank’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required above.

  19. Safeguards Guidelines – cont'd
        • As part of this monitoring, a bank should review audits, summaries of test results, or other equivalent evaluations of its service providers.
    • Adjust the Program. Each bank shall:
      • Monitor, evaluate, and adjust, as appropriate, the information security program in light of:
        • Any relevant changes in technology,
        • The sensitivity of its customer information,
        • Internal or external threats to information, and
        • The bank’s own changing business arrangements, such as:
          • Mergers and acquisitions,
          • Alliances and joint ventures,
          • Outsourcing arrangements, and
          • Changes to customer information systems.
    • Report to the Board
      • Each bank shall report to its board or an appropriate committee of the board at least annually.
      • This report shall describe the overall status of the information security program and the bank’s compliance with these Guidelines.
      • The reports should discuss material matters related to its program, addressing issues such as:

  20. Safeguards Guidelines – cont'd
        • Risk assessment;
        • Risk management and control decisions;
        • Service provider arrangements;
        • Results of testing;
        • Security breaches or violations and management’s responses; and
        • Recommendations for changes in the information security program.
  • Implement the Standards
    • Effective Date. Each bank must have already implemented an information security program pursuant to these Guidelines.
    • Exception for Existing Agreements with Service Providers Relating to the Disposal of Consumer Information.
      • A bank’s contracts with its service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must have complied with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.

  21. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
  • This is an interpretation of the requirements of section 501(b) of GLBA and the Safeguards Guidelines to include the development and implementation of a response program to address unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to a customer.
  • Components of a Response Program. Every financial institution should develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems maintained by the financial institution itself or by its domestic and foreign service providers.
    • At a minimum, an institution’s response program should contain procedures for the following:
      • Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
      • Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;
      • Consistent with the Agencies’ Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;

  22. Response Programs Guidance - cont'd
      • Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
      • Notifying customers when warranted.
    • Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution’s service providers, it is the responsibility of the financial institution to notify the institution’s customers and regulator.
      • An institution may authorize or contract with its service provider to notify the institution’s customers or regulator on its behalf.
  • Customer Notice. Notifying customers of a security incident involving the unauthorized access to or use of the customer’s information in accordance with the standard set forth below is a key part of a financial institution’s affirmative duty to protect their customers’ information against unauthorized access or use
    • Standard for Providing Notice
      • When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that the information has been or will be misused.

  23. Response Programs Guidance - cont'd
      • Under the Security Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
      • Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft.
      • For purposes of this Guidance, sensitive customer information:
        • Means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account, and
        • Includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.
      • If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.

  24. Response Programs Guidance - cont'd
      • If a financial institution, based upon its investigation, can determine from its logs or other data precisely which customer’s information has been improperly accessed, it may limit notification to those customers with regard to whom the institution determines that misuse of their information has occurred or is reasonably possible.
      • There may be situations where the institution determines that a group of files has been accessed improperly but is unable to identify which customers’ information has been accessed.
        • If the circumstances of the unauthorized access lead the institution to determine that misuse of the information is reasonably possible, it should notify all customers in the group.
      • Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.
        • The institution should notify its customers as soon as notification will no longer interfere with the investigation.
    • Content of Customer Notice
      • Customer notice should be given in a clear and conspicuous manner
      • The notice should:
        • Describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use

  25. Response Programs Guidance - cont'd
        • Generally describe what the institution has done to protect the customers’ information from further unauthorized access
        • Include a telephone number that customers can call for further information and assistance
        • Remind customers of the need to:
          • Remain vigilant over the next twelve to twenty-four months, and
          • Promptly report incidents of suspected identity theft to the institution
        • Include the following additional items, when appropriate:
          • A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
          • A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
          • A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
          • An explanation of how the customer may obtain a credit report free of charge; and
          • Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft. The notice should:

  26. Response Programs Guidance - cont'd
            • Encourage the customer to report any incidents of identity theft to the FTC, and
            • Provide the FTC’s Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.
      • Financial institutions are encouraged to notify the nationwide consumer reporting agencies prior to sending notices to a large number of customers that include contact information for the reporting agencies.
    • Delivery of Customer Notice
      • Customer notice should be delivered in any manner designed to ensure that a customer can reasonably be expected to receive it.
      • For example, the institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically.

  27. STATE SECURITY BREACH NOTIFICATION LAWS

  28. Generally
  • 35 states plus the District of Columbia and Puerto Rico have adopted security breach notification laws
  • Notification is required when there has been an unauthorized acquisition of unencrypted computerized personal information
  • “Personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following:
    • Social Security Number
    • Driver’s license or state identification card number
    • Account, credit or debit card number in combination with required security code, access code or password that would permit access to an individual’s financial account
  • Written or electronic, or under limited circumstances substitute, notice is allowed
  • Disclosure should be made in most reasonable time possible and without unreasonable delay
  • Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation
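The two definitions the slides give (the Guidance's "sensitive customer information" on slide 23 and the typical state-law "personal information" on slide 28) and the notification-scope rules on slide 24 can be turned into a repeatable triage check. The Python below is an added example, not part of the presentation: the data-element labels, the Incident record and the triage function are this example's own constructed names, and it models only the generic state rule, not the state-by-state differences listed next.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Data-element labels are this example's own names for the items the
# slides list; a real exposed record would be mapped onto them first.
IDENTIFIERS = {"name", "address", "telephone"}
SENSITIVE_ELEMENTS = {"ssn", "drivers_license", "account_number",
                      "card_number", "pin", "password"}
# Element combinations that on their own would let someone log on to or
# access the customer's account (slide 23, second bullet).
ACCESS_COMBINATIONS = [{"username", "password"}, {"password", "account_number"}]


def is_sensitive_customer_info(elements: Set[str]) -> bool:
    """Interagency Guidance test (slide 23): name, address or telephone
    number together with SSN, driver's licence number, account or card
    number, or a PIN/password permitting account access; or any
    combination of elements that would allow account access."""
    if elements & IDENTIFIERS and elements & SENSITIVE_ELEMENTS:
        return True
    return any(combo <= elements for combo in ACCESS_COMBINATIONS)


def is_state_personal_info(elements: Set[str], encrypted: bool,
                           computerized: bool = True) -> bool:
    """Generic state breach-law test (slide 28): name plus SSN, driver's
    licence/state ID number, or an account/card number together with the
    code that permits account access; only unencrypted computerized data
    is covered.  (Some states also cover paper records; not modelled.)"""
    if encrypted or not computerized or "name" not in elements:
        return False
    if elements & {"ssn", "drivers_license"}:
        return True
    has_account = bool(elements & {"account_number", "card_number"})
    has_code = bool(elements & {"pin", "password", "security_code"})
    return has_account and has_code


@dataclass
class Incident:
    """Constructed incident record; the fields are this example's own."""
    exposed_elements: Set[str]
    encrypted: bool
    affected_group: Set[str]                # customers whose files were in scope
    accessed_customers: Optional[Set[str]]  # None: logs cannot pinpoint who
    misuse_reasonably_possible: bool        # result of the reasonable investigation
    law_enforcement_written_delay: bool = False


def triage(inc: Incident) -> Dict[str, object]:
    """Apply the notification rules on slides 21-24 to one incident."""
    sensitive = is_sensitive_customer_info(inc.exposed_elements)
    result: Dict[str, object] = {
        # Primary Federal regulator: as soon as the institution is aware of
        # unauthorized access to sensitive customer information (slide 21).
        "notify_regulator": sensitive,
        "state_law_triggered": is_state_personal_info(inc.exposed_elements,
                                                      inc.encrypted),
        "notify_customers": set(),
        "customer_notice_delayed": False,
    }
    if sensitive and inc.misuse_reasonably_possible:
        if inc.accessed_customers is not None:
            # Logs identify exactly whose data was accessed: notice may be
            # limited to those customers (slide 24).
            result["notify_customers"] = set(inc.accessed_customers)
        else:
            # A group of files was accessed but the victims cannot be
            # identified: notify everyone in the group (slide 24).
            result["notify_customers"] = set(inc.affected_group)
        # Delay only on a written request from law enforcement; notice is
        # still owed once it no longer interferes (slide 24).
        result["customer_notice_delayed"] = inc.law_enforcement_written_delay
    return result


if __name__ == "__main__":
    # Constructed sample: a file share holding names, account numbers and
    # online-banking passwords for three customers was read by an outsider;
    # the access logs do not record which files were opened.
    sample = Incident(
        exposed_elements={"name", "account_number", "password"},
        encrypted=False,
        affected_group={"cust-1", "cust-2", "cust-3"},
        accessed_customers=None,
        misuse_reasonably_possible=True,
    )
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```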

  29. Differences
  • In some states (e.g. HI, IN, NC, WI) and New York City, paper data as well as computerized data is covered
  • In some states, definition of personal information includes:
    • Medical information (e.g. AK, DE)
    • Biometric data or fingerprints (e.g. NC, WI and New York City)
    • Date of birth (e.g. ND)
    • Mother’s maiden name (e.g. ND and New York City)
    • Employer identification number (e.g. ND)
    • Financial account number, credit or debit card number alone (e.g. GA, ME, VT)
  • Some states require notification of state/local agencies (e.g. HI, ME, NH, NJ, NY, NC, and Puerto Rico and New York City)
  • Some states require coordination with consumer reporting agencies (e.g. CO, DC, FL, GA, HI, IN, KS, ME, MI, MN, MT, NV, NH, NJ, NY, NC, OH, PA, TN, TX, VT, WI)
  • Some states require notice to be given within 45 days (e.g. FL, OH)
  • Some states have specific content requirements for the notice (e.g. HI, MI, NH, NY, NC, VT, WI)
  • Some states allow telephone notice (e.g. AZ, CO, CT, DE, HI, ID, IN, MI, MN, MT, NE, NV, NH, NJ, NY, NC, UT, VT)

  30. Differences – cont.
  • IL does not allow a delay in notification if law enforcement requests it
  • Some state laws do not apply to financial institutions (or GLBA is deemed compliance with that state’s law) (AZ, AK, CO, CT, DE, FL, GA, HI, ID, IN, KS, LA, MI, MN, NE, NV, NH, NC, ND, OH, OK, PA, RI, TN, UT, VT, WI)

  31. Risks for Financial Institutions

  32. Outside Service Providers with Possession of or Access to Personal Information
  • Confidential Information, Firm Data, and Personal Information
    • Define these terms
    • Limit access to and maintain confidentiality of such information
    • Require establishment and maintenance of appropriate safeguards regarding such information
    • Require prompt notice if OSP becomes aware of
      • Breach of information security procedures
      • Loss or unauthorized access to or use of such information
      • Any attempt to access, disclose, use, alter, destroy such information
    • Prohibit use of such information to contact any person
    • Require compliance with applicable privacy and data protection laws
    • Require cooperation with relevant authorities with respect to such information
  • Security
    • Require compliance with all of firm’s safety and security procedures and standards
    • Require compliance with ISO/IEC 17799 (Information Technology – Code of Practice for Information Security Management)
    • Require a report by an independent third party audit firm describing OSP control policies and procedures (may be satisfied by a Type II SAS 70 Report) to be provided

  33. Outside Service Providers with Possession of or Access to Personal Information – cont’d.
    • Require certificate of compliance with SEI CMM Level 5 to be delivered
    • Require firm to be notified of any events that adversely affect OSP’s ability to perform its obligations
    • Allow firm to conduct ethical hack
    • Take all reasonable precautions against “hacker” attempts
  • Subcontractors
    • Prohibit use of subcontractor without firm’s prior written consent
    • Require subcontractor to protect Confidential Information, Firm Data, and Personal Information in manner substantially equivalent to that of OSP
  • Audit Rights
    • Require auditors, regulators and outside auditors to be provided access for the purpose of performing audits or on-site inspections
  • Ownership
    • Require firm to be exclusive owner of and to hold and retain all right, title and interest in and to Firm’s Data
  • Security Reporting
    • Require firm to be immediately informed of any breaches or attempted breaches in security
    • Require performance of a root cause analysis in event of a security breach, provision of a report detailing cause of such breach and within specified time period remedy of such breach

  34. Outside Service Providers with Possession of or Access to Personal Information – cont’d.
    • Require current report by an independent third party audit firm describing OSP control policies and procedures (may be satisfied by a Type II SAS 70 Report)
    • Require independent third party nonfinancial reports and, if available, internal audit reports.
    • Require written periodic reports on
      • System and network security incidents and access violations and remediation or action plans
      • Confidential Information, Firm Data and Personal Information incidents and breaches and remediation or action plans
      • Security vulnerability scans or penetration tests and remediation or action plans
  • Insurance
    • Workers’ Compensation and Employer’s Liability
    • Commercial General Liability
    • Automobile Liability
    • All Risk Motor Truck Cargo Insurance
    • Commercial Blanket Bond
    • Computer Software Design Errors and Omissions or Similar Professional Liability/Errors and Omissions Liability
  • Dispute Resolution
  • Business Continuity/Disaster Recovery
  • Scope of services and service level agreements

  35. Phishing
  • A form of social engineering in which an attacker, also known as a phisher, attempts to fraudulently retrieve legitimate user’s confidential or sensitive credentials by mimicking electronic communications from a trustworthy or public organization in an automatic fashion
  • Such communications are frequently done through emails that direct users to fraudulent websites that in turn collect the credentials in question for the purpose of theft, fraud, and money-laundering
  • Examples of credentials frequently of interest to phishers are passwords, credit card numbers, social security and other national identification numbers, and bank account details
  • The word phishing is an evolution of the word fishing by hackers who frequently replace the letter “f” with the letters “ph”
  • The word arises from the fact that users, or phish, are lured by the mimicked communication to a trap or hook that retrieves their confidential information
  Source: Steven Myers, Phishing and Countermeasures (2007)

  36. Identity Theft
  • The term “identity theft” means a fraud committed or attempted using the identifying information of another person without authority
  • The term “identifying information” means any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any
    • name, social security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
    • unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
    • unique electronic identification numbers, address, or routing code; or
    • telecommunication identifying information or access device
  Source: 16 CFR § 603.2

  37. Removable Media
  • Computer storage devices which are not fixed inside a computer
  • Examples
    • Compact Flash
    • CDs
    • External hard drives
    • Floppy Disks
    • MultiMedia Cards
    • SD Cards
    • USB Flash Drives
    • xD-Picture Card
  Source: Wikipedia

  38. What the Future Might Bring
