
Sensitive Information in Financial Services


Presentation Transcript


  1. Sensitive Information in Financial Services November 14th, 2003 CS 457a G. Fuldner

  2. Why is Sensitive Information Important in Financial Services?
     • It is an information-based industry
     • Almost all information generated in financial services is potentially sensitive/private
     • There is often potential for significant monetary loss due to lack of privacy

  3. Outline
     • Regulations
     • Current Problems
     • Possible Solutions

  4. Regulations

  5. Gramm-Leach-Bliley
     • Official Title: The Financial Modernization Act of 1999
     • Ends depression-era separation of investment and commercial banking
     • Establishes financial privacy rules and safeguards that must be followed to protect financial data

  6. Definition: Nonpublic Personal Information
     • “Nonpublic personal information” is personally identifiable financial information:
        • Provided by a consumer to a financial institution;
        • Resulting from any transaction with the consumer or any service performed for the consumer; or
        • Otherwise obtained by the financial institution
     • Publicly available information is not included
     • Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information is also defined as nonpublic personal information.

  7. GLB: Privacy Rule
     • A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless
        • The institution has disclosed to the consumer in writing or electronic form that the information may be disclosed to a third party.
        • The consumer has been given the opportunity to opt out.
     • Financial institutions are furthermore required to provide customers with annual notices of privacy policies, including a listing of the types of nonpublic personal information that it gathers.

  8. GLB: Privacy Rule II
     • A financial institution is free to disclose nonpublic personal information to nonaffiliated third parties under many exceptions
        • “To effect, administer, or enforce a transaction requested or authorized by the consumer”
        • To service or maintain a consumer’s account
        • In connection with a securitization or sale of a consumer’s account
        • At the direction of the consumer
        • To prevent fraud or unauthorized transactions
        • For credit reporting purposes
        • In connection with the sale of the institution or a business unit
        • At the request of law enforcement

  9. GLB: Who must comply?
     • Businesses that are “significantly engaged” in providing financial products or services to consumers
     • For example
        • Banks/Credit Unions
        • Mortgage or Credit Card Lenders
        • Securities Brokers
        • Investment Advisors
        • Insurers
        • Check-Cashers
        • Credit Reporting Agencies
        • ATM Operators

  10. GLB: Safeguards
     • Financial regulators define standards for the financial institution relating to administrative, technical, and physical safeguards
        (1) to insure the security and confidentiality of customer records and information;
        (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
        (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

  11. GLB: Safeguards II
     • Data Safeguard Standards (FTC Example)
        • Designate an information security coordinator
        • Identify reasonably foreseeable internal and external risks of unauthorized disclosure of nonpublic information
        • Employee training
        • Information systems design risk assessment
        • Intrusion detection and system monitoring
        • Appropriate vendor and service provider oversight

  12. Effects of GLB
     • Lots of small-type privacy disclosure forms
     • Financial institutions must think about privacy as a part of their broader regulatory compliance process
     • Actual IT process impact is limited to the margins.
     • Common compliance efforts include
        • Firewalls
        • Network penetration testing / security audits
        • SSL in website communications
        • VPNs for internal corporate communication

  13. Other Relevant Legislation
     • USA Patriot Act
        • Requires banks to positively identify new customers and check names against lists of known terrorists.
        • NOTE: the identification requirement makes anonymity-based customer privacy schemes impossible
     • Bank Secrecy Act
        • Gives law enforcement broad powers to access nonpublic financial information
        • Requires banks to report suspicious activity

  14. Current Problems

  15. Information Risk Factors
     • High dependence on information transfer between economic agents to conduct financial transactions
     • Industry consolidation has created large conglomerates (ex. Citigroup, BofA) with large distributed IT infrastructures
     • Large numbers of customer service and back-office workers (ex. tellers, call center reps) have broad access to sensitive customer data.
     • Increased use of outsourcing distributes sensitive customer data to third parties who have lower incentives to preserve customer privacy.

  16. Some Recent Failures
     • May 2002: A teller at Bank One sells lists of customer information to an identity theft ring.
     • February 2003: 8 million credit card numbers stolen by hackers from the computer system of a Nebraska transaction processor.
     • Phishing - An emerging spam problem where users get a malicious e-mail that looks like a financial institution website (ex. Paypal.com) and requests users to enter passwords or other account information.
     Sources: SmartMoney, CNN

  17. Basic Problems Still Exist
     • 66% of large financial institutions studied by IBM and Watchfire had one or more Web forms that collected personally identifiable information but did not use SSL encryption.
     • 91% of the companies studied allowed weak forms of SSL (ex. 40-bit RSA) on their websites, while 128-bit is recommended by Federal bank regulators.
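The first finding on slide 17 is something a defender can check for in their own pages. The following is an added example, not part of the presentation and not the IBM/Watchfire tool: it parses a page's forms and flags any that collect personally identifiable or account data but submit to a non-HTTPS action. The sample page, URL and the list of field-name hints are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names that suggest a form collects PII or account data
# (a constructed heuristic list; extend it for your own forms).
PII_FIELD_HINTS = ("ssn", "social", "password", "pin", "account", "card", "dob", "birth")

class FormAuditor(HTMLParser):
    """Collect every <form> with its resolved action URL and its input names/types."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action submits to the page's own URL, so the
            # page's own scheme decides whether the data travels in the clear.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            if name:
                self._current["fields"].append((name, (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def collects_pii(fields):
    return any(t == "password" or any(h in n for h in PII_FIELD_HINTS) for n, t in fields)

def find_unprotected_forms(page_url, html):
    """Return the action URLs of forms that collect PII but do not submit over HTTPS."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [f["action"] for f in auditor.forms
            if collects_pii(f["fields"]) and urlparse(f["action"]).scheme != "https"]

# Constructed sample page: the login form posts to HTTPS, the enrolment form does not.
SAMPLE_URL = "http://bank.example/apply"
SAMPLE_HTML = """
<form action="https://secure.bank.example/login"><input name="user"><input type="password" name="pw"></form>
<form action="/enroll"><input name="full_name"><input name="ssn"><input name="account_number"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for action in find_unprotected_forms(SAMPLE_URL, SAMPLE_HTML):
        print("PII form submitted without SSL/TLS:", action)
```

This only checks the transport scheme; the second finding on the slide (weak cipher strength) has to be checked at the TLS layer, not in the HTML.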

  18. Possible Solutions

  19. Industry Needs
     • Secure methods for institutions to identify customers (ex. a replacement for SS# and mother’s maiden name).
     • Secure methods for customers to identify institutions electronically (ex. a means of verifying the authenticity of a bank website)
     • Data access control systems that restrict access to nonpublic personal information to those who need to know and provide an audit trail of access policy exceptions
     • Standard methods of enforcing data-use policies with third-party service providers.
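One way to implement the third need above (need-to-know access to nonpublic personal information with an audit trail of policy exceptions), as an added example that is not part of the presentation. The roles, the NPI field names and the justification text are constructed assumptions; the roles echo the tellers and call center reps of slide 15.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Need-to-know matrix: which NPI elements each role requires for its job.
# Role and field names are constructed for this example.
NEED_TO_KNOW = {
    "teller":        {"name", "account_number", "balance"},
    "call_center":   {"name", "account_number", "last_transactions"},
    "fraud_analyst": {"name", "account_number", "ssn", "last_transactions"},
}

@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    customer_id: str
    excess_fields: tuple   # the requested fields outside the role's need-to-know
    decision: str
    justification: str

@dataclass
class NpiAccessControl:
    audit_log: list = field(default_factory=list)

    def request(self, actor, role, customer_id, fields, justification=""):
        """Release the fields the role needs to know; anything beyond that is a
        policy exception that needs a justification and is always written to the audit trail."""
        allowed = NEED_TO_KNOW.get(role, set())
        requested = set(fields)
        excess = requested - allowed
        if not excess:
            decision = "granted"
        elif justification:
            decision = "granted-exception"
        else:
            decision = "denied"
        if excess:  # both approved exceptions and refusals are recorded
            self.audit_log.append(AuditEvent(
                datetime.now(timezone.utc).isoformat(), actor, role, customer_id,
                tuple(sorted(excess)), decision, justification))
        # A refused exception still releases the part of the request the role may see.
        released = requested if decision == "granted-exception" else requested & allowed
        return decision, sorted(released)

    def exceptions(self):
        """The audit trail of access policy exceptions the slide asks for."""
        return [e for e in self.audit_log if e.decision == "granted-exception"]
```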

  20. Resources
     • Watchfire (www.watchfire.com) - a suite of IT infrastructure privacy monitoring software tools and consulting services.
