Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm-Leach-Bliley Act (GLBA) regulations. The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC).

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers. On December 1, 2009, the agencies adopted a Model Form (.pdf), based on lengthy quantitative testing and research, to provide financial institutions with a safe harbor for compliance with the privacy notice requirement. Financial institutions are still free to draft their own privacy notices, but they are responsible for making sure that their own notices contain all the required elements.

The online form builder consists of a linked set of instructions (.pdf) that leads financial institutions to one of four forms, selected depending on whether the company is providing customers with a right to opt out or elects to allow affiliate marketing.

GLBA Privacy Notice Forms:


Incident of the Week: Russian Company Proves That WiFi/Wireless Networks No Longer Secure

ElcomSoft Co. Ltd., a Moscow-based "password recovery" company, has announced that its software can make an encrypted wireless network accessible using only a PC and the computing power of consumer graphics cards from Nvidia. This software would appear to allow anyone to intercept internet traffic over wireless networks encrypted with the WPA or WPA2 algorithms. British security consultancy Global Secure Systems says that this is "extremely worrying" and has indicated that this means that WiFi networks are no longer secure.

Decrypting wireless traffic by guessing the encryption key, a "brute force" decryption, has been a possibility for some time; however, the limited computing power of most personal computers has prevented this from becoming a realistic threat (e.g., a computer attempting to guess the right password might take months or years to guess correctly). New leaps in computing power have changed this landscape. Graphics card companies like Nvidia have opened up the computing power bottleneck by allowing developers to run programs on the high-powered parallel processors used in consumer graphics cards. The end result is that buying a new video card and a $1,200 software package reportedly could speed up a brute force decryption by 10,000 percent (and the same graphics card will let you play the newest PC games and speed up a variety of other, more innocent applications like Adobe Photoshop). As a result, our use of wireless networks, everything from passwords to email, could be intercepted and decrypted relatively easily.
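The threat described above comes down to how many passphrase guesses per second an attacker can afford, and the defence comes down to passphrase entropy. The following added example (not from the post or from ElcomSoft) derives a WPA/WPA2-PSK network key the standard way, measures this machine's derivation rate, and projects how long an exhaustive search would take at a hundredfold (the post's "10,000 percent") speed-up for passphrases of different strengths. The 100x factor and the sample passphrase sizes are assumptions for illustration.

```python
import hashlib
import math
import time

# WPA/WPA2-PSK derives its 256-bit pairwise master key (PMK) from the passphrase
# and SSID using PBKDF2-HMAC-SHA1 with 4096 iterations (IEEE 802.11i). Every
# brute-force guess must repeat this derivation, so the guess rate is bounded by
# how fast the attacker's hardware can run these 4096 rounds.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for a WPA/WPA2-PSK network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               PBKDF2_ITERATIONS, PMK_LEN)


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected search time: on average half the keyspace must be tried."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def benchmark_guesses_per_second(ssid: str = "example", samples: int = 50) -> float:
    """Measure how many PMK derivations one CPU core performs per second."""
    start = time.perf_counter()
    for i in range(samples):
        derive_pmk(f"sample-passphrase-{i}", ssid)  # constructed sample input
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    cpu_rate = benchmark_guesses_per_second()
    gpu_rate = cpu_rate * 100  # assumed 100x GPU speed-up, per the post's figure
    # Three assumed passphrase policies, from weak to strong.
    for label, length, alphabet in [("8 lowercase letters", 8, 26),
                                    ("8 mixed printable", 8, 95),
                                    ("20 random printable", 20, 95)]:
        bits = passphrase_entropy_bits(length, alphabet)
        years = expected_crack_seconds(bits, gpu_rate) / (365 * 24 * 3600)
        print(f"{label}: {bits:.0f} bits, ~{years:.3g} years "
              f"at {gpu_rate:,.0f} guesses/s")
```

The point for a security program is visible in the output: a hundredfold speed-up erases roughly 7 bits of passphrase strength, which matters for a short dictionary-style passphrase but is irrelevant against a long random one.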

David Hobson of Global Secure Systems indicates that anyone with a high-end graphics card has "a machine capable of tumbling wireless keys out of the ether and decrypting them in a matter of hours rather than months." In an interview with SC Magazine, Hobson takes the view that additional security measures, such as running an encrypted VPN (Virtual Private Network), are now necessary to comply with the UK Data Protection Act. Similarly, U.S. companies in the EU Safe Harbor Program or complying with U.S. information security rules, such as Gramm-Leach-Bliley Act regulations, HIPAA or federal and state identity theft rules, need to consider whether their wireless networks are appropriately secured against this threat. Businesses transferring regulated information over WiFi networks may need to adjust their information security programs and practices accordingly.

Links:


Isn't There Already A Federal Standard Governing Information Security? -- Re-Examining the Gramm-Leach-Bliley Act

By Stacy Anderson and Gabriel M. Helmer.

As an ever-increasing number of states enact legislation governing identity theft, customer data and personal information, pressure for clear federal legislation governing information security has mounted. For example, in December 2008, the FTC joined the growing number of voices calling on Congress to enact legislation creating a single federal standard for the handling of personal information. (See our report here.) As we see movement towards a unifying federal standard, we are also observing a growing insistence that such legislation be consistent with the customer data security requirements of the Gramm-Leach-Bliley Financial Modernization Act of 1999 (GLBA) and its implementing regulations. As a result, even industries that are not required to comply with GLBA may wish to become familiar with its requirements.

Section 501(b) of GLBA requires agencies with oversight over financial institutions to establish standards relating to administrative, technical and physical safeguards for three purposes: (1) to insure the security and confidentiality of customer information, (2) to protect against any anticipated threats to the security of customer information, and (3) to protect against unauthorized access or use of customer information.

In 2001, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) issued the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. These guidelines require that financial institutions adopt an information security plan, which must be approved by the institution's Board. The plan must assess, manage and control threats that could result in unauthorized disclosure of information. The risk guidelines are flexible: they do not require that institutions implement specific risk control or assessment systems, but rather encourage them to adopt measures appropriate to their circumstances. Institutions are then required to monitor the plan and report to the Board annually. They must also ensure that their service providers implement appropriate measures to secure customer information. In 2005, the Department of the Treasury, the Board of Governors of the Federal Reserve System, and the FDIC issued the "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice." This guidance requires that institutions develop a response plan to address unauthorized access to customer information. As part of this process, institutions must notify customers if sensitive customer information has been improperly accessed and misuse of that information has occurred or is likely to occur.

In 2002, the Federal Trade Commission (FTC) issued its "Standards for Safeguarding Customer Information," commonly referred to as the Safeguards Rule. The rule applies to financial institutions over which the FTC has oversight and resembles the interagency guidelines for safeguarding customer information. Like those guidelines, the Safeguards Rule affords institutions considerable flexibility in implementing safeguards. Unlike the guidelines, the Safeguards Rule does not require that the information security plan be approved by the institution's board, and it does not contain customer notification requirements such as those set out in the Guidance on Response Programs, although the FTC does encourage entities to consider notifying customers in the event of a breach. In considering these federal regulations, it is worth noting that the FTC's recently issued Red Flag Rule implements the Fair and Accurate Credit Transactions Act of 2003 ("FACT Act"), not GLBA, although the FTC does anticipate that many institutions may have implemented some of the practices required under the Red Flag Rule as part of their efforts to conform with GLBA.

Of course, it remains to be seen whether broad federal legislation governing customer data security will be enacted and, if so, whether GLBA requirements will be used as a blueprint for such legislation. Regardless, an understanding of GLBA requirements and their effectiveness can help inform the debate around such legislation.

Links: