Regulators Provide Online Privacy Notice Builder to Help Financial Institutions Comply with Gramm Leach Bliley Act

Posted on April 22, 2010 by Gabriel M. Helmer

Last week a number of federal regulatory agencies rolled out an online privacy notice builder for financial institutions subject to one or more of the Gramm Leach Bliley Act (GLBA) regulations.   The agencies involved include the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), Office of Comptroller of Currency (OCC), Federal Deposit Insurance Corporation (FDIC ), Board of Governors of the Federal Reserve System (FRB), Office of Thrift Supervision (OTS), the National Credit Union Administration (NCUA) and the Commodity Futures Trading Commission (CFTC)

The GLBA regulations issued by these agencies require financial institutions to provide initial and annual privacy notices to customers.  On December 1, 2009, the agencies adopted a Model Form (.pdf) based on length quantitative testing and research to provide financial institutions with a safe harbor for compliance with the privacy notice requirement.  Financial institutions are still free to draft their own privacy notices, but are responsible for making sure that their own notices contain all the required elements. 

The online form builder consists of a linked set of instruction (.pdf) that leads financial institutions to one of four forms that are filled out depending on whether the company is providing customers with a right to opt-out or elects to allow affiliate marketing. 

GLBA Privacy Notice Forms:

 

Tags: , , , , , , , , , , , , ,

Incident of the Week: NCUA Issues Fraud Alert Based On Fake NCUA Fraud Alert (Which Turns Out To Be Part of Security Consultant's Penetration Testing)

Posted on September 3, 2009 by Gabriel M. Helmer

The National Credit Union Administration (NCUA) issued an official NCUA Fraud Alert on August 25, 2009 reporting that someone was sending around a fake NCUA Fraud Alert (.pdf) with CDs purporting to contain security software updates, but instead contained malware.  The NCUA warned "Should you receive this package or a similar package DO NOT run the CDs."  The NCUA, which regulates federally insured credit unions, was tipped off to the fake Fraud Alert by a single credit union. 

As it turns out, the credit union was undergoing security penetration testing and the security firm involved, MicroSolved, Inc., put together the fake Fraud Alert to test whether the credit union was secure against this sort of social engineering scam.  When it learned of this wrinkle, the NCUA issued an update to its Fraud Alert stating:

This was an unauthorized and improper use of the NCUA logo, and also included a falsified signature of then-Chairman Michael Fryzel. The bogus alert was forwarded to NCUA, prompting the issuance of the August 25 Fraud Alert. The false Fraud Alert appears to be confined to that credit union, and is not wide-spread.

It appears that the original credit union passed its security test with flying colors. ComputerWorld obtained a number of noteworthy comments in its article on the subject, but one that stands out is from SANS Institute security researcher, Johannes Ullrich, who observed that the tactic of sending fraudulent regulatory alerts with malware was something seemingly invented by security consultants.  "I thought, 'Finally this is in the wild, because I've only seen it in pen tests before.'"

Tags: , , , , , , , , ,