Interesting People mailing list archives

New Banking Regs (FDIC, Fed, OCC, OTS) Address Privacy - Today's Wash Post


From: David Farber <dave () farber net>
Date: Thu, 24 Mar 2005 15:01:57 -0500


------ Forwarded Message
From: Frank Nickerson <salesman44-clark () yahoo com>
Reply-To: Frank Nickerson <salesman44-clark () yahoo com>
Date: Thu, 24 Mar 2005 13:59:05 -0500
To: <dave () farber net>
Subject: New Banking Regs (FDIC, Fed, OCC, OTS) Address Privacy - Today's
Wash Post

Dave,

For posting if you desire:

Banking Rules Address Theft Of Customers' Private Data

By Jonathan Krim
Washington Post Staff Writer
Thursday, March 24, 2005; Page E01

Banks and some other financial institutions will be required to tell
customers if their private information has been obtained by hackers or
identity thieves and is likely to be misused, under rules approved this week
and announced yesterday.

Under the new regulations, breaches of private information must be reported
to people affected if the financial institution determines that data have
been, or could be, illicitly used. The rules take effect immediately for
federal and state-chartered banks, and savings and loans.

The rules come at a time of growing public fears about identity theft. In
the past several weeks, two large information brokers had breaches that
resulted in records on roughly 175,000 consumers falling into the hands of
identity thieves. The new rules, however, do not apply to such brokers, or
to credit unions or credit-reporting agencies.

The rules cover thousands of financial institutions regulated by four
agencies that coordinated their rulemaking: the Federal Deposit Insurance
Corp., the Federal Reserve, the Office of the Comptroller of the Currency
and the Office of Thrift Supervision.

That would include organizations such as Bank of America Corp., which
disclosed recently that it had lost computer tapes containing financial data
on more than 1.2 million federal workers, including members of Congress.

Under the new rules, part of several measures implemented since the passage
of a banking modernization law in 1999, financial institutions must
immediately report security breaches to their regulators and to law
enforcement agencies.

Disclosure to consumers, however, has an exception. After industry lobbying,
the rules were modified to allow an institution to investigate whether a
breach would be likely to result in misuse of the data. If the organization
determines that misuse is unlikely, it need not report the breach to its
customers.

Financial-services firms were concerned that they might be burdened by
expensive reporting requirements and could subject consumers to needless
worry if systems were breached but the data had not been taken by identity
thieves.

Some privacy advocates fear that allowing the institutions to decide whether
a threat to consumers exists could diminish their incentive to improve
security.

"If people are doing a good job [of security], there should be no notices"
of breaches, said Deirdre K. Mulligan, director of the Samuelson Law,
Technology & Public Policy Clinic at the University of California at
Berkeley.

She said data could be compromised in ways not immediately apparent to the
companies that have been breached.

Security breaches have been publicized by several organizations whose
systems are compromised, but computer-security experts say many more are not
because companies do not want customers to be worried that their systems are
vulnerable.

Until now, the only requirement that consumers be told that their data might
have been stolen is a California law that forces notification by any company
that has customers in the state. But the recent breaches have prompted
several members of Congress, the head of the Federal Trade Commission and
some industry groups to call for national notification legislation.

A spokesman for the National Credit Union Administration said he expects the
organization to develop notification guidelines in the next two months.


------ End of Forwarded Message

