more on A critical look at new bank "security breach" requirements [priv]

[David Farber <dave () farber net>]

------ Forwarded Message
From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: Thu, 24 Mar 2005 14:51:09 -0800
To: <dave () farber net>, <declan () well com>
Subject: Re: [IP] A critical look at new bank "security breach" requirements
[priv]

At 12:16 PM 3/24/2005, Declan wrote:
> A brief digression: The new guidelines seem to make sense, but it's
> difficult to figure out whether they go too far or not far enough.
> Normally consumers can shop around and choose products based on a whole
> range of different options.
>
> For instance, a hypothetical BankSuperSecure might employ only bonded
> employees with government security clearances and hire armed guards to
> watch these employees all the time. Those security measures would
> probably reduce the chance of insider shenanigans -- but would come at a
> substantial cost that would be passed on to consumers in the form of
> lower interest rates on savings accounts and higher interest rates on
> loans and credit cards.
>
> Its hypothetical competitor CheapDiscountBank might take less rigorous
> security mechanisms but offer far better terms on savings accounts and
> loans. In this scenario (let's assume that the banks were required to
> disclose their respective approaches to security), consumers could
> choose what risks they're willing to take and companies could
> experiment. Because that process doesn't exist today, we end up with a
> one-size-fits-all rule that sets both a security floor and also a de
> facto ceiling that banks seem unwilling to exceed. It's difficult to
> know whether that security "level" is the best one for consumers.

The guidelines, as described, focus on incidence response, particularly re
notice.  They seem to be inspired by what the State of California did in
amending its Information Practices Act in 2002 (SB 1386 and AB 700 were the
bills in the State legislature, and "SB 1386" is what I'd known this new
requirement for notice as, and how to find it if you're googling the
issue).  The crux of that amendment was to require anyone who suffered a
breach of California residents' personal information (defined as a
combination of name, and any of 1) SSN; 2) CA driver's license or ID; 3)
financial account AND a PIN/password for it... I suspect that the credit
card companies lobbied to avoid having a mere credit card number w/name
count) to notify the victims; the final form of the bill, which was a
sleepy bit of legislation originally, was inspired by a breach at the
State's Teale Data Center, and a lack of any protocols for informing those
affected.

The focus is entirely on the consequences of breaches, and how victims
might be assisted, e.g., in avoiding subsequent identity theft, through
timely notice.

Nothing in that legislation, nor in the guidelines described by Declan, say
anything about precautionary safeguards... presumably a bank or brokerage
could say, "We will certainly meet guidelines re notifying you in the case
of a breach, but we don't believe you or we will go through that grief,
because...," and supply a description of their defenses.  (If consumers
really care about that, they'd presumably opt to receive lower savings
rates, or pay higher loan fees, but I'm not sure that consumers really do
care.)

I could see some interesting entrepreneurial opportunities here, in fact,
e.g., for notification services that could be your proxy with credit
institutions: when you get a Citibank account, you tell Citibank, "If
anything happens to put me at risk, please notify SuperNoticeCo with my
account number... that will constitute effective notice to
me."  SuperNoticeCo offers services to either inform you, through whatever
means you might choose--including IMing you, or a call to your
cellphone--and/or take actions on your behalf, e.g., putting holds on
various credit sources, etc.; SuperNoticeCo security analysts would work
with the affected bank or other institution, to provide appropriate notice
to its (SuperNoticeCo's) customers.  (SuperNoticeCo could also maintain a
thorough knowledge of all of the financial institutions it deals with, and
provide ratings: "You have chosen to bank at Foo Bank... Foo Bank has had
to provide notice of customer information breach 3 times in the past four
years, requiring notice to be provided to 250,000 customers.  Foo Bank has
a rating of 57 out of 100, for institutions rated by SuperNoticeCo.")

(Say, if anyone would like to charter a business like SuperNoticeCo, let me
know! :-)

Ross



-----

Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com




------ End of Forwarded Message


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/