Interesting People mailing list archives
more on A critical look at new bank "security breach" requirements [priv]
From: David Farber <dave () farber net>
Date: Thu, 24 Mar 2005 19:15:23 -0500
------ Forwarded Message
From: Ross Stapleton-Gray <ross () stapleton-gray com>
Date: Thu, 24 Mar 2005 14:51:09 -0800
To: <dave () farber net>, <declan () well com>
Subject: Re: [IP] A critical look at new bank "security breach" requirements [priv]

At 12:16 PM 3/24/2005, Declan wrote:
A brief digression: The new guidelines seem to make sense, but it's difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options. For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans -- but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards. Its hypothetical competitor CheapDiscountBank might take less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let's assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they're willing to take and companies could experiment. Because that process doesn't exist today, we end up with a one-size-fits-all rule that sets both a security floor and also a de facto ceiling that banks seem unwilling to exceed. It's difficult to know whether that security "level" is the best one for consumers.
The guidelines, as described, focus on incident response, particularly re notice. They seem to be inspired by what the State of California did in amending its Information Practices Act in 2002 (SB 1386 and AB 700 were the bills in the State legislature, and "SB 1386" is what I'd known this new requirement for notice as, and how to find it if you're googling the issue). The crux of that amendment was to require anyone who suffered a breach of California residents' personal information (defined as a combination of name, and any of 1) SSN; 2) CA driver's license or ID; 3) financial account AND a PIN/password for it... I suspect that the credit card companies lobbied to avoid having a mere credit card number w/name count) to notify the victims; the final form of the bill, which was a sleepy bit of legislation originally, was inspired by a breach at the State's Teale Data Center, and a lack of any protocols for informing those affected.

The focus is entirely on the consequences of breaches, and how victims might be assisted, e.g., in avoiding subsequent identity theft, through timely notice. Nothing in that legislation, nor in the guidelines described by Declan, says anything about precautionary safeguards... presumably a bank or brokerage could say, "We will certainly meet guidelines re notifying you in the case of a breach, but we don't believe you or we will go through that grief, because...," and supply a description of their defenses. (If consumers really care about that, they'd presumably opt to receive lower savings rates, or pay higher loan fees, but I'm not sure that consumers really do care.)

I could see some interesting entrepreneurial opportunities here, in fact, e.g., for notification services that could be your proxy with credit institutions: when you get a Citibank account, you tell Citibank, "If anything happens to put me at risk, please notify SuperNoticeCo with my account number... that will constitute effective notice to me."
SuperNoticeCo offers services to either inform you, through whatever means you might choose--including IMing you, or a call to your cellphone--and/or take actions on your behalf, e.g., putting holds on various credit sources, etc.; SuperNoticeCo security analysts would work with the affected bank or other institution, to provide appropriate notice to its (SuperNoticeCo's) customers.

(SuperNoticeCo could also maintain a thorough knowledge of all of the financial institutions it deals with, and provide ratings: "You have chosen to bank at Foo Bank... Foo Bank has had to provide notice of customer information breach 3 times in the past four years, requiring notice to be provided to 250,000 customers. Foo Bank has a rating of 57 out of 100, for institutions rated by SuperNoticeCo.")

(Say, if anyone would like to charter a business like SuperNoticeCo, let me know! :-)

Ross

-----
Ross Stapleton-Gray, Ph.D., CISSP
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com

------ End of Forwarded Message

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/