Presentation Transcript

Sensitive Information in Financial Services

November 14th, 2003

CS 457a

G. Fuldner

Why is Sensitive Information Important in Financial Services?
  • It is an information-based industry
  • Almost all information generated in financial services is potentially sensitive/private
  • There is often potential for significant monetary loss due to lack of privacy
Outline
  • Regulations
  • Current Problems
  • Possible Solutions
Graham Leach Bliley
  • Official Title: The Financial Modernization Act of 1999
  • Ends depression-era separation of investment and commercial banking
  • Establishes financial privacy rules and safeguards that must be followed to protect financial data
Definition: Nonpublic Personal Information
  • “Nonpublic personal information” is personally identifiable financial information:
    • Provided by a consumer to a financial institution
    • Resulting from any transaction with the consumer or any service performed for the consumer; or
    • Otherwise obtained by the financial institution
    • Publicly available information is not included
  • Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information is also defined as nonpublic personal information.
GLB: Privacy Rule
  • A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless
    • The institution has disclosed to the consumer in writing or electronic form that the information may be disclosed to a third party.
    • The consumer has been given the opportunity to opt-out.
  • Financial institutions are furthermore required to provide customers with annual notices of privacy policies including a listing of the types of nonpublic personal information that it gathers.
GLB: Privacy Rule II
  • A financial institution is free to disclose nonpublic personal information to nonaffiliated third parties under many exceptions
    • “To effect, administer, or enforce a transaction requested or authorized by the consumer”
    • To service or maintain a consumer’s account
    • In connection with a securitization or sale of a consumer’s account
    • At the direction of the consumer
    • To prevent fraud or unauthorized transactions
    • For credit reporting purposes
    • In connection with the sale of the institution or a business unit
    • At the request of law enforcement
GLB: Who must comply?
  • Businesses that are “significantly engaged” in providing financial products or services to consumers
  • For Example
    • Banks/Credit Unions
    • Mortgage or Credit Card Lenders
    • Securities Brokers
    • Investment Advisors
    • Insurers
    • Check-Cashers
    • Credit Reporting Agencies
    • ATM Operators
GLB: Safeguards
  • Financial regulators define standards for the financial institution relating to administrative, technical, and physical safeguards
    • (1) to insure the security and confidentiality of customer records and information;
    • (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
    • (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
GLB: Safeguards II
  • Data Safeguard Standards (FTC Example)
    • Designate an information security coordinator
    • Identify reasonably foreseeable internal and external risks of unauthorized disclosure of nonpublic information.
    • Employee training
    • Information systems design risk assessment
    • Intrusion detection and system monitoring
    • Appropriate vendor and service provider oversight
Effects of GLB
  • Lots of small-type privacy disclosure forms
  • Financial institutions must think about privacy as a part of their broader regulatory compliance process
  • Actual IT process impact is limited to the margins.
  • Common compliance efforts include
    • Firewalls
    • Network penetration testing / Security audits
    • SSL in website communications
    • VPNs for internal corporate communication
Other Relevant Legislation
  • USA Patriot Act
    • Requires banks to positively identify new customers and check names against lists of known terrorists.
    • NOTE: the identification requirement makes anonymity-based customer privacy schemes impossible
  • Bank Secrecy Act
    • Gives law enforcement broad powers to access nonpublic financial information
    • Requires banks to report suspicious activity
Information Risk Factors
  • High dependence on information transfer between economic agents to conduct financial transactions
  • Industry consolidation has created large conglomerates (ex. Citigroup, BofA) with large distributed IT infrastructures
  • Large numbers of customer service and back-office workers (ex. Tellers, Call Center Reps) have broad access to sensitive customer data.
  • Increased use of outsourcing distributes sensitive customer data to third-parties who have lower incentives to preserve customer privacy.
Some Recent Failures
  • May 2002: A teller at Bank One sold lists of customer information to an identity theft ring.
  • February 2003: 8 million credit card numbers were stolen by hackers from the computer system of a Nebraska transaction processor.
  • Phishing - An emerging spam problem in which users receive a malicious e-mail that imitates a financial institution's website (ex. Paypal.com) and asks them to enter passwords or other account information.

Sources: SmartMoney, CNN

Basic Problems Still Exist
  • 66% of the large financial institutions studied by IBM and Watchfire had one or more Web forms that collected personally identifiable information but did not use SSL encryption.
  • 91% of the companies studied allowed weak forms of SSL (ex. 40-bit RSA) on their websites, while 128-bit is recommended by Federal bank regulators.
Industry Needs
  • Secure methods for institutions to identify customers (ex. a replacement for SS# and mother’s maiden name).
  • Secure methods for customers to identify institutions electronically (ex. a means of verifying the authenticity of a bank website)
  • Data access control systems that restrict access to nonpublic personal information to those that need to know and provide an audit trail of access policy exceptions
  • Standard methods of enforcing data-use policies with third-party service providers.
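The Privacy Rule and its exceptions, the derived-list clause of the NPI definition, and the audit trail of access-policy exceptions that the Industry Needs slide asks for, encoded as a policy-as-code check; this is an added illustration, not code from the presentation, and the exception labels, the affiliate shortcut and the audit format follow the rule as the slides summarise it, not the statute itself.

```python
# Added illustration (not from the slides): the GLB Privacy Rule as the slides
# summarise it, as a disclosure check that records exception-based and denied
# disclosures in an audit trail.
from dataclasses import dataclass
from typing import List

# Disclosure exceptions listed on the "Privacy Rule II" slide (labels are constructed).
PRIVACY_RULE_EXCEPTIONS = {
    "effect_transaction", "service_account", "securitization_or_sale",
    "consumer_direction", "fraud_prevention", "credit_reporting",
    "business_sale", "law_enforcement",
}

@dataclass
class Consumer:
    notice_delivered: bool  # written/electronic disclosure that data may be shared
    opted_out: bool         # consumer used the opt-out opportunity

@dataclass
class Record:
    consumer: Consumer
    nonpublic: bool  # True for nonpublic personal information (NPI)

@dataclass
class Decision:
    allowed: bool
    basis: str

def derived_list_is_nonpublic(sources: List[Record]) -> bool:
    """A grouping derived using any NPI is itself NPI (Definition slide)."""
    return any(r.nonpublic for r in sources)

def may_disclose(record: Record, recipient_affiliated: bool, purpose: str,
                 audit: List[str]) -> Decision:
    """Decide one disclosure to a recipient; exceptions and denials are audited."""
    if not record.nonpublic:
        return Decision(True, "publicly available information")
    if recipient_affiliated:
        # The slide restricts disclosure to nonaffiliated third parties only.
        return Decision(True, "affiliate: rule restricts nonaffiliated parties only")
    if purpose in PRIVACY_RULE_EXCEPTIONS:
        audit.append(f"EXCEPTION {purpose}")  # policy exception: keep an audit record
        return Decision(True, f"exception: {purpose}")
    c = record.consumer
    if c.notice_delivered and not c.opted_out:
        return Decision(True, "notice given and consumer has not opted out")
    audit.append(f"DENIED {purpose}: notice={c.notice_delivered} opted_out={c.opted_out}")
    return Decision(False, "no notice given or consumer opted out")
```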
Resources
  • Watchfire (www.watchfire.com) - a suite of IT infrastructure privacy monitoring software tools and consulting services.