The Industry Standard News and Analysis for the Internet Economy

New federal rules dictate bank ID theft notifications
By Todd R. Weiss, Computerworld

The U.S. Federal Reserve Board Wednesday issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their personal data has been stolen.

In an announcement, the Federal Reserve and three other government banking agencies, including the Federal Deposit Insurance Corp. (FDIC), unveiled their "guidance" on how banks must treat personal information theft under federal laws enacted in 2003.

The rules come at a time when several companies have acknowledged that consumers' personal and sensitive information has either been stolen or accessed inappropriately.

David Barr, a spokesman for the FDIC in Washington, said the agencies spent the past 18 months reviewing the Fair and Accurate Credit Transactions (FACT) Act. The review included input from government officials as well as from security, banking industry and consumer groups and other entities to create the specific rules.

A key requirement is that consumers must now be notified when personal information has been stolen or illegally accessed and there is reason to believe it will be misused. In such cases, the institution must conduct a "reasonable investigation" to determine if the security breach was significant enough to require notification of affected consumers.

"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the rules say. Notice can be delayed, however, if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.

Specific timelines on how quickly such notice should be given haven't been established.

A financial institution is also expected to notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers.

According to the rules, sensitive customer information includes a customer's name, address or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. The rules also state that such data breaches would include the release of any combination of sensitive data that would allow someone to log into or access a customer's account, such as a username and password or a password and account number.

"The customer notification (provision) is brand new," Barr said. "Banks were not required to do that before, though many had. Now, there's an official mandate that they must."

The new rules took time to develop, Barr said, because they were issued by four agencies working together: the Federal Reserve, the FDIC, the Office of the Comptroller of the Currency and the Office of Thrift Supervision. "You have four voices instead of just one," he said. Building consensus meant a lot of deliberations, he said.

One of the greatest challenges for the agencies was determining where the legal bar should be set in terms of when consumers should be notified of breaches, he said. Some regulators thought notice should be given in all cases, while others thought notice should be given only if it was likely the data theft would bring harm to affected consumers.

The eventual standard is a reasonable one, he said, because it won't inundate consumers with notices unless there is evidence of a real data security threat. "If there were too many notices, consumers could be desensitized" to the real dangers of actual data security breaches, he said.

Under the new guidelines, the FDIC and other agencies can oversee financial institutions to ensure that they adhere to the notification procedures, Barr said. The agencies can issue enforcement orders if the regulations are not followed, he said.

Douglas Heller, executive director of The Foundation for Taxpayer and Consumer Rights, an advocacy group in Santa Monica, Calif., said the new rules are a good start for U.S. consumers. "At the very least, we should be notified when our personal information has been stolen."

California is the only state in the nation where such notification is already mandated by law in cases of security breaches and financial or credit information.

But notification after the fact isn't really enough to protect consumers, he said.

"We really need to limit the scope of private information that is collected for resale" by companies that handle personal information, he said. "The only reason that thieves have access to so much data is that the government hasn't stopped these companies from trading our personal information like it's a commodity."

Recent security breaches involving the theft or loss of sensitive consumer financial and credit data involve ChoicePoint Inc., Bank of America Corp. and LexisNexis.

Posted March 25, 2005 05:07 PM



