What You Need To Know About Privacy and Why

1
What You Need To Know About Privacy and Why

• Lynn A. Goldstein
• April 16, 2007

2
Federal GrammLeachBliley Act
3
GLBA Overview

• Section 501(a) requires financial institutions to
  respect the privacy of their customers and to
  protect the security and confidentiality of those
  customers nonpublic information, and section
  501(b) requires the establishment of appropriate
  standards relating to administrative, technical
  and physical safeguards
• to insure the security and confidentiality of
  customer records and information
• to protect against any anticipated threats or
  hazards to the security or integrity of such
  records and
• to protect against unauthorized access to or use
  of such records or information which could result
  in substantial harm or inconvenience to any
  customer.
• Section 503 requires financial institutions to
  provide customers with notice of their privacy
  policies and practices
• Financial institutions are required to provide
  initial notice of privacy policies and practices
  in 2 circumstances
• For customers, notice must be provided at time of
  establishing customer relationship, i.e., when
  bank and consumer enter into continuing
  relationship
• For consumers who are not customers, notice must
  be provided prior to disclosing nonpublic
  personal information about consumer to
  nonaffiliated third party
• Financial institutions are required to provide
  notice of privacy policies and practices at least
  annually to customers during continuation of
  customer relationship

4
The Fair and Accurate Credit Transactions Act of
2003

• Section 216 requires final regulations (which are
  consistent with the requirements of and
  regulations issued pursuant to GLBA) to be issued
  requiring any person that maintains or otherwise
  possesses consumer information, or any
  compilation of consumer information, derived from
  consumer reports for a business purpose to
  properly dispose of such information or
  compilation.

5
The Privacy Regulations Under GLBA

• The Privacy Regulations govern the treatment of
  nonpublic personal information about consumers by
  a financial institution. They
• Require a financial institution to provide notice
  to customers about its privacy polices and
  practices
• Describe the conditions under which a financial
  institution may disclose nonpublic personal
  information about consumers to third parties and
• Provide a method for consumers to prevent a
  financial institution from disclosing that
  information to most nonaffiliated third parties
  by opting out of that disclosure subject to
  certain exceptions.
• The Privacy Regulations apply only to nonpublic
  personal information about individuals who obtain
  financial products or services primarily for
  personal, family, or household purposes
• They do not apply to information about
  individuals who obtain financial products and
  services for business, commercial, or
  agricultural purposes.

6
When Privacy Policy Needs to be Provided to
Customer

• Customer relationship is established when bank
  and consumer enter into continuing relationship
• Loan
• When bank originates loan to consumer for
  personal, family or household purposes
• If bank subsequently transfers servicing rights
  to loan to another financial institution,
  customer relationship transfers with servicing
  rights
• Other situations. Bank establishes customer
  relationship when consumer
• Opens credit card account with bank
• Executes contract to open deposit account with
  bank, obtains credit from bank, or purchases
  insurance from bank
• Agrees to obtain financial, economic or
  investment advisory services from bank for fee
• Becomes banks client for purpose of banks
  providing credit counseling or tax preparation
  services
• Initial notice may be provided within reasonable
  time after bank establishes customer relationship
  if
• Establishing customer relationship is not at
  customers election
• If bank acquires customers deposit liability or
  servicing rights to customers loan from another
  financial institution and customer does not have
  choice about banks acquisition

7
When Privacy Policy Needs to be Provided to
Customer cont.

• Would substantially delay customers transaction
  and customer agrees to receive notice at later
  time
• Bank and individual agree over telephone to enter
  into customer relationship involving prompt
  delivery of financial product or service, or
• Bank establishes customer relationship with
  individual under student loan programs where loan
  proceeds are disbursed promptly without prior
  communication between bank and customer
• Would not substantially delay customers
  transaction when relationship is initiated in
  person at banks office or through other means by
  which customer may view notice, such as on web
  site

8
When Privacy Policy Needs to be Provided to
Non-Customer

• Notice must be provided prior to disclosing
  nonpublic personal information about consumer to
  nonaffiliated third party
• non-public personal information means
  personally identifiable financial information
  and any list, description or other grouping of
  consumers derived using any personally
  identifiable financial information that is not
  publicly available
• personally identifiable financial information
  means any information
• consumer provides to bank to obtain financial
  product or service from bank
• about consumer resulting from any transaction
  involving financial product or service between
  bank and consumer or
• bank otherwise obtains about consumer in
  connection with providing financial product or
  service to that consumer

9
Information To Be Included in Initial and Annual
Privacy Notices

• GLBA identifies items of information that must be
  included in financial institutions initial and
  annual notices
• Categories of nonpublic personal information bank
  collects. Bank satisfies this requirement if it
  lists following categories, as applicable
• Information from consumer
• Information about consumers transactions with
  bank or its affiliates
• Information about consumers transactions with
  non-affiliated third parties and
• Information from consumer reporting agency
• Categories of nonpublic personal information bank
  discloses. Bank satisfies this requirement if it
  lists
• Categories of nonpublic personal information bank
  collects, as applicable, and
• Some examples to illustrate types of information
  in each category
• Categories of affiliates and nonaffiliated third
  parties to whom bank discloses nonpublic personal
  information. Bank satisfies this requirement if
  it lists following categories, as applicable and
  few examples to illustrate types of third parties
  in each category
• Financial service providers
• Non-financial companies, and
• Others

10
Information To Be Included in Initial and Annual
Privacy Notices - cont.

• Categories of nonpublic personal information
  about banks former customers bank discloses and
  categories of affiliates and nonaffiliated third
  parties to whom bank discloses nonpublic personal
  information about banks former customers
• If bank discloses nonpublic personal information
  to nonaffiliated third party to perform services
  for bank or functions on banks behalf, separate
  statement of categories of information bank
  discloses and categories of third parties with
  whom bank has contracted. Bank satisfies this
  requirement if it
• Lists categories of nonpublic personal
  information it discloses, and
• States whether third party is
• Service provider that performs marketing services
  on banks behalf or on behalf of bank and another
  financial institution or
• Financial institution with whom bank has joint
  marketing agreement
• Explanation of consumers right to opt out of
  disclosure of nonpublic personal information to
  nonaffiliated third parties, including methods by
  which consumer may exercise that right at that
  time
• Any disclosure bank makes under FCRA, i.e.,
  notices regarding ability to opt out of
  disclosures of information among affiliates

11
Information To Be Included in Initial and Annual
Privacy Notices cont.

• Banks policies and practices with respect to
  protecting confidentiality and security of
  nonpublic personal information. Bank satisfies
  this requirement if it does both of the
  following
• Describes in general terms who is authorized to
  have access to information, and
• States whether bank has security practices and
  procedures in place to ensure confidentiality of
  information in accordance with banks policy
• Any disclosures it makes to other nonaffiliated
  third parties as permitted by law
• If bank is going to disclose nonpublic personal
  information to nonaffiliated third parties (which
  is not otherwise permitted by exception), notice
  must state
• Bank discloses or reserves right to disclose
  nonpublic personal information about consumer to
  nonaffiliated third party
• Consumer has right to opt out of that disclosure
• Opt out means direction by consumer that bank not
  disclose nonpublic personal information about
  that consumer to nonaffiliated third party unless
  otherwise permitted

12
Information To Be Included in Initial and Annual
Privacy Notices - cont.

• Reasonable means by which consumer may exercise
  opt out right
• Designates check-off boxes in prominent position
  on relevant forms with opt out notice
• Includes reply form together with opt out notice
• Provides electronic means to opt out if consumer
  agrees to electronic delivery of information or
• Provides toll-free telephone number that consumer
  may call to opt out
• How bank will treat opt out direction by joint
  consumers

13
Delivery of Annual Privacy Notices

• Bank must provide notice so that each consumer
  can reasonably be expected to receive actual
  notice in writing or, if consumer agrees,
  electronically
• Hand-delivers printed copy of notice to consumer
• Mails printed copy of notice to last known
  address of consumer
• For consumer who conducts transactions
  electronically, posts notice on electronic site
  and requires consumer to acknowledge receipt of
  notice as necessary step to obtaining particular
  financial product or service
• For isolated transaction with consumer, such as
  ATM transaction, posts notice on ATM screen and
  requires consumer to acknowledge receipt of
  notice as necessary step to obtaining particular
  financial product or service
• Bank is not required to provide annual notice to
  customer if customer relationship has been
  discontinued.
• Bank is not required to provide annual notice to
  former customer
• Customer is former customer if
• Deposit account is inactive
• Closed-end loan has been paid in full, has been
  charged off or sold off and bank has not retained
  servicing rights
• Credit card relationship or other open-end credit
  relationship and
• Bank no longer provides any statements or notices
  to customer concerning relationship or
• Bank sells credit card receivables without
  retaining servicing rights
• Bank has not communicated with customer about
  relationship for 12 consecutive months

14
How/When Initial Privacy Policies Are Distributed
to Customers
PRODUCT CONTACT DISTRIBUTION
Checking Account Branch Account Opening Kit
Mortgage Branch Online Early Disclosure (3-day) Documents
Mortgage Wholesale Loan Welcome Package
Mortgage Bulk Acquisition First billing statement or solo mail if more than month
Credit Card Phone, Mail, Online Welcome Kit (with card)
Private Label Credit Card Store At store and in mail with Welcome Kit
Investment Advisory Services Inperson, Phone, Online Agreements that accompany application
Auto Loan Auto Dealer First set of coupons or standalone if no coupons
Student Loan School Application or new account documents
15
Interagency Guidelines Establishing Standards for
Safeguarding Customer Information

• Standards for Safeguarding Customer Information
• Information Security Program
• Each bank shall implement a comprehensive written
  information security program that includes
  administrative, technical and physical safeguards
  appropriate to the size and complexity of the
  bank and the nature and scope of its activities
• While all parts of the bank are not required to
  implement a uniform set of policies, all elements
  of the information security program must be
  coordinated
• Objectives. A banks information security
  program shall be designed to
• Ensure the security and confidentiality of
  customer information
• Protect against any anticipated threats or
  hazards to the security or integrity of such
  information
• Protect against any unauthorized access to or use
  of such information that could result in
  substantial harm or inconvenience to any
  customer and
• Ensure the proper disposal of customer
  information and consumer information.
• Development and Implementation of Information
  Security Program
• Involve the Board of Directors. The directors or
  an appropriate committee of the board of each
  bank shall
• Approve the banks written information security
  program and

16
Safeguards Guidelines - cont'd

• Oversee the development, implementation, and
  maintenance of the banks information security
  program, including assigning specific
  responsibility for its implementation and
  reviewing reports from management.
• Assess Risk. Each bank shall
• Identify reasonably foreseeable internal and
  external threats that could result in
  unauthorized disclosure, misuse, alteration, or
  destruction of customer information or customer
  information systems.
• Assess the likelihood and potential damage of
  these threats, taking into consideration the
  sensitivity of customer information
• Assess the sufficiency of policies, procedures,
  customer information systems, and other
  arrangements in place to control risks.
• Manage and Control Risk. Each bank shall
• Design its information security program to
  control identified risks, commensurate with the
  sensitivity of the information as well as the
  complexity and scope of the banks activities.
  Each bank must consider whether the following
  security measures are appropriate for the bank
  and, if so, adopt those measures the bank
  concludes are appropriate
• Access controls on customer information systems,
  including controls to authenticate and permit
  access only to authorized individuals and
  controls to prevent employees from providing
  customer information to unauthorized individuals
  who may seek to obtain this information through
  fraudulent means

17
Safeguards Guidelines - cont'd

• Access restrictions at physical locations
  containing customer information, such as
  buildings, computer facilities, and records
  storage facilities, to permit access only to
  authorized individuals
• Encryption of electronic customer information,
  including while in transit or in storage on
  networks or systems to which unauthorized
  individuals may have access
• Procedures designed to ensure that customer
  information system modifications are consistent
  with the banks information security programs
• Dual control procedures, segregation of duties,
  and employee background checks for employees with
  responsibilities for or access to customer
  information
• Monitoring systems and procedures to detect
  actual and attempted attacks on or intrusions
  into customer information systems
• Response programs that specify actions to be
  taken when the bank suspects or detects that
  unauthorized individuals have gained access to
  customer information systems, including
  appropriate reports to regulatory and law
  enforcement agencies and
• Measures to protect against destruction, loss, or
  damage of customer information due to potential
  environmental hazards, such as fire and water
  damage or technological failures.

18
Safeguards Guidelines cont'd

• Train staff to implement the banks information
  security program
• Regularly test the key controls, systems and
  procedures of the information security program.
• The frequency and nature of such tests should be
  determined by the banks risk assessment.
• Tests should be conducted or reviewed by
  independent third parties or staff independent of
  those that develop or maintain the security
  programs.
• Develop, implement, and maintain as part of its
  information security program, appropriate
  measures to properly dispose of customer
  information and consumer information in
  accordance with each of the requirements for the
  development and implementation of an information
  security program.
• Oversee Service Provider Arrangements. Each Bank
  shall
• Exercise appropriate due diligence in selecting
  its service providers
• Require its service providers by contract to
  implement appropriate measures designed to meet
  the objectives of these Guidelines and
• Where indicated by the banks risk assessment,
  monitor its service providers to confirm that
  they have satisfied their obligations as required
  above.

19
Safeguards Guidelines cont'd

• As part of this monitoring, a bank should review
  audits, summaries of test results, or other
  equivalent evaluations of its service providers.
• Adjust the Program. Each bank shall
• Monitor, evaluate, and adjust, as appropriate,
  the information security program in light of
• Any relevant changes in technology,
• The sensitivity of its customer information,
• Internal or external threats to information, and
• The banks own changing business arrangements,
  such as
• Mergers and acquisitions,
• Alliances and joint ventures,
• Outsourcing arrangements, and
• Changes to customer information systems.
• Report to the Board
• Each bank shall report to its board or an
  appropriate committee of the board at least
  annually.
• This report shall describe the overall status of
  the information security program and the banks
  compliance with these Guidelines.
• The reports should discuss material matters
  related to its program, addressing issues such
  as

20
Safeguards Guidelines cont'd

• Risk assessment
• Risk management and control decisions
• Service provider arrangements
• Results of testing
• Security breaches or violations and managements
  responses and
• Recommendations for changes in the information
  security program.
• Implement the Standards
• Effective Date. Each bank must have already
  implemented an information security program
  pursuant to these Guidelines.
• Exception for Existing Agreements with Service
  Providers Relating to the Disposal of Consumer
  Information.
• A banks contracts with its service providers
  that have access to consumer information and that
  may dispose of consumer information, entered into
  before July 1, 2005, must have complied with the
  provisions of the Guidelines relating to the
  proper disposal of consumer information by July
  1, 2006.

21
Interagency Guidance on Response Programs for
Unauthorized Access to Customer Information and
Customer Notice

• This is an interpretation of the requirements of
  section 501(b) of GLBA and the Safeguards
  Guidelines to include the development and
  implementation of a response program to address
  unauthorized access to, or use of, customer
  information that could result in substantial harm
  or inconvenience to a customer.
• Components of a Response Program. Every
  financial institution should develop and
  implement a riskbased response program to
  address incidents of unauthorized access to
  customer information in customer information
  systems maintained by the financial institution
  itself or by its domestic and foreign service
  providers.
• At a minimum, an institutions response program
  should contain procedures for the following
• Assessing the nature and scope of an incident,
  and identifying what customer information systems
  and types of customer information have been
  accessed or misused
• Notifying its primary Federal regulator as soon
  as possible when the institution becomes aware of
  an incident involving unauthorized access to or
  use of sensitive customer information, as defined
  below
• Consistent with the Agencies Suspicious Activity
  Report (SAR) regulations, notifying appropriate
  law enforcement authorities, in addition to
  filing a timely SAR in situations involving
  Federal criminal violations requiring immediate
  attention, such as when a reportable violation is
  ongoing

22
Response Programs Guidance - cont'd

• Taking appropriate steps to contain and control
  the incident to prevent further unauthorized
  access to or use of customer information, for
  example, by monitoring, freezing, or closing
  affected accounts, while preserving records and
  other evidence and
• Notifying customers when warranted.
• Where an incident of unauthorized access to
  customer information involves customer
  information systems maintained by an
  institutions service providers, it is the
  responsibility of the financial institution to
  notify the institutions customers and regulator.
• An institution may authorize or contract with its
  service provider to notify the institutions
  customers or regulator on its behalf.
• Customer Notice. Notifying customers of a
  security incident involving the unauthorized
  access to or use of the customers information in
  accordance with the standard set forth below is a
  key part of a financial institutions affirmative
  duty to protect their customers information
  against unauthorized access or use
• Standard for Providing Notice
• When a financial institution becomes aware of an
  incident of unauthorized access to sensitive
  customer information, the institution should
  conduct a reasonable investigation to determine
  the likelihood that the information has been or
  will be misused.

23
Response Programs Guidance - cont'd

• Under the Security Guidelines, an institution
  must protect against unauthorized access to or
  use of customer information that could result in
  substantial harm or inconvenience to any
  customer.
• Substantial harm or inconvenience is most likely
  to result from improper access to sensitive
  customer information because this type of
  information is most likely to be misused, as in
  the commission of identity theft.
• For purposes of this Guidance, sensitive customer
  information
• Means a customers name, address, or telephone
  number, in conjunction with the customers social
  security number, drivers license number, account
  number, credit or debit card number, or a
  personal identification number or password that
  would permit access to the customers account,
  and
• Includes any combination of components of
  customer information that would allow someone to
  log onto or access the customers account, such
  as user name and password or password and account
  number.
• If the institution determines that misuse of its
  information about a customer has occurred or is
  reasonably possible, it should notify the
  affected customer as soon as possible.

24
Response Programs Guidance - cont'd

• If a financial institution, based upon its
  investigation, can determine from its logs or
  other data precisely which customers information
  has been improperly accessed, it may limit
  notification to those customers with regard to
  whom the institution determines that misuse of
  their information has occurred or is reasonably
  possible.
• There may be situations where the institution
  determines that a group of files has been
  accessed improperly but is unable to identify
  which customers information has been accessed.
• If the circumstances of the unauthorized access
  lead the institution to determine that misuse of
  the information is reasonably possible, it should
  notify all customers in the group.
• Customer notice may be delayed if an appropriate
  law enforcement agency determines that
  notification will interfere with a criminal
  investigation and provides the institution with a
  written request for the delay.
• The institution should notify its customers as
  soon as notification will no longer interfere
  with the investigation.
• Content of Customer Notice
• Customer notice should be given in a clear and
  conspicuous manner
• The notice should
• Describe the incident in general terms and the
  type of customer information that was the subject
  of unauthorized access or use

25
Response Programs Guidance - cont'd

• Generally describe what the institution has done
  to protect the customers information from
  further unauthorized access
• Include a telephone number that customers can
  call for further information and assistance
• Remind customers of the need to
• Remain vigilant over the next twelve to
  twenty-four months, and
• To promptly report incidents of suspected
  identity theft to the institution
• Include the following additional items, when
  appropriate
• A recommendation that the customer review account
  statements and immediately report any suspicious
  activity to the institution
• A description of fraud alerts and an explanation
  of how the customer may place a fraud alert in
  the customers consumer reports to put the
  customers creditors on notice that the customer
  may be a victim of fraud
• A recommendation that the customer periodically
  obtain credit reports from each nationwide credit
  reporting agency and have information relating to
  fraudulent transactions deleted
• An explanation of how the customer may obtain a
  credit report free of charge and
• Information about the availability of the FTCs
  online guidance regarding steps a consumer can
  take to protect against identity theft. The
  notice should

26
Response Programs Guidance - cont'd

• Encourage the customer to report any
  incidents of identity theft to the FTC, and
• Provide the FTCs Web site address and
  toll-free telephone number that customers may
  use to obtain the identity theft guidance and
  report suspected incidents of identity theft.
• Financial institutions are encouraged to notify
  the nationwide consumer reporting agencies prior
  to sending notices to a large number of customers
  that include contact information for the
  reporting agencies.
• Delivery of Customer Notice
• Customer notice should be delivered in any manner
  designed to ensure that a customer can reasonably
  be expected to receive it.
• For example, the institution may choose to
  contact all customers affected by telephone or by
  mail, or by electronic mail for those customers
  for whom it has a valid e-mail address and who
  have agreed to receive communications
  electronically.

27
STATE SECURITY BREACHNOTIFICATION LAWS
28
Generally

• 35 states plus the District of Columbia and
  Puerto Rico have adopted security breach
  notification laws
• Notification is required when there has been an
  unauthorized acquisition of unencrypted
  computerized personal information
• Personal information means an individuals
  first name or first initial and last name in
  combination with any one or more of the
  following
• Social Security Number
• Drivers license or state identification card
  number
• Account, credit or debit card number in
  combination with required security code, access
  code or password that would permit access to an
  individuals financial account
• Written or electronic, or under limited
  circumstances substitute, notice is allowed
• Disclosure should be made in most reasonable time
  possible and without unreasonable delay
• Notification may be delayed if a law enforcement
  agency determines that notification will impede a
  criminal investigation

29
Differences

• In some states (e.g. HI, IN, NC, WI) and New York
  City, paper data as well as computerized data is
  covered
• In some states, definition of personal
  information includes
• Medical information (e.g. AK, DE)
• Biometric data or fingerprints (e.g. NC, WI and
  New York City)
• Date of birth (e.g. ND)
• Mothers maiden name (e.g. ND and New York City)
• Employer identification number (e.g. ND)
• Financial account number, credit or debit card
  number alone (e.g. GA, ME, VT)
• Some states require notification of state/local
  agencies (e.g. HI, ME, NH, NJ, NY, NC, and Puerto
  Rico and New York City)
• Some states require coordination with consumer
  reporting agencies (e.g. CO, DC, FL, GA, HI, IN,
  KS, ME, MI, MN, MT, NV, NH, NJ, NY, NC, OH, PA,
  TN, TX, VT, WI)
• Some states require notice to be given with 45
  days (e.g. FL, OH)
• Some states have specific content requirements
  for the notice (e.g. HI, MI, NH, NY, NC, VT, WI)
• Some states allow telephone notice (e.g. AZ, CO,
  CT, DE, HI, ID, IN, MI, MN, MT, NE, NV, NH, NJ,
  NY, NC, UT, VT)

30
Differences cont.

• IL does not allow a delay in notification if law
  enforcement requests it
• Some state laws do not apply to financial
  institutions (or GLBA is deemed compliance with
  that states law) (AZ, AK, CO, CT, DE, FL, GA,
  HI, ID, IN, KS, LA, MI, MN, NE, NV, NH, NC, ND,
  OH, OK, PA, RI, TN, UT, VT, WI)

31
Risks for Financial Institutions
32
Outside Service Providers with Possession of or
Access to Personal Information

• Confidential Information, Firm Data, and Personal
  Information
• Define these terms
• Limit access to and maintain confidentiality of
  such information
• Require establishment and maintenance of
  appropriate safeguards regarding such information
• Require prompt notice if OSP becomes aware of
• Breach of information security procedures
• Loss or unauthorized access to or use of such
  information
• Any attempt to access, disclose, use, alter,
  destroy such information
• Prohibit use of such information to contact any
  person
• Require compliance with applicable privacy and
  data protection laws
• Require cooperation with relevant authorities
  with respect to such information
• Security
• Require compliance with all of firms safety and
  security procedures and standards
• Require compliance with ISO/IEC 17799
  (Information Technology-Code of Practice for
  Information Security Management)
• Require a report by an independent third party
  audit firm describing OSP control policies and
  procedures (may be satisfied by a Type II SAS 70
  Report) to be provided

33
Outside Service Providers with Possession of or
Access to Personal Information contd.

• Require certificate of compliance with SEI CMM
  Level 5 to be delivered
• Require firm to be notified of any events that
  adversely affect OSPs ability to perform its
  obligations
• Allow firm to conduct ethical hack
• Take all reasonable precautions against hacker
  attempts
• Subcontractors
• Prohibit use of subcontractor without firms
  prior written consent
• Require subcontractor to protect Confidential
  Information, Firm Data, and Personal Information
  in manner substantially equivalent to that of OSP
  
• Audit Rights
• Require auditors, regulators and outside auditors
  to be provided access for the purpose of
  performing audits or on-site inspections
• Ownership
• Require firm to be exclusive owner of and to hold
  and retain all right, title and interest in and
  to Firms Data
• Security Reporting
• Require firm to be immediately informed of any
  breaches or attempted breaches in security
• Require performance of a root cause analysis in
  event of a security breach, provision of a report
  detailing cause of such breach and within
  specified time period remedy of such breach

34
Outside Service Providers with Possession of or
Access to Personal Information contd.

• Require current report by an independent third
  party audit firm describing OSP control policies
  and procedures (may be satisfied by a Type II SAS
  70 Report)
• Require independent third party nonfinancial
  reports and, if available, internal audit
  reports.
• Require written periodic reports on
• System and network security incidents and access
  violations and remediation or actions plans
• Confidential Information, Firm Data and Personal
  Information incidents and breaches and
  remediation or action plans
• Security vulnerability scans or penetration tests
  and remediation or action plans
• Insurance
• Workers Compensation and Employers Liability
• Commercial General Liability
• Automobile Liability
• All Risk Motor Truck Cargo Insurance
• Commercial Blanket Bond
• Computer Software Design Errors and Omissions or
  Similar Professional Liability/Errors and
  Omissions Liability
• Dispute Resolution
• Business Continuity/Disaster Recovery
• Scope of services and service level agreements

35
Phishing

• A form of social engineering in which an
  attacker, also known as a phisher, attempts to
  fraudulently retrieve legitimate users
  confidential or sensitive credentials by
  mimicking electronic communications from a
  trustworthy or public organization in an
  automatic fashion
• Such communications are frequently done through
  emails that direct users to fraudulent websites
  that in turn collect the credentials in question
  for the purpose of theft, fraud, and
  money-laundering
• Examples of credentials frequently of interest to
  phishers are passwords, credit card numbers,
  social security and other national identification
  numbers, and bank account details
• The word phishing is an evolution of the word
  fishing by hackers who frequently replace the
  letter f with the letters ph
• The word arises from the fact that users, or
  phish, are lured by the mimicked communication to
  a trap or hook that retrieves their confidential
  information
• - Steven Myers, Phishing and
  Countermeasurers (2007)

36
Identity Theft

• The term identity theft means a fraud committed
  or attempted using the identifying information of
  another person without authority
• The term identifying information means any name
  or number that may be used, alone or in
  conjunction with any other information, to
  identify a specific person, including any
• name, social security number, date of birth,
  official State or government issued drivers
  license or identification number, alien
  registration number, government passport number,
  employer or taxpayer identification number
• unique biometric data, such as fingerprint, voice
  print, retina or iris image, or other unique
  physical representation
• unique electronic identification numbers,
  address, or routing code or
• telecommunication identifying information access
  device
• - 16 CF6 603.2

37
Removable Media

• Computer storage devices which are not fixed
  inside a computer
• Examples
• Compact Flash
• CDs
• External hard Drives
• Floppy Disks
• MultiMedia Cards
• SD Cards
• USB Flash Drives
• xD Picture Card
• - Wikipedia

38
What the Future Might Bring
39
(No Transcript)
40
(No Transcript)
41
(No Transcript)
42
(No Transcript)
43
(No Transcript)