Trusteer Partners with ING DIRECT
ING DIRECT has announced that it has partnered with Trusteer to become the first US bank to offer Trusteer’s Rapport consumer Identity Theft protection software free to all of its customers.
Welcome to the News View for "Privacy".
Here, on one page, you'll find all of the articles on Payments News for Privacy listed in date sequence beginning with the most recent article at the top of the page.
The latest U.S. results of the Unisys Security Index find that Americans are more concerned than they were seven months ago about national security issues and health epidemics and are increasingly concerned about financial security issues and worries about identity theft.
Sarah D. Scalet writes for CSO Magazine about the Payment Card Industry Data Security Standard (PCI DSS), calling it "corporate America's most ambitious effort yet to prove that it can self-regulate."
Eight federal regulators have released a notice of proposed rulemaking (NPR) requesting comment on a model privacy form that financial institutions can use for the privacy notices to consumers required by the Gramm-Leach-Bliley Act (GLB Act).
Damon Darlin writes for the New York Times about efforts to try to get Social Security numbers removed from web sites, etc. “The problem is every dentist’s office has Social Security numbers. Every doctor’s office has them. How secure are these?”
In an article titled "New Credit Cards May Leak Personal Information," Erik Larkin writes for PC World about the privacy aspects of new contactless credit cards, including a discussion of new "second generation" specifications from Visa that require the issuer not to include the cardholder name in the data transmitted by the contactless card's chip.
The Federal Deposit Insurance Corporation's latest quarterly Supervisory Insights newsletter features an article titled "Incident Response Programs: Don't Get Caught Without One". From the abstract: "A security incident can damage corporate reputations, cause financial losses, and foster identity theft, and banks are increasingly becoming targets for attack because they hold valuable data that, when compromised, allow criminals to steal an individual's identity and drain financial accounts. To mitigate the effects of security breaches, organizations are finding it necessary to develop formal incident response programs (IRPs). This article highlights the importance of IRPs to a bank's information security program and provides information on required content and best practices banks may consider when developing effective response programs."
Thomas J. Smedinghoff writes us with news about a new paper he's written titled "Where We're Headed — New Developments and Trends in the Law of Information Security" that's available online. Smedinghoff is a partner at the law firm of Wildman Harrold, in Chicago, and a member of the firm's Privacy, Data Security, and Information Law Practice. In the paper, he writes that "three legal trends are rapidly shaping the information security landscape for most companies." These include a continuing expansion of the duty to provide security, the emergence of a legal standard for compliance - a definition of "reasonable security", and the imposition of a duty to warn.
Bruce V. Bigelow of the San Diego Union-Tribune writes a profile of Beth Givens, founding director of the Privacy Rights Clearinghouse, a San Diego nonprofit group "dedicated to helping consumers deal with the darker disadvantages of the information age."
Glenbrook's Russ Jones comments on the release a few weeks ago by six federal agencies (Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Federal Trade Commission, National Credit Union Administration, Office of the Comptroller of the Currency, and the Securities and Exchange Commission) of a new report titled "Evolution of a Prototype Financial Privacy Notice" (pdf).
Federal regulators have announced the release of Evolution of a Prototype Financial Privacy Notice, a report by Kleimann Communication Group summarizing consumer research commissioned by the regulators as part of their ongoing efforts to develop improved financial privacy notices.
Edward Epstein reports for the San Francisco Chronicle on legislation pending in the House that would mandate certain uniform national standards for consumer notifications in the event of breaches of personal financial data, thereby pre-empting various state laws that are in effect dealing with notification requirements.
NPR's Morning Edition had an interview this morning with Jeff Jonas, chief scientist with IBM's Entity Analytic Solutions, in which he talks about the future of privacy protection.
The Federal Trade Commission has announced that CardSystems Solutions, Inc. and its successor, Solidus Networks, Inc., doing business as Pay By Touch Solutions, have agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law.
Bill Husted writes from tomorrow's Atlanta Journal-Constitution about what a difference a year has made to suburban Atlanta-based ChoicePoint.
Ponemon Institute and Vontu, Inc. have announced the results of their 2006 Privacy Trust Study for Retail Banking, concluding that National City and US Bank tied for first place.
The Federal Trade Commission has announced that ChoicePoint, Inc., which last year acknowledged that the personal financial records of more than 163,000 consumers in its database had been compromised, will pay $10 million in civil penalties and $5 million in consumer redress to settle FTC charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws.
Visa International has released the results of a new global survey of consumer attitudes concluding that the theft or loss of personal and financial information is the No. 1 concern of consumers worldwide (64 percent). A media backgrounder on the survey results (PDF) is available online.
MasterCard has announced several new merchant-related initiatives: incentives for merchants to adopt MasterCard SecureCode payer authentication, free network vulnerability scans of merchant systems, and new education for merchants on security and data protection issues. MasterCard has also launched a new merchant website focused on security at www.mastercardsecurity.com.
Patrik Jonsson writes for the Christian Science Monitor about the potential risks to customer and bank data associated with banks offshoring certain jobs.
Joseph Menn reports for the Los Angeles Times on efforts by various data brokers to support federal rules to safeguard personal information, preferring a consistent federal standard to a range of potentially tougher and more varied state laws.
PGP Corporation has announced the results of two surveys of customer response to incidents of data breaches. The surveys reported that almost 20 percent of customers immediately terminated their accounts with vendors that lost their information, and an additional 40 percent considered termination. Companies participating in a parallel study estimated incurring an average cost of $14 million per breach incident, with costs ranging as high as $50 million. The reports are available online from PGP.
David Birch of Consult Hyperion writes for Principia on contactless payments and how they deliver appropriate levels of security and privacy.
In a typical retail environment the retailer's point-of-sale (POS) terminal and the payment token both contain a microprocessor; the microprocessors communicate using a payment protocol (on top of the ISO 14443 protocol for basic data exchange). When it is time to pay, the customer brings their tag close to the POS terminal. The terminal interrogates the card and gets back the serial number and a cryptogram (a one-time code calculated inside the token). It feeds these to the acquiring bank, which passes them back to the issuer. From the serial number, the issuer knows which account to authorise and from the cryptogram the issuer knows that the token is valid.
The cryptogram is made up from the serial number and a transaction counter, encrypted using the token security key. This key is inserted in the token during manufacturing; it is derived from the serial number and a bank master key. Once in the token, it is never divulged.
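The token/issuer exchange Birch describes, as an added example that is not from his article or from Consult Hyperion: the issuer diversifies a per-token key from the bank master key and the serial number, the token computes a one-time cryptogram over its serial number and transaction counter, and the issuer re-derives the key to check the cryptogram and rejects replayed counters. It assumes HMAC-SHA256 as both the key-derivation function and the keyed cryptogram function, and that the transaction counter travels with the cryptogram; the master key, serial numbers and account ids are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample master key; a real issuer keeps this in an HSM.
BANK_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_token_key(master_key: bytes, serial: bytes) -> bytes:
    """Diversify the bank master key into a per-token key (HMAC assumed)."""
    return hmac.new(master_key, b"token-key|" + serial, hashlib.sha256).digest()


def compute_cryptogram(token_key: bytes, serial: bytes, counter: int) -> bytes:
    """One-time code over serial number and transaction counter, truncated to 8 bytes."""
    msg = serial + counter.to_bytes(4, "big")
    return hmac.new(token_key, msg, hashlib.sha256).digest()[:8]


class Token:
    """The contactless token: key injected at manufacture and never exported."""

    def __init__(self, serial: bytes, master_key: bytes):
        self.serial = serial
        self._key = derive_token_key(master_key, serial)
        self.counter = 0

    def tap(self):
        """What the POS terminal reads back on a tap: serial, counter, cryptogram."""
        self.counter += 1
        return self.serial, self.counter, compute_cryptogram(self._key, self.serial, self.counter)


class Issuer:
    """The issuer: re-derives the token key and verifies the cryptogram."""

    def __init__(self, master_key: bytes):
        self._master = master_key
        self.accounts = {}  # serial -> {"account": id, "last_counter": int}

    def enrol(self, serial: bytes, account: str) -> None:
        self.accounts[serial] = {"account": account, "last_counter": 0}

    def authorise(self, serial: bytes, counter: int, cryptogram: bytes):
        rec = self.accounts.get(serial)
        if rec is None:
            return False, "unknown serial"
        # Replay defence: the counter must move forward for every transaction.
        if counter <= rec["last_counter"]:
            return False, "replayed or stale counter"
        expected = compute_cryptogram(derive_token_key(self._master, serial), serial, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        rec["last_counter"] = counter
        return True, rec["account"]


def run_demo():
    """Walk through a genuine tap, a replay, a forged cryptogram and an unknown serial."""
    issuer = Issuer(BANK_MASTER_KEY)
    token = Token(b"SER-0001", BANK_MASTER_KEY)
    issuer.enrol(token.serial, "ACCT-001")
    results = []

    serial, ctr, crypt = token.tap()
    results.append(issuer.authorise(serial, ctr, crypt))        # (True, "ACCT-001")
    results.append(issuer.authorise(serial, ctr, crypt))        # replay of the same data

    serial, ctr, crypt = token.tap()
    forged = bytes([crypt[0] ^ 0xFF]) + crypt[1:]               # knows serial, not the key
    results.append(issuer.authorise(serial, ctr, forged))       # bad cryptogram
    results.append(issuer.authorise(serial, ctr, crypt))        # genuine retry still works

    results.append(issuer.authorise(b"SER-9999", 1, crypt))     # never enrolled
    return results


if __name__ == "__main__":
    for ok, info in run_demo():
        print("approved" if ok else "declined", info)
```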
From an article by Eric Dash in today's New York Times on data privacy:
Switzerland, for example, requires every employee who handles sensitive data like credit information to "sign a very draconian document," Ted Crooks, vice president of global fraud solutions for Fair Isaac, a data analytics company, said of data protection laws in that country. "You don't mess with Swiss data," he said.
Eric Dash reports for the New York Times on the use of security features by card associations and card issuers in their advertising efforts.
"As it becomes a bigger consumer issue, more companies are going to talk about it," said David Sigel, the Citigroup account director at Fallon Worldwide in Minneapolis, a division of the Publicis Group. "It's a very competitive category, and you are looking to make your product as relevant as it can to consumers."
Hiawatha Bray writes for the Boston Globe on concerns of private investigators about legislation that may limit the sale of Social Security Numbers in the wake of data security and information access breaches.
"We're under a lot of pressure to minimize the availability of Social Security numbers," said LexisNexis spokeswoman Mary Dale Walters. Marco Piovesan, vice president of business services at ChoicePoint, said that his company has discussed the issue with private investigators, but has decided not to sell them Social Security numbers. "We restrict that information to a large number of business types, including the PI group," Piovesan said.
Joe Nocera writes for the New York Times about data theft, looking back at the actions twenty years ago led by Sen. William Proxmire that changed the way credit card issuers had to deal with consumers and why Bruce Schneier is recommending similar changes today to deal with data theft or data loss.
What we need right now is someone in power who can put the burden for this problem right where it belongs: on the financial and other institutions who collect this data. Let's face it: by the time even the most vigilant consumer discovers his information has been used fraudulently, it's already too late. "When people ask me what can the average person do to stop identity theft, I say, 'nothing,'" said Bruce Schneier, the chief technology officer of Counterpane Internet Security. "This data is held by third parties and they have no impetus to fix it."
IBM has announced the formation of a Data Governance Council.
Paul Nowell reports for the Associated Press about the risks of data loss from bank insiders.
"About 70 [percent] to 80 percent of the risk is from insiders, although not all of them are as malicious as the case in New Jersey," said Steve Roop, vice president of marketing at San Francisco-based Vontu, a firm specializing in data-loss prevention.
M.P. Dunleavey reports for the New York Times on a personal experience with debit card data theft.
Unfortunately, although there are steps you can take to protect yourself - and you should - there are no guarantees. "You cannot protect yourself completely," said Edmund Mierzwinski, consumer program director at the U.S. Public Interest Research Group in Washington. "The best thing you can do is react swiftly if it does happen."
Eric Dash reports for the New York Times on the vulnerabilities of the payment system and, in particular, the recent card data security breach at CardSystems Solutions.
And if CardSystems could have its data compromised, might it happen to another processor elsewhere? Industry experts say the likely answer is yes, given how lax Visa and MasterCard have been about enforcing rules with suspensions or fines. Visa and MasterCard maintain that their standards are rigorous, but they need to allow the processor companies time to upgrade systems.
Charles Kenney and Kristina Hickerson of law firm Morrison and Foerster write about two recent data security cases: BJ's Wholesale Club and shoe retailer DSW.
What is noteworthy is that for the first time, the FTC has acted against a company that gave no assurances to the public concerning its handling of customer information. After the BJ’s case, companies that say nothing about their data security practices are just as vulnerable to enforcement actions as those that do. This marks an aggressive shift in the FTC’s enforcement strategy and raises the bar for companies that store and handle customer information.
TowerGroup this morning reported on new research regarding enterprise fraud management in financial services firms, asserting that while many financial institutions fight fraud effectively in certain areas of their business, many do so poorly, if at all, across their full spectrum of products and services.
Jonathan Krim reports for the Washington Post on 2005, the "year of the data breach."
"We've used weak practices for some time," said Chuck Wade, an Internet security and commerce consultant. "The vulnerabilities are well known, and we have not been improving the security measures . . . as we should have been."
Eric Dash reports for the New York Times on an investigation begun last week by the Federal Financial Institutions Examining Council into the security breach at CardSystems Solutions.
Tony Adams of the Columbus, GA Ledger-Enquirer profiles TSYS' risk management efforts.
At his company's annual meeting in April, TSYS Chief Executive Officer Phil Tomlinson bluntly told shareholders the credit-card processor fends off 100,000 hacking attempts each week.
Tom Zeller Jr. reports for the New York Times in Tuesday's edition on the illicit trading in stolen credit card data that takes place on the Internet.
"There's so much to this," said Jim Melnick, a former Russian affairs analyst for the Defense Intelligence Agency who is now the director of threat development at iDefense, a company in Reston, Va., that tracks cybercrime. "The story that needs to be told is the larger, long-term threat to the American financial industry. It's a cancer. It's not going to kill you now, but slowly, over time."
Separately, Julie Creswell and Eric Dash reported that the nation's largest credit card issuers were still uncertain which customer accounts were affected by a computer security breach that MasterCard reported last Friday.
Robin Sidel and Mitchell Pacelle report for the Wall St. Journal in Tuesday's edition on the banking industry implications of the security breach reported last Friday involving up to 40 million cardholders.
In the end, banks often conclude that it is more expensive to replace compromised cards than to step up account monitoring and absorb fraud losses when they occur. Visa estimates that when breaches do happen, only 2% of the exposed cards end up with any fraudulent charges on them.
A separate article by Ron Lieber provides a Q&A on what to expect after a breach of your credit card's security.
AFP reported tonight on some of the implications for cardholders in Asia-Pacific following last Friday's announcement by MasterCard of a security breach at CardSystems Solutions.
In Australia, about 50,000 Mastercard and another 77,000 Visa card holders are believed to have been at risk, ABC radio reported Tuesday. However, the banks issuing the cards said that most of those affected have already been issued with replacements after irregular transactions were picked up as early as last December.
Eric Dash reports in Monday's New York Times on the card security breach reported on Friday by MasterCard.
The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.
MasterCard yesterday said that a much smaller number of card accounts are at risk from the security breach it announced Friday at CardSystems Solutions.
MasterCard International spokeswoman Jessica Antle confirmed Saturday only about 68,000 of its cardholders are at "higher levels of risk."
Thomas Stauffer, Joe Burchell and Lynda Edwards report for Tucson's Arizona Daily Star on yesterday's announcement by MasterCard that the Tucson operations center of CardSystems Solutions was responsible for a security breach that could have exposed information on up to 40 million cardholders.
The company's technology staff identified the security breach on May 22, said Linda Ford, CardSystems' vice president and general counsel. The FBI was notified the next day, and the bureau instructed the company to discuss the breach only on a "need-to-know" basis, Ford said at an impromptu press briefing Friday outside the company's office.
MasterCard gave CardSystems no warning of its Friday announcement, Ford said.
Also in today's morning papers, Carrie Kirby and Jenny Strasburg report for the San Francisco Chronicle on fresh questions being raised as a result of yesterday's announcement of a security breach involving payment card information on up to 40 million consumers.
In this case, victims should not be at risk for identity theft, because the information stolen appears to be transaction data taken from the strip on the back of cards, which generally does not include sensitive details such as Social Security number and date of birth that can be used to open new accounts in a person's name.
Late this afternoon, MasterCard announced it had identified a serious security breach of card information at CardSystems Solutions, Inc., a third-party processor of payment card data.
According to MasterCard's press release, the breach potentially exposed more than 40 million cards of all brands to fraud. MasterCard estimates approximately 13.9 million MasterCard-branded cards may be affected.
The Federal Trade Commission announced today that BJ's Wholesale Club has agreed to settle FTC charges that it failed to take appropriate security measures to protect sensitive customer information.
According to the FTC, this information was used by an unauthorized person or persons to make millions of dollars of fraudulent purchases. The settlement will require BJ’s to implement a comprehensive information security program and obtain audits by an independent third party security professional every other year for 20 years. Details about the complaint and the consent agreement can be found on the FTC's website.
"Consumers must have the confidence that companies that possess their confidential information will handle it with due care and appropriately provide for its security,” said Deborah Platt Majoras, Chairman of the FTC. “This case demonstrates our intention to challenge companies that fail to protect adequately consumers’ sensitive information.”
Carrie Kirby reports for the San Francisco Chronicle on the online underworld where private personal information is quickly and easily sold over the Internet.
The credit card numbers, bank account numbers, eBay accounts and other data sold there are stolen in corporate security breaches like the one at ChoicePoint, through offline crime like old-fashioned pickpocketing, and through scams known as "phishing" attacks, in which criminals trick people into revealing account information with slick-looking fake e-mails.
In a related story, Kirby reports on the latest kinds of phishing attacks.
William Safire reports in the New York Times Book Review on a couple of recent books about privacy -- or, rather, the loss of privacy.
Robert O'Harrow Jr.'s ''No Place to Hide'' might just do for privacy protection what Rachel Carson's ''Silent Spring'' did for environmental protection nearly a half-century ago.
Jonathan Krim writes for the Washington Post about the ease of online access to sensitive personal information.
Although Social Security numbers are one of the most powerful pieces of personal information an identity thief can possess, they remain widely available and inexpensive despite public outcry and the threat of a congressional crackdown after breaches at large information brokers.
Daniel Solove of the George Washington University Law School and Chris Jay Hoofnagle of the Electronic Privacy Information Center have written a paper discussing an approach to privacy protection.
In the aftermath of the ChoicePoint debacle, both of us have been asked by Congressional legislative staffers, state legislative policymakers, journalists, academics, and others about what specifically should be done to better regulate information privacy. In response to these questions, we believe that it is imperative to have a discussion of concrete legislative solutions to privacy problems. What appears below is our attempt at such an endeavor.
David Bank and Christopher Conkey report in the Wall St. Journal on the recent action by federal bank regulators telling banks they should notify customers of security breaches.
Following up on a posting by the OCC last Friday, today the Federal Reserve and other federal bank and thrift regulatory agencies announced publication of new guidance to financial institutions regarding procedures they should follow in addressing security breaches involving customer information.
American Express has announced the launch of Identity Theft Assistance, a new no-cost benefit available to all American Express cardholders. More information about the new program is available online.
U.S. Senator Dianne Feinstein (D-Calif.) has released the text of a letter she's written to the US Comptroller of the Currency questioning various regulations adopted by the OCC that may invalidate some of the core protections of California's SB1 financial privacy law.
I cannot emphasize how concerned I am that your new regulations may very well wreak havoc with the privacy laws that California has established for its residents, and with the state's banking laws more generally.
Jennifer Coleman reports in the San Francisco Chronicle on plans by banking industry groups to appeal yesterday's dismissal of a lawsuit attempting to block California's new financial privacy law from taking effect today.
The bankers contend the Fair and Accurate Credit Transactions Act, passed by Congress in 2003, pre-empts California's restrictions on how affiliated companies can share customer data. "The court has ignored Congress, has ignored the FACT Act, and has used outdated cases to justify a poor decision," said Joe Belew, president of the Consumer Bankers Association. "We are confident that this flawed district court decision will be overturned on appeal."
Jennifer Coleman of the AP reports in the San Francisco Chronicle on a US District Court decision today that threw out a challenge by several banking associations to a new California financial privacy law scheduled to take effect tomorrow.
A brief article in CSO Magazine reports on the shift in how courts are viewing liability with respect to certain "foreseeable events".
Security breaches have never been more highly scrutinized by the courts and regulators, and they are redefining what companies should have seen coming—be it a stolen aircraft or a computer virus. Implementing the right policies, procedures and technology now can limit your company's liability in the future.
Anyone involved in protecting personal financial information of any kind should tune into what's happening with respect to higher standards being required to avoid potential downstream liability.
The PORTIA Project (Privacy, Obligations and Rights in Technologies of Information Assessment - funded by the National Science Foundation) is sponsoring a workshop on sensitive data in medical, financial and content-distribution systems at Stanford on July 8-9, 2004.
John Eby reports on a talk given last week by Lee Goehring, loss prevention manager for 1st Source Bank, South Bend, Ind., at the Dowagiac Rotary Club.
If inhabiting the shadowy side streets and shady cul-de-sacs of the information superhighway teaches Lee Goehring anything, it's this: Think like a thief.
When Goehring thinks like a thief it's to thwart bad guys who favor phishing, skimmers and spyware -- not to commit crimes, because he's vice president and loss prevention manager for 1st Source Bank in South Bend, Ind.
PayPal yesterday alerted customers in a press release that third parties may have obtained limited transaction information of selected customers through the PayPal site after obtaining the passwords of several PayPal merchants.
The American Banker this morning reports on legislation introduced by Senator Bill Nelson of Florida intended to better protect personal information sent overseas as part of offshore outsourcing activities.
Jeff Harrow takes a look at the potential privacy implications associated with deployment of RFID tags.
Dallas Morning News writer Pamela Yip takes a look at the Fair and Accurate Credit Transactions Act (FACT) passed last fall by Congress.
Simson Garfinkel writes in The Nation about the privacy aspects of RFID.
Wachovia Bank says it's the best at respecting its online customers, based upon a study completed by the Customer Respect Group.
Phishing attacks are a rapidly growing problem on the Internet. I've just posted on the Glenbrook web site a recent analysis of phishing attacks which includes some implications for financial institutions, a recommended action plan, etc.
Loretta Kalb reports in the Sacramento Bee on a mailing error by a third party vendor that resulted in Bank of America sending tax documents to the wrong customers.
The customers received mailings addressed to them but containing 1099 tax forms meant for others. The bank attributed the blunder to a printer malfunction by a third-party vendor but would not identify the company. BofA spokeswoman Betty Riess said Wednesday that the bank will provide customers with a two-year credit-monitoring service called PrivacySource to help guard against identity theft. She added that customers would not be responsible for unauthorized account activity.
ComputerWorld reports on various initiatives to combat phishing attacks.
The rapid growth of so-called phishing scams has left IT managers, industry groups and technology vendors scrambling to deal with the e-mail fraud problem. A large part of the effort is focused on consumer awareness programs, cross-border law enforcement activities and improvements in information sharing between companies and authorities. But new tools and services that could help companies better detect and respond to such scams are also beginning to emerge.
Minnesota Public Radio reports on U.S. Bank's efforts to educate customers about phishing attacks.
Glenbrook's Russ Jones has just posted a new opinion piece on RFID in financial services.
If implemented properly, with a careful eye on the special requirements of the financial services industry, RFID holds great promise. But if deployed prematurely or before all the privacy ramifications are understood, it might also provide some nasty and unfortunate surprises.
Gregg Keizer reports on InternetWeek.com on the growth in phishing attacks -- rogue emails sent out that attempt to get consumers to provide account details and passwords by impersonating financial institutions.
In the past two weeks alone, an estimated 60 million phishing e-mails have been sent to users, said Tumbleweed Communications, an anti-spam and secure messaging vendor that compiled the numbers from Anti-Phishing.org. Because the phishing messages often look remarkably official, down to logos and professionally designed forms for entering credit card information, an average of 5 percent of those who receive them respond.
Actually, we've heard anecdotally of even higher response rates to these unfortunate emails. The industry has recently established the Anti-Phishing Working Group, founded by Tumbleweed, to help deal with the threats from phishing attacks.