[IP] A critical look at new bank "security breach" requirements [priv]
------ Forwarded Message
From: Declan McCullagh <declan@xxxxxxxx>
Date: Thu, 24 Mar 2005 00:54:15 -0500
To: <politech@xxxxxxxxxxxxxxx>
Subject: [Politech] A critical look at new bank "security breach" requirements [priv]
http://news.com.com/2061-10796-5631623.html
March 23, 2005, 7:55 AM PST
Feds set security breach rules for banks, credit unions
Banks and credit unions will be expected to follow stricter guidelines
about reporting accidental disclosures of customers' personal information.
Federal regulators on Wednesday outlined what steps they expect
financial institutions to take after a security breach happens. (Alert
readers will remember a series of recent incidents involving Bank of
America, payroll provider PayMaxx, and of course, ChoicePoint.)
Among the guidelines: A notice to customers "should describe the
incident in general terms and the type of customer information that was
the subject of unauthorized access or use. It also should generally
describe what the institution has done to protect the customers'
information from further unauthorized access."
Notice is expected to be given "as soon as possible" in e-mail or
written form, and should include a telephone number that customers can
call for additional assistance, according to the document prepared by
the Federal Reserve System, the Federal Deposit Insurance Corporation,
the Comptroller of the Currency, and the Office of Thrift Supervision in
response to the Gramm-Leach-Bliley Act.
A brief digression: The new guidelines seem to make sense, but it's
difficult to figure out whether they go too far or not far enough.
Normally consumers can shop around and choose products based on a whole
range of different options.
For instance, a hypothetical BankSuperSecure might employ only bonded
employees with government security clearances and hire armed guards to
watch these employees all the time. Those security measures would
probably reduce the chance of insider shenanigans -- but would come at a
substantial cost that would be passed on to consumers in the form of
lower interest rates on savings accounts and higher interest rates on
loans and credit cards.
Its hypothetical competitor CheapDiscountBank might take less rigorous
security mechanisms but offer far better terms on savings accounts and
loans. In this scenario (let's assume that the banks were required to
disclose their respective approaches to security), consumers could
choose what risks they're willing to take and companies could
experiment. Because that process doesn't exist today, we end up with a
one-size-fits-all rule that sets both a security floor and also a de
facto ceiling that banks seem unwilling to exceed. It's difficult to
know whether that security "level" is the best one for consumers.
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
------ End of Forwarded Message
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/