
Data Theft and
Identity Fraud
Mark D. Rasch
June 18, 2008
Definitions
• Identity theft: The unauthorized collection, possession,
transfer, replication or other manipulation of another
person’s personal information for the purpose of committing
fraud or other crimes that involve the use of a false
identity.
• Identity fraud: the gaining of money, goods, services, other
benefits, or the avoidance of obligations, through the use of
a false identity.
Identity Theft
2004-2005
9.3M - 8.9 Million Adult Americans
Total Losses $5.44 – $5.66 Billion
Average Losses $5,885 - $6,383
Median fraud amount per fraud victim $750 - $750
Average consumer cost $675 - $422
Average resolution time 28 hours - 40 hours
Median resolution time 5 hours - 5 hours
68.2% Paper-based Theft
11.6% Computer Crime
50% Family Members, Friends, and Neighbors
28.8% Lost or Stolen Wallets and Checkbooks
Facts You Didn't Know Related to Identity Fraud
It takes 467 days to discover that you are a victim of identity
fraud (Experian).
79 percent of businesses make no effort to destroy sensitive
material that is thrown away or being prepared for recycling.
40 percent of businesses risk their clients' identities by
throwing away information on their customers which includes
home addresses, phone numbers and photocopies of
passports - all of which can be used by a criminal to steal a
person's identity (survey commissioned by Fellowes).
Current address (or present address fraud) accounted for almost
half of all identity fraud cases reported to Experian in the
second half of 2006.
Most Useful Info
• ID documents/numbers
– SIN, health, drivers license, passport, birth cert.
– employee, student, member
• Account numbers/details
– Bank, credit card, mortgage, phone, etc.
• Credit reports
• Home address
• Date of birth
• Passwords, PINs
• Employment details
• Biometric information
Techniques of ID Theft
• taking/stealing from individuals:
– finders keepers: trash, used computer equip, lost wallet
– theft of wallet, checkbook, credit card, mail
– pretexting by phone or in person
– scams: employment, surveys, contests….
– phishing, vishing, pharming, whaling
– skimming - via ATMs, hidden machines
– wireless eavesdropping
– malware: keystroke loggers, etc
Techniques of ID Theft
• taking from public sources:
– personal websites, social networking sites
– online resumes
– employer/association websites
– online public records (eg, court/tribunal)
– post-disaster missing person sites
– obituaries
– used vehicle info package (Ont.)
• owner’s name/address used to get copy of ownership permit
Techniques of ID Theft
• taking/stealing from organizations:
– dumpster diving
– used computer equipment
– corrupt employees
– pretexting (duped employees)
• purchase/subscribe (e.g., credit reports)
– hacking
– taking advantage of security holes
Phishing Statistics – Victim Attempts
Week ending 20 April, 2008
http://www.marshal.com/TRACE/phishing_statistics.asp
Phishing Sources by Country
Phishing Sources by Continent
Phishing Percentage over Time
Intermediate Stages
• ID data trafficking
– buy and sell personal information
• ID document “breeding”
– create counterfeit documents
– apply for new documents, ID numbers (forgery)
• Submit change of address to post office
– divert victim’s mail
Purpose: ID Fraud
• use credit card, phone credit
• withdraw from bank account
• open new accounts (bank, utility, phone…)
• obtain loans
• mortgage/sell property (mortgage/title fraud)
• steal cars; order goods online using drop-site
• get insurance or government benefits
• get employment/hide criminal record
• create cover for other criminals/terrorists
Control Points
• Individuals:
– limited control / ability to assess risk
• Organizations:
– Service providers
• Online services, electronic banking, magnetic stripe cards,
wireless communications, …
– Software/hardware vendors/manufacturers
– Data holders
– Public records
– Social networking sites
Market Responses
• Stronger authentication mechanisms
– more passwords, two factor authentication
– Credit card security code
– Smart cards
– Digital IDs; “information cards”
– Biometrics
• New detection tools
– ID Alarm
– Better account monitoring/pattern recognition
• Industry standards
– Financial transactions (Interac, etc.)
Criminal Law
• Existing ID Theft/Fraud crimes
– fraud, forgery, personation, computer misuse
– mere possession is not a crime; no deprivation
• Possible new ID Theft crimes
– possession of [multiple] ID with intent to defraud
• remove deprivation requirement
• rebuttable presumption of intent (multiple ID, spec.data)
– fraudulently obtaining personal info (Bill C-299)
– trafficking in ID info/cards recklessly or knowingly
– breach of trust (employee theft)
– fraudulently redirecting mail
EU Convention on Cybercrime
Adopted in 11/2001, in force since 7/2004
43 signatory states, 22 already ratified including the U.S.
The Convention on Cybercrime (CCC)
harmonizes domestic criminal substantive law
provides investigation authorities with certain powers
sets a system of international cooperation
Influence on other legislative efforts
EU Council Framework Decision 2005/222/JHA on
attacks against information systems
Phishing and the CCC
Computer related fraud (Art. 8):
“causing a loss of property to another person by:
a) any input, alteration, deletion or suppression of computer
data;
b) any interference with functioning of a computer system, with
fraudulent and dishonest intent of procuring, without right, an
economic benefit for oneself or for another person”
According to the Explanatory Report to the CCC, this criminal
offence aims at “manipulation in the course of data processing
with the intention to effect an illegal transfer of property.”
Misleading internet users to disclose their private data
Pharming and the CCC
Computer related fraud (Art. 8) committed by way of “interfering
with the functioning of a computer system”
Illegal Access (Art. 2)
accessing on-line bank accounts
Infringement of copyright and related rights
(Art. 10)
creating bogus websites that resemble the original ones
Identity Theft and Assumption Deterrence Act
18 U.S.C. §1028 makes identity theft a crime (October 1998).
Punishes whoever:
“knowingly transfers or uses, without lawful authority, a means
of identification of another person with the intent to commit,
or to aid or abet, any unlawful activity that constitutes a
violation of federal law, or that constitutes a felony under any
applicable state or local law.”
Name or SSN is considered a “means of identification.” So is a
credit card number, cellular telephone electronic serial number
or any other piece of information that may be used alone or in
conjunction with other information to identify a specific
individual.
Caution
Beware of unintended consequences…
– shouldn’t criminalize socially accepted uses of
alternative identities
• pseudonyms (eg, online privacy protection)
• kids’ use of adult ID to get cigarettes or booze
• investigative journalism/public interest research
– mere possession is not enough
• eroding the presumption of innocence
– how much uncaptured crime = acceptable cost of protecting
innocent individuals from prosecution?
– “knowingly and with intent to defraud…”
FACTA Red Flag Rules
Go into effect November 1, 2008.
The regulations apply to banks, but also to any financial institution or creditor
that holds a covered transaction account - any consumer account, or other
account for which there is a reasonably foreseeable risk of identity theft. Such
an institution or creditor must develop and implement an Identity Theft
Prevention Program (Program) for combating identity theft in connection with
new and existing accounts.
The Program must include reasonable policies and procedures for
detecting, preventing, and mitigating identity theft and enable a
financial institution or creditor to:
• Identify relevant patterns, practices, and specific forms of activity
that are “red flags” signaling possible identity theft and
incorporate those red flags into the Program;
• Detect red flags that have been incorporated into the Program;
• Respond appropriately to any red flags that are detected to
prevent and mitigate identity theft; and
• Ensure the Program is updated periodically to reflect changes in
risks from identity theft.
Purposes of Red Flag Rule
In adopting FACTA Sections 114 and 315, Congress recognized
that lax business practices played a significant role in aiding
identity thieves. Prior law included
• (1) the Customer Identification Program rule adopted under
section 326 of the USA PATRIOT Act, 31 USC 5318(l), (CIP
rule) adopted as a counter-terrorism measure; and
• (2) the information security guidelines adopted under the
Gramm-Leach-Bliley Act, 15 USC 6801, (GLB)
Report to Board of Directors and/or Senior Management
Plan requires approval and reporting to the board of directors or
“senior management.” [71 Fed Reg 40789] However, the principle that a
senior management level employee is responsible for the
Program is not included for organizations without a board of
directors. Instead of “designated employee,” the Agencies
should specify that, absent a board of directors, a senior
manager is charged with overseeing the Program.
Covered Entities
The rules apply to any financial institution or creditor that
holds a covered account.
A financial institution is defined as a state or national bank, a
state or federal savings and loan association, a mutual savings
bank, a state or federal credit union, or any other entity that
holds a "transaction account" belonging to a consumer.
Definitions
A transaction account is a deposit or other account from which the owner
makes payments or transfers. Transaction accounts include checking
accounts, negotiable order of withdrawal accounts, savings deposits subject
to automatic transfers, and share draft accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any
entity that regularly arranges for the extension, renewal, or continuation of
credit; or any assignee of an original creditor who is involved in the decision
to extend, renew, or continue credit. Creditors include finance companies,
automobile dealers, mortgage brokers, utility companies, and
telecommunications companies.
A covered account is an account used mostly for personal, family, or household
purposes, and that involves multiple payments or transactions. Covered
accounts include credit card accounts, mortgage loans, automobile loans,
margin accounts, cell phone accounts, utility accounts, checking accounts,
and savings accounts. A covered account is also an account for which there is
a foreseeable risk of identity theft - for example, small business or sole
proprietorship accounts.
Identity Theft Prevention Program
The rules require:
• each financial institution and creditor that holds any "covered
account" to develop and implement an Identity Theft
Prevention Program designed to prevent, detect, and
mitigate identity theft in connection with new and existing
accounts;
• issuers of credit and debit cards to develop policies and
procedures to assess the validity of an address change
request when that request is followed closely by a request for
an additional or replacement card;
• users of consumer credit reports to develop policies and
procedures to respond to notices from credit reporting
agencies regarding address discrepancies.
Requirements
Written Identity Theft Prevention Program ("Program") to prevent, detect, and
mitigate identity theft in connection with certain covered accounts.
The programs must be uniquely tailored to a covered entity's
size, complexity, and nature of operations.
Four Essential Features
Identify and incorporate relevant patterns, practices, and specific forms of
activity that are "red flags" signaling possible identity theft.
• vary depending on the nature of the business in question,
• based on the guidance provided by regulators and the covered entity's
own experiences.
Detect red flags that have been incorporated into the entity's Program.
• obtaining identifying information about, and verifying the identity of, a
person opening an account, and, in the case of existing accounts,
authenticating customers,
• monitoring transactions, verifying the validity of address change requests.
Respond appropriately to any red flags that are detected,
• monitoring an account for evidence of identity theft,
• contacting the customer,
• calling law enforcement,
• changing any password or security device that permits account access,
• closing an account, etc.
Update ID theft program periodically to reflect changes in risks to customers
from identity theft, or to the safety and soundness of the covered entity.
What You Should Do
Look for patterns, practices, and activities that indicate possible risk of identity
theft.
Evaluate the list (which is not exhaustive) and include in your Program those red
flags that are appropriate to your business.
• Alerts, notifications, or other warnings received from consumer reporting
agencies or service providers, such as fraud detection services;
• The presentation of suspicious documents;
• The presentation of suspicious personal identifying information, such as a
suspicious address change or a social security number listed in the Social
Security Administration's Death Master File;
• The unusual use of, or other suspicious activity related to, a covered
account; and
• Notice from customers, victims of identity theft, law enforcement
authorities, or other persons regarding possible identity theft in
connection with covered accounts.
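An added example, not from the slides: a minimal detector for three of the red flags named above (a card request closely following an address change, per the card-issuer rule on the Identity Theft Prevention Program slide; an SSN listed in the Death Master File; and an address discrepancy notice from a consumer reporting agency), run over a constructed event stream. The event kinds, field names, the 30-day "closely" window and the sample values are all assumptions made for this example.

```python
"""Minimal Red Flag detector over a constructed batch of account events."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    day: date
    kind: str                                  # one of KINDS (assumed taxonomy)
    detail: dict = field(default_factory=dict)


KINDS = {"account_open", "address_change", "card_request", "cra_address_discrepancy"}


@dataclass(frozen=True)
class RedFlag:
    account: str
    day: date
    rule: str
    note: str


# Constructed sample values; 000-xx-xxxx is never issued, so these are not real SSNs.
DEATH_MASTER_FILE = frozenset({"000-00-0001", "000-00-0002"})

CARD_REQUEST_WINDOW = timedelta(days=30)   # assumption: "followed closely" = 30 days


def detect_red_flags(events, dmf=DEATH_MASTER_FILE, window=CARD_REQUEST_WINDOW):
    """Return the red flags raised by a batch of events, in chronological order."""
    flags = []
    last_address_change = {}   # account -> date of the most recent address change
    # Sort by day, then by kind, so a same-day address change is seen before the
    # card request that follows it ("address_change" sorts before "card_request").
    for ev in sorted(events, key=lambda e: (e.day, e.kind)):
        if ev.kind not in KINDS:
            raise ValueError(f"unknown event kind: {ev.kind}")
        if ev.kind == "address_change":
            last_address_change[ev.account] = ev.day
        elif ev.kind == "card_request":
            changed = last_address_change.get(ev.account)
            if changed is not None and ev.day - changed <= window:
                flags.append(RedFlag(
                    ev.account, ev.day, "card_request_after_address_change",
                    f"card requested {(ev.day - changed).days} days after address change"))
        elif ev.kind == "cra_address_discrepancy":
            flags.append(RedFlag(
                ev.account, ev.day, "cra_address_discrepancy",
                f"CRA reports address mismatch: {ev.detail.get('cra_address', '?')}"))
        elif ev.kind == "account_open":
            if ev.detail.get("ssn") in dmf:
                flags.append(RedFlag(
                    ev.account, ev.day, "ssn_in_death_master_file",
                    "SSN presented at account opening is listed as deceased"))
    return flags


# Constructed sample events (no real accounts or people).
SAMPLE_EVENTS = [
    Event("A-1001", date(2008, 6, 1), "address_change", {"new_address": "1 Example St"}),
    Event("A-1001", date(2008, 6, 10), "card_request", {"reason": "replacement"}),
    Event("A-1002", date(2008, 1, 5), "address_change"),          # too old to pair
    Event("A-1002", date(2008, 6, 10), "card_request", {"reason": "additional"}),
    Event("A-1003", date(2008, 6, 2), "account_open", {"ssn": "000-00-0001"}),
    Event("A-1004", date(2008, 6, 3), "cra_address_discrepancy", {"cra_address": "9 Other Rd"}),
    Event("A-1005", date(2008, 6, 5), "card_request", {"reason": "replacement"}),  # no change
]

if __name__ == "__main__":
    for flag in detect_red_flags(SAMPLE_EVENTS):
        print(f"{flag.day} {flag.account} {flag.rule}: {flag.note}")
```

Each flag carries the account, date, rule name and a note so it can feed the "respond appropriately" step (contact the customer, hold the card request, etc.) rather than being printed and forgotten.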
Other Requirements
Program must be in WRITING
Obtain approval of the initial written Program by the Board of
Directors or a committee of the Board;
Involve the Board of Directors, a committee of the Board, or
senior management in the development, implementation, and
administration of the Program;
Report, at least annually, to the Board of Directors, a committee
of the Board, or senior management, on compliance with the
red flag regulations;
Train staff to implement the Program effectively; and
Exercise appropriate and effective oversight of arrangements
with third-party and affiliated service providers
Organizations
• limit collection/retention of personal information
• don’t create or contribute to data warehouses
• control (minimize?) outsourcing
• minimize disclosures of personal information
– eg., credit card receipts
• security safeguards
– computer firewalls, access controls
– trash: shredding docs, cleaning used computer equip.
– validation, authentication of customers
• employee screening, training, monitoring
• warnings; notice to potential victims
Privacy is Dead
Now What?
Mark D. Rasch
Managing Director Technology
FTI Consulting
Privacy Generally
No General Legal Protections for Privacy
Hodgepodge of Federal and State Laws
Deal With Particular Subject Matters
Constitutional implied or penumbra rights
• Fourth Amendment Search and Seizure
• Fifth Amendment Self Incrimination
• Ninth Amendment – delegation
• Griswold v. Conn., Doe reproductive rights cases
• “right to be left alone”
What do we MEAN by Privacy?
Right to be left alone
Right to integrity of person
Right to CONTROL of data collected
BUT
Who OWNS the data about us?
Who has a right to access?
What circumstances?
Threats to Privacy
Data Collection
• Voluntary collection
• Compelled collection
• “Ambient” information
• “Public” information
• Surveillance
Data Dissemination
Data non-anonymization
Data Aggregation
Subject profiling
Federal Privacy Laws
Privacy Act (1974)
Federal Trade Commission Act (1914)
Fair Credit Reporting Act (1970)
Family Educational Rights and Privacy Act, Public Law 93-380, 1974
Cable Communications Policy Act (1984)
Cable Privacy Protection Act of 1984
Electronic Communications Privacy Act (1986)
Title III Wiretap Provisions
Computer Matching and Privacy Protection Act (1988)
Tax Reform Act of 1976
The Right to Financial Privacy Act of 1978
Video Privacy Protection Act (1988)
Telephone Consumer Protection Act (1991)
Driver's Privacy Protection Act, PL 103-322, 1994
Children's Online Privacy Protection Act (1998)
HIPAA (1996)
GLBA (2000)
Data Collection
Website collection
• EU Data Privacy Laws
• US “Safe Harbor” Provisions
• FTC Section 5 “false and deceptive trade practices”
• Lilly Case
• Do what you say – say what you do
• Google Doubleclick – finalized March 10, 2008
• Privacy policies
Who owns collected data?
Data Subject?
Data Collector?
Sale of Data?
Data Sharing?
Profiling?
Mining?
Anonymity
Anonymous speech
Postings
Blogging
Takedown notices
Copyright infringement
P2P
Defamation?
As a general rule – anonymity loses
Amendments to Regulation S-P
GRAMM-LEACH-BLILEY ACT
● Financial Services Modernization Act of 1999
● FTC implementation
- Privacy Rule in 2000 – Higher education is exempt if compliant with
FERPA
- Safeguards Rule in 2002 – applies to “financial Institutions”
including higher education
- Information Security Programs were required beginning May 23,
2003
SAFEGUARDS RULE (16 CFR PT. 314)
Requires development, implementation, and maintenance of “a
comprehensive information security program” containing
“administrative, technical, and physical safeguards that are
appropriate” for the size, complexity, nature and scope of your
activities, and the sensitivity of the protected information.
Elements
- Designation of an employee or employees to coordinate the information
security program.
- Employee training and management;
- Risk Assessment, including focus on:
▪ Information systems, including network and software design, as well
as information processing, storage, transmission and disposal; and
▪ Detecting, preventing and responding to attacks, intrusions, or other
systems failures.
- Design and implement information safeguards to control the risks you
identify through risk assessment, and regularly test or otherwise monitor
the effectiveness of the safeguards' key controls, systems, and procedures.
- Oversee service providers, by:
▪ Taking reasonable steps to select and retain service providers that are
capable of maintaining appropriate safeguards for the customer
information at issue; and
▪ Requiring your service providers by contract to implement and
maintain such safeguards.
- Periodic Evaluations and Adjustments of information security program to
account for any material changes to your operations or business
arrangements or any other circumstances that you know or have reason to
know may have a material impact on your information security program.
DATA BREACH NOTIFICATION LAWS
Data Breach Notification
Vary from State to State
Differing definitions of Personally Identifiable Information
Vary on HOW to report
What to report
When to report
To WHOM to report
What to do BESIDES report
Who has the obligation to report
FACTA and Disposal Rules
FACTA – what credit card information you can collect/print
Disposal rule – 16 CFR Part 182
Part of duty to protect personal information
Credit information
Social Security Information
Related Financial Information
LEGAL LIABILITY - CASE LAW
● Case law/experts suggest an emerging duty to provide
data security
– Kahle v. Litton (May 16, 2007): court recognized that the
defendant mortgage company owed a duty to safeguard the
plaintiff mortgagee’s data
– Bell v. Michigan Council (February 15, 2005): court
recognized a fiduciary duty to safeguard PII between a union
and its members
– Cobell v. Norton (December 3, 2004): D.C. Court of
Appeals cites Interior’s obligation ‘as a fiduciary’ to maintain
and preserve information
– Daly v. Met Life (May 20, 2004): NYS court found a
fiduciary duty requiring insurer to protect insured’s personal
information
Superior Mortgage
September 28, 2005
FTC’s Safeguards Rule, enacted under the Gramm-Leach-Bliley
Act, requires financial institutions to implement reasonable
policies and procedures to ensure the security and
confidentiality of sensitive customer information.
Superior maintained customers’ Social Security numbers, credit
histories, and credit card numbers, among other sensitive
information.
GLBA Regulation S-P
GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the
SEC, and investment companies to
• provide an annual notice of their privacy policies and practices to their customers (and
notice to consumers before sharing their nonpublic personal information with
nonaffiliated third parties outside certain exceptions). 15 U.S.C. 6803(a); 17 CFR 248.4;
17 CFR 248.5.
• describe the institutions’ policies and practices with respect to disclosing nonpublic
personal information about a consumer to both affiliated and nonaffiliated third parties.
15 U.S.C. 6803; 17 CFR 248.6.
• provide a consumer a reasonable opportunity to direct the institution generally not to
share nonpublic personal information about the consumer (that is, to “opt out”) with
nonaffiliated third parties. 15 U.S.C. 6802(b); 17 CFR 248.7.
• provide, where applicable under the FCRA, a notice and an opportunity for a consumer to
opt out of certain information sharing among affiliates.
Sections 13, 14, and 15 of Regulation S-P (17 CFR 248.13, 17 CFR 248.14, and 17 CFR 248.15)
set out exceptions from these general notice and opt out requirements under GLBA:
• Exceptions for sharing information with other financial institutions under joint
marketing agreements and with certain service providers.
• Exceptions for sharing information for everyday business purposes, such as
maintaining or servicing accounts.
Amendments to Reg S-P
On March 4, 2008, the Securities and Exchange Commission announced
proposed changes to Regulation to address identity theft of securities
industry customers.
Reg S-P was adopted seven years ago under the Gramm-Leach-Bliley
Act (“GLBA”) and the Fair Credit Reporting Act.
It requires financial institutions under the authority of the SEC (including
investment advisers, mutual funds, broker-dealers and SEC-registered
transfer agents) to adopt policies and procedures to protect client information.
Disposal rule and FACTA require secure disposal of personal information.
The two requirements of Reg S-P relating to safeguarding and disposal
of confidential information have not kept pace with bank and other
regulators’ detailed programs for information privacy and data
security.
More Specific Requirements
More specific standards under the safeguards rule of Reg S-P, including
physical, technical and administrative safeguards, written policies
and required responses to data security breach incidents.
• require the financial institution to develop and execute a more
detailed “information security program” similar to programs
required by other federal regulators.
• be in writing
• designate an employee in charge of information security,
• identify anticipated threats and implement controls to address
those threats.
• require staff training,
• regular testing
• coordination with service providers to maintain the program’s
effectiveness.
Requirements
(i) designate in writing an employee or employees to coordinate the information security
program;
(ii) identify in writing reasonably foreseeable security risks that could result in the
unauthorized disclosure, misuse, alteration, destruction or other compromise of personal
information or personal information systems;
(iii) design and document in writing and implement information safeguards to control the
identified risks;
(iv) regularly test or otherwise monitor and document in writing the effectiveness of the
safeguards’ key controls, systems, and procedures, including the effectiveness of access
controls on personal information systems, controls to detect, prevent and respond to
attacks, or intrusions by unauthorized persons, and employee training and supervision;
(v) train staff to implement the information security program;
(vi) oversee service providers by taking reasonable steps to select and retain service
providers capable of maintaining appropriate safeguards for the personal information at
issue, and require service providers by contract to implement and maintain appropriate
safeguards (and document such oversight in writing);
(vii) evaluate and adjust their information security programs to reflect the results of the
testing and monitoring, relevant technology changes, material changes to operations or
business arrangements, and any other circumstances that the institution knows or
reasonably believes may have a material impact
Goals of Information Security Program
A financial institution’s information security program must be
reasonably calculated to prevent the breach and misuse of
client information that results in “substantial harm or
inconvenience,”
• “personal injury, or more than trivial financial loss,
expenditure of effort or loss of time.”
• identity theft and extortion would likely cause “substantial
harm or inconvenience,”
• inadvertent mis-delivery of an account statement would
not.
Expanded Coverage of Reg S-P’s Scope
SEC proposes to broaden the type of information and persons
covered by the SEC safeguards and disposal rules.
• SEC proposes to have both rules protect “personal
information,” which encompasses “nonpublic personal
information” under the GLBA and “consumer report
information” under the Fair and Accurate Credit
Transactions Act of 2003.
• While “personal information” means personally identifiable
financial information, “consumer report information”
focuses on information generally contained in consumer
reports.
Information Security Coordinator
Require firms of all sizes to designate an employee to coordinate
the information security program.
Would have “sufficient authority and access to the institution’s
managers, officers and directors to effectively implement the
program and modify it as necessary.”
Many firms have no such individual – thus they would
• Add duties to IT managers with no experience in security
• Add duties to security personnel with no experience in IT
• No option to “outsource” compliance through consulting
agreements
• Difference between responsibility and expertise
Testing
Require every institution to regularly test or otherwise monitor
the effectiveness of the safeguards.
Broker-dealers, Commission registered investment advisers and
investment companies are already subject to rules that
require testing of policies and procedures.
• Broker-dealers must comply with FINRA Rule 3520 and
Commission Rules 38a-1 and 206(4)-7 which require
investment companies and investment advisers,
respectively, to conduct testing and an annual review of
their policies and procedures that should include privacy
and information safeguarding.
• Not clear if S-P requirements are supplemental or different
Third Party Providers
Financial institutions should ensure TSPs implement and
maintain controls sufficient to appropriately mitigate risk.
In higher-risk relationships the institution by contract may
• prescribe minimum control and reporting standards,
• obtain the right to require changes to standards as external
and internal environments change,
• obtain access to the TSP for institution or independent
third-party evaluations of the TSP’s performance against
the standard.
In lower risk relationships the institution may prescribe the use
of standardized reports, such as trust services reports or a
Statement of Auditing Standards 70 (SAS 70) report.
Employee Information
In addition to nonpublic personal information and consumer
report information of “consumers,” “personal information” also
would include information identified with any employee,
investor or security holder who is a natural person that is
handled by the institution or maintained on the institution’s
behalf.
This covers employees rather than only clients of financial institutions,
including employee user names and passwords, which, if
compromised, could undermine the integrity of a financial
institution’s information security system.
Explicit Coverage
The SEC safeguards rule would also apply to registered transfer
agents in addition to the brokers, dealers, registered
investment advisers, and investment companies.
However, registered broker-dealers, would be excluded from the
safeguards rule
Disposal Rule
The SEC disposal rule would apply to “natural persons who are
associated persons of a broker or dealer, supervised persons
of a registered investment adviser, and associated persons of
a registered transfer agent.”
The rule would continue to cover broker-dealers, investment
companies, registered investment advisers and registered
transfer agents.
Record-keeping
Creates record-keeping requirements for policies and procedures
to comply with the proposed regulation, as well as
documentation of compliance
Doesn’t say how detailed the records must be
Includes plans on how to comply
Why a particular plan or solution was chosen
Why it is appropriate to the size and complexity of the business,
and to the sensitivity of the data protected
Written plans on privacy, security, training and incident response.
Broker Mobility
Exception allowing a broker who is changing firms to take limited
personal information to the new firm in order to maintain
relationships with clients
Is this a “disclosure” to the new firm?
Can the customer “opt out” of this disclosure?
Breach Notification
A financial institution would need to notify the affected individual and,
potentially, the SEC in the event of a data security breach.
The institution must notify the affected individual when it becomes aware of
unauthorized access to personal information and determines that
misuse of personal information has occurred or is reasonably
possible.
This “risk of harm” standard is similar to that used in the guidance
relating to customer notification of security breaches issued by the
bank regulatory agencies.
SEC would require notification to the SEC only when the breach poses
a significant risk of substantial harm or inconvenience to a consumer
or when someone has intentionally obtained “sensitive personal
information,” such as a social security number.
Financial institutions must report the incident to the SEC on
proposed Form SP-30.
Requires written procedures for responding to a data security breach
Breach Notification
If third party with Broker/Dealer information suffers breach,
WHO has duty to notify?
• Data Collector – has personal relationship with data
subject, and has the “contract” for privacy
• Data Collector has presumably selected the third party to
share information
• Who is the “owner” of the information?
• Who has the “duty” to notify, whose expense, and who is
liable for inadequate or untimely notification
Federal Preemption
Financial institutions subject to the bank regulatory agency
guidance providing notice of a security breach under that
standard are exempt from the requirements of several of the
numerous state data security breach notice laws.
Those financial institutions providing notice under the new SEC
standard will now also be permitted under many state laws to
provide notice to consumers under the federal standard rather
than the different state standards.
For More Information
Mark D. Rasch
Managing Director, Technology
FTI Consulting, Inc.
[email protected]
(202) 312-9174