Document Sample
2008-Rasch-Privacy-Identity-Theft Powered By Docstoc
					Data Theft and
Identity Fraud

Mark D. Rsach
June 18, 2008

• Identity theft: The unauthorized collection, possession,
   transfer, replication or other manipulation of another
   person‟s personal information for the purpose of committing
   fraud or other crimes that involve the use of a false
• Identity fraud: the gaining of money, goods, services,
   other benefits, or the avoidance of obligations, through the
   use of a false identity.
Identity Theft

9.3M - 8.9 Million Adult Americans
Total Losses $5.44 – $5.66 Billion
Average Losses $5,885 - $6,383
Median fraud amount per fraud victim $750 - $750
Average consumer cost $675 - $422
Average resolution time 28 hours - 40 hours
Median resolution time 5 hours - 5 hours
68.2% Paper-based Theft
11.6% Computer Crime
50% Family Members, Friends, and Neighbors
28.8% Lost or Stolen Wallets and Checkbooks
Facts You Didn't Know Related to Identity

It takes 467 days to discover that you are a victim of identity
   fraud (Experian).
79 percent of businesses make no effort to destroy sensitive
   material that is thrown away or being prepared for recycling.
40 percent of businesses risk their clients identities by
   throwing away information on their customers which includes
   home addresses, phone numbers and photocopies of
   passports - all of which can be used by a criminal to steal a
   persons identity (survey commissioned by Fellowes).
Current address (or present address fraud) accounted for almost
   half of all identity fraud cases reported to Experian in the
   second half of 2006.
Most Useful Info

• ID documents/numbers
– SIN, health, drivers license, passport, birth cert.
– employee, student, member
• Account numbers/details
– Bank, credit card, mortgage, phone, etc.
• Credit reports
• Home address
• Date of birth
• Passwords, PINs
• Employment details
• Biometric information
Techniques of ID Theft

• taking/stealing from individuals:
– finders keepers: trash, used computer equip, lost wallet
– theft of wallet, checkbook, credit card, mail
– pretexting by phone or in person
– scams: employment, surveys, contests….
– phishing, vishing, pharming, whaline
– skimming - via ATMs, hidden machines
– wireless eavesdropping
– malware: keystroke loggers, etc
Techniques of ID Theft

• taking from public sources:
– personal websites, social networking sites
– online resumes
– employer/association websites
– online public records (eg, court/tribunal)
– post-disaster missing person sites
– obituaries
– used vehicle info package (Ont.)
• owner‟s name/address used to get copy of ownership permit
Techniques of ID Theft

• taking/stealing from organizations:
– dumpster diving
– used computer equipment
– corrupt employees
– pretexting (duped employees)
• purchase/subscribe (e.g., credit reports)
– hacking
– taking advantage of security holes
Phishing Statistics – Victim Attempts

Week ending 20 April, 2008

Phishing Sources by Country
Phishing Sources by Continent
Phishing Percentage over Time
Intermediate Stages

• ID data trafficking
– buy and sell personal information
• ID document “breeding”
– create counterfeit documents
– apply for new documents, ID numbers (forgery)
• Submit change of address to post office
– divert victim‟s mail
Purpose: ID Fraud

•   use credit card, phone credit
•   withdraw from bank account
•   open new accounts (bank, utility, phone…)
•   obtain loans
•   mortgage/sell property (mortgage/title fraud)
•   steal cars; order goods online using drop-site
•   get insurance or government benefits
•   get employment/hide criminal record
•   create cover for other criminals/terrorists
Control Points

• Individuals:
– limited control / ability to assess risk
• Organizations:
– Service providers
• Online services, electronic banking, magnetic stripe cards,
wireless communications, …
– Software/hardware vendors/manufacturers
– Data holders
– Public records
– Social networking sites
Market Responses

• Stronger authentication mechanisms
– more passwords, two factor authentication
– Credit card security code
– Smart cards
– Digital IDs; “information cards”
– Biometrics
• New detection tools
– ID Alarm
– Better account monitoring/pattern recognition
• Industry standards
– Financial transactions (Interac, etc.)
Criminal Law

• Existing ID Theft/Fraud crimes
– fraud, forgery, personation, computer misuse
– mere possession is not a crime; no deprivation
• Possible new ID Theft crimes
– possession of [multiple] ID with intent to defraud
• remove deprivation requirement
• rebuttable presumption of intent (multiple ID, spec.data)
– fraudulently obtaining personal info (Bill C-299)
– trafficking in ID info/cards recklessly or knowingly
– breach of trust (employee theft)
– fraudulently redirecting mail
EU Convention on Cybercrime

Adopted in 11/2001, in force since 7/2004
43 signatory states, 22 already ratified including the
The Convention on Cybercrime (CCC)
harmonizes domestic criminal substantive law
provides investigation authorities with certain powers
sets a system of international cooperation
Influence on other legislative efforts
EU Council Framework Decision 2005/222/JHA on
attacks against information systems
Phishing and the CCC

Computer related fraud (Art. 8):
“causing a loss of property to another person by:
a) any input, alteration, deletion or suppression of computer
b) any interference with functioning of a computer system, with
   fraudulent and dishonest intent of procuring, without right, an
   economic benefit for oneself or for another person“
According to the Explanatory Report to the CCC, this criminal
   offence aims at “manipulation in the course of data processing
   with the intention to effect an illegal transfer of property.”
Misleading internet users to disclose their private data
Pharming and the CCC

Computer related fraud (Art. 8) committed by way of “interfering
    with the functioning of a computer system“
Illegal Access (Art. 2)
    accessing on-line bank accounts
Infringement of copyright and related rights
    (Art. 10)
    creating bogus websites that resemble the original ones
Identity Theft and Assumption Deterrence

18 U.S.C. §1028 Makes identity theft a crime. October 1998
Punishes whoever:
“knowingly transfers or uses, without lawful authority, a means
  of identification of another person with the intent to commit,
  or to aid or abet, any unlawful activity that constitutes a
  violation of federal law, or that constitutes a felony under any
  applicable state or local law.”
Name or SSN is considered a “means of identification.” So is a
  credit card number, cellular telephone electronic serial number
  or any other piece of information that may be used alone or in
  conjunction with other information to identify a specific
Beware of unintended consequences…

– shouldn‟t criminalize socially accepted uses of
alternative identities
• pseudonyms (eg, online privacy protection)
• kids‟ use of adult ID to get cigarettes or booze
• investigative journalism/public interest research
– mere possession is not enough
• eroding the presumption of innocence
– how much uncaptured crime = acceptable cost of protecting
innocent individuals from prosecution?
– “knowingly and with intent to defraud…”
Red Flag Rules

Go into effect November 1, 2008,
The regulations apply to banks -- but also apply to any
  financial institution or creditor that holds a covered
  transaction account -
FACTA Red Flag Rules

any consumer account, or other account for which there is a
  reasonably foreseeable risk of identity theft, must develop and
  implement an Identity Theft Prevention Program (Program) for
  combating identity theft in connection with new and existing
The Program must include reasonable policies and procedures for
  detecting, preventing, and mitigating identity theft and enable a
  financial institution or creditor to:
    • Identify relevant patterns, practices, and specific forms of activity
      that are “red flags” signaling possible identity theft and
      incorporate those red flags into the Program;
    • Detect red flags that have been incorporated into the Program;
    • Respond appropriately to any red flags that are detected to
      prevent and mitigate identity theft; and
    • Ensure the Program is updated periodically to reflect changes in
      risks from identity theft.
Purposes of Red Flag Rule

In adopting FACTA Sections 114 and 315, Congress recognized
   that lax business practices played a significant role in aiding
   identity thieves. Prior law included
    • Customer Identification Program rule adopted under
      section 326 of the USA PATRIOT Act, 31 USC 5318(l), (CIP
      rule) adopted as a counter-terrorism measure; and
    • (2) the information security guidelines adopted under the
      Gramm-Leach-Bliley Act, 15 USC 6801, (GLB)
Report to Board of Directors and/or Senior

Plan requires approval and reporting to the board of directors or
   “senior management.” [71 Fed Reg 40789] However, the
   principle that a
Senior management level employee is responsible for the
   Program is not included for organizations without a board of
   directors. Instead of “designated employee,” the Agencies
   should specify that, absent a board of directors, a senior
   manager is charged with overseeing the Program.
Covered Entities

The rules apply to any financial institution or creditor that
   holds a covered account.
A financial institution is defined as a state or national bank, a
   state or federal savings and loan association, a mutual savings
   bank, a state or federal credit union, or any other entity that
   holds a "transaction account" belonging to a consumer.

A transaction account is a deposit or other account from which the owner
   makes payments or transfers. Transaction accounts include checking
   accounts, negotiable order of withdrawal accounts, savings deposits subject
   to automatic transfers, and share draft accounts.
A creditor is any entity that regularly extends, renews, or continues credit; any
   entity that regularly arranges for the extension, renewal, or continuation of
   credit; or any assignee of an original creditor who is involved in the decision
   to extend, renew, or continue credit. Creditors include finance companies,
   automobile dealers, mortgage brokers, utility companies, and
   telecommunications companies.
A covered account is an account used mostly for personal, family, or household
   purposes, and that involves multiple payments or transactions. Covered
   accounts include credit card accounts, mortgage loans, automobile loans,
   margin accounts, cell phone accounts, utility accounts, checking accounts,
   and savings accounts. A covered account is also an account for which there is
   a foreseeable risk of identity theft - for example, small business or sole
   proprietorship accounts.
Identity Theft Prevention Program

each financial institution and creditor that holds any "covered
   account" to develop and implement an Identity Theft
   Prevention Program designed to prevent, detect, and
   mitigate identity theft in connection with new and existing
issuers of credit and debit cards to develop policies and
   procedures to assess the validity of an address change
   request when that request is followed closely by a request for
   an additional or replacement card.
users of consumer credit reports to develop policies and
   procedures to respond to notices from credit reporting
   agencies regarding address discrepancies.

Written Identity Theft Prevention Program ("Program") to
detect, and
mitigate identity theft in connection with certain covered
The programs must be uniquely tailored to a covered entity's
   size, complexity, and nature of operations.
Four Essential Features

Identify and incorporate relevant patterns, practices, and specific forms of
   activity that are "red flags" signaling possible identity theft.
    • vary depending on the nature of the business in question,
    • based on the guidance provided by regulators and the covered entity's
       own experiences.
 Detect red flags that have been incorporated into the entity's Program.
    • obtaining identifying information about, and verifying the identity of, a
       person opening an account, and, in the case of existing accounts,
       authenticating customers,
    • monitoring transactions, verifying the validity of address change requests.
Respond appropriately to any red flags that are detected,
    • monitoring an account for evidence of identity theft,
    • contacting the customer,
    • calling law enforcement,
    • changing any password or security device that permits account access,
    • closing an account, etc.
 Update ID theft program periodically to reflect changes in risks to customers
   from identity theft, or to the safety and soundness of the covered entity.
What You Should Do

Look for patterns, practices, and activities that indicate possible risk of identity
Evaluate the list (which is not exhaustive) and include in its Program those red
   flags that are appropriate to its business.
     • Alerts, notifications, or other warnings received from consumer reporting
       agencies or service providers, such as fraud detection services;
     • The presentation of suspicious documents;
     • The presentation of suspicious personal identifying information, such as a
       suspicious address change or a social security number listed in the Social
       Security Administration's Death Master File;
     • The unusual use of, or other suspicious activity related to, a covered
       account; and
     • Notice from customers, victims of identity theft, law enforcement
       authorities, or other persons regarding possible identity theft in
       connection with covered accounts.
Other Requirements

Program must be in WRITING
Obtain approval of the initial written Program by the Board of
   Directors or a committee of the Board;
Involve the Board of Directors, a committee of the Board, or
   senior management in the development, implementation, and
   administration of the Program;
Report, at least annually, to the Board of Directors, a committee
   of the Board, or senior management, on compliance with the
   red flag regulations;
Train staff to implement the Program effectively; and
Exercise appropriate and effective oversight of arrangements
   with third-party and affiliated service providers

• limit collection/retention of personal information
• don‟t create or contribute to data warehouses
• control (minimize?) outsourcing
• minimize disclosures of personal information
– eg., credit card receipts
• security safeguards
– computer firewalls, access controls
– trash: shredding docs, cleaning used computer equip.
– validation, authentication of customers
• employee screening, training, monitoring
• warnings; notice to potential victims
 Privacy is Dead
     Now What?

  Mark D. Rasch
Managing Director -
  FTI Consulting
Privacy Generally

   No General Legal Protections for Privacy
   Hodgepodge of Federal and State Laws
   Deal With Particular Subject Matters
   Constitutional implied or penumbra rights
      • Fourth Amendment Search and Seizure
      • Fifth Amendment Self Incrimination
      • Ninth Amendment – delegation
      • Griswald v. Conn., Doe reproductive rights cases
      • “right to be left alone”
What do we MEAN by Privacy?

Right to be left alone
Right to integrity of person
Right to CONTROL of data collected
Who OWNS the data about us?
Who has a right to access?
What circumstances?
Threats to Privacy

Data Collection
   • Voluntary collection
   • Compelled collection
   • “Ambient” information
   • “Public” information
   • Surveillance
Data Dissemination
Data non-anonymization
Data Aggregation
Subject profiling
Federal Privacy Laws

Privacy Act (1974)                  Computer Matching and Privacy
Federal Trade Commission Act        Protection Act (1988)
(1914)                              Tax Reform Act of 1976,
Fair Credit Reporting Act (1970)    The Right to Financial Privacy Act
Family Educational Rights and       of 1978
Privacy Act, Public Law 93-380,     Video Privacy Protection Act
1974                                (1988)
Cable Communications Policy Act     Telephone Consumer Protection
(1984)                              Act (1991)
Cable Privacy Protection Act of     Drivers Privacy Protection Act, PL
1984                                103-322, 1994
Electronic Communications Privacy   "Children's Online Privacy
Act (1986)                          Protection Act" (1998)
Title III Wiretap Provisions        HIPPA (1996)
                                    GLBA (2000)
Data Collection

Website collection
  • EU Data Privacy Laws
  • US “Safe Harbor” Provisions
  • FTC Section 5 “false and deceptive trade practices”
      • Lilly Case
      • Do what you say – say what you do
      • Google Doubleclick – finalized March 10, 2008
   • Privacy policies
Who owns collected data?

Data Subject?
Data Collector?
Sale of Data?
Data Sharing?

Anonymous speech
Takedown notices
Copyright infringement
As a general rule – anonymity loses
Amendments to
 Regulation S-P

● Financial Services Modernization Act of 1999
● FTC implementation
   - Privacy Rule in 2000 – Higher education is exempt if compliant with
   - Safeguards Rule in 2002 – applies to “financial Institutions”
   including higher education
   - Information Security Programs were required beginning May 23,
(16 CFR PT. 314)

 Requires development, implementation, and maintenance of
 “a comprehensive information security program” containing
 “administrative, technical, and physical safeguards that are
 appropriate” for the size, complexity, nature and scope of your
 activities, and the sensitivity of the protected information.

-   Designation of an employee or employees to coordinate the information
    security program.
-   Employee training and management;
-   Risk Assessment, including focus on:
      ▪ Information systems, including network and software design, as well
         as information processing, storage, transmission and disposal; and
      ▪ Detecting, preventing and responding to attacks, intrusions, or other
         systems failures.
-   Design and implement information safeguards to control the risks you
    identify through risk assessment, and regularly test or otherwise monitor
    the effectiveness of the safeguards' key controls, systems, and procedures.
-   Oversee service providers, by:
      ▪ Taking reasonable steps to select and retain service providers that are
         capable of maintaining appropriate safeguards for the customer
         information at issue; and
      ▪ Requiring your service providers by contract to implement and
         maintain such safeguards.
-   Periodic Evaluations and Adjustments of information security program to
    account for any material changes to your operations or business
    arrangements or any other circumstances that you know or have reason to
    know may have a material impact on your information security program.
             Data Breach Notification

Vary from State to State
Differing definitions of Personally Identifiable Information
Vary on HOW to report
What to report
When to report
To WHOM to report
What to do BESIDES report
Who has the obligation to report
FACTA and Disposal Rules

FACTA – what credit card information you can collect/print
Disposal rule – 16 CFR Part 182
   Part of duty to protect personal information
   Credit information
   Social Security Information
   Related Financial Information

●   Case law/experts suggest an emerging duty to provide
    data security
    – Kahle v. Litton (May 16, 2007): court recognized that the
    defendant mortgage company owed a duty to safeguard the
    plaintiff mortgagee‟s data
    – Bell v. Michigan Council (February 15, 2005): court
    recognized a fiduciary duty to safeguard PII between a union
    and its members
    – Corbell v. Norton (December 3, 2004): D.C. Court of
    Appeals cites Interior‟s obligation „as a fiduciary‟ to maintain
    and preserve information
    – Daly v. Met Life (May 20, 2004): NYS court found a
    fiduciary duty requiring insurer to protect insured‟s personal
Superior Mortgage

September 28, 2005
FTC‟s Safeguards Rule, enacted under the Gramm-Leach-Bliley
  Act, requires financial institutions to implement reasonable
  policies and procedures to ensure the security and
  confidentiality of sensitive customer information.
Superior maintained customers‟ Social Security numbers, credit
  histories, and credit card numbers, among other sensitive
GLBA Regulations S-P

GLBA and Regulation S-P require brokers, dealers, investment advisers registered with the
   SEC, and investment companies to
•  provide an annual notice of their privacy policies and practices to their customers (and
   notice to consumers before sharing their nonpublic personal information with
   nonaffiliated third parties outside certain exceptions). 15 U.S.C. 6803(a); 17 CFR 248.4;
   17 CFR 248.5.
•  describe the institutions‟ policies and practices with respect to disclosing nonpublic
   personal information about a consumer to both affiliated and nonaffiliated third parties.
   15 U.S.C. 6803; 17 CFR 248.6.
•  provide a consumer a reasonable opportunity to direct the institution generally not to
   share nonpublic personal information about the consumer (that is, to “opt out”) with
   nonaffiliated third parties. 15 U.S.C.6802(b); 17 CFR 248.7.
•  where applicable under the FCRA, a notice and an opportunity for a consumer to opt out
   of certain information sharing among affiliates.) Sections 13, 14, and 15 of Regulation S-
   P (17 CFR 248.13, 17 CFR 248.14,and 17 CFR 248.15) set out exceptions from these
   general notice and opt out requirements under GLBA.

     •   Exceptions for sharing information with other financial institutions under joint
         marketing agreements and with certain service providers.
     •    Exceptions for sharing information for everyday business purposes, such as
         maintaining or servicing accounts.
Amendments to Reg S-P

On March 4, 2008, the Securities and Exchange Commission announced
   proposed changes to Regulation to address identity theft of securities
   industry customers.
Reg S-P was adopted seven years ago under the Gramm-Leach- Bliley
   Act (“GLBA”) and the Fair Credit Reporting Act,
Requires financial institutions under the authority of the SEC (including
   investment advisers, mutual funds, broker-dealers and SEC-
   registered transfer agents) to adopt policies and procedures to
   protect client information.
Disposal rule and FACTA require secure disposal of personal information.
The two requirements of Reg S-P relating to safeguarding and disposal
   of confidential information have not kept pace with bank and other
   regulators‟ detailed programs for information privacy and data
More Specific Requirements

More specific standards under the safeguards rule of Reg S-P, including
  physical, technical and administrative safeguards, written policies
  and required responses to data security breach incidents.
   • require the financial institution to develop and execute a more
      detailed “information security program” similar to programs
      required by other federal regulators.
   • be in writing
   • designate an employee in charge of information security,
   • identify anticipated threats and implement controls to address
      those threats.
   • require staff training,
   • regular testing
   • coordination with service providers to maintain the program‟s

(i) designate in writing an employee or employees to coordinate the information security
(ii) identify in writing reasonably foreseeable security risks that could result in the
      unauthorized disclosure, misuse, alteration, destruction or other compromise of personal
      information or personal information systems;
(iii) design and document in writing and implement information safeguards to control the
      identified risks;
(iv) regularly test or otherwise monitor and document in writing the effectiveness of the
      safeguards‟ key controls, systems, and procedures, including the effectiveness of access
      controls on personal information systems, controls to detect, prevent and respond to
      attacks, or intrusions by unauthorized persons, and employee training and supervision;
(v) train staff to implement the information security program;
(vi) oversee service providers by taking reasonable steps to select and retain service
      providers capable of maintaining appropriate safeguards for the personal information at
      issue, and require service providers by contract to implement and maintain appropriate
      safeguards (and document such oversight in writing);
(vii) evaluate and adjust their information security programs to reflect the results of the
      testing and monitoring, relevant technology changes, material changes to operations or
      business arrangements, and any other circumstances that the institution knows or
      reasonably believes may have a material impact
Goals of Information Security Program

A financial institution‟s information security program must be
   reasonably calculated to prevent the breach and misuse of
   client information that results in “substantial harm or
    • “personal injury, or more than trivial financial loss,
       expenditure of effort or loss of time.”
    • identify theft and extortion would likely cause “substantial
       harm or inconvenience,”
    • inadvertent mis-delivery of an account statement would
Expanded Coverage of Reg S-P’s Scope

SEC proposes to broaden the type of information and persons
  covered by the SEC safeguards and disposal rules.
   • SEC proposes to have both rules protect “personal
     information,” which encompasses “nonpublic personal
     information” under the GLBA and “consumer report
     information” under the Fair and Accurate Credit
     Transactions Act of 2003.
   • While “personal information” means personally identifiable
     financial information, “consumer report information”
     focuses on information generally contained in consumer
Information Security Coordinator

Require firms of all sizes to designate an employee to coordinate
  the information security program.
Would have “sufficient authority and access to the institution‟s
  managers, officers and directors to effectively implement the
  program and modify it as necessary.”
Many firms have no such individual – thus they would
   • Add duties to IT managers with no experience in security
   • Add duties to security personnel with no experience in IT
   • No option to “outsource” compliance through consulting
   • Difference between responsibility and expertise

Require every institution to regularly test or otherwise monitor
  the effectiveness of the safeguards.
Broker-dealers, Commission registered investment advisers and
  investment companies are already subject to rules that
  require testing of policies and procedures.
   • Broker-dealers must comply with FINRA Rule 3520 and
     Commission Rules 38a-1 and 206(4)-7 which require
     investment companies and investment advisers,
     respectively, to conduct testing and an annual review of
     their policies and procedures that should include privacy
     and information safeguarding.
   • Not clear if S-P requirements are supplemental or different
Third Party Providers

Financial institutions should ensure TSPs implement and
   maintain controls sufficient to appropriately mitigate risk.
In higher-risk relationships the institution by contract may
    • prescribe minimum control and reporting standards,
    • obtain the right to require changes to standards as external
       and internal environments change,
    • obtain access to the TSP for institution or independent
       third-party evaluations of the TSP‟s performance against
       the standard.
In lower risk relationships the institution may prescribe the use
   of standardized reports, such as trust services reports or a
   Statement of Auditing Standards 70 (SAS 70) report.
Employee Information

in addition to nonpublic personal information and consumer
   report information of “consumers,” “personal information” also
   would include information identified with any employee,
   investor or security holder who is a natural person that is
   handled by the institution or maintained on the institution‟s
covers employees rather than only clients of financial
   institutions, including employee user names and passwords,
   which, if compromised, could undermine the integrity of a
   financial institution‟s information security system.
Explicit Coverage

The SEC safeguards rule would also apply to registered transfer
  agents in addition to the brokers, dealers, registered
  investment advisers, and investment companies.
However, registered broker-dealers, would be excluded from the
  safeguards rule
Disposal Rule

The SEC disposal rule would apply to “natural persons who are
  associated persons of a broker or dealer, supervised persons
  of a registered investment adviser, and associated persons of
  a registered transfer agent.”
The rule would continue to cover broker-dealers, investment
  companies, registered investment advisers and registered
  transfer agents.

creates record-keeping requirements for policies and procedures
   to comply with the proposed regulation, as well as
   documentation of compliance
Doesn‟t say how detailed the records must be
Includes plans on how to comply
Why a particular plan or solution was chosen
Why it is appropriate to the size and complexity of the business,
   and to the sensitivity of the data protected
Written plans on privacy, security, training and incident
Broker Mobility.

Exception allowing a broker who is changing firms to take limited
   personal information to the new firm in order to maintain
   relationships with clients
Is this a “disclosure” to the new firm?
Can customer “opt out?” of this disclosure
Breach Notification

A financial institution would need to notify the affected individual and,
   potentially, the SEC in the event of a data security breach.
notify the affected individual when the institution becomes aware of
   unauthorized access to personal information and determines that
   misuse of personal information has occurred or is reasonably
This “risk of harm” standard is similar to that used in the guidance
   relating to customer notification of security breaches issued by the
   bank regulatory agencies.
SEC would require notification to the SEC only when the breach poses
   a significant risk of substantial harm or inconvenience to a consumer
   or when someone has intentionally obtained “sensitive personal
   information,” such as a social security number.
Financial institutions must report the incident to the SEC on
   proposed Form SP-30.
 Requires written procedures for responding to a data security breach
Breach Notification

If third party with Broker/Dealer information suffers breach,
    WHO has duty to notify?
    • Data Collector – has personal relationship with data
       subject, and has the “contract” for privacy
    • Data Collector has presumably selected the third party to
       share information
    • Who is the “owner” of the information?
    • Who has the “duty” to notify, whose expense, and who is
       liable for inadequate or untimely notification
Federal Preemption

Financial institutions subject to the bank regulatory agency
   guidance providing notice of a security breach under that
   standard are exempt from the requirements of several of the
   numerous state data security breach notice laws.
Those financial institutions providing notice under the new SEC
   standard will now also be permitted under many state laws to
   provide notice to consumers under the federal standard rather
   than the different state standards.
For More Information

Mark D. Rasch
Managing Director, Technology
FTI Consulting, Inc.
(202) 312-9174