Ellen Harris-Small and Terry Wooding, Rutgers University
					 Gramm-Leach-Bliley Act
  Compliance Workshop




Terry Wooding
Ellen Harris-Small
                          1
Gramm-Leach-Bliley Act Compliance
      Seminar Objectives
 Defining GLBA
 Discuss role of FTC
 Compliance
 Designing a security plan
 Discuss Non public customer information
 Discuss Policy and Procedures
 Staff’s role in GLBA and sample training
  workshop
 Importance of safeguarding information
                                             2
WHAT IS GLBA?
  The Gramm-Leach-Bliley Act (GLBA) was signed into
   law on November 12, 1999.

  Requires financial institutions to give their customers a
   privacy notice and restricts the sharing of customers'
   non-public personal information with third parties.

  Requires financial institutions to protect the security and
   integrity of customer information.



                                                            3
WHY WAS GLBA ENACTED?

The GLBA is intended to protect the financial
  privacy of non-public personal consumer
  information held by financial institutions
 or companies that offer financial products
 or services to individuals, such as loans,
  financial or investment advice, or insurance.



                                                  4
The Privacy Rule applies to businesses that are
"significantly engaged" in "financial activities":

 Lending, exchanging, transferring, investing for others, or
    safeguarding money or securities. These activities cover
    services offered by lenders, check cashers, wire transfer
    services, and sellers of money orders.
   Providing financial, investment or economic advisory services.
    These activities cover services offered by credit counselors,
    financial planners, tax preparers, accountants, and investment
    advisors.
   Servicing loans or brokering loans.
   Collecting debt.
   Providing real estate settlement services.
   Career counseling (of individuals seeking employment in the
    financial services industry).
   Companies receiving information from a covered business.
                                                                     5
Federal Trade Commission (FTC)
  Has jurisdiction over “financial institutions”.
  Administers consumer affairs and
   pursues law enforcement.
  Advances consumers’ interests and develops
   policies and standards for compliance.
  Conducts hearings, workshops, and
   conferences.
  Creates practical and plain-language
   educational programs and brochures for
   consumers and businesses.                         6
Federal Trade
Commission (FTC)

      has jurisdiction over
       “financial institutions”

      has taken the position
         that colleges and
            universities are
        financial institutions
         because they make
          loans to students.
                                 7
FERPA vs. GLBA


                  The Family Educational
                   Rights and Privacy Act
                   addresses the privacy of
                   student information.

                  Gramm- Leach-Bliley Act
                   addresses the security of
                   customer records and
                   information.



                                          8
FTC has ruled:
 Safeguarding consumers’
     information is not a
   privacy issue but is one
  of security for customers
   of financial institutions.

 Compliance with FERPA
 does not exempt colleges
   and universities from
     GLBA safeguard
       regulations.

                                9
 Section 501 of GLBA


Requires financial institutions to
 establish standards relating to
 administrative, technical and physical
 information safeguards in order to
 protect customer records and
 information.


                                          10
Is This A Serious Problem?

 Of the 150 security breaches reported since
  February 2005, over 60 victimized nearly 55 million
  people whose personal information was
  compromised.
 A number of these involved higher education
  institutions. (Privacy Rights Clearinghouse)



                                               11
Is This A Serious Problem?

 8.9 million people, or 4% of the US adult
  population, had their non-public
  confidential information stolen and used to
  commit fraud in 2005.
 The average loss per victim was $6,383.
 The total annual cost was $56.6 billion.



                                                    12
Is This A Serious Problem?
 There is a new victim every two seconds




                                            13
Why Should We Comply?
Penalties assessed for Non-Compliance:
Officers & Directors
 Individually liable for up to $10,000 per violation
  and/or up to 5 years in prison.
 If the violation also violates another Federal
  law, or is part of a pattern involving more
  than $100,000 within a 12-month period, the
  penalties double.
 Potential barring from working in the Banking
  industry
                                                     14
Penalties for Non-Compliance
For the institution:
 Up to $100,000 per violation
FDIC Violations
 Possible revocation of FDIC Insurance
 Cease & Desist orders barring policies or practices
 Permanently barring management from working in
  the Banking industry
 Fines of up to $1 million for an individual and, for the
  institution, the lesser of $1 million or 1% of its total assets.


                                                         15
 What are the safeguard procedures
 at your school?
 Who is the individual or group
  responsible for the act’s oversight?

 Have you attended
  Safeguard training?


If you cannot answer the first question, or
 the answer to question number two is no,
your school may not be in compliance.

                                              16
GLBA OBJECTIVES

  Ensure the security and confidentiality of customer
   records and information.
  Protect against any anticipated threats or
   hazards to the security of the records.
  Protect against unauthorized access or use of
   records or information which could result in
   harm or inconvenience to customer.



                                                   17
HOW TO COMPLY

 Each financial institution is required to
  maintain safeguards.
 Design policies to protect customer
  information in whatever format –
  electronic or hardcopy.
 Develop a written security plan.



                                              18
 Three Types of Safeguards

 Administrative & Operational safeguards
    Hiring, background & reference checks, staff training, NPI
     handling, monitoring, disciplinary measures for policy
     breaches and auditing.
 Technical safeguards
    Anti-virus software, patching, up-to-date firewalls,
     encryption, secure data transmission and intrusion detection.
 Physical safeguards
    Storing records, password procedures, backup, disposal,
     protection against destruction and hardware security.

                                                              19
SAFEGUARDS RULES
Require institutions to consider all
 areas of:
 Hiring
 Employee management & training
 Information systems
 Managing system failures
 Back-up and recovery procedures
 Incident response handling
                                    20
GLBA also REQUIRES:

 Third party service
  providers to have a
   written policy by
    May 23, 2003.
 Schools must have
 contractual agreements
    with their service
  providers in place by
      May 23, 2004.

                         21
Common Requirements of the
Regulations
 A policy-driven security management program
 Validation of security controls
 A risk management approach to information security
 Demonstration of the due diligence in the application
    of internal controls
   An effective security incident management process
   Reporting
   Archiving and document preservation
   Document disposal

                                                          22
INFORMATION SECURITY PLAN


 Designate one or more employees to coordinate the
     safeguards program.
    Identify and assess the risks to customer information.
    Design and implement safeguards to control those risks,
     and regularly monitor and test them.
    Select service providers that can maintain appropriate
     safeguards, and require them to do so by contract.
    Evaluate and adjust the plan as needed.


                                                            23
Information security plans require:

  A written plan to ensure the security and confidentiality of
   non-public personal information (NPI).
  Must protect against reasonably foreseeable internal and
   external risks.
  Must protect against misuse, destruction or
   compromise of confidential customer information.




                                                          24
Information Systems Security Plan

                 Requires:
                  Regular testing
                  Monitoring
                  Security updates and
                   improvements
                  Backup recovery
                   procedures
                  Evaluate plan and
                   adjust
                                       25
Identify POLICY

 Find current policies related to protecting
  information
 Review policies & procedures
 Revise and update as needed
 Distribute policies
 Provide staff training, communicate expectations
 Conduct risk analysis
 Continue to monitor program and adjust
                                                26
PCI Data Security Standard:
Build and Maintain a Secure Network:
1. Install and maintain a firewall configuration to
   protect data.
2. Do not use vendor-supplied defaults for system
   passwords and other security parameters.


Protect Cardholder Data:
3. Protect stored data.
4. Encrypt transmission of cardholder data and
   sensitive information across public networks.

                                                      27
PCI Data Security Standard:
Maintain a Vulnerability Management
  Program:
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and
   applications.

Implement Strong Access Control
  Measures:
7.   Restrict access to data by business “need-to know.”
8.   Assign a unique ID to each person with computer access.
9.   Restrict physical access to cardholder data.
                                                           28
PCI Data Security Standard:
Regularly Monitor and Test Networks:
10. Track and monitor all access to network
    resources and cardholder data.
11. Regularly test security systems and processes.


Maintain an Information Security Policy:
12. Maintain a policy that addresses information
    security.




                                                     29
NON-PUBLIC CUSTOMER
INFORMATION (NPI)
 Credit card numbers
 Social Security numbers
 Drivers license numbers
 Student loan data
 Income information
 Credit histories
 Customer files with NPI
 NPI Consumer
  information
 Bank Account data
                            30
Top States for ID Theft
Victims per capita are:
 New York          Illinois
 California        Oregon
 Nevada            Michigan
 Arizona           Florida
 Washington        Georgia
 Texas             Colorado

 Hawaii
                                31
Cost of a Breach in Security
 One university’s accidental release of credit card
     information to the internet cost it over
     $1,000,000.00 in security upgrades and
                    notifications.




 Other examples can be found on the FTC web page.
                    www.ftc.gov                       32
What can we do to guard NPI?

 Keep confidential
  information private.
 Use care when asking
  or giving SSN.
 Use secure disposal
  methods.
 Protect the privacy of
  data transmissions.
 Improve procedures.
                               33
Review security policies at your
school
 Computer usage
 Cash handling
 Confidentiality policy
 FERPA information
 Document handling




                                   34
GLBA POLICY

Current policies related to protecting information
  may assist you designing the GLBA policy:
 Review policies & procedures
 Revise and update as needed
 Review other schools’ policies
 Draft the policy
 Have the draft reviewed by covered
  departments.

                                                 35
 GLBA POLICY

 Gain Executive level support
 Distribute the GLBA policy
 Ask staff to sign to agree with policy
 Review and update policy at least annually
 Provide continued staff training
  and communication.



                                               36
Suggestions for TRAINING:
    Staff training should include:
         GLBA facts
         A definition of non-public information
         Information about maintaining the security and
          confidentiality of customers’ non-public
          information
         School’s security & safeguard policies
         Special training in Information Systems
          security for IT professionals
         Identity theft and prevention

                                                       37
Suggestions for TRAINING

• Sensitize staff to seriousness of
  identity theft.
• Make it personal to grab attention
  and interest.
• Use examples.
• Encourage discussion.
• Offer solutions and best practices.
• List actions to take to prevent
  clients from becoming victims.
• Clarify responsibilities of staff
  include protecting and securing
  data and information.
                                        38
  Sample Training Workshop




Identity Theft – Safeguarding Information
                                        39
What is Identity Theft?


 Under the Identity Theft and Assumption Deterrence Act of
  1998 (the ID Theft Act), identity theft is defined very
  broadly as:
  knowingly using, without authority, a
  means of identification of another
  person to commit any unlawful activity.
  (unlawful activity: a violation of Federal law, or a felony
  under State or local law).


                                                                40
 IDENTITY
  THEFT




When someone steals your identity (NPI), they are
 usually using your ID to obtain goods and services for
 themselves that “you” will have to pay for.              41
 How Does an Identity Thief Get
 Your Information?
 Stealing files from places where you work, go to
    school, shop, get medical services, bank, etc.
   Stealing your wallet or purse.
   Stealing information from your home or car.
   Stealing from your mailbox or from mail in transit.
   Sending a bogus email or calling with a false
    promise or fraudulent purpose.
    - For example: pretending to be from a bank,
       creating a false website, pretending to be
       a real company, fake auditing letters.



                                                          42
From: PNC Bank
Sent: May 17, 2007 6:31 PM
To: abuse@rutgers.edu
Subject: To All PNC bank users

Dear PNC user,
During our regular update and verification of the user data, you
must confirm your credit card details.
Please confirm you information by clicking link below.

http://Cards.bank.com pncfeatures/cardmember access.shtml
                                                               43
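The message above is a textbook phish: the display name claims a bank, the link points at a domain that is not the bank's, the body asks for card details under a "verification" pretext, and the greeting is generic. The following is an added example, not part of the original workshop, showing how those tells can be checked mechanically before anyone clicks. The sender address, the brand-to-domain table and the second (legitimate) message are constructed assumptions for the example; an institution would maintain that table for the banks and vendors it actually deals with.

```python
"""Heuristic triage of a suspected phishing e-mail.

Added example. The messages below are constructed to mirror the sample on the slide.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the example: mail that genuinely comes from PNC uses pnc.com.
KNOWN_BRANDS = {"pnc": {"pnc.com"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(
    r"\b(confirm|verify|update|suspend(?:ed)?|immediately|within \d+ (?:hours|days))\b", re.I)
NPI_REQUEST_RE = re.compile(r"credit card|card number|social security|\bssn\b|password|\bpin\b", re.I)
GENERIC_GREETING_RE = re.compile(r"^dear\b[^\n,]*\b(user|customer|member|client)s?\b", re.I | re.M)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com/.edu, use a public-suffix list for real mail."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw):
    """Return a list of human-readable findings; an empty list means no tell fired."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    findings = []

    for brand, domains in KNOWN_BRANDS.items():
        claimed = brand in display.lower() or brand in text.lower()
        # Tell 1: display name invokes a brand but the sender's domain is not that brand's.
        if brand in display.lower() and registrable_domain(sender_domain) not in domains:
            findings.append(f"display name claims {brand} but sender domain is {sender_domain}")
        # Tell 2: the message talks about the brand but its links go somewhere else.
        if claimed:
            for url in URL_RE.findall(text):
                host = urlparse(url).hostname or ""
                if registrable_domain(host) not in domains:
                    findings.append(f"link host {host} is not a {brand} domain")

    # Tell 3: asks the recipient to supply NPI.
    if NPI_REQUEST_RE.search(text):
        findings.append("requests non-public personal information")
    # Tell 4: impersonal greeting paired with urgency language.
    if GENERIC_GREETING_RE.search(body) and URGENCY_RE.search(text):
        findings.append("generic greeting with urgency language")
    return findings


def is_phish(raw, threshold=2):
    """Two or more independent tells is a safe 'do not click, report it' verdict."""
    return len(analyze(raw)) >= threshold


# Constructed sample, modelled on the message quoted on the slide.
SAMPLE_PHISH = """\
From: PNC Bank <update@pnc-secure-verify.com>
To: abuse@rutgers.edu
Subject: To All PNC bank users

Dear PNC user,
During our regular update and verification of the user data, you
must confirm your credit card details.
Please confirm you information by clicking link below.

http://cards.bank.com/pncfeatures/cardmember/access.shtml
"""

# Constructed legitimate notice for contrast: brand domain, no NPI request, no urgency.
SAMPLE_LEGIT = """\
From: PNC Bank <alerts@pnc.com>
To: abuse@rutgers.edu
Subject: Your statement is ready

Dear Customer,
Your monthly statement is available. Sign in at https://www.pnc.com/ to view it.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_phish(sample), analyze(sample))
```

The verdict deliberately needs two independent tells: a legitimate bank notice can contain the word "update", and a phish can come from a compromised real account, so no single signal is decisive. The real value is the brand-to-domain table; everything the message claims is checked against what the institution knows to be true rather than against the message itself.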
PHISHING
 Losses from phishing attacks were $137
  million in 2004 and $2.8 billion in 2006.
 The number of adults receiving phishing
  e-mails almost doubled, from 57 million in
  2004 to 109 million in 2006.
 The per-victim loss increased from $257 to
  $1,244.
 The percentage of money recovered dropped
  to 54% in 2006 from 80% in 2004.

                                            44
    How Does an Identity Thief
    Use Your Information?

 Obtains Credit Cards in your name or
    makes charges on your existing accounts (42%).
   Obtains Wireless or telephone equipment or services in
    your name (20%).
   Forges checks, makes unauthorized EFTs, or opens
    bank accounts in your name (13%).
   Works in your name (9%).
   Obtains personal, student, car and mortgage loans, or
    cashes convenience checks in your name (7%).
   Other uses: obtains drivers license in your name.
                                                         45
You may be a victim if:

 You are denied credit.
 You stop getting mail.
 You start getting collection calls/mail.
 You start getting new bills for accounts
  you do not have or services you did
  not authorize.
 Your bank account balance drops.


                                             46
  Victims of Identity Theft
 If your identity is stolen, do the
  following immediately:

     Contact the fraud department of
      the three major credit bureaus
      (Equifax, Experian, Trans
      Union).
     Contact your creditors and
      check your accounts.
     File a police report.
   - File a complaint with the FTC.
                                        47
DAMAGES


           Time
           Money
           Credit rating
           Reputation




                            48
RECOVERY

 Take back control of
 your identity:
     Close any
      fraudulent accounts.
     Put passwords on
      your accounts.
     Change old
      passwords and
      create new PIN
      codes.
                             49
Remind Victims to:



   Call fraud departments of credit reporting agencies.
   Have fraud alerts placed on their credit report.
   Contact creditors.
   Close compromised accounts and get new account numbers.
   Report to the local police, get a copy of the report.
   Follow up.
   Keep a copy of the police report for the future.
   Go to the FTC website for additional information.
                                                       50
PREVENTION
         Protect yourself
                    Protect others
       Guard against fraud:
         • Sign cards as soon as they arrive.
         • Keep records of account numbers
         and phone numbers.
         • Keep an eye on your card during
         transactions. Also be aware of who
         is around you, is anyone else
         listening?
         • Check your credit report and
         credit card monthly statements.
                                             51
              ANNUAL CREDIT
              BUREAU REPORT



 Review your credit report annually
 If you are denied credit, you are allowed to
  request one free copy of your credit report.
 Check your report for accurate information,
  open accounts, balance information, loan
  information, etc.
                                                 52
CREDIT BUREAU LINKS

 Equifax – www.equifax.com
     To order a report, 1-800-685-1111
     To report fraud, 1-800-525-6285
 Experian – www.experian.com
     To order a report, 1-888-397-3742
     To report fraud, 1-888-397-3742
  Trans Union – www.tuc.com
     To order a report, 1-800-916-8800
     To report fraud, 1-800-680-7289

                                          53
Good Practices


  Empty your wallet/purse of non-essential
     identifiers.
    Photocopy the contents of your wallet/purse.
    Do not use any contact information provided by the
     people who may be trying to scam you; look it up
     yourself.
    Shred documents before you dispose of them.
    Photocopy your passport (keep a copy at home
     and one with you when you travel).

                                                   54
NPI
 Has anyone asked you for information that
  should not be required to conduct business?
 How did you handle the request?
 Will you handle it differently in the future?




                                                  55
  General Privacy

 Do not correct or fill in details
  a caller gets wrong when “verifying”
  your account; correcting them hands
  over the real values.
 Be suspicious.
 Be paranoid.
 Don’t be afraid to say no
  when asked for
  information that is not
  required to conduct the
  current business
  transaction.                 56
GLBA requires us to
PROTECT CONSUMERS
from substantial harm or
inconvenience.




                           57
Actions to prevent Others
from becoming Victims

  Determine what information you need.
  Provide a secure workplace.
  Always ask for a student’s ID or a debtor’s
   account number.
  Keep prying eyes away from customer’s
   information.
  Don’t expose NPI information to the
   outside world.

                                              58
           Actions to prevent Others
           from becoming Victims

 Take care when you provide employee’s or
  customers’ personal information to others.
 Know & explain how you handle personal
  information.
 Ask for written permission prior to sharing
  personal information.
 Report problems or concerns to managers or
  supervisors.

                                                59
Remember to always maintain
confidentiality, security and integrity :

Avoid
     unauthorized disclosure
     removing information from
      your office
     sharing information
     tossing information in the
      trash
     downloading or e-mailing
      information.
                                            60
What are university assets?




                              61
Are customer
     information and
               records assets?




                                 62
Potential Damages to the University


Reputation
Fines
Reparation costs
Recovery costs
Increased prevention costs
                                      63
EXPECTATIONS




 All University employees are responsible for securing
  and caring for University property, resources and
  other assets.
 The University relies on the attention and cooperation
  of every member of the community to prevent, detect
  and report the misuse of university assets.
                                                      64
SAFEGUARDING INFORMATION




                       65
What can the staff do to
guard NPI?
    Keep confidential information
     private.
    Use care when asking or giving
     social security numbers.
    Use secure disposal methods.
    Protect the privacy of data
     transmissions.
    Review and follow written policies.
    Improve procedures.
                                     66
CHECK YOUR WORK AREA!




   Do you leave NPI reports on your desk?
   Is NPI stored in unlocked file cabinets?
   Are computer disks and removable media kept secure?
   Is NPI saved on your computer’s local (C:) drive?
                                                67
Safeguarding Information
Your role as a user…. :
 Ensure Physical Security.
 Select and Protect hard to guess
        passwords.
   Avoid email traps and disclosures.
   Back up files.
   Log off your computer when not in use.
   Do not open emails with attachments from
    unknown sources.
   Securely wipe data before surrendering or disposing of your computer.
   Recognize social engineering tactics.
                                                      68
University Regulations & Guidelines
related to Safeguarding Information

Standards for University Operations Handbook
 Confidentiality
 Accounting for Financial Resources
 Acceptable Use of Network & Computing Resources:
     Agreement for Accessing Information
     Acceptable Use Policy
     Guidelines for Interpretation of Acceptable Use
     Acceptable Use Supplement
     Basics


                                                        69
Management’s Expectations
 Follow GLBA policy.
 Report any breaches.
 Be observant and make suggestions.
 Never e-mail NPI.
 Make sure that conversations cannot be
  overheard when exchanging sensitive
  information.
 Password protect your computer. Do not
  leave it unguarded even for a minute, lock it.
                                                   70
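The NPI list earlier in the deck (credit card numbers, Social Security numbers, bank account data), the "check your work area" questions about NPI on a local drive, and the instruction never to e-mail NPI all come down to one operational question: where does NPI actually sit? The following is an added example, not part of the original workshop, of a small scanner that finds SSN-shaped and card-number-shaped strings in text and reports them masked, so the report itself is not a new copy of NPI. The sample lines are constructed; the SSN structural rules and the Luhn check are the public ones and are not stated anywhere in the deck.

```python
"""Scan text for non-public personal information (NPI): SSNs and payment card numbers.

Added example. Sample lines below are constructed for the demonstration.
"""
import re
import sys
from pathlib import Path

# 3-2-4 digit groups with dashes, the usual way SSNs appear in documents.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits, optionally grouped with spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def valid_ssn(area, group, serial):
    """Structural rules published by the SSA: no 000/666/9xx area, 00 group or 0000 serial."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def luhn_ok(digits):
    """Luhn checksum that every payment card number must satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_npi(text):
    """Return (kind, raw_match) pairs; the structural checks cut down false positives."""
    hits = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            hits.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group(0)))
    return hits


def mask(value):
    """Keep only the last four digits so the report is not itself a copy of NPI."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines):
    """(line_number, kind, masked_value) for every hit in an iterable of lines."""
    return [(n, kind, mask(v))
            for n, line in enumerate(lines, 1)
            for kind, v in find_npi(line)]


def scan_file(path):
    """Scan one text file; unreadable files are skipped rather than aborting the sweep."""
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            return scan_lines(fh)
    except OSError:
        return []


# Constructed sample: the kind of thing that ends up in a stray export or e-mail draft.
SAMPLE_LINES = [
    "Student ID 123-45-6789 requested a loan deferment",        # well-formed SSN
    "Reference number 000-12-3456 is a case file, not an SSN",  # area 000: rejected
    "Card on file: 4111 1111 1111 1111 exp 09/27",               # passes Luhn
    "Invoice total 4111 1111 1111 1112",                         # fails Luhn: not a card
    "Phone 732-555-0100",                                        # 3-3-4: not SSN-shaped
]

if __name__ == "__main__":
    # Usage: python npi_scan.py <dir-or-file> ...   (no arguments: run over the sample lines)
    if len(sys.argv) == 1:
        for hit in scan_lines(SAMPLE_LINES):
            print(hit)
    for root in map(Path, sys.argv[1:]):
        for p in ([root] if root.is_file() else root.rglob("*")):
            for n, kind, masked in (scan_file(p) if p.is_file() else []):
                print(f"{p}:{n}: {kind} {masked}")
```

Pointed at a home directory or a mail export, this turns "do not save NPI locally" from a reminder into a check; the masked output can go to a supervisor or the safeguards coordinator without creating another copy of the data. Structural validation matters: without the Luhn and SSA rules, every phone number, invoice total and reference number becomes a false alarm and staff stop reading the report.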
Safeguarding customer information
and university assets
is everyone’s job!




                                    71
The FTC’s Identity Theft Program

  Toll-free phone number for complaints:
        1-877-ID-THEFT (1-877-438-4338)
  Consumer Education Materials
  Web site: www.consumer.gov/idtheft
  Identity Theft Data Clearinghouse – the
   federal government’s centralized database
   of ID theft complaints




                                               72
Learn about security and privacy
protection practices for your workplace
 "Security & Privacy -- Made Simpler," from the Better Business
   Bureau
   www.bbb.org/securityandprivacy/SecurityPrivacyMadeSimpler.pdf
 “Protecting Personal Information: A Guide for Business,” from the
   Federal Trade Commission
   www.ftc.gov/bcp/edu/pubs/business/privacy/bus69.pdf
 “Information Security Handbook,” from the National Institute of
   Standards and Technology
   http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
 “Prevent Identity Theft with Responsible Information-Handling
   Practices in the Workplace,” from the Privacy Rights
   Clearinghouse
   www.privacyrights.org/ar/PreventITWorkplace.htm

                                                                    73
WHAT WOULD YOU DO?




                     74
  Additional Resources

 The California Office of Privacy Protection has developed a series of
   Recommended Practices. Several of the guides may be helpful in
   protecting your business whether or not you are located in California.
       “Recommended Practices on California Information-Sharing
        Disclosures and Privacy Policy Statements,”
        www.privacy.ca.gov/recommendations/infosharingdisclos.pdf
       “A California Business Privacy Handbook,”
        www.privacyprotection.ca.gov/recommendations/ca_business_privacy_hb.pdf
       “Recommended Practices for Protecting the Confidentiality of
        Social Security numbers,”
        www.privacy.ca.gov/recommendations/ssnrecommendations.pdf



                                                                      75
In Summary…




       Protect Yourself
       Protect Others
       Protect the University


                             76

				