
Security/Compliance: Latest Big Issue … Trash!

I knew when I saw the look in the chimney sweep's eyes that I had been a bad, bad girl. As he approached the fireplace to begin the inspection and cleaning process, he looked aghast at the huge stack of paper sitting on the grate where the logs should be. He gazed at it, then looked at me and said, "Lady, you weren't planning to burn all this paper in your fireplace, were you?" His tone of voice made it clear that the only acceptable answer was "No," but I couldn't lie. That had been precisely my intent. Sounded like a great way to dispose of financial records more than a decade old. Guess not ...

Congress also had some concerns about disposal of sensitive financial information, and, as a result, the FACT Act contains Section 216, which requires the bank regulatory agencies to adopt a final rule requiring each financial institution to develop, implement, and maintain "appropriate measures" to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft. The final rule was published in December 2004 and becomes effective July 1, 2005.

Prior to the July effective date, some institutions may need to amend their existing information security programs to incorporate the new measures. The starting point is understanding what constitutes "consumer information" for purposes of the new rule. From there, your institution will need to figure out what it holds that would be classified as "consumer information," where it is stored, how it is used, and when it's prudent to dispose of it.

The term consumer information is defined to mean any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by your institution (or on your behalf) for a business purpose.

Examples include a consumer report you pull on someone - whether they become a borrower, a guarantor, an employee or prospective employee, or are an unsuccessful applicant for credit. It also includes information derived from such a report, as well as information obtained about a consumer from an affiliate, other than mere transactions and experiences data.

As with other data protected by your information security program, risk assessment is a critical first step. The goal is to implement and maintain security measures designed to guard against misuse, alteration or destruction.

Ask:
  • Who has access to this type of information?
  • Who really needs access? You may be able to reduce the number of employees who access consumer information.
  • At what point is the information no longer needed?
Examine how you guard against unauthorized users pulling credit reports. Track copies that are made and memos that extract data from the reports.

Basically, you will then evaluate the same eight categories of security measures you evaluated when adopting your original information security program:
  1. logical access controls
  2. physical access controls
  3. encryption
  4. system modification procedures
  5. dual controls, segregation of duties, background checks
  6. IDS
  7. incident response program
  8. emergency plan
Then, after your risk assessment and evaluation of the categories of security measures, you will need to adopt the security measures that would be appropriate.

The regulators say they anticipate any changes to an institution's existing information security program likely will be minimal because the measures already in place to dispose of "customer information" could be adapted to properly dispose of "consumer information."

Don't assume, however, that no action is warranted on your part. Take a thoughtful, reasoned approach to analyzing the storage and use of consumer information, document your analysis, document your decisions, obtain board approval prior to July 1, 2005 of any new measures being incorporated into your information security program, and, of course, train your staff on any new procedures that come about as a result. Oh, yeah. And don't plan to simply heft the consumer information into your fireplace either. Chimney sweeps frown on that.

Mary Beth Guard, Esq. is CEO of Glia Group, Inc., Executive Editor of BankersOnline.com, and an advisor to BankersOnline.com. In a career spanning more than two decades, she has gained a national reputation as a banking attorney, speaker, writer and Internet expert. You can contact Mary Beth via email at mbguard@bankersonline.com.

Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 14, No. 12, 1/05



