Security and Privacy of Consumer Financial Information Discussion

Create a Wiki entry on the Security and Privacy of Consumer Financial Information as it relates to the chapter and recent news.


ISOL 633 – Legal Regulations, Investigations and Compliance
Lesson 4 – Chapter 4
Security and Privacy of Consumer Financial Information
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
▪ Describe legal compliance laws addressing how financial institutions protect the security and privacy of consumer financial information.
Legal Issues in Information Security
Key Concepts
• Financial institutions and the protection of information they collect
• Financial regulatory laws and government regulatory bodies
• The Gramm-Leach-Bliley Act and financial institutions
• The Federal Trade Commission Red Flags Rule
• Payment Card Industry Standards
Business Challenges Facing Financial Institutions
• Bear cost of consumer identity theft
• Company names and logos used in phishing scams
• Targets of hackers
• Must follow regulations designed to protect security and privacy of data they collect and use; rules place compliance burden on financial institutions
Types of Financial Institutions
• Savings and loan associations
• Finance companies
• Insurance companies
• Investment companies
Examples of Regulation/Definitions
• National Banking Act of 1864
• Bank Secrecy Act of 1970
• Bank Holding Company Act of 1956
• Gramm-Leach-Bliley Act
Definitions:
• Consumer
• Consumer Information
• Consumer Goods
• Consumer Services
Consumer Financial Information
• Name
• Social Security number
• Address/telephone number
• Driver’s license number
• Work history
Who Regulates Financial Institutions?
Federal Reserve System
• Created by Congress in 1913
• Central Bank of the US
• Bank for other banks
• Bank for Government
• Responsibilities?
• Structure and Organization
Structure of the Federal Reserve (Continued)
• 12 Regional Banks
• Each with 24 Branches
• Each with a 12-member Board of Directors
• Function:
  • Distribute currency and coin between regions
  • Supervise and review National Member Banks for soundness
  • Serve as bank for the federal government
  • Regulate state-chartered member banks
  • Supervise bank holding companies
  • Supervise foreign banks operating in the US
  • Supervise foreign activities of domestic member banks
Federal Deposit Insurance Corporation
• Banking Act of 1933
• Banking Act of 1935
• 5-member Board of Directors
  • 3 appointed by the President
  • Comptroller of the Currency
  • Director of the Consumer Financial Protection Bureau
• No more than 3 from any one political party
• 8 Regional Offices
• Purpose?
• Members?
National Credit Union Association
• Congress passed the Federal Credit Union Act of 1934
• Created Federally Chartered Credit Unions
• The NCUA was formed in 1970 to supervise and charter Federal Credit Unions
• What is a Credit Union?
  • Cooperative – So what is a cooperative?
  • Affiliates (members) pool their money together to make loans to each other
• Structure
  • 3-member Board of Directors
  • 5 regional offices
  • NCUSIF
Office of the Comptroller of the Currency (OCC)
• 1864 – National Banking Act
• Under the Department of the Treasury
• Charters and supervises National Banks and Federal Savings Associations (Thrifts)
Consumer Financial Protection Bureau (CFPB)
• 2010
• Focus is on consumers
• Ensures that all consumers have access to financial products and services
• Services offered in a fair and competitive manner
• Examines financial institutions to ensure compliance
• Board of Directors
• 6 Divisions and a number of advisory boards
Federal Trade Commission (FTC)
• Independent Federal Agency – Congress 1914
• Oversees compliance with more than 46 different laws
• 5 Commissioners – 7-year term
• No more than 3 from any one political party
• 7 Regional offices
• Function
Federal Financial Institutions Examination Council
• Established in 1979 – by act of Congress
• Reports to Congress annually
• Established by:
  • Financial Institutions Regulatory and Interest Rate Control Act of 1978
• Composition of the Council: this body has 6 members comprised of:
  • Chair of the FDIC
  • Chair of the NCUA
  • Comptroller of the OCC
  • Director of the CFPB
  • Member of the Board of Governors of the FED
  • Chair of the FFIEC State Liaison Committee
• DOES NOT REGULATE FINANCIAL INSTITUTIONS
Federal Financial Institutions Examination Council (FFIEC)
▪ Establish principles and standards for examination of federal financial institutions
▪ Develop uniform reporting system
▪ Conduct training for federal bank examiners
▪ Make recommendations regarding bank supervision matters
▪ Encourage adoption of uniform principles and standards by federal and state banks
FFIEC (Continued)
• Task Forces – 6 under the direction of the FFIEC
  • Consumer Compliance – Promotes a uniform approach to consumer protection laws
  • Examiner Education – Oversees FFIEC examiner training
  • Information Sharing – Sharing of information among its members
  • Reports – Uniform financial reporting for members
  • Supervision – Supervision and examination procedures
  • Surveillance Systems – Develops systems to monitor the financial condition and the performance of financial institutions
The Gramm-Leach-Bliley Act (GLBA)
▪ The Financial Modernization Act of 1999
▪ Protects personal financial information held by financial institutions
Impacts of GLBA
• Allows banks, securities, and insurance companies to merge
• Financial activities include borrowing, lending, providing credit counseling, debt collection, and other activities
• Protects nonpublic personal information (NPI)
Nonpublic Personal Information (NPI)
• Social Security numbers
• Financial account numbers
• Credit card numbers
• Date of birth
• Name, address, and phone numbers when collected with financial data
• Details of any transactions or the fact that an individual is a customer of a financial institution
GLBA – Principal Parts
• Privacy Rule
• Safeguards Rule
• Pretexting
GLBA Privacy Rule
• Financial institutions may not share NPI with nonaffiliated third parties unless the institution gives notice to the consumer
• The notice must tell consumers about the types of data the institution collects and how it uses that information
  • Called a notice of privacy practices
• Consumers have a chance to opt out of some data sharing
• Difference between Customer and Consumer
• Amended by the Financial Services Regulatory Relief Act of 2006
  • April 2010 – Model Privacy Notice form
GLBA Safeguards Rule
• Each agency must establish standards that:
  • Protect the security and confidentiality of customer information
  • Protect against threats to the security or integrity of customer information
  • Protect against unauthorized access to or use of customer information that could result in harm to a customer
GLBA Pretexting Rule
• Pretexting
  • Trying to gain access to customer information without proper authority; also known as social engineering
• Illegal to make false, fictitious, or fraudulent statements to a financial institution or its customers to get customer information
• Illegal to use forged, counterfeit, lost, or stolen documents to do the same thing
• Designed to stop identity theft
The Federal Trade Commission Red Flags Rule
▪ Fair and Accurate Credit Transactions Act of 2003 (FACTA)
▪ Identity Theft Red Flags Rule
▪ Applies to financial institutions and creditors with covered accounts
▪ What is a covered account?
▪ Requirements?
▪ Oversight?
Red Flag Categories
• Suspicious documents
• Suspicious personal identifying information
• Notice of identity theft
• Unusual account activity
• Credit reporting agency alerts
Red Flag Rules (Continued)
• Written Identity Theft Prevention Program
  • Detect, prevent and mitigate identity theft
  • Employee training
• Oversight
  • Federal Reserve System
  • FDIC
  • OCC
• Enforcement
  • $2,500.00
  • No private right of action
Payment Card Industry (PCI) Data Security Standard (DSS)
▪ Safeguards and protects credit card data
▪ All merchants accepting credit cards must follow PCI DSS standards
▪ Single approach makes it easier for merchants to accept all cards
Payment Card Industry Security Standards Council
• Since 2006
• Comprised of major credit card companies
  • MasterCard
  • Visa
  • American Express
  • JCB International (Chase)
  • Discover
• NOT a government agency
• Purpose?
• Scope?
• Requirements?
• Oversight?
PCI DSS Controls and Rules
▪ Build and maintain a secure network
▪ Protect cardholder data
▪ Maintain a vulnerability management program
▪ Implement strong access control measures
▪ Regularly monitor and test networks
▪ Maintain an information security policy
How Effective Have These Measures Been?
Examples of Breaches:
• FTC vs. Nationwide Mortgage Group under GLBA
• Target – self-reporting of credit card data breaches
• TJX – self-reporting of credit card data breaches
• Neiman Marcus (retail). Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack. Sophisticated code written by the hackers allowed them to move through company computers, undetected by company employees, for months.
• Michaels (retail). Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected. Attackers targeted the Michaels POS system to gain access to their systems.
• Yahoo! Mail (communications). The e-mail service for 273 million users was reportedly hacked in January 2015, although the specific number of accounts affected was not released.
• Aaron Brothers (retail). The credit and debit card information for roughly 400,000 customers of Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.
• AT&T (communications). For two weeks in 2015, AT&T was hacked from the inside by personnel who accessed user information, including Social Security information.
• eBay (retail). Cyber attacks in late February and early March 2015 led to the compromise of eBay employee log-ins, allowing access to the contact and log-in information for 233 million eBay customers. eBay issued a statement asking all users to change their passwords.
• Bartell Hotels (hotel). The information for up to 55,000 customers was reportedly stolen between February and May 2015.
• U.S. Transportation Command contractors (transportation). A Senate report revealed that networks of the U.S. Transportation Command’s contractors were successfully breached 50 times between June 2012 and May 2013. At least 20 of the breaches were attributed to attacks originating from China.
• J.P. Morgan Chase (financial). An attack in June was not noticed until August 2015. The contact information for 76 million households and 7 million small businesses was compromised. The hackers may have originated in Russia and may have ties to the Russian government.
• Dairy Queen International (restaurant). Credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised by the Backoff malware in 2015.
• Snapsave (communications). Reportedly, the photos of 200,000 users were hacked from Snapsave, a third-party app for saving photos from Snapchat, an instant photo-sharing app, between 2014 and 2015.
• U.S. Investigations Services (services). U.S. Investigations Services, a subcontractor for federal employee background checks, suffered a data breach in August 2015 which led to the theft of employee personnel information. Although no specific origin of attack was reported, the company believes the attack was state-sponsored.
• Community Health Services (health care). At Community Health Service (CHS), the personal data for 4.5 million patients were compromised between April and June 2015. CHS warns that any patient who visited any of its 206 hospital locations over the past five years may have had his or her data compromised. The sophisticated malware used in the attack reportedly originated in China. The FBI warns that other health care firms may also have been attacked.
• UPS (services). Between January and August 2014, customer information from more than 60 UPS stores was compromised, including financial data, reportedly as a result of the Backoff malware attacks.
• Defense Industries (defense). Su Bin, a 49-year-old Chinese national, was indicted for hacking defense companies such as Boeing. Between 2009 and 2013, Bin reportedly worked with two other hackers in an attempt to steal manufacturing plans for defense programs, such as the F-35 and F-22 fighter jets.
• Home Depot (retail). In 2015, cyber criminals reportedly used malware to compromise the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets.
• Google (communications). Reportedly, 5 million Gmail usernames and passwords were compromised. About 100,000 were released on a Russian forum site. 2014–2015.
• Apple iCloud (technology). Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple users’ online data storage, leading to the subsequent posting of celebrities’ private photos online. It is uncertain whether users or Apple were at fault for the attack. 2014–2015.
• Goodwill Industries International (retail). Between February 2013 and August 2014, information for roughly 868,000 credit and debit cards was reportedly stolen from 330 Goodwill stores. Malware infected the chain store through infected third-party vendors.
• SuperValu (retail). SuperValu was attacked between June and July, and suffered another malware attack between late August and September. The first theft included customer and payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and Shoppers stores. The second attack reportedly involved only payment card data.
• Five Chinese hackers indicted. Five Chinese nationals were indicted for computer hacking and economic espionage of U.S. companies between 2006 and 2014. The targeted companies included Westinghouse Electric (energy and utilities), U.S. subsidiaries of SolarWorld AG (industrial), United States Steel (industrial), Allegheny Technologies (technology), United Steel Workers Union (services), and Alcoa (industrial).
• Unnamed public works (energy and utilities). According to the Department of Homeland Security, an unnamed public utility’s control systems were accessed by hackers through a brute-force attack on employees’ log-in passwords. 2015.
• Feedly (communications). In 2015, Feedly’s 15 million users were temporarily affected by three distributed denial-of-service attacks.
• Evernote (technology). In 2015, in the same week as the Feedly cyber attack, Evernote and its 100 million users faced a similar denial-of-service attack.
• P.F. Chang’s China Bistro (restaurant). Between September 2013 and June 2014, credit and debit card information from 33 P.F. Chang’s restaurants was compromised and reportedly sold online.
What Are the Odds?
• According to the Bureau of Justice Statistics, 17.6 million U.S. residents experienced identity theft in 2014.
• That represents about 7 percent of U.S. residents age 16 or older who were victims of at least one incident of identity theft in 2014.
• The most common type of identity theft was the unauthorized misuse or attempted misuse of an existing account, experienced by 16.4 million persons. Victims may have experienced multiple types of identity theft. An estimated 8.6 million victims experienced the fraudulent use of a credit card, 8.1 million experienced the unauthorized or attempted use of existing bank accounts (checking, savings or other) and 1.5 million victims experienced other types of existing account theft, such as misuse or attempted misuse of an existing telephone, online or insurance account.
• Source: Victims of Identity Theft, 2014 (NCJ 248991), written by BJS statistician Erika Harrell. The report, related documents and additional information about the Bureau of Justice Statistics’ statistical publications and programs can be found on the BJS website at http://www.bjs.gov/.
Web Sites
http://www.consumer.ftc.gov/articles/pdf-0119-guide-assisting-id-theftvictims.pdf
https://www.consumer.ftc.gov/articles/pdf-0094-identity-theftaffidavit.pdf
https://www.consumer.ftc.gov/articles/pdf-0009-taking-charge.pdf
THANK YOU!
Please email your questions to
Dr. Les Stovall
Leslie.Stovall@UCumberlands.edu
