[ISN] Regulatory fire may torch lending business

From: InfoSec News (alerts@private)
Date: Thu Oct 12 2006 - 02:02:51 PDT


http://www.inman.com/inmannews.aspx?ID=57774

By Neil J. Morse
October 12, 2006

Fear of fraud is fueling a rush of new state laws intended to protect 
consumers. But in its path, this blazing regulatory fire may torch many 
financial services providers unable to keep up with all the new 
requirements.

"There's 35 different states looking at privacy laws and depending on 
what information [lenders are] sending out, in some states that may 
trigger a violation of privacy laws," worries Alfred Connizzo, chief 
operations officer, LandAmerica Credit Services, Norcross, Ga.

One leading area of lawmaking involves security breach notification, 
which centers on making lenders responsible for notifying customers when 
a breach (loss, compromise, theft, etc.) occurs. "It's important to have 
a policy in place [explaining] what you're going to do if there is a 
breach," Connizzo counsels.

That responsibility, however, is becoming more difficult as individual 
states develop their own definitions of "public" versus "private" 
information.

"There are 35 different laws pending to define what that is," according 
to Connizzo. "For some of them, 'private' is defined as the last name 
and any other piece of identifying information. [But] is that [really] 
private information?" he asks doubtfully. Connizzo is hoping a 
preemptive federal law will get rid of these changes being made by the 
states.

In the meantime, data breaches in the last year have exposed the 
personal information of more than 80 million Americans, according to the 
Privacy Rights Clearinghouse, a nonprofit organization that follows 
identity theft.

Among the most celebrated was the May 3 theft of computer disks holding 
the names, Social Security Numbers and other information of 26.6 million 
armed forces veterans.

Motivated by these occurrences, 17 states have passed "credit freeze" 
laws enabling consumers to prevent banks or credit agencies from issuing 
new accounts in their names. Businesses are opposed to such legislation 
because retailers, in particular, want to make it easy to buy and are 
willing to write off identity theft as a cost of doing business.


Focus on high-risk areas

But it is insider hacking that can be the most insidious threat to 
corporate security, according to Ian Lim, director of enterprise 
security, New Century Mortgage, Irvine, Calif., who estimates that it 
can emanate from "the 10 percent of those who can bypass 90 percent of a 
company's protection." Lim said, "You can't secure everything so focus 
on high-risk areas. Identify, verify, analyze, prioritize and 
remediate."

He elaborated: "Conduct an annual risk assessment in the third quarter 
of the year. Prioritize risk with your executive management and build 
remediation plans into departmental budgets." Lim offered several Web 
sites to help companies keep up with the "current threat landscape." Lim 
says breaches may come from organized crime, terrorists, hackers and 
"hacktivists," the last comprised of people "trying to make a point" in 
their cyber-thefts.

One result of all this fraud is a heavier compliance burden for 
business. Peter Delano, senior analyst, investment management, 
TowerGroup, Needham, Mass., said the post-Enron/Worldcom climate is 
fanning the regulatory flames when it comes to laws like those aimed at 
security breaches. "All this regulation ... hurts -- it hurts a lot, 
because just as soon as you think you have [one] figured out there are 
others; there's no end, it's ongoing testing, and reporting and 
monitoring," Delano complains.

He reports that half of all financial services companies have had a 
major increase in efforts to meet compliance regulations from 2002 to 
2005, and 15 percent of all operating costs are spent on compliance 
among large firms.

Copyright 2006 Inman News

