[Politech] A critical look at new bank "security breach" requirements [priv]

From: Declan McCullagh (declan@private)
Date: Wed Mar 23 2005 - 21:54:15 PST


http://news.com.com/2061-10796-5631623.html

March 23, 2005, 7:55 AM PST
Feds set security breach rules for banks, credit unions

Banks and credit unions will be expected to follow stricter guidelines 
about reporting accidental disclosures of customers' personal information.

Federal regulators on Wednesday outlined what steps they expect 
financial institutions to take after a security breach happens. (Alert 
readers will remember a series of recent incidents involving Bank of 
America, payroll provider PayMaxx, and of course, ChoicePoint.)

Among the guidelines: A notice to customers "should describe the 
incident in general terms and the type of customer information that was 
the subject of unauthorized access or use. It also should generally 
describe what the institution has done to protect the customers' 
information from further unauthorized access."

Notice is expected to be given "as soon as possible" in e-mail or 
written form, and should include a telephone number that customers can 
call for additional assistance, according to the document prepared by 
the Federal Reserve System, the Federal Deposit Insurance Corporation, 
the Comptroller of the Currency, and the Office of Thrift Supervision in 
response to the Gramm-Leach-Bliley Act.

A brief digression: The new guidelines seem to make sense, but it's 
difficult to figure out whether they go too far or not far enough. 
Normally consumers can shop around and choose products based on a whole 
range of different options.

For instance, a hypothetical BankSuperSecure might employ only bonded 
employees with government security clearances and hire armed guards to 
watch these employees all the time. Those security measures would 
probably reduce the chance of insider shenanigans -- but would come at a 
substantial cost that would be passed on to consumers in the form of 
lower interest rates on savings accounts and higher interest rates on 
loans and credit cards.

Its hypothetical competitor CheapDiscountBank might take less rigorous 
security mechanisms but offer far better terms on savings accounts and 
loans. In this scenario (let's assume that the banks were required to 
disclose their respective approaches to security), consumers could 
choose what risks they're willing to take and companies could 
experiment. Because that process doesn't exist today, we end up with a 
one-size-fits-all rule that sets both a security floor and also a de 
facto ceiling that banks seem unwilling to exceed. It's difficult to 
know whether that security "level" is the best one for consumers.

_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)
