FIRMA April 2010 DATA BREACHES & PRIVACY Christine M. Farquhar Managing Director, Compliance J.P. Morgan U.S. Private Banking.

Introduction

Not only are we mandated to design, implement and maintain safeguards to protect client information, but keeping client information private and secure is vital to our businesses. In the case of private banking, the use of the word "private" is not coincidental. Maintaining trust and confidentiality is equally important. How do financial institutions meet these regulatory requirements and honor client expectations? When there is a breach of confidential information, is your institution ready to respond appropriately and as quickly as possible?

Preserving Client Confidentiality within and outside your organization

To keep client information under physical, electronic and procedural controls, ask:

- Do your affiliates perform services for the benefit of your clients?
  - Do you have control over how affiliates access your client information?
  - Is the staff serving your client base within your affiliates dedicated to that role?
  - Dedicated office space: no space sharing with other lines of business without specific approval and training for personnel
  - Dedicated printers, faxes and files
- Are there "ring-fences" around your technology? If not, how are you vetting access?
  - Consider confidentiality agreements for people with access to your systems who are not dedicated solely to your clients
  - Place "entitlements" on technology access
- Do your contracts with third-party providers address client confidentiality?
  - Client information handed over to them should be used solely for the stated contractual purposes
  - Do your third-party providers have well-defined privacy practices?
- Have you adopted internal policies and procedures around preserving client confidentiality? Make sure your personnel are aware of them. Examples:
  - Written procedures for the transportation of paper containing confidential information
  - Policies around technology access: who monitors and approves access to your systems
  - Clean desk policies

Educating your personnel

- Ongoing training, for example mandatory annual privacy training
- Periodic reminders, which complement formal training efforts. Examples:
  - Protecting client information in e-mails
  - Never share passwords to your systems
- At every opportunity, stress the importance of your privacy practices

Even when every reasonable precaution is taken and you have made every effort to educate your staff and your clients about safeguarding information, breaches can happen...

Privacy Breaches

Some background: the Interagency Guidelines on data protection and breach response require financial institutions to establish response programs for unauthorized access to customer information. The Guidelines:

- Apply to consumers only
- Apply to paper as well as computer-based information
- Apply to information held in foreign countries
- Require the institution to identify and assess the breach of information
- Require notification of the federal regulator if "sensitive" information is involved
- Require notification of law enforcement and the filing of a SAR if a crime is involved
- Require notification of the consumer customer if sensitive information is, or could possibly be, misused

"Sensitive information" means:

- Identifying information in conjunction with a Social Security number or account numbers, or
- Any combination of information that would allow access to a customer's account, e.g., name and password or PIN

Privacy Breaches: Considerations from the States

Many states, the District of Columbia and Puerto Rico have enacted laws that require the establishment of response programs for unauthorized access to customer information. These are similar to the federal guidance, but some state laws differ in that they:

- Apply only to computer information (a few states apply to paper too)
- Require notification of the state Attorney General or another agency rather than law enforcement
- Require notification of the customer regardless of whether information is, or could possibly be, misused (a few states have a risk-of-harm standard)
- Specify fines and/or penalties for violations

An organized approach to responding to privacy breaches

- Establish an umbrella Privacy Office or designated contact that is ultimately responsible for creating the standards and guidelines your institution uses when dealing with breaches
- Establish escalation points within the various areas of your firm
- Form "Incident Response Teams" with legal, compliance and/or risk representation. Incident Response Teams can serve as a control around proper escalation and response, including any required response to clients or reporting to regulatory agencies
- Adopt the use of an "Incident Report Form". This gives your people a tool to report breaches effectively, and can include:
  - Name and contact information of the person reporting the incident
  - A description of the incident with enough detail to allow an investigation: date and time of the incident, when it was discovered, by whom, etc.
  - Where it occurred (country, city, etc.)
  - A description of the information involved
  - Whether third parties or outside service providers were involved

An organized approach: Required elements of notification

When sensitive information has been breached, the notification must include:

- A description of the incident
- What your institution has done to protect client information from further unauthorized access
- A phone number for further information
- A reminder that clients should remain vigilant over the coming months and should promptly report incidents of suspected identity theft

Consider also including in the notification:

- A recommendation that clients review account statements for suspicious activity
- A description of fraud alerts and an explanation of how to place alerts on their consumer credit reports
- A recommendation that they obtain periodic credit reports from a nationwide reporting agency

Credit monitoring: consider offering credit monitoring services, or providing clients with the name of a credit monitoring service they can contact on their own.

THE MODEL PRIVACY FORM

In October 2009, the Agencies adopted new model privacy notification forms, the Model Forms.

- Standardized: page layout, content, format, style, pagination and shading are prescribed. Only certain fields may include variable text.
- Address information sharing and non-sharing practices.
- May require an "opt-out" depending on how the sharing reasons are answered.
- Did not generally contemplate private banking.
- The federal regulators launched an "online form builder". Since you have little latitude to change the form, the form builder is quite useful.

While the Agencies have indicated that use of the Model Forms is voluntary, a financial institution that does NOT choose to use the Model Forms may:

- Receive new and enhanced scrutiny, as to format as well as content, from Agency examiners
- Lose its safe harbor
- Appear different from other firms, so that consumers will not be able to make the simple comparison of privacy practices the Agencies were seeking
- Find itself a focus of media and consumer advocates critical of non-standard forms