Understanding Enterprise Privacy Compliance Processes for the Financial Services Industry

Harvard Privacy Symposium

August 20, 2008, 3:00 – 3:45 p.m.

Susan M. Pandy, Senior Director, Internet & eCommerce, NACHA

John Carlson, Senior Vice President, BITS

Dan Burks, Chief Privacy Officer, U.S. Bank


Agenda

• Electronic Payments Snapshot

• Risks

• Regulation & Supervision

• Striking a Balance between Security, Privacy and Convenience


Changes in Payments Volumes ’03 – ’06

[Bar chart] Electronics*: 18.6; Checks Written: -4.5

* Includes ACH, Credit Card, Debit Card and EBT. Does not include check images.

76% of the increase in total electronic volume comes from sources other than declines in check volume.

Source: ECCHO, Federal Reserve 2007 Payments Study


Checks Become Less Relevant Over Time

• To Come


Banks Respond with Electronic Payments

Source: Grant Thornton 14th Annual Bank Executive Survey


Cross-Channel Information Risk

[Diagram] Threats by channel:

• Internet/PC: Phishing, Man-in-the-Middle, Hacking, Worms, Employee Theft, Spyware, Theft of Data

• Other channels shown: ATM, Physical, POS, Wireless

• Threats shown against those channels: Skimming, Employee Theft, Trapping, Dumpster Diving, Mail Theft, Spyware, External Theft


Information Risk in Electronic Payments

• Increased product offerings across channels (e.g., Internet, phone, mobile, ATM, branch, etc.)

• Enhanced accessibility to electronic payment channels/networks = End-to-end transaction risk

• Information fraud = attempts to gain access to identities, transactions, credentials, data or any combination of these factors.

• Exposure risk: Trojans, crimeware, data breaches and hacking


Sample Headlines

“Feds Arrest Hackers of TJX, Other Retailers in Huge Conspiracy Bust”

Eleven perpetrators held responsible for online theft and sale of more than 40 million credit and debit cards

“Card data stolen from grocery chain”


Privacy Trust Eroding Factors

Bar Chart 4: Factors Most Likely to Decrease Privacy Trust Scores

• Data breach: -48%

• Irresponsible marketing: -44%

• Data inaccuracy: -36%

• Too much “legalese”: -23%

• Aggressive sharing: -19%

• Customer service mishaps: -17%

Source: Ponemon Institute 2007


Effect of a Breach on Privacy Trust

Bar Chart 2: Percentage Difference between 12 Data Breach Companies and Sample Average Ranks in 2006 and 2007

• 2006 (Before Breach): 1%

• 2007 (After Breach): -23%

Source: Ponemon Institute 2007


Regulation and Supervision

• Role of regulators in security and privacy protection

– Differences between financial regulators and the Federal Trade Commission

– Focus on authentication as one of several important security controls

• Industry collaboration

• Research and development priorities


Key Regulatory Requirements

• Gramm-Leach-Bliley (GLBA)

• Identity Theft “Red Flags” Rule

• Interagency guidance

– Information security, including authentication

– Vendor management


Authentication Requirements

• 2005: Federal Financial Institutions Examination Council (FFIEC) updated guidance for authentication

– Risk-based program that requires:

• Risk assessment process

• Adequate “layered” security controls

• Customer awareness programs

– Urges multifactor authentication

– Applies to all forms of electronic banking activities


Authentication (Cont.)

• In response to risks and regulatory/supervisory requirements, financial institutions are:

– Deploying stronger and broadly accepted authentication methods, predominantly knowledge-based authentication (KBA) (e.g., challenge questions) and/or device authentication (e.g., unique identifier of customer’s PC)

– Tokens also used, but for limited applications (e.g., high value transfers)

– Applying layered controls to protect consumers and FIs

• Guidance underscores the importance of the enrollment process and scalability

• Consumer acceptance is top concern, together with cost and technology readiness

– Reveals tension between imposing new requirements and customer convenience
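The two authentication slides above describe a risk-based, layered program: password plus device recognition or KBA challenge questions, with tokens reserved for high-value transfers, and an enrollment step that binds a device. The following Python is an added illustration of such a decision engine; it is not code from the slides or from NACHA, BITS or U.S. Bank. The HMAC-keyed device identifier, the `HIGH_VALUE_THRESHOLD` value, the layer names and the sample device attributes are all hypothetical choices made for the example.

```python
"""Layered, risk-based authentication decision: added example, not from the slides.

Hypothetical (not on the slides): the device identifier is an HMAC over
browser/PC attributes keyed with a bank-side secret; the step-up amount
threshold; and the layer names used below.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Hypothetical bank-side secret for device binding; in production it would
# come from the key-management system, never from source code.
DEVICE_KEY = b"example-device-binding-key"

# Hypothetical policy value: transfers at or above this amount require a token.
HIGH_VALUE_THRESHOLD = 10_000


def device_identifier(attributes: dict) -> str:
    """Derive a stable identifier for the customer's PC from its attributes.

    Keying with HMAC means someone who learns the raw attributes still
    cannot compute the identifier the bank has on file.
    """
    canonical = "|".join(f"{k}={attributes[k]}" for k in sorted(attributes))
    return hmac.new(DEVICE_KEY, canonical.encode(), hashlib.sha256).hexdigest()


@dataclass
class Customer:
    username: str
    enrolled_devices: set = field(default_factory=set)


@dataclass
class Request:
    customer: Customer
    device_attributes: dict
    amount: float = 0.0
    new_payee: bool = False


def required_layers(req: Request) -> list:
    """Ordered list of authentication layers this request must satisfy.

    Layer 1: password, always.
    Layer 2: device check; a recognised device passes silently, an unknown
             device adds KBA challenge questions.
    Layer 3: hardware token for high-value or first-time-payee transfers,
             the "limited applications" the slide mentions.
    """
    layers = ["password"]
    device_id = device_identifier(req.device_attributes)
    recognised = any(hmac.compare_digest(device_id, known)
                     for known in req.customer.enrolled_devices)
    layers.append("device-recognised" if recognised else "kba-challenge")
    if req.amount >= HIGH_VALUE_THRESHOLD or req.new_payee:
        layers.append("token")
    return layers


def decide(req: Request, completed: set) -> str:
    """Return "allow" or "step-up:<missing layers>" given the layers the
    customer has already completed. A recognised device needs no action."""
    needed = set(required_layers(req)) - {"device-recognised"}
    missing = sorted(needed - completed)
    return "allow" if not missing else "step-up:" + ",".join(missing)


def enrol_device(customer: Customer, attributes: dict) -> None:
    """Bind the device after a successful step-up so the next login from it
    is recognised (the enrollment step the guidance emphasises)."""
    customer.enrolled_devices.add(device_identifier(attributes))


if __name__ == "__main__":
    alice = Customer("alice")
    # Constructed sample device attributes, not real customer data.
    home_pc = {"ua": "Mozilla/5.0", "screen": "1920x1080", "tz": "-5"}
    print(decide(Request(alice, home_pc, amount=50), {"password"}))      # step-up:kba-challenge
    enrol_device(alice, home_pc)
    print(decide(Request(alice, home_pc, amount=50), {"password"}))      # allow
    print(decide(Request(alice, home_pc, amount=25_000), {"password"}))  # step-up:token
```

The design keeps the silent layer (device recognition) separate from the layers that demand customer action, which is where the slide's convenience tension shows up: a recognised device on a low-value transfer costs the customer nothing, while an unknown device or a high-value transfer adds exactly one visible step. Comparing device identifiers with `hmac.compare_digest` avoids a timing side channel on the lookup.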


Vendor Management Requirements

• Oversight of third party service providers

– Senior Management/Board oversight

– Risk assessment

– Contract review

– Ongoing monitoring

• Risk-based supervision

– Increasing focus on oversight of both domestic and foreign-based service providers


Financial Industry Challenges

• Changing threat landscape

• Evolution and adequacy of controls

• Vendor management

• Customer convenience

• Customer privacy preferences and security expectations

• Fraud from traditional and new channels

• Privacy issues around new channels


Examples of Industry Efforts

• Identity Theft Assistance Center

• Focused efforts to address fraud, security and vendor management through BITS/The Financial Services Roundtable

– Development of industry best practices, including:

• Breach notification

• Securing data in transport and storage

• Encryption key management

• Security awareness programs

• Shared Assessments Program


Financial Sector R&D Priorities

• Financial Services Sector Coordinating Council established in 2002

– 45 financial sector associations and financial institutions

– Goal: critical infrastructure protection and homeland security through coordination and collaboration

– Works in partnership with the Treasury Department and financial regulators in the Financial and Banking Information Infrastructure Committee (FBIIC)

• R&D committee established 2004

– Identifies priorities for research

– Beta testing SMART program as a means to provide subject matter experts to researchers in academia


Seven Major Challenges Facing the Finance and Banking Sector

1. Designing and Testing Secure Applications

2. More Secure and Resilient Financial Transaction Systems

3. Enrollment and Identity Credential Management

4. Understanding the Human Insider Threat

5. Data Centric Protection Strategies

6. Measuring the Value of Security Investments

7. Development of Practical Standards


Striking A Balance

[Diagram] Three competing priorities: Customer Convenience & Access; Privacy; Information Security


Balancing Security, Privacy and Convenience

• Keeping pace with technology

• Channel specific fraud detection

• Compliance challenges

• Privacy as strategic marketing vs. compliance exercise


Information Fraud: Sensitive Information Movement – End-to-End

[Diagram] Sensitive data moves across endpoints, applications, storage, files and the network. Elements shown: File Server, Production Data, Data warehouse, DR, Staging, Disk storage, Back up disk, Back up tape, Enterprise email, Business Analytics, Customer Portal, WAN, WWW, VPN, WW Campuses, WW Customers, WW Partners, Remote Employees, Outsourced Development.


Information Fraud: Specific Risks

[Diagram] The same end-to-end data flow (endpoints, applications, storage, files, network) annotated with specific risks: Media Theft, Device Theft, Media Loss, Device Loss, Data Loss, Data Theft, Takeover, Fraud, Intercept, Eavesdropping, Unauthorized Access, Unauthorized Activity, DOS, Corruption, Unavailability, Unintentional Distribution.


Best Practices for Mitigating Against Information Fraud Risks: External

• Protect against emerging threats

– Monitor for developments and changes

• Maintain a logical authentication strategy

– Revisit this strategy

• Educate

– Without creating paranoia or indifference


Best Practices for Mitigating Against Information Fraud Risks: External

• Understand what data is most sensitive to the business

• Select appropriate controls based on:

– Policy

– Risk

– Where sensitive data resides

• Manage security centrally

• Audit security to constantly improve


Select the Appropriate Controls

• Data Controls: Encryption and Key Management

• Data Controls: Enterprise Digital Rights Management

• Access Controls: Authentication and Authorization

• Audit Controls: Security Event and Information Mgt

• Data Controls: Data Loss Prevention


Contact Information

Susan Pandy, Senior Director, Internet & eCommerce, NACHA
[email protected]
www.nacha.org

John Carlson, Senior Vice President, BITS
[email protected]
www.bitsinfo.org

Dan Burks, Chief Privacy Officer, U.S. Bank
[email protected]
www.usbank.com