Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429
RE: Comments/OES
Mr. Feldman:
We are writing you to provide feedback on the “Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information and
Customer Notice.” Thank you for this opportunity.
We commend the Agencies on taking this initiative to clarify Section
501(b) of Gramm-Leach-Bliley. However, we believe the current draft, which
focuses primarily on tracking customer database access, doesn’t address
a major category of customer information leakage. We believe there is a
need to clearly articulate that financial organizations have an
affirmative obligation to enforce compliance by their workforce for data
usage, and not just data access.
In an average financial services firm, thousands of workers have
“authorized” access to millions of sensitive consumer records stored in
electronic databases in order to provide appropriate service and
customer relationship management.
However, with the rapid adoption of the Internet and tools such as
electronic mail, consumer information can be leaked at a moment's notice
by an insider.
Consider the damage done in just one such incident. In November of 2002,
a customer service employee of Teledata Communications Inc. who had easy
access to consumer credit reports stole 30,000 customer records. This
employee was paid almost $2 million by a fraud ring in exchange for this
information. The theft caused millions of dollars in financial losses
and demonstrates why it is critical to stop consumer information theft
at the source. (*See Attached Article)
In another case, the OCC permanently banned two bank officers from the
banking industry and assessed civil monetary penalties for e-mailing
over 2,200 confidential customer loan files over the Internet to a third
party. (*See Attached News Release)
I can assure you that the risks of another Teledata or OCC incident are
real. Many of our customers are financial services firms, and in working
with them we have seen hundreds of incidents of customer data leaving
the organization unprotected via e-mails, web mails, etc. from employees
with legitimate access to the information.
In addition, in May 2003, we conducted a survey with Harris Interactive
of 500 employees and managers, many in financial services, with access
to customer data. Almost half of the respondents said it would be “easy”
to take sensitive customer information from their employers’ network.
Two-thirds believed their co-workers posed the greatest risk to consumer
data security. Attached is an overview of some other findings from this
survey. We’d be happy to send you the full survey results, if you like.
At a recent hearing on Identity Theft before the House Financial
Services Committee, where I was a witness, Secret Service Special Agent
Tim Caddigan said his law enforcement officers have been investigating
incidents where fraud rings bribe or coerce a “collusive employee” into
stealing consumer information from corporate databases. Chances are that
this employee would already have access to the database being targeted
by the fraud ring.
We believe adding a requirement in this Guidance document for companies
to monitor and enforce employee compliance for data usage would go a
long way toward cutting off this area of customer information loss. This
is a requirement that is missing from GLBA, but was added to HIPAA’s
security requirements. (*See Attachment)
Clarifying the requirement of enforcing
compliance for not just database access but also customer data usage is
critical. Federal courts have generally recognized that companies are
vicariously liable for any acts of their employees or agents that
violate the consumer privacy requirements. (See, e.g., Jones v.
Federated Financial Reserve Corp., 144 F.3d 961 (6th Cir. 1998); Yohay
v. City of Alexandria Employees Credit Union, 827 F.2d 967 (4th Cir.
1987).) Given these court cases and others currently pending, further
clarification of a company’s obligations would go a long way to improve
the protection of sensitive customer information.
As for what constitutes “sensitive data,” we would suggest this include
all the data someone outside the company would need to access a customer
account online or impersonate an account owner over the phone. Although
we can’t say we’re familiar with the practices of all financial
institutions, it would seem that account validation fields such as
Maiden Name, Driver’s License or other Government-issued ID numbers are
reasonable additions to the currently proposed list.
Again, thank you for this opportunity. I am more than willing to provide
additional help or discuss this further with you and your staff.
Sincerely,
Joseph Ansanelli
Chairman and Chief Executive Officer
Vontu, Inc.
San Francisco, CA
*Attachments can be viewed in the FDIC Public Information Center, 550
17th St, NW, Washington, DC, during business days 8:00 am to 5:00 pm.