A Company's Obligations to Protect Customer Information - Coursework Example

Summary
The paper "A Company's Obligations to Protect Customer Information" describes that most regulatory controls fall into three categories, namely leak protection, audit and logging, and compliance. Leak protection tools monitor traffic to identify and manage the leakage of information…

Extract of sample "A Company's Obligations to Protect Customer Information"

Protecting Information

The unprecedented development of Information and Communication Technology (ICT) in the last couple of decades has opened up hitherto unexplored avenues of communicating, establishing contacts and making transactions. The Internet and the World Wide Web have integrated the world into a digital whole. Each individual now has a digital or virtual presence on the web as an inevitable counterpart of his or her physical presence in the real world; in fact, this virtual presence threatens to overshadow the physical one as ICT grows ever more pervasive. People make purchases online, transact through net banking and trade shares over the net. The net is used for every conceivable financial, social and cultural interaction.

Every time there is an online interaction or transaction, the consumer has to divulge some information to the business he or she is dealing with. In certain sectors, such as banking and insurance, very sensitive consumer information is handled and stored by businesses, and as computers and the Internet become ubiquitous the volume of such information grows at a rapid pace. Proper safeguarding of this sensitive consumer information is therefore an issue of increasing importance: if it is used arbitrarily or falls into the wrong hands, the consequences for the consumer can be drastic.

On the Internet, an individual's digital or virtual presence is established by his or her digital identity, which is defined by a set of parameters including the individual's Social Security Number, bank account information, credit card information, and so on.
If these parameters become known to a second person, he or she can falsely assume the identity of the first and carry out financial and other transactions in that person's name. Such transactions can result in large financial and other losses for the victim and unlawful gains for the perpetrator; this is identity theft. Sensitive consumer information, financial or otherwise, can also be used unscrupulously to gain business advantage or make profits at the consumer's expense. Measures therefore had to be adopted, and rules and regulations formulated, so that every business takes care to provide adequate protection and safeguards for the consumer information in its possession.

The Gramm-Leach-Bliley Act (GLBA)

The Financial Modernization Act of 1999, more commonly known as the Gramm-Leach-Bliley Act (GLBA) after its sponsors, includes provisions to protect the personal financial information that consumers entrust to financial institutions. Several of its provisions also reach companies that are not themselves financial institutions but receive such information from one. The Act comprises three principal components: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions.

The Financial Privacy Rule lays down the conditions and obligations for the collection and disclosure of customers' personal financial information by financial institutions. It also governs other companies which are not financial institutions but nevertheless receive personal financial information about customers. Under the rule, institutions must give their customers privacy notices that describe and explain the institution's information collection and sharing practices.
Once informed of these practices, customers have the right to limit the sharing of their personal financial information as they see fit. The rule also restricts how a third-party financial institution or other company may use personal financial information it receives from another financial institution.

The Safeguards Rule is concerned with ensuring that companies adopt adequate means to protect customers' personal financial information. Financial institutions and other covered companies are required to design, implement and maintain safeguards for that information; every such organization has to adopt and implement a security plan to protect the confidentiality and integrity of customers' personal information. Organizations that receive customer information from other organizations in the course of their business also fall within the purview of the Safeguards Rule.

Unscrupulous organizations and individuals often attempt to obtain personal financial information under false pretences; this is known as 'pretexting'. Pretexting is a form of social engineering: the impostor typically poses as the customer, or as someone with a legitimate need for the information, and phishing e-mail is a common vehicle. Related methods such as dumpster diving supply the background facts that make a pretext convincing, and the information so obtained is commonly used for identity theft. The pretexting provisions of the GLBA aim at protecting customers' personal information from such attempts.

The Financial Privacy Rule and the Safeguards Rule govern financial institutions such as banks, securities firms and insurance companies, as well as companies providing other types of financial services and products to consumers.
Lending, brokering or servicing any type of consumer loan, transferring or safeguarding money, preparing individual tax returns, providing financial advice or credit counseling, providing residential real estate settlement services, collecting consumer debts, and an array of other activities fall under the purview of these two rules (Patel, 2004).

GLBA Compliance and Implementation

The GLBA makes it mandatory for every covered organization to develop and implement a formal, documented information security plan to protect customer information. The plan has to be designed in keeping with the size and complexity of the organization and the sensitivity of the customer information it handles. Its elements must comprise the following:

i. Designate one or more employees to coordinate the safeguards.
ii. Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks.
iii. Design and implement a safeguards program, and regularly monitor and test it.
iv. Select appropriate service providers, and contract with them to implement safeguards.
v. Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business arrangements or operations or the results of testing and monitoring safeguards. (Patel, 2004)

The requirements are, however, flexible and will vary from institution to institution according to what is appropriate to its circumstances. While a larger and more complex institution might develop an information security plan comprising many separate documents, a simpler institution could opt for a single-page plan. What the GLBA gives priority to is the effectiveness of the plan.
A company could therefore assign a single employee to implement and coordinate the information security plan, while another could assign the task to an entire division. How connected the organization is to outside networks will also decide the scope and extent of the plan's implementation.

Enforcing Authorities and Other Regulations

Consumers, businesses and the Government have to work together to provide effective and adequate protection for consumer information, and the role of the Government is to lead that effort. The GLBA authorizes eight federal agencies as well as the states to administer and enforce the Financial Privacy Rule and the Safeguards Rule. State and local agencies are ideally placed to ensure adherence through local police departments or state consumer protection agencies, and state and local governments have in many cases devised innovative ways of tackling information breaches and identity theft at first hand. California law, for example, requires that consumers be notified of certain kinds of data breaches, which has greatly raised awareness of identity theft. The Federal Government, on the other hand, joins the battle by providing a uniform framework for attacking the problem on a national basis.

The Federal Trade Commission (FTC) enforces the consumer protection laws relating to data security. It has a full arsenal of statutory tools to ensure that companies implement reasonable measures to protect sensitive consumer information, and it works on the principle that just as businesses keep their cash safe, they are responsible for keeping their consumers' sensitive information safe.
The FTC enforces three federal laws that restrict the disclosure of consumer information and, in certain contexts, require companies to ensure the security and integrity of the data: Section 5 of the Federal Trade Commission Act, the Fair Credit Reporting Act (FCRA), and Title V of the Gramm-Leach-Bliley Act. FTC Chairwoman Deborah Platt Majoras summarized these laws at a March 10, 2005 Senate Banking Committee hearing. She identified two other laws that are not enforced by the FTC but also restrict the disclosure of certain types of information: the Driver's Privacy Protection Act and the Health Insurance Portability and Accountability Act (Smith, 2005).

The Technicality of Data Protection

In practice, protecting and safeguarding customer information means adopting security measures in every aspect of operations. Network security is vital for organizations that operate online: simply connecting to the Internet brings risk, because intruders prowl the network with malicious intent. Ensuring network security means putting in place features such as firewalls, antivirus, antiphishing, Intrusion Detection Systems (IDSes), Intrusion Prevention Systems (IPSes), honeypots and the like.

Any software or hardware element that defines which interactions are wanted in a network environment and which are not can be termed a firewall. Firewalls are used as security checkpoints at the perimeter. Sitting in the path between the private network and the Internet, the firewall inspects every communication between the two and either passes or drops it according to the rules the administrator has configured. Rule order matters, since one rule can shadow another, and traffic that no rule matches should be dropped by default. Viruses, worms and Trojan horses are forms of malware, malicious software that can pose serious threats to any network.
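The firewall behaviour described above, as an added example that is not code from the essay or its sources: an ordered rule list is evaluated first match wins, anything unmatched is dropped, and a small check reports rules that an earlier, broader rule makes unreachable. The addresses, rule sets and the Packet/Rule shapes are assumptions made for the example.

```python
"""Added example, not code from the essay: a first-match packet filter of
the kind the firewall paragraph above describes, plus a check for rules
shadowed by an earlier rule (a common configuration mistake).  Addresses
and rules are assumptions made for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "drop"
    src: str               # CIDR the source must fall in; 0.0.0.0/0 is anywhere
    dst: str               # CIDR the destination must fall in
    dport: Optional[int]   # destination port, None for any port
    proto: str = "tcp"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and self.proto == pkt.proto)


def decide(rules, pkt: Packet) -> str:
    """Action of the first matching rule; 'drop' when nothing matches (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


def shadows(earlier: Rule, later: Rule) -> bool:
    """True when every packet 'later' could match is already decided by 'earlier'."""
    return (ip_network(earlier.src).supernet_of(ip_network(later.src))
            and ip_network(earlier.dst).supernet_of(ip_network(later.dst))
            and (earlier.dport is None or earlier.dport == later.dport)
            and earlier.proto == later.proto)


def unreachable_rules(rules):
    """Indexes of rules that can never fire because an earlier rule shadows them."""
    return [j for j in range(len(rules))
            if any(shadows(rules[i], rules[j]) for i in range(j))]


# Assumed layout: 10.0.0.0/8 is the private network behind the firewall,
# 10.1.1.10 a public web server, 10.9.0.0/16 the management subnet.
RULES = [
    Rule("pass", "0.0.0.0/0", "10.1.1.10/32", 443),   # public HTTPS to the web server
    Rule("pass", "10.9.0.0/16", "10.0.0.0/8", 22),    # SSH only from management
    Rule("drop", "0.0.0.0/0", "10.0.0.0/8", None),    # everything else inbound
]

# The same intent mis-ordered: the broad pass rule comes first, so the SSH
# restriction below it can never fire and SSH is open to the Internet.
MISORDERED = [
    Rule("pass", "0.0.0.0/0", "10.0.0.0/8", None),
    Rule("drop", "0.0.0.0/0", "10.0.0.0/8", 22),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.5", "10.1.1.10", 443),
                Packet("203.0.113.5", "10.1.1.10", 22),
                Packet("10.9.4.2", "10.1.1.10", 22),
                Packet("203.0.113.5", "10.1.1.10", 443, "udp")):
        print(pkt, "->", decide(RULES, pkt))
    print("unreachable rules in MISORDERED:", unreachable_rules(MISORDERED))
```

The UDP packet to port 443 is dropped even though a pass rule names that port, because the rule is written for TCP and nothing else matches; that is the default-deny behaviour a perimeter filter should have. Running the shadowing check over a rule set before deploying it catches the mis-ordering that turns an intended SSH restriction into an open port.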
The term antivirus denotes the detection of any such unwanted software and is not restricted to viruses alone. A phishing mail is a deceptive message purporting to come from a trusted party which tries to extract confidential information from the recipient, usually by leading him or her to a website with a form asking for that information. Antiphishing is nowadays included as a perimeter security function so that phishing mails are stopped at the perimeter before they reach a user.

Both IDSes and IPSes are used in network perimeter defence. The main function of an IDS is to watch the data flow at one or more points in the network and raise an alarm when it finds anything suspicious. An IPS goes further and acts on the "bad" communications it detects: it can drop the dangerous traffic, contain it, throttle it, or tear down the offending connection.

"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource." (Spitzner, 2003). Honeypots are decoys that serve as a form of intrusion detection: they are bait placed in the network to which attackers probing it are drawn. Because a honeypot has no production purpose, there is no legitimate reason for anyone to interact with it, so any interaction identifies and exposes a threat; the corollary is that a honeypot only sees traffic directed at it and must be complemented by monitoring of the real systems.

The People Factor

Curious people, ubiquitous high-speed internet access and poor security are what Ben Rothke, a New York City senior security consultant with International Network Services, calls the "perfect storm". "When you put those three factors together, they combine to create the situation where confidential data can be quickly leaked and shared with an enormous amount of information. Once the data is shared in such a manner, it is effectively impossible to get it back in a secure state." (Shanks, 2007).
Proper training programs should therefore be organized for employees to cultivate security awareness and knowledge.

Most regulatory controls fall into three categories: leak protection, audit and logging, and compliance. Leak protection tools monitor traffic to identify and manage the leakage of information that an organization classifies as sensitive, which may range from protected personal information to sensitive financial data. Audit and logging tools record access to sensitive data and maintain long-term records of it. Compliance tools are used at the perimeter to ensure that remote connections comply with the regulatory regime applied within the organization; requiring that sensitive information be encrypted is the most common example. Protection of customer information is an important and mandatory obligation for every organization, and one directly linked with the organization's reputation.

References

Patel, R., 2004, The Right to Privacy: Protecting Your Customers' Information, Plante & Morgan Universal Advisor, Issue One.
Shanks, J., 2007, The Changing Network Perimeter: The new battle ground is information leakage, BizTech [Online]. Available at http://www.biztechmagazine.com/article.asp?item_id=264 [accessed 15 March 2008].
Smith, M.S., 2005, Identity Theft: The Internet Connection, CRS Report for Congress, Congressional Research Service, The Library of Congress.
Spitzner, L., 2003, Honeypots: Catching the Insider Threat, Annual Computer Security Applications Conference (ACSAC) [Online]. Available at www.acsa-admin.org/2003/papers/spitzner.pdf [accessed 14 March 2008].
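The IDS, IPS and honeypot behaviour described in the previous section and the leak-protection category described above, brought together in one added example that is not code from the essay or its sources. A small monitor reads a constructed connection log: inbound records feed an IDS that alerts on any contact with a honeypot address and on a burst of distinct ports from one source, outbound records are checked for Social Security Numbers and Luhn-valid payment card numbers, and an IPS step turns the alerts into block or watch decisions. The log format, addresses, thresholds and the decoy address are all assumptions made for the example.

```python
"""Added example, not code from the essay: a perimeter monitor combining
IDS alerts (honeypot contact, port-scan burst), outbound leak detection
(SSN and Luhn-valid card numbers) and an IPS decision.  Log format,
addresses, thresholds and the decoy address are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOTS = {"10.1.1.250"}      # decoy host; nothing legitimate ever talks to it
SCAN_PORTS, SCAN_WINDOW = 5, timedelta(seconds=60)   # N distinct ports within window
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")     # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits):
    """Luhn checksum: rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(digits):
    """Keep only the last four digits so the alert itself does not leak."""
    return "*" * (len(digits) - 4) + digits[-4:]


def leaks(text):
    """(kind, masked value) pairs for sensitive data found in outbound text."""
    found = [("ssn", mask(m.group().replace("-", ""))) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(("card", mask(digits)))
    return found


def parse(line):
    """Assumed format 'ts dir src dst dport [payload]'; malformed lines are skipped."""
    parts = line.split(None, 5)
    if len(parts) < 5:
        return None
    try:
        return {"ts": datetime.fromisoformat(parts[0]), "dir": parts[1],
                "src": parts[2], "dst": parts[3], "dport": int(parts[4]),
                "payload": parts[5] if len(parts) == 6 else ""}
    except ValueError:
        return None


def detect(lines):
    """IDS: return (severity, src, reason) alerts in log order."""
    alerts, recent, reported = [], defaultdict(list), set()
    for ev in filter(None, map(parse, lines)):
        src = ev["src"]
        if ev["dir"] == "in" and ev["dst"] in HONEYPOTS:
            alerts.append(("high", src, "contacted honeypot " + ev["dst"]))
        if ev["dir"] == "out":
            for kind, value in leaks(ev["payload"]):
                alerts.append(("high", src, f"{kind} {value} sent to {ev['dst']}"))
        # sliding window of (time, port) per source for scan detection
        recent[src] = [(t, p) for t, p in recent[src] if ev["ts"] - t <= SCAN_WINDOW]
        recent[src].append((ev["ts"], ev["dport"]))
        ports = {p for _, p in recent[src]}
        if len(ports) >= SCAN_PORTS and src not in reported:
            reported.add(src)
            alerts.append(("medium", src, f"{len(ports)} ports in {SCAN_WINDOW.seconds}s"))
    return alerts


def enforce(alerts):
    """IPS: high-severity alerts block the source; medium ones only put it on watch."""
    decision = {}
    for severity, src, _ in alerts:
        if severity == "high":
            decision[src] = "block"
        else:
            decision.setdefault(src, "watch")
    return decision


# Constructed log: a fast scanner, a slow prober that stays under the window,
# a honeypot contact, an outbound mail carrying an SSN and a card, and an
# outbound mail with a ticket number that looks like a card but fails Luhn.
LOG = """\
2024-03-14T10:00:00 in  198.51.100.7 10.1.1.10 443 -
2024-03-14T10:00:02 in  203.0.113.9 10.1.1.10 21 -
2024-03-14T10:00:03 in  203.0.113.9 10.1.1.10 22 -
2024-03-14T10:00:04 in  203.0.113.9 10.1.1.10 23 -
2024-03-14T10:00:05 in  203.0.113.9 10.1.1.10 25 -
2024-03-14T10:00:06 in  203.0.113.9 10.1.1.10 80 -
2024-03-14T10:02:00 in  198.51.100.7 10.1.1.10 8443 -
2024-03-14T10:04:00 in  198.51.100.7 10.1.1.10 80 -
2024-03-14T10:06:00 in  198.51.100.7 10.1.1.10 8080 -
2024-03-14T10:08:00 in  198.51.100.7 10.1.1.10 22 -
this line is malformed and is skipped
2024-03-14T10:09:00 in  192.0.2.44 10.1.1.250 80 -
2024-03-14T10:10:00 out 10.1.1.20 198.51.100.200 25 Payroll: SSN 123-45-6789, card 4111 1111 1111 1111
2024-03-14T10:11:00 out 10.1.1.21 198.51.100.200 25 Ticket 1234567890123456 has been updated
""".splitlines()

if __name__ == "__main__":
    found = detect(LOG)
    for alert in found:
        print(*alert)
    print(enforce(found))
```

Two points the run makes that the prose cannot: the honeypot contact and the outbound SSN are blocked outright because there is no legitimate reason for either, whereas the port-scan alert only puts its source on watch, since a burst of ports is also what a misconfigured client produces. The slow prober from 198.51.100.7 touches five ports but never five within sixty seconds, so it slips under the threshold; a window-based detector needs longer-term correlation (or a honeypot, which it would eventually hit) to see it.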
Source: Describe a Company's Obligations to Protect That Information and the Techniques and Tools That Can Use to Accomplish That Task (Coursework), n.d. https://studentshare.org/family-consumer-science/1544693-describe-a-companys-obligations-to-protect-that-information-and-the-techniques-and-tools-that-can-use-to-accomplish-that-task
