<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ITAC Blog &#187; Red Flags</title>
	<atom:link href="http://itacidentityblog.com/tag/red-flags/feed" rel="self" type="application/rss+xml" />
	<link>http://itacidentityblog.com</link>
	<description></description>
	<lastBuildDate>Thu, 29 Jul 2010 14:11:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Monday Morning News Kick Off:  Data Breaches Persist in Healthcare, U.S. Hampered in Fighting Cyber Attacks and Much More</title>
		<link>http://itacidentityblog.com/monday-morning-new-kick-off-data-breaches-persist-in-healthcare-u-s-hampered-in-fighting-cyber-attacks-and-much-more</link>
		<comments>http://itacidentityblog.com/monday-morning-new-kick-off-data-breaches-persist-in-healthcare-u-s-hampered-in-fighting-cyber-attacks-and-much-more#comments</comments>
		<pubDate>Mon, 21 Jun 2010 12:45:22 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[Anne Wallace and ITAC]]></category>
		<category><![CDATA[CERT]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[data breaches]]></category>
		<category><![CDATA[FTC Fed Flags]]></category>
		<category><![CDATA[Healthcare data breaches]]></category>
		<category><![CDATA[identity theft and students]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[Internet security]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Red Flags]]></category>
		<category><![CDATA[Red Flags Rule]]></category>
		<category><![CDATA[students id theft victims]]></category>
		<category><![CDATA[US cyber warfare]]></category>
		<category><![CDATA[US cybersecurity]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=1638</guid>
		<description><![CDATA[Welcome to the Monday Morning News Kick Off post from the ITAC blog.  As always, we cull together the latest, greatest and most impactful headlines when it comes to identity theft, data breaches and cyber security.  This week, we offer a diverse mix of stories about Red Flag, data breaches and healthcare, students [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="healthcare" src="http://blog.damballa.com/wp-content/uploads/2009/08/healthcare.jpg" alt="" width="125" height="125" />Welcome to the Monday Morning News Kick Off post from the ITAC blog.  As always, we cull together the latest, greatest and most impactful headlines when it comes to identity theft, data breaches and cyber security.  This week, we offer a diverse mix of stories about Red Flag, data breaches and healthcare, students being targeted as identity theft victims and much, much more.  Hope you find this mixed bag of stories the right information you need to kick start your week.</p>
<p><strong>FTC Delay of Identity Theft Rules A Reprieve For Businesses</strong><br />
The Federal Trade Commission has once again delayed enforcing new regulations that would require lawyers, accountants, and a sweeping number of other businesses to have procedures for detecting possible identity theft. The agency said it will not begin enforcing its so-called “red-flag rules” until December 31, six months after they were supposed to go into effect. The delay gives business owners and others some breathing room while the FTC sorts out exactly who would be covered by the rules.  Read the full Portfolio article <a href="http://www.walletpop.com/blog/2010/06/17/students-at-high-risk-for-identity-theft/#ixzz0rUR2vjbm">here. </a></p>
<p><strong>Data Breaches Persist in Healthcare</strong><br />
In September 2009, the Obama administration’s Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect, requiring hospitals and other health care organizations to beef up client data protections. Despite this, a recent study found that health care data is still hemorrhaging from peer-to-peer networks.  A peer-to-peer network, commonly abbreviated to P2P, is any distributed network architecture composed of participants that make a portion of their resources (such as processing power, disk storage or network bandwidth) directly available to other network participants, without the need for central coordination instances (such as servers or stable hosts).  Read the full CIO post <a href="http://advice.cio.com/robertsiciliano/10703/data_breaches_persist_in_health_care">here. </a></p>
<p><strong>Community Hospital of San Bernardino Fined for Data Breach</strong><br />
For violations of patient confidentiality, the state Department of Public Health fined Community Hospital of San Bernardino $325,000. The hospital was assessed a $250,000 fine for unauthorized access of 204 patients&#8217; medical information by one employee.  A fine of $75,000 was added after the facility failed to prevent the unauthorized access of three patients&#8217; medical information in a separate case. Diane E. Nitta, the hospital&#8217;s administrator, said the hospital has &#8220;enhanced staff education efforts around patient privacy (and) put in place expensive security measures that guard against inappropriate access to our patients&#8217; records.&#8221;  Read the full article from The Sun <a href="http://www.sbsun.com/news/ci_15296727">here. </a></p>
<p><strong>Government Pushing to Control Internet</strong><br />
For the past decade, the federal government has been moving to gain effective control over the internet.  Now, thanks to legislation just crafted by Sen. Joseph Lieberman of Connecticut, the government may finally realize its goal of being able to control virtually all aspects of the vast internet, including private internet systems. The decade-long process began in earnest in 2001, when the Bush Administration secured passage of legislation giving it jurisdiction to prosecute computer hackers anywhere in the world if the packets of information traveled through a U.S. computer or router and affected a “federal interest computer.”  Read the full AJC post <a href="http://blogs.ajc.com/bob-barr-blog/2010/06/21/government-pushing-to-control-internet/?cxntfid=blogs_bob_barr_blog">here. </a></p>
<p><strong>U.S. Hampered in Fighting Cyber Attacks, Report Says </strong><br />
The U.S. government&#8217;s ability to counter cyber attacks against its nonmilitary computer systems is largely ineffective, according to a report from an internal watchdog released last week. The Homeland Security Department branch that monitors cyber attacks can&#8217;t force other agencies to protect their systems, is woefully understaffed and its ability to manage responses to cyber attacks has been hindered by constant turnover, said the department&#8217;s inspector general. The department&#8217;s U.S. Computer Emergency Readiness Team, known as US-CERT, also withheld data from other federal agencies that could have helped them address security breaches, the report found. Read the full WSJ post <a href="http://online.wsj.com/article/SB10001424052748703280004575309243039061152.html?mod=WSJ_WSJ_US_News_5">here. </a></p>
<p><strong>Wanted: Young Cyber Experts to Defend Internet</strong><br />
Nationwide campaigns to steer youthful techies into careers defending the Internet are gaining steam. The federal government, education officials and giant military contractors are collaborating to recruit a new class of tech professional specifically trained to battle data thieves, online scammers and cyberspies. The recruitment tool of choice: competitions that pit tech-savvy youths in mock warfare against professional hackers. This year, the Collegiate Cyber Defense Competition drew teams from 83 colleges and universities, up from five schools in 2005. Boeing hired seven contestants to help defend its internal networks, which are prime targets for corporate and military spies.  Read the full USA Today post <a href="http://www.usatoday.com/money/industries/technology/2010-06-21-cybersecurity21_ST_N.htm">here. </a></p>
<p><strong>The Unreadiness Team</strong><br />
THE REPORT is chilling. Optimistically titled &#8220;U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace, but Challenges Remain,&#8221; it paints a disturbing picture of a national security disaster waiting to happen. The U.S. Computer Emergency Readiness Team, or CERT, established in 2003 to coordinate national cyber-defense efforts, is an arm of the Department of Homeland Security (DHS) tasked with &#8220;analyzing and reducing cyber threats and vulnerabilities, disseminating cyber threat warning information, and coordinating cyber incident response activities.&#8221; But this vast responsibility has come with little and confusing authority.   Read the full Washington Post Op-Ed <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/06/19/AR2010061902645.html">here.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/monday-morning-new-kick-off-data-breaches-persist-in-healthcare-u-s-hampered-in-fighting-cyber-attacks-and-much-more/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monday Morning News Kick Off:  Red Flags Around the Corner; Medical Groups Challenge &#8216;Red Flags&#8217; Rule; and ID Thieves Buy Marijuana with Senator&#8217;s Credit Card</title>
		<link>http://itacidentityblog.com/monday-morning-news-kick-off-red-flags-around-the-corner-medical-groups-challenge-red-flags-rule-and-id-thieves-buy-marijuana-with-senators-credit-card</link>
		<comments>http://itacidentityblog.com/monday-morning-news-kick-off-red-flags-around-the-corner-medical-groups-challenge-red-flags-rule-and-id-thieves-buy-marijuana-with-senators-credit-card#comments</comments>
		<pubDate>Mon, 24 May 2010 11:21:04 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[Bank of America]]></category>
		<category><![CDATA[Bank of America and Gregory Garcia]]></category>
		<category><![CDATA[ID Thieves Buy Pot]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Identity Thieves Buy Pot with Senator's Card]]></category>
		<category><![CDATA[Medical Groups Challenge Red Flags]]></category>
		<category><![CDATA[Red Flags]]></category>
		<category><![CDATA[Senate Majority Leader Dick Saslaw. Bank of America Hires Gregory Garcia]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=1516</guid>
		<description><![CDATA[Welcome to the Monday Morning News Kick Off post from the ITAC blog.  We had quite a busy week last week &#8212; with Todd Davis of Lifelock providing us with so much fodder and great content.  So, for our Monday Morning News Kick Off post, we thought we would (briefly) get back to providing [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://itacidentityblog.com/wp-content/uploads/2010/05/RedFlags.jpg" alt="RedFlags" title="RedFlags" width="97" height="121" class="alignleft size-full wp-image-1517" />Welcome to the Monday Morning News Kick Off post from the ITAC blog.  We had quite a busy week last week &#8212; with Todd Davis of Lifelock providing us with so much <a href="http://itacidentityblog.com/lifelock-ceo-victim-of-identity-theft-13-times">fodder</a> and great <a href="http://itacidentityblog.com/worst-person-day-2-lifelock-ceo-todd-davis-lifelock-lied-about-davis-identity-theft">content.</a>  So, for our Monday Morning News Kick Off post, we thought we would (briefly) get back to providing a summary of key identity theft, data breach and cyber security news.  </p>
<p><strong>U.S. is Requiring Companies to Defend Against Identity Theft</strong><br />
With identity fraud on the increase, the federal government is stepping up efforts to make sure businesses are on the alert — especially financial institutions and other companies that issue credit cards. The government says that businesses have the responsibility of making sure thieves don&#8217;t use stolen information to buy goods or open phony accounts. And to that end, the Federal Trade Commission wants businesses that might be targets of identity thieves to develop written plans to spot &#8220;red flags&#8221; that fraud could be involved and prevent it.  Read the full LA Times story <a href="http://www.latimes.com/business/la-fi-identity-theft-20100524,0,5513085.story">here.</a></p>
<p><strong>Medical Groups Challenge &#8216;Red Flags&#8217; Rule in U.S. Court  </strong><br />
A number of medical groups filed a lawsuit in a Washington D.C. court Friday seeking exemption from the Federal Trade Commission&#8217;s rule regarding identity theft regulations.  The FTC&#8217;s “red flags” rule requires any institution that could be considered a creditor to implement stringent anti-identity theft provisions. Physicians, nursing homes and other healthcare facilities could fall into this category since they routinely provide services for which they are reimbursed at a later date. Late in 2009, the U.S. District Court for the District of Columbia ruled that application of the rule to another professional group, attorneys, is “erroneous” and “inconsistent.”  Read the full MDI article <a href="http://www.mcknights.com/medical-groups-challenge-red-flags-rule-in-us-court/article/170730/">here. </a></p>
<p><strong>Identity Thieves Buy Pot with Sen. Saslaw&#8217;s Credit Card</strong><br />
Senate Majority Leader Dick Saslaw (D-Springfield) said his phone has been ringing off the hook since a report appeared yesterday in California noting that local authorities were alleging Sacramento identity thieves had stolen the senator&#8217;s credit card number and used it to buy, among other things, medical marijuana. Saslaw gave an interview to a Sacramento radio station yesterday at the request of California authorities, and since then he&#8217;s gotten calls from Fox News and others.  Saslaw said he was alerted to a problem with his American Express credit card in March and quickly reported it to Virginia State Police. Virginia authorities reported it to the California State Highway Patrol, which is now searching for two suspects in the Sacramento area in connection with the theft. Saslaw said the suspects reached out to multiple banks and credit card companies in an effort to get new cards in his name. &#8220;They were persistent,&#8221; he said.  Read the full Washington Post blog post <a href="http://voices.washingtonpost.com/virginiapolitics/2010/05/identity_theives_buy_pot_with.html">here. </a></p>
<p><strong>BofA Hires Exec for Cybersecurity</strong><br />
Bank of America Corp. has hired the former assistant secretary for the Office of Cybersecurity and Communications in the U.S. Department of Homeland Security. Gregory Garcia has been named partnership executive for cybersecurity and identity management at the Charlotte, N.C.-based bank. It is a newly created position.  BofA Chief Technology Officer Marc Gordon says Garcia’s hiring emphasizes the bank’s commitment to a leading role in public and private partnerships. “Cybersecurity and identity management have become global issues that require us to work with private and public partners across industries and borders to help us protect our customers,” Gordon says.  Read the full New Mexico Business Weekly article <a href="http://www.bizjournals.com/albuquerque/stories/2010/05/17/daily32.html">here.  </a></p>
<p><strong>Blair&#8217;s Resignation and U.S. Cybersecurity </strong><br />
Dennis Blair, as national intelligence director, was actively involved in helping shape federal IT security policy, but his resignation Friday should have minimal impact on the nation&#8217;s efforts to secure its sensitive and top secret information stored on government and military computers.  &#8220;It won&#8217;t have any effect,&#8221; said James Lewis, senior fellow at the Center for Strategic and International Studies, a public policy group. &#8220;The cyber effort is largely run out of DoD and DHS,&#8221; a reference to the Departments of Defense and Homeland Security.  Read more of the GovInfoSecurity article <a href="http://www.govinfosecurity.com/articles.php?art_id=2558">here.</a>  </p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/monday-morning-news-kick-off-red-flags-around-the-corner-medical-groups-challenge-red-flags-rule-and-id-thieves-buy-marijuana-with-senators-credit-card/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monday Morning News Kick Off:  Congress Under Cyber Attack; FTC Appeals Rule on ID Theft; and Much More</title>
		<link>http://itacidentityblog.com/monday-morning-news-kick-off-congress-under-cyber-attack-ftc-appeals-rule-on-id-theft-and-much-more</link>
		<comments>http://itacidentityblog.com/monday-morning-news-kick-off-congress-under-cyber-attack-ftc-appeals-rule-on-id-theft-and-much-more#comments</comments>
		<pubDate>Mon, 22 Mar 2010 13:28:08 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[AMA and red flags]]></category>
		<category><![CDATA[Anne Wallace]]></category>
		<category><![CDATA[Congress]]></category>
		<category><![CDATA[Congress and cyber attacks]]></category>
		<category><![CDATA[Congress vulnerable to cyber attacks]]></category>
		<category><![CDATA[cyber security and Europe]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[FTC appeals court ruling regardin red flags]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Moscow Gets Tough on Cybercrime as ID theft escalates]]></category>
		<category><![CDATA[Politoco]]></category>
		<category><![CDATA[Red Flags]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=1206</guid>
		<description><![CDATA[Welcome to the Monday Morning News Kick Off post from the ITAC blog.  As there is never a shortage of identity theft, cyber security and data breach news, we try our best to compile all the latest stories for you in one convenient location.  This week, we offer a number of stories including [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://itacidentityblog.com/wp-content/uploads/2010/03/CapitolHillMarch10.jpg" alt="CapitolHillMarch10" title="CapitolHillMarch10" width="150" height="113" class="alignleft size-full wp-image-1207" />Welcome to the Monday Morning News Kick Off post from the ITAC blog.  As there is never a shortage of identity theft, cyber security and data breach news, we try our best to compile all the latest stories for you in one convenient location.  This week, we offer a number of stories including the FTC challenging a court ruling that could give physicians relief from the &#8220;red flags&#8221; regulations, as well as an enlightening story from Politico about how Congress receives a slew of cyber attacks on an ongoing basis (no surprise there!).  </p>
<p><strong>FTC Appeals Ruling on Identity Theft &#8211; Red Flags</strong><br />
The Federal Trade Commission has challenged a court ruling that, if it stands, could give physicians some relief from regulations requiring implementation of formal identity theft prevention programs by June 1. In February, the FTC appealed a December 2009 ruling by the U.S. District Court for the District of Columbia that found the agency exceeded its authority in enforcing its &#8220;red flags&#8221; rule against lawyers. The American Bar Assn., which initiated the litigation, noted in a statement that the appellate court upheld a similar ruling against the FTC once before.  Read the full American Medical News article <a href="http://www.ama-assn.org/amednews/2010/03/22/gvbf0322.htm">here. </a></p>
<p><strong>Congress Vulnerable to Online Attacks</strong><br />
Congress is under constant attack.  But the assailants aren’t just partisan adversaries, special interests or foreign agents. These predators come armed with bytes and have names like Trojan, Spybot and Worm.  In short, Congress has a cybersecurity problem that ranges from foreign governments stealing information off BlackBerrys to unwitting aides e-mailing sensitive information from their secure office computers to more-vulnerable terminals at home. Some security experts even look with suspicion at the very origins of the House e-mail system. An Israeli company manages the project. The equipment is Canadian. A French company makes the switchers. An Indian company wrote the code. And a Chinese company wrote the backup code.  Read the full Politico article <a href="http://www.politico.com/news/stories/0310/34735.html">here. </a> </p>
<p><strong>Cybersecurity Needs Global Rules: British Lawmakers</strong><br />
Europe&#8217;s online security would best be served by developing global cyber regulation, ending current &#8220;ad hoc&#8221; international efforts, British lawmakers said on Wednesday, echoing industry calls for worldwide rules.  In a report, a committee of parliament&#8217;s upper chamber said that creating a common European-wide approach, while a desirable step in the right direction, was seen by many in the cyber community as &#8220;second best&#8221; to global regulation.  Read the full Washington Post/Reuters article <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/03/18/AR2010031801192.html">here. </a></p>
<p><strong>Moscow Gets Tough on Cybercrime as ID Theft Escalates</strong><br />
Russia has quietly arrested several suspects in one of the world&#8217;s biggest cyberbank thefts, raising hopes of a previously unseen level of official co-operation in a country that has been a haven for criminals. The Russian Federal Security Service (FSB) has detained suspects including Viktor Pleshchuk, an alleged mastermind behind a £6m (€6.6m, $9m) attack on the payment processing unit of Royal Bank of Scotland, said people familiar with the inquiry. The FSB asked the Federal Bureau of Investigation in the US, which has made the inquiry an international priority, to avoid scaring other targets in Russia into covering their tracks.  Read the full Financial Times article <a href="http://www.ft.com/cms/s/0/04e59450-3552-11df-9cfb-00144feabdc0.html">here. </a></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/monday-morning-news-kick-off-congress-under-cyber-attack-ftc-appeals-rule-on-id-theft-and-much-more/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8220;No, But Thanks:&#8221;  Healthcare Providers Want &#8220;Red Flag&#8221; Exception</title>
		<link>http://itacidentityblog.com/no-but-thanks-healthcare-providers-want-red-flag-exception</link>
		<comments>http://itacidentityblog.com/no-but-thanks-healthcare-providers-want-red-flag-exception#comments</comments>
		<pubDate>Tue, 02 Feb 2010 19:53:08 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Daily News]]></category>
		<category><![CDATA[American Dental Association]]></category>
		<category><![CDATA[American Osteopathic Association]]></category>
		<category><![CDATA[American Veterinary Medical Association]]></category>
		<category><![CDATA[Federal Trade Commission]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[InformationWeek]]></category>
		<category><![CDATA[Jon Leibowitz]]></category>
		<category><![CDATA[Red Flags]]></category>
		<category><![CDATA[Red Flags Rule]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=1021</guid>
		<description><![CDATA[Last week, a letter was sent to Federal Trade Commission (FTC) Chairman Jon Leibowitz by leaders of the American Medical Association, American Osteopathic Association, American Dental Association and American Veterinary Medical Association (AVMA) to exclude healthcare professionals from a “red flags” rule intended to combat identity theft.
According to this article from CMIO, The FTC&#8217;s interpretation [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://itacidentityblog.com/wp-content/uploads/2010/02/RedFlags.jpg" alt="RedFlags" title="RedFlags" width="138" height="103" class="alignleft size-full wp-image-1022" />Last week, a letter was sent to Federal Trade Commission (FTC) Chairman Jon Leibowitz by leaders of the American Medical Association, American Osteopathic Association, American Dental Association and American Veterinary Medical Association (AVMA) to exclude healthcare professionals from a “red flags” rule intended to combat identity theft.</p>
<p>According to this <a href="http://www.cmio.net/index.php?option=com_articles&#038;view=article&#038;id=20432&#038;division=cmio">article </a>from CMIO, the organizations say the FTC&#8217;s interpretation of the regulation imposes an unfunded mandate on healthcare professionals for detecting and responding to identity theft. In the letter, they asked the FTC to make it clear that the rule will not apply to their members, given the result of recent litigation brought by the American Bar Association against the FTC, in which the U.S. District Court for the District of Columbia ruled that lawyers should be excluded from the requirements imposed by the &#8220;red flags&#8221; rule.</p>
<p>What do you all think about this?  George Hulme, the healthcare blogger for InformationWeek, had <a href="http://www.informationweek.com/blog/main/archives/2010/01/health_care_pro.html;jsessionid=0XD2TTOAACM2DQE1GHPCKHWATMY32JVN">this </a>to say: <strong> Step up and protect your customers from identity theft.</strong></p>
<p>We believe that George has a valid point.  Healthcare providers deal with sensitive customer information that can easily be compromised.  Even though meeting the requirements of the Red Flags rule may be cumbersome, what is the alternative?  Having patients accept the responsibility when they become victims of identity theft?  Wouldn&#8217;t it be better to have steps in place to ensure that this data is protected?  We welcome all thoughts and feedback!</p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/no-but-thanks-healthcare-providers-want-red-flag-exception/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BITS Provides Regulators Feedback on Developing ID Theft “Red Flags” Programs</title>
		<link>http://itacidentityblog.com/bits-provides-regulators-feedback-on-developing-id-theft-red-flags-programs</link>
		<comments>http://itacidentityblog.com/bits-provides-regulators-feedback-on-developing-id-theft-red-flags-programs#comments</comments>
		<pubDate>Mon, 27 Jul 2009 20:05:19 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Posts]]></category>
		<category><![CDATA[BITS]]></category>
		<category><![CDATA[FS Roundtable]]></category>
		<category><![CDATA[FTC]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[Red Flags]]></category>
		<category><![CDATA[Red Flags Rule]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=665</guid>
		<description><![CDATA[In 2006, the U.S. financial regulatory agencies estimated that it would take, on average, 41 hours to create an Identity Theft “Red Flags” Program, prepare an annual report, and train staff.  In 2009, one of the regulatory agencies sought industry input on these estimates, as required by the Paperwork Reduction Act of 1995.  While Roundtable/BITS [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-666" title="JohnCarleson" src="http://itacidentityblog.com/wp-content/uploads/2009/07/JohnCarleson1.jpg" alt="JohnCarleson" width="90" height="111" />In 2006, the U.S. financial regulatory agencies estimated that it would take, on average, 41 hours to create an Identity Theft “Red Flags” Program, prepare an annual report, and train staff.  In 2009, one of the regulatory agencies sought industry input on these estimates, as required by the Paperwork Reduction Act of 1995.  While Roundtable/BITS members anticipated that the estimate was way too low, we have learned that for many of our member companies it took over 2,600 hours on average to comply with these new requirements.</p>
<p>In early July 2009, BITS, the technology and operations division of the Financial Services Roundtable, submitted a comment letter to the OCC revealing significantly higher compliance burden estimates. The letter is based on the results of a June 2009 survey. Eleven Roundtable/BITS member companies, representing a diverse mix of banking, brokerage, consumer finance, and insurance products, responded to the survey.  The average amount of time spent on a “red flags” program was 2,650 hours, with a low of 250 hours and a high of 5,000 hours.  To view the comment letter, click <a href="http://www.bits.org/p_comment_letters.html">here</a>.</p>
<p>The Fair and Accurate Credit Transactions Act of 2003 (FACTA) requires financial institutions that hold critical customer information to develop identity theft “red flags” programs for new and existing accounts by November 2008.  Since the agencies issued the proposed rule in 2006, BITS has worked with member financial institutions and regulators to understand the new regulation and to develop cost effective compliance strategies.  Our efforts include:<br />
•    Submitting a detailed comment letter in 2007 to the regulatory agencies on a proposed regulation.<br />
•    Convening a dozen conference calls with members and regulators to understand the rule and discuss compliance strategies.<br />
•    Submitting questions for the Frequently Asked Question document (FAQ) in 2008.<br />
•    Engaging credit bureaus, U.S. Postal Service and others on address discrepancy requirements.<br />
•    Conducting two member surveys on implementation challenges and compliance burden.</p>
<p>An integral part of identity theft red flags programs is reliance on the Identity Theft Assistance Center (ITAC).  Federal financial regulators have begun examinations of financial institutions and the early indications are that financial institutions have developed robust and acceptable ID Theft Red Flags programs.</p>
<p><em>John Carlson is Senior Vice President of BITS/Financial Services Roundtable where he manages relationships with regulatory agencies and engages experts from financial institutions on information security, operational risk, vendor management, fraud risk, and business continuity planning.  BITS is the technology and operations division of the Financial Services Roundtable.  On June 11, the federal financial regulators and the Federal Trade Commission jointly issued answers to 37 frequently asked questions (FAQs) on the ID Theft “Red Flags” regulation. The FAQs are available on all of the agencies’ websites and here is <a href="http://www.fdic.gov/news/news/press/2009/pr09088a.pdf">a link</a> to the FDIC’s website. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/bits-provides-regulators-feedback-on-developing-id-theft-red-flags-programs/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Q&amp;A: John Carlson, Senior Vice President of BITS/Financial Services Roundtable Discusses &#8220;Red Flags&#8221; Rule</title>
		<link>http://itacidentityblog.com/qa-john-carlson-senior-vice-president-of-bitsfinancial-services-roundtable-discusses-red-flags-rule</link>
		<comments>http://itacidentityblog.com/qa-john-carlson-senior-vice-president-of-bitsfinancial-services-roundtable-discusses-red-flags-rule#comments</comments>
		<pubDate>Fri, 01 May 2009 15:26:28 +0000</pubDate>
		<dc:creator>ITACadmin</dc:creator>
				<category><![CDATA[Guest Q&A]]></category>
		<category><![CDATA[BITS]]></category>
		<category><![CDATA[Financial Services Roundtable]]></category>
		<category><![CDATA[ID Theft]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Identity Theft Assistance Center]]></category>
		<category><![CDATA[ITAC]]></category>
		<category><![CDATA[John Carlson]]></category>
		<category><![CDATA[Red Flags]]></category>

		<guid isPermaLink="false">http://itacidentityblog.com/?p=306</guid>
		<description><![CDATA[<img class="alignleft size-full wp-image-307" title="johncarleson" src="http://itacidentityblog.com/wp-content/uploads/2009/05/johncarleson.jpg" alt="johncarleson" width="90" height="111" />Following is an exclusive Q&#38;A with John Carlson, Senior Vice President of <a href="http://www.bits.org/">BITS/Financial Services Roundtable</a>, who shared his insights into the Identity Theft “Red Flags Rule,” which requires creditors and financial services companies to develop a program to detect, prevent and minimize the damage that could result from identity theft.  The compliance deadline for financial institutions was Nov. 1, 2008. The FTC delayed enforcement for non-financial institutions until May 1, 2009.]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-307" title="johncarleson" src="http://itacidentityblog.com/wp-content/uploads/2009/05/johncarleson.jpg" alt="johncarleson" width="90" height="111" />Following is an exclusive Q&amp;A with John Carlson, Senior Vice President of <a href="http://www.bits.org/">BITS/Financial Services Roundtable</a>, who shared his insights into the Identity Theft “Red Flags Rule,” which requires creditors and financial services companies to develop a program to detect, prevent and minimize the damage that could result from identity theft.  The compliance deadline for financial institutions was Nov. 1, 2008. The FTC delayed enforcement for non-financial institutions until May 1, 2009.  And, it was announced recently that the deadline <a href="http://www.hanys.org/news/index.cfm?storyid=949">was extended</a> to August 1, 2009.  </p>
<p><strong>Q:  Tell Us About the Red Flags Regulation.</strong><br />
A:  The Red Flags Rule requires many financial institutions and any other businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or &#8220;red flags&#8221; – of identity theft in their day-to-day operations.</p>
<p>The compliance deadline for financial institutions was November 1, 2008, but the FTC delayed its enforcement of the rules until May 1, 2009, and now it&#8217;s been extended to August 1, 2009, to give non-financial institutions more time to comply.</p>
<p><strong>Q: What must financial institutions do to comply with the ruling?</strong><br />
A:  The key elements are spelled out in the 60-page regulation. The risk-based rule requires each institution/creditor that holds customer accounts (or any other account for which there is a reasonably foreseeable risk of identity theft) to:</p>
<p>•	Identify relevant patterns, practices and specific forms of activity<br />
•	Respond to red flags and incorporate into the program<br />
•	Oversee service providers<br />
•	Train staff<br />
•	Obtain approval of a written program by senior management or the board of directors, and<br />
•	Continue oversight and updating of the program.</p>
<p>In addition, the rule includes &#8220;guidelines&#8221; that are more detailed and include 26 illustrative examples of red flags that institutions may consider in developing their program. These examples address: alerts from consumer reporting agencies, suspicious documents, suspicious personal identifying information, suspicious activity with a covered account and notices of suspicious activity.</p>
<p><strong>Q:  What is BITS doing regarding this regulation? </strong><br />
A:  We have actually been very busy over the past two years in preparing for this regulation.  As you may know, BITS is the technology and operations division of the Financial Services Roundtable, and primarily we have been working with executives from member financial institutions and regulators to understand the new regulation and to develop cost-effective compliance strategies.</p>
<p>Specifically, we have submitted a detailed comment letter to the federal regulatory agencies in 2007 in response to the proposed regulation; convened a dozen conference calls with an average of 75 members for each call to better understand the rule and discuss common compliance strategies; engaged credit bureaus, U.S. Postal Service and others on address discrepancy requirements; conducted a survey on challenges with developing a red flags program with input from 32 member companies; and engaged regulators to understand the requirements and interpretation.</p>
<p><strong>Q:  What are the cost requirements of this ruling?</strong><br />
A:  Given the way the regulatory agencies drafted the rules, there is some flexibility in developing programs that are risk-based and an integral part of existing programs, including fraud and customer authentication. The good news is that the regulation is drawing attention from the many parties (e.g., financial institutions, creditors, universities, credit bureaus, medical professionals, third-party service providers, government agencies) that play an important role in preventing, detecting and responding to fraud and identity theft.</p>
<p>While new regulatory requirements usually add new costs, they can, if done well, help organizations better manage the risks while protecting consumers at the same time.  For some financial institutions, the regulation provided a means for developing better fraud prevention programs that cut across multiple lines of business.  For institutions that are not used to protecting personally identifiable information, the regulation could be very expensive to implement.  Financial institutions are very good at protecting personally identifiable information.  Given the tough economic environment, our members have looked at ways to implement cost-effective identity theft red flags programs.</p>
<p><strong>Q: What role does ITAC, the Identity Theft Assistance Center play in this? </strong><br />
A: ITAC will play an integral part in implementing an identity theft red flags program for the vast majority of Roundtable members, as well as those who have participated in the BITS red flags discussions that are using it as part of their comprehensive identity theft program.</p>
<p><em>John Carlson is Senior Vice President of BITS/Financial Services Roundtable where he oversees the BITS regulatory program covering information security, operational risk, vendor management, fraud risk, and business continuity planning.  BITS is the technology and operations division of the Financial Services Roundtable. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://itacidentityblog.com/qa-john-carlson-senior-vice-president-of-bitsfinancial-services-roundtable-discusses-red-flags-rule/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
