Mandatory Requirements

Institutions in the financial, healthcare, government, and other industries are now directly affected by the numerous enacted regulations requiring stronger security and privacy measures. Authernative solutions bridge the gap between efficiency and stringent security, while assisting industries in their efforts to comply with mandated International, federal, and state legislation including:

Enacted Law

Federal Financial Institutions Examination Council (FFIEC) Guidance
U.S. Gramm-Leach-Bliley Act (GLBA)
Health Information Portability and Accountability Act (HIPAA)
California Assembly Bill (AB) 1950
California Database Protection Act (CDPA)
Sarbanes-Oxley Act
Federal Information Security Management Act (FISMA)
U.S. Patriot Act Customer Identification Program (CIP)
The North American Electric Reliability Council Urgent Action Standard 1200
European Union Data Protection Directive
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Senate Approved Legislation

Specter-Leahy Bill (Personal Data Privacy and Security Act of 2005 (S. 1789))

Proposed Legislation

Corporate Information Security Accountability Act
The Data Accountability and Trust Act (DATA Act -- H.R. 4127)
Financial Privacy Protection Act of 2005 (S. 1594)
Consumer Data Security and Notification Act of 2005 (H.R. 3140)
Consumer Notification and Financial Data Protection Act of 2005 (H.R. 3374)
Comprehensive Identity Theft Prevention Act (S. 768)
Notification of Risk to Personal Data Act (S. 751)
Federal Agency Data-Mining Reporting Act of 2005 (S. 1169)
Safeguarding Americans from Exporting Identification Data Act (S. 810)
Safe-ID Act (H.R. 1653)
Financial Data Security Act of 2005 (H.R. 3375)
Basel II Accords
Standards for Safeguarding Customer Information
National Hacker Notification Law
Council of Europe Convention on Cybercrime
Federal Trade Commission National and International Cybersecurity Plan
Identity Theft Prevention and Victim Recovery Act

Federal Financial Institutions Examination Council (FFIEC) Authentication in an Internet Banking Environment Guidance. On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC), which includes the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), issued guidance to all banks offering Internet-based financial services. The guidance describes the enhanced or multi-factor authentication methods that regulators expect banks to use when authenticating the identity of customers who use online products and services. Financial institutions are expected to achieve compliance with the guidance no later than year-end 2006. The guidance, which applies to all member banks, states that firms are expected to use enhanced authentication methods when verifying online customers, and that single-factor authentication, when used as the only control mechanism, is inadequate for high-risk transactions involving access to customer information or the movement of funds. Where risk assessments indicate that the use of single-factor authentication is inadequate, FFIEC says financial institutions should implement multi-factor authentication.

Download FFIEC Report with FDIC Summary Cover Sheet

Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment. On August 15, 2006, the staffs of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision (the Agencies) jointly developed a set of frequently asked questions (FAQs) to assist financial institutions and their technology service providers in understanding the Federal Financial Institutions Examination Council's (FFIEC's) guidance entitled Authentication in an Internet Banking Environment (the guidance).

Download the Frequently Asked Questions on FFIEC Guidance

U.S. Gramm-Leach-Bliley Act (GLBA). On November 12, 1999, the Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act, 106 P.L. 102; 113 Stat. 1338 (the FSMA), was signed into law. GLBA requires financial institutions and their partners to protect the security and confidentiality of non-public customer information, to protect against any anticipated threats or hazards to the security or integrity of customer information, and to protect against unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to customers. Failure to comply with GLBA results in significant regulatory fines for the financial institution. CEOs and directors can be held personally responsible and legally liable for any misuse of personally identifiable non-public information. Actual adoption of security technology is mandated by the following requirements imposed on financial companies by Section III.C.1 of the guidelines:

  • Access controls on customer information systems
  • Encryption of electronic customer information
  • Procedures to ensure that system modifications do not affect security
  • Monitoring systems to detect actual attacks on, or intrusions into, customer information systems
  • Response programs that specify actions to be taken when unauthorized access has occurred

Health Information Portability and Accountability Act (HIPAA) of 1996 mandates standards for the transaction, security, and privacy of electronically protected health information to be implemented by health plans (payer organizations such as health maintenance organizations and preferred provider organizations), providers (such as hospitals, physicians, pharmacies and dentists), and clearinghouses. Aspects of HIPAA apply to employees, trainees/students, volunteers, staff or credentialed MDs, and contractors. HIPAA also applies to business associates, which can include billing/collection agencies, accreditation agencies, auditors, lawyers, consultants, vendors, and case managers, to name a few. The Act requires covered entities to implement procedures aimed at restricting access to electronic data to those who are properly authorized, to protect the confidentiality of data while it is being communicated and as it is being stored, and to maintain business continuity in the face of various contingencies. On April 14, 2003 new federal regulations to protect medical privacy went into effect.

California Assembly Bill (AB) 1950. On 29 September 2004, California Assembly Bill (AB) 1950 became law, taking effect 1 January 2005. The bill requires any business or other entity (California-based or otherwise) that holds information about California residents to maintain "reasonable security procedures and practices appropriate to the nature of the information" to protect this information from unauthorized use or disclosure. In particular, AB 1950 protects the following information types when combined with an individual's last name and first name or first initial, and when such information is not publicly available: Social Security Number, driver's license number or California identification card number, account numbers, credit or debit card numbers, and medical information. AB 1950 significantly expands on SB 1386, further requiring information holders to:

  • Take "reasonable precautions" to protect personal information from modification, deletion, disclosure and misuse.
  • Require partners with which information holders share information to meet the same standards.
  • Protect personal healthcare information.

California Database Protection Act (CDPA), Civil Code §1798.82 (formerly Senate Bill 1386 of 2002), took effect in July 2003. CDPA mandates public disclosure of computer security breaches in which confidential information may have been compromised. The law covers not just state agencies but all private enterprises doing business in California. Any entity that fails to disclose that a breach has occurred could be liable for civil damages or face class-action lawsuits. Personal confidential information includes first and last names in conjunction with any of the following data: Social Security Number; driver's license or California identification card number; or account number, credit or debit card number together with any required security code, access code, or password that would permit access to an individual's financial account.

Sarbanes-Oxley Act of 2002 requires companies to comply with financial reporting requirements, one of which entails describing and evaluating the effectiveness of internal controls. This implies greater security of systems, stronger authentication, and deeper audit trails that record where the information used to generate reports came from and who has changed it.

Federal Information Security Management Act (FISMA) — the E-Government Act (Public Law 107-347) passed by Congress and signed into law by the President in December 2002 recognized the importance of information security to the economic and national security interests of the United States. Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA), requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

FISMA, along with the Paperwork Reduction Act of 1995 and the Information Technology Management Reform Act of 1996 (Clinger-Cohen Act), explicitly emphasizes a risk-based policy for cost-effective security. In support of and reinforcing this legislation, the Office of Management and Budget (OMB) through Circular A-130, Appendix III, Security of Federal Automated Information Resources, requires executive agencies within the federal government to:

  • Plan for security
  • Ensure that appropriate officials are assigned security responsibility
  • Periodically review the security controls in their information systems
  • Authorize system processing prior to operations and, periodically, thereafter

U.S. Patriot Act Customer Identification Program (CIP) — increases requirements for positive identification of the holders of financial assets; the implementing industry-wide regulations took effect on October 1, 2003. This program requires financial services firms operating in the U.S. to obtain, verify, and record information that identifies each individual or entity that opens an account.

The North American Electric Reliability Council Urgent Action Standard 1200 requires that subject entities: (1) identify and implement electronic access controls for access to critical cyber assets within the electronic security perimeter; (2) identify all personnel, including contractors and service vendors, who are granted electronic or physical access to critical cyber assets; and (3) maintain a document that identifies the access limitations on sensitive information related to critical cyber assets.

European Union Data Protection Directive applies to firms operating in the European Union and specifies that "personal data" must have "appropriate security", either compliant with ISO/IEC 17799 or BS 7799-2. The directive prohibits an individual's personal information from being accessed and redeployed for other uses. It also requires appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection and use of personal information via the Internet. The Act applies not only to Canadian companies but potentially to any entity that collects personal information in Canada and/or personal information from Canadian citizens. The Act responds to advances in information technology, a growing public concern for the privacy of personal financial and health information and correspondence, and the need for more reliable and standardized treatment of e-commerce and electronic documents. Under the Act, personal information is to be protected by security safeguards appropriate to the sensitivity of the information. These safeguards must protect the information against loss or theft and against unauthorized access, disclosure, copying, use, or modification. More sensitive information, such as patient records, should be safeguarded by a higher level of protection.

Specter-Leahy Bill (Personal Data Privacy and Security Act of 2005 (S. 1789)). Requires entities holding personal data to establish internal policies that protect that data. Requires that entities notify consumers, as well as law enforcement, of a breach. Prohibits companies from requiring consumers to disclose Social Security numbers. Increases punishment for identity theft and other data privacy and security violations. It additionally mandates that the General Services Administration review commercial data contracts with an eye toward information security.

Corporate Information Security Accountability Act. On 9 October 2003, U.S. Homeland Security Secretary Tom Ridge stated that the U.S. government may require publicly traded companies to disclose details of their information security readiness to the Securities and Exchange Commission (SEC) in their quarterly and annual reports. The Department of Homeland Security plans to work with the SEC to develop requirements for the inclusion of security information in financial reporting; the U.S. Congress is preparing draft legislation with the same objective. Reporting requirements of this type — comparable to those that were required for Y2K preparedness — would force the board of directors of a publicly traded company to assign oversight responsibility to a specific board member. The chief executive officer (CEO) and chief financial officer (CFO) would have to increase their attention to the overall security posture of the business, instead of treating security as an isolated IT problem. This legislation may be enacted no later than the end of 2005.

The Data Accountability and Trust Act (DATA Act -- H.R. 4127) seeks to protect consumers by creating federal standards and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach.

Financial Privacy Protection Act of 2005 (S. 1594). Requires financial service providers to maintain customer information security systems and to notify customers of unauthorized access to personal data.

Consumer Data Security and Notification Act of 2005 (H.R. 3140). Expands protections for sensitive personal information. Regulates the information collection and sharing practices of unregulated information brokers, while expanding data security guidelines for consumer reporting agencies and information brokers. It also requires that these agencies notify consumers of data security breaches involving sensitive information. Financial services firms must do the same.

Consumer Notification and Financial Data Protection Act of 2005 (H.R. 3374). Provides for uniform and timely notice of data breaches for consumers whose sensitive financial personal information has been placed at risk.

Comprehensive Identity Theft Prevention Act (S. 768). Establishes an Office of Identity Theft within the Federal Trade Commission while requiring that the FTC disseminate regulations regarding collection, maintenance, sale or transfer of personal data. It also sets information breach notification standards and prohibits unnecessary solicitation of Social Security numbers.

Notification of Risk to Personal Data Act (S. 751). Requires federal agencies that are engaged in interstate commerce to disclose unauthorized acquisition of an individual's personal information.

Federal Agency Data-Mining Reporting Act of 2005 (S. 1169). Requires reports to Congress on use of data mining by federal agencies.

Safeguarding Americans from Exporting Identification Data Act (S. 810). Regulates transmission of personally identifiable information to foreign affiliates and subcontractors.

Safe-ID Act (H.R. 1653). Prohibits transfer of personal information to anyone outside the United States without notice and consent.

Financial Data Security Act of 2005 (H.R. 3375). Amends the Fair Credit Reporting Act to include a section on data security safeguards, including notice stipulations. More specifically, the security policies and procedures place an affirmative obligation on each consumer reporter to implement, and a continuing obligation to maintain, reasonable policies and procedures to protect the security and confidentiality of sensitive financial personal information relating to any consumer that is maintained, serviced, or communicated by or on behalf of such consumer reporter, against any unauthorized use that is reasonably likely to result in substantial harm or inconvenience to such consumer. If an investigation finds it necessary, the consumer reporter must provide notice to the consumer in the event of potential identity theft risk, potential fraudulent transaction risk, or a potentially delayed determination for information security programs.

Basel II Accords. In April 2003, the Basel Committee on Bank Supervision (BCBS) issued the third consultative document on the New Basel Capital Accord, which, when finalized, will replace the current 1988 Capital Accord. The Basel Committee has moved more aggressively to promote sound supervisory standards and guidelines worldwide, and recommends to international financial institutions statements of best practice, which will be implemented by statute or otherwise. Of greatest concern to the IT community is the Basel II Accords' focus on operational risk. The Committee has adopted the common industry definition of operational risk as "the risk of direct or indirect loss resulting from inadequate or failed internal process, people and systems, or from external events", a definition which clearly encompasses IT security. Specifics for compliance are not yet clear, as compliance will not be required until 2006, but the expected regulatory requirements do imply a need for strong authentication, authorization, and auditing of all information access to banking and customer data.

Standards for Safeguarding Customer Information, proposed by the Federal Trade Commission (FTC) in July 2001, are expected to be finalized soon, further requiring security, privacy, and confidentiality of customer records and information.

National Hacker Notification Law, proposed in the U.S. Senate in 2003, if passed, will require firms or government agencies to notify people if their personal data has been compromised by hackers or similar intruders. The bill defines personal data as an individual's Social Security number, driver's license number, bank account number, or credit card details. Agencies or companies that fail to comply with the law would be subject to fines of $5,000 per violation or up to $25,000 per day while the violations continue.

Council of Europe Convention on Cybercrime, signed by the United States on November 23, 2001, was submitted to the Senate for ratification on November 17, 2003. The Convention requires Parties to criminalize certain conduct that is committed through, against, or in relation to computer systems. Such substantive crimes include offenses against the "confidentiality, integrity and availability" of computer data and systems, as well as using computer systems to engage in conduct that would be criminal if committed outside the cyber realm, i.e., forgery, fraud, child pornography, and certain copyright-related offenses. The Convention also requires Parties to have the ability to investigate computer-related crime effectively and to obtain electronic evidence in all types of criminal investigations and proceedings.

Federal Trade Commission National and International Cybersecurity Plan was submitted to the U.S. House of Representatives Subcommittee on Commerce, Trade and Consumer Protection on November 19, 2003. The Federal Trade Commission has outlined a multi-faceted strategy for protecting the nation's information infrastructure that involves education, law enforcement, and international cooperation. Specifically, the FTC has taken action to protect consumers against cybersecurity breaches under the auspices of a U.S. law that outlaws "unfair or deceptive acts or practices in or affecting commerce", especially on behalf of consumers who were falsely led to believe that a company with which they were doing business online was providing adequate safeguards to ensure the security of their transactions. The FTC has also taken punitive action against companies that fail to provide security measures that are "appropriate for the kind of information it collects and maintains."

Identity Theft Prevention and Victim Recovery Act, proposed by Senator Jon Corzine in March 2005, requires financial institutions and other commercial entities, including data brokers, to establish security systems that protect the personal data of their customers. The CEO would be required to personally attest that the safeguards are in place and that the company monitors compliance. The legislation would also require firms to promptly notify affected customers in the event of a breach involving sensitive customer information.