U.S. 'red flag' rules should affect Canadian banks
Nov. 1 has become a deadline for financial institutions south of the border to comply with regulations that might reduce the threat of identity theft. Entrust offers tools to make the grade.

A new regulation requiring banks and creditors to identify potential consumer identity theft is scheduled to take effect in the United States on Nov. 1, but at least one industry expert said Canada could also experience the spillover effects.

The regulations under the Fair and Accurate Credit Transactions Act (FACTA) require that institutions implement programs to seek patterns in consumer and employee behaviour that might indicate possible foul play. Any organization involved in credit decisions is affected by the regulations, known as the “red flag” rules.

But while only U.S. banks and creditors must comply by Nov. 1, Adel Melek, partner and global leader of security and privacy services with Toronto-based professional services firm Deloitte, said he thinks the regulation could eventually spawn a Canadian version. “Invariably every time there is a piece of legislation that gets introduced, especially in the U.S., there is some consideration for its application in Canada,” said Melek.

He did however add that it would likely take the form of a guideline, rather than a regulation, as has typically been the case north of the border, and “in Canada, by virtue of having a guideline, there would by default not be clear consequences or claws or teeth.”

Beyond a possible Canadian version of the red flag rules, Canadian banks expanding services south of the border will either have to figure out how to earmark U.S. customers (based on identifiers like address or citizenship) in order to ensure compliance, Melek said, or extend blanket coverage.

According to Danny Shaw, global practice leader of technology risk management with U.S.-based Jefferson Wells, the new regulations stem from the fact that identity theft criminals were taking advantage of gaps in existing U.S. legislation, such as the Fair Credit Reporting Act enacted in the 1970s. “So if you think of it, this is really an identity theft regulation even if they’re calling it the red flag rule,” he said.

An instance of a red flag might be when a customer’s identity, such as an address or social security number, is not encrypted and readily accessible on documents or computer systems.

The regulation’s area of coverage is broad, encompassing approximately two million organizations. And the requirements will affect the people, processes and technology that might be in place to manage credit decisions, said Shaw, meaning the impact could potentially be quite “huge” for some organizations.

But while those institutions were made aware of the looming deadline early this year, a recent BankInfoSecurity survey found that almost half of 300 surveyed institutions will either barely meet or will miss the deadline.

Lack of awareness is a contributing factor, said Shaw, but time constraints and the number of regulations that a business must comply with can often complicate the matter. “They need to look at this as part of their normal best practice… While you’re doing these other things, you need to do this also,” said Shaw.

And compliance is crucial, he said, citing the identity theft incident that cost retailer T.J. Maxx an estimated US$4.5 billion to 8.6 billion in damages. “We’re talking real money there,” he said. “This is not one of those things where we lost someone’s record [and] we’ll send them a sorry letter. This is true loss of dollars if they don’t get this done.”

Federal privacy commissioner going too far

The federal Conservatives were elected to power - albeit a minority - at least partially on pledges of openness and transparency.

Their biggest test will come with privacy commissioner Jennifer Stoddart. And if they are true to their word, they will stop Stoddart in her tracks.

It's been reported that in a recent speech to the Canadian Bar Association, Stoddart proposed that names and personal information be removed from decisions and case information from federal tribunals posted on the Internet.

Stoddart is proposing that names be struck from the record and replaced with reversed initials as part of 'anonymizing' the process.

This strikes at the very heart of a process that is a cornerstone to democracy - openness.

The public has the right to attend any of these proceedings.

The Supreme Court of Canada is also studying the issue.

It is already becoming increasingly difficult for the public to get access to what is supposed to be going on in public.

In criminal courts, it used to be that lists with the names and charges would be posted in public places in courthouses for people to see which cases were going on where.

Now it's just a list of names. Information in court records has always been considered public - available to anyone who might ask for them. In many cases, superior courts and appeal courts deliver decisions by way of written judgments, which are often posted on the websites of the courts.

In other words, the courts are using tools at their disposal to ensure the public has access to decisions made by judges - often important decisions that affect the way in which the laws in this country are interpreted.

The same needs to hold true for any public proceeding. Openness is essential to a properly functioning judiciary in a democracy. Openness also protects the rights of individuals who come before tribunals or the courts.

The proceedings take place in public - and by extension must be accessible to the public.

That includes the Internet.

Instead of coming up with more ways of keeping information from the public, the direction from the federal government needs to be the opposite. It needs to find more ways to make information like this available.

Adopting the privacy commissioner's recommendation would be a giant step backward in the fight for openness and transparency in our public institutions.

Federal privacy commissioner Jennifer Stoddart said her office will release a report in the fall about complaints she has received about that practice.

In a speech to the Canadian Bar Association last week, she suggested removing the names from rulings published on the Internet would protect the privacy of Canadians.

"I am not convinced that the broad public needs to know the names of individuals involved or requires access to intimate personal details through decisions posted widely on the Internet," the speaking notes for Stoddart's speech to the bar association conference in Quebec City state.

Tribunal rulings published online could use the initials of individuals, for example, instead of their full names, Stoddart suggested.

Canada's privacy commissioner is responsible for ensuring federal departments and close to 150 federal administrative tribunals comply with federal privacy legislation.

Data “Dysprotection:” breaches reported last week

A recap of breaches newly reported or updated last week on the main news site, PogoWasRight.org. For those looking for annual statistics: as of their last update on August 22, the Identity Theft Resource Center shows 449 breaches reported in the U.S. for this year, surpassing last year’s total record.

Newly reported incidents in the U.S.:

  • Promotion selection lists containing the names and Social Security numbers of more than 50,000 active-component noncommissioned officers were compromised earlier this year and in 2005, according to officials familiar with an ongoing Army investigation.
  • Rochester Institute of Technology officials say that a laptop with personal information on 12,700 people who have applied to enroll at NTID since 1968 was recently stolen from the National Technical Institute for the Deaf.
  • The Washington Trust Co. has notified about 1,000 customers that their debit and credit card accounts might have been compromised in a suspected security breach at an unidentified national MasterCard merchant.
  • A glitch during a computer upgrade at the Louisiana Real Estate Commission caused the names, addresses and Social Security numbers of more than 13,000 licensed agents to be exposed on the Internet.
  • Nye Lubricants notified the New Hampshire Attorney General that an employee “may have accessed electronic personal information stored in certain of the Company’s databases without proper authority and/or for improper purposes” on or about August 15.
  • Confidential information for more than 2,500 students, employees and volunteers in Prince William County was put in the public domain for more than a month this summer after an employee working at home released the data through a file-sharing program.
  • A laptop containing the personal information of at least 4,000 students in the Reynoldsburg City School district was stolen.
  • Heavenly Ham alerted 600 customers of a credit card identity theft that may have occurred.
  • Paper jams in a mail-inserting machine caused 2,845 Pennsylvania Department of Public Welfare renewal packets to go to the wrong Pennsylvania welfare clients’ homes.
  • A database that contains the names, addresses and Social Security numbers of 13,000 retired Ohio police officers was improperly emailed to his own home by a retired Ohio Police & Fire Pension Fund employee.
  • Customers who paid for items at a YMCA fund-raiser with checks or credit cards are being warned about a burglary in which credit and debit card numbers were taken.
  • Eighty-six Kansas State University students are receiving letters from the Division of Continuing Education advising them that papers with their names and Social Security numbers on them were stolen from a parked vehicle last week.
  • If you have used an ATM at the Camelot branch of Wachovia Bank in Cape Coral recently, you may want to check on your account.
  • Thousands of personal records were briefly at risk this summer when an intruder placed a malicious link on the Web site of St. Joseph’s Academy in Baton Rouge.
Newly reported incidents elsewhere: