Feds to banks: Put security policies in writing

Government says finance industry must scrutinize the way personal data is handled. But what about other industries?

Anne Broache Staff Writer, CNET News.com

Anne Broache

covers Capitol Hill goings-on and technology policy from Washington, D.C.

Anne Broache

Jan. 10, 2006 1:30 p.m. PT

2 min read

Even if federal law doesn't explicitly say so, all companies that handle personal information for their customers should have written security policies, a computer security attorney said Tuesday.

Last month, the Federal Reserve Board, which governs the U.S. banking industry, issued a new guide stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.

Among other things, those entities are expected to tightly control who can access their customer information systems. The are also called on to monitor physical storage of paper records, set up monitoring systems to detect intruders and provide written contracts outlining how they will respond to suspected breaches.

The new Federal Reserve guidelines don't actually set forth new rules, but they do attempt to clarify some of the legalese contained in the 1999 Graham-Leach-Bliley Act, which outlined data security standards for financial institutions.

"I believe this guidance is useful for a guidepost in enterprises outside of finance," Benjamin Wright, a frequent speaker on information security and e-commerce, said during a presentation hosted by the SANS Institute.

The evidence, he said, lies in recent situations in which courts or the federal government held nonfinancial companies to the same "reasonableness" standard as they did entities expected to follow Graham-Leach-Bliley.

The Federal Trade Commission, for instance, found that shoe retailer DSW's failure to implement "reasonable security measures" led to hackers to gaining access to the financial information of more than 1.4 million customers.

"A written policy is the first step for establishing we are taking reasonable steps within our enterprise to ensure security," Wright said.

In the wake of several high-profile breaches last year, at both financial and nonfinancial firms, Congress considered a number of proposals intended to broaden data security laws. None of those measures advanced to consideration by the full legislative body.

Wright predicted a new round of congressional action in 2006, particularly to set uniform federal standards amid those adopted by individual states.

But for now, many companies must decide for themselves how best to safeguard their systems.

Federal regulations, Wright said, "don't specifically say, 'You need a firewall,' they don't specifically say, 'You need to use x, y, and z encryption'...The guidance is focused much more on saying you need to have a process, and that process needs to have a written policy, and that policy needs to be alive...But one size does not fit all."