Regulatory issues. Encryption. The Commerce Department has proposed new regulations for the export of encryption products. The proposal, which further clarifies a recent announcement by President Clinton, would allow the unlimited export of encryption products to certain types of organizations. (See "Legal Reporter," December 1998.) Those organizations allowed to receive exports of encryption products, regardless of key length, are subsidiaries of U.S. companies and foreign commercial firms that are insurance companies, health and medical end-users, or online merchants. For any other uses, the proposed regulations allow the export of encryption hardware and software of up to 56 bits without a license after a one-time technical review. Comments on the proposal, which must be received by March 1, 1999, should be sent to Nancy Crowe, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, P.O. Box 273, Washington, D.C. 20044.
Electronic privacy. Privacy advocates and computer industry representatives have criticized the electronic privacy guidelines recently developed by the Department of Commerce (DOC) to help U.S. companies comply with privacy standards set by the European Union (EU).
The guidelines, titled "The International Safe Harbor Privacy Principles," were drafted in response to the EU's "Directive on Data Protection." The EU document sets standards required for any party exchanging personal electronic information with an EU member state. Because the United States lacks comprehensive federal legislation on privacy of personal information, U.S. companies will not be allowed to exchange information with EU states unless they can prove that they adequately protect the privacy of such data. The principles proposed by the DOC were designed to give U.S. companies a set of criteria to meet that would establish a "safe harbor" for purposes of compliance with EU objectives.
In general, the DOC document requires that companies provide notice to individuals about the expected types and uses of personal information. Consumers must also be given the opportunity to disallow the use of their information for any purpose other than that for which they originally disclosed the data. Consumers must also be allowed to choose whether their information is transferred to a third party and must be given access to information kept on them.
Under the proposed guidelines, companies must take reasonable security measures to protect personal information and must ensure the accuracy of such data. And, finally, the measure requires that companies provide a method of redress for those consumers who feel that their privacy rights have been violated.
While most of the approximately forty-five respondents agreed with the goals of the proposal, almost all criticized the specifics. The major points of contention included the vague nature of the guidelines, the difficulty of compliance, and the methods of enforcement.
Several comments dealt with issues specific to security and fraud prevention. Norman Willcox, president and CEO of the National Fraud Center, commented that U.S. laws and regulations protecting the privacy of personal information often exempt data used in fraud prevention. The DOC should, therefore, create an exception for security personnel and investigators, wrote Willcox. Similarly, John Byrne of the American Bankers Association noted that financial institutions are required to report suspicious transactions and to gather information to deter fraud. The DOC principles, commented Byrne, should clearly state that the gathering of such information does not have to be approved by or disclosed to customers.
A primary complaint apart from security issues concerned the proposal's vague language. For example, according to comments submitted by James Cregan, senior vice president for the Magazine Publishers of America, the lack of definitions for such terms as "sensitive information" and "reasonable security measures" leaves too much room for misunderstanding.
Respondents also noted that in some instances the proposed DOC standards are more exacting than the EU directive. For example, respondent Arthur Sackler, vice president of law and public policy for Time Warner, Inc., noted that the safe harbor principles would require that companies tell individuals how information is collected. This level of technical detail is not required by the EU. The principles would also require that companies ensure that third parties using customer information have privacy protections, a policing function that, according to the comments of Tess Koleczek, Web site data protection manager for Netscape, would be costly and labor-intensive and could increase a company's liability.
An overriding question concerns whether these proposed guidelines will meet EU standards. While some news organizations such as Reuters have reported that the EU has rejected the safe harbor principles as inadequate, Eric Fredell, spokesperson for the DOC's Task Force on Electronic Commerce, says that talks with EU representatives are still ongoing.
For copies of the safe harbor principles and the industry comments, log on to SM Online.
Bank security. The Office of the Comptroller of the Currency (OCC) has issued an alert to all U.S. banks concerning the security and privacy of customer information. The advisory warns bank officials of scams used to obtain customer information and offers security recommendations to help prevent the release of private data.
The advisory contains a warning about pretext calling, a method that information thieves use to obtain customer data from bank employees. The thief, often an information broker who is selling facts to a third party, calls a bank's customer service department and gives an account or Social Security number. Convinced that the caller is a legitimate accountholder, the employee gives out confidential information about those accounts. According to the advisory, some data thieves pretending to have lost an account number repeatedly call a bank until they find someone who will give the desired information.
The advisory offers several recommendations to help banks safeguard against these scams. First, the OCC recommends that banks develop policies and procedures for addressing information privacy. These procedures can be multifaceted but should, at least, establish guidelines for releasing customer information. Employees should be trained to recognize the tactics used to obtain confidential information.
Banks should also consider stringent security controls, says the advisory, such as requiring an authorization code before releasing information over the telephone. This code, which should be similar to a PIN, should not be linked to any other bank information such as account, Social Security, or ATM numbers.
Financial institutions must also test their own security procedures. To do this, the OCC advocates that bank security conduct its own pretext calling to determine whether employees are inappropriately releasing customer information.
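As an added illustration of the two controls the advisory describes (a telephone authorization code that is independent of account, Social Security and ATM numbers, and attention to repeated calls about the same account), the following Python sketch is not from the OCC or the article; the in-memory stores, the one-hour window and the three-call limit are assumed values chosen for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed in-memory stores for the example (a bank would use its core systems).
_code_hashes = {}               # account_id -> (salt, SHA-256 of salt + code)
_call_log = defaultdict(list)   # account_id -> timestamps (seconds) of calls received


def issue_phone_code(account_id: str, length: int = 6) -> str:
    """Create a numeric telephone authorization code for an account.

    The digits come from a CSPRNG, so the code cannot be derived from the
    account, Social Security or ATM number, as the advisory recommends.
    Only a salted hash is retained; the clear code is handed to the customer once.
    """
    code = "".join(str(secrets.randbelow(10)) for _ in range(length))
    salt = secrets.token_bytes(16)
    _code_hashes[account_id] = (salt, hashlib.sha256(salt + code.encode()).digest())
    return code


def verify_phone_code(account_id: str, offered: str, now: float,
                      window: float = 3600.0, max_calls: int = 3) -> bool:
    """Decide whether a caller may be given details about an account.

    Every call is logged first. If more than max_calls calls about the same
    account arrive within the window, the request is refused even with a
    correct code, because the advisory notes that thieves redial until an
    employee talks. A wrong or unknown code is refused with a constant-time
    comparison. Trade-off (assumed policy): a burst of calls can temporarily
    lock out the genuine customer, who must then be handled by a supervisor.
    """
    recent = [t for t in _call_log[account_id] if now - t < window]
    recent.append(now)
    _call_log[account_id] = recent
    if len(recent) > max_calls:
        return False
    entry = _code_hashes.get(account_id)
    if entry is None:
        return False
    salt, stored = entry
    digest = hashlib.sha256(salt + offered.encode()).digest()
    return hmac.compare_digest(digest, stored)
```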
The OCC recommendations are available at SM Online.