
Regulatory issues.

Encryption. The Commerce Department has proposed new regulations for the export of encryption products. The proposal, which further clarifies a recent announcement by President Clinton, would allow the unlimited export of encryption products to certain types of organizations. (See "Legal Reporter," December 1998.) The organizations allowed to receive exported encryption products, regardless of key length, are subsidiaries of U.S. companies and foreign commercial firms that are insurance companies, health and medical end-users, and online merchants. For any other uses, the proposed regulations allow the export of encryption hardware and software of up to 56 bits without a license after a one-time technical review. Comments on the proposal, which must be received by March 1, 1999, should be sent to Nancy Crowe, Regulatory Policy Division, Bureau of Export Administration, Department of Commerce, P.O. Box 273, Washington, D.C. 20044.

Electronic privacy. Privacy advocates and computer industry representatives have criticized the electronic privacy guidelines recently developed by the Department of Commerce (DOC) to help U.S. companies comply with privacy standards set by the European Union (EU).

The guidelines, titled "The International Safe Harbor Privacy Principles," were drafted in response to the EU's "Directive on Data Protection." The EU document sets standards required for any party exchanging personal electronic information with an EU member state. Because the United States lacks comprehensive federal legislation on privacy of personal information, U.S. companies will not be allowed to exchange information with EU states unless they can prove that they adequately protect the privacy of such data. The principles proposed by the DOC were designed to give U.S. companies a set of criteria to meet that would establish a "safe harbor" for purposes of compliance with EU objectives.

In general, the DOC document requires that companies provide notice to individuals about the expected types and uses of personal information. Consumers must also be given the opportunity to disallow the use of their information for any purpose other than that for which they originally disclosed the data. Consumers must also be allowed to choose whether their information is transferred to a third party and must be given access to information kept on them.

Under the proposed guidelines, companies must take reasonable security measures to protect personal information and must ensure the accuracy of such data. And, finally, the measure requires that companies provide a method of redress for those consumers who feel that their privacy rights have been violated.

While most of the approximately forty-five respondents agreed with the goals of the proposal, almost all criticized the specifics. The major points of contention included the vague nature of the guidelines, the difficulty of compliance, and the methods of enforcement.

Several comments dealt with issues specific to security and fraud prevention. Norman Willcox, president and CEO of the National Fraud Center, commented that U.S. laws and regulations protecting the privacy of personal information often exempt data used in fraud prevention. The DOC should, therefore, create an exception for security personnel and investigators, wrote Willcox. Similarly, John Byrne of the American Bankers Association noted that financial institutions are required to report suspicious transactions and to gather information to deter fraud. The DOC principles, commented Byrne, should clearly state that the gathering of such information does not have to be approved by or disclosed to customers.

A primary complaint apart from security issues concerned the proposal's vague language. For example, according to comments submitted by James Cregan, senior vice president for the Magazine Publishers of America, the lack of definitions for such terms as "sensitive information" and "reasonable security measures" leaves too much room for misunderstanding.

Respondents also noted that in some instances the proposed DOC standards are more exacting than the EU directive. For example, respondent Arthur Sackler, vice president of law and public policy for Time Warner, Inc., noted that the safe harbor principles would require that companies tell individuals how information is collected. This level of technical detail is not required by the EU. The principles would also require that companies ensure that third parties using customer information have privacy protections, a policing function that, according to the comments of Tess Koleczek, Web site data protection manager for Netscape, would be costly and labor-intensive and could increase a company's liability.

An overriding question concerns whether these proposed guidelines will meet EU standards. While some news organizations such as Reuters have reported that the EU has rejected the safe harbor principles as inadequate, Eric Fredell, spokesperson for the DOC's Task Force on Electronic Commerce, says that talks with EU representatives are still ongoing.

For copies of the safe harbor principles and the industry comments, log on to SM Online.

Bank security. The Office of the Comptroller of the Currency (OCC) has issued an alert to all U.S. banks concerning the security and privacy of customer information. The advisory warns bank officials of scams used to obtain customer information and offers security recommendations to help prevent the release of private data.

The advisory contains a warning about pretext calling, a method that information thieves use to obtain customer data from bank employees. The thief, often an information broker who is selling facts to a third party, calls a bank's customer service department and gives an account or Social Security number. Convinced that the caller is a legitimate accountholder, the employee gives out confidential information about those accounts. According to the advisory, some data thieves pretending to have lost an account number repeatedly call a bank until they find someone who will give the desired information.

The advisory offers several recommendations to help banks safeguard against these scams. First, the OCC recommends that banks develop policies and procedures for addressing information privacy. These procedures can be multifaceted but should, at least, establish guidelines for releasing customer information. Employees should be trained to recognize the tactics used to obtain confidential information.

Banks should also consider stringent security controls, says the advisory, such as requiring an authorization code before releasing information over the telephone. This code, which should be similar to a PIN, should not be linked to any other bank information such as account, Social Security, or ATM numbers.

Financial institutions must also test their own security procedures. To do this, the OCC advocates that a bank's security department conduct its own pretext calls to determine whether employees are inappropriately releasing customer information.
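The following is an added example, not code from the OCC advisory or from Security Management, of the telephone-verification control the advisory describes: an authorization code that is generated independently of the account and Social Security numbers (and rejected if it happens to appear inside either), stored only as a salted hash, and checked with a per-account failure counter so that a caller who tries repeatedly, with different employees, runs into a lockout rather than eventually finding someone who will release the data. The code length, the lockout threshold, the hashing parameters and the record layout are assumptions; the advisory specifies none of them.

```python
"""Caller verification with a PIN-like authorization code that is
independent of other identifiers, plus a lockout against repeated
pretext calls. Added example; the record layout and thresholds below
are assumptions, not the OCC's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CODE_LENGTH = 6          # assumed length of the authorization code
MAX_FAILED_ATTEMPTS = 3  # assumed lockout threshold, counted per account
PBKDF2_ROUNDS = 100_000  # assumed work factor for the stored hash


@dataclass
class CustomerRecord:
    """Constructed stand-in for a bank's customer record."""
    account_number: str
    ssn: str
    salt: bytes
    code_hash: bytes          # the code itself is never stored
    failed_attempts: int = 0
    locked: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


def overlaps_identifier(code: str, identifiers) -> bool:
    """True if the code occurs as a digit run inside any existing
    identifier (account number, SSN, ...), i.e. it is 'linked' to it."""
    digit_runs = ["".join(ch for ch in ident if ch.isdigit()) for ident in identifiers]
    return any(code in run for run in digit_runs)


def generate_auth_code(account_number: str, ssn: str) -> str:
    """Random code, regenerated until it shares no digit run with the
    customer's other identifiers."""
    while True:
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        if not overlaps_identifier(code, (account_number, ssn)):
            return code


def enroll(account_number: str, ssn: str):
    """Create the record and return it with the one-time plaintext code
    that is handed to the customer out of band."""
    code = generate_auth_code(account_number, ssn)
    salt = secrets.token_bytes(16)
    record = CustomerRecord(account_number, ssn, salt, _hash_code(code, salt))
    return record, code


def verify_caller(record: CustomerRecord, claimed_identifier: str, code: str) -> str:
    """Decide whether information may be released to a telephone caller.

    The account or Social Security number a caller recites only selects
    the record; it never authenticates. Only the authorization code does,
    and failures accumulate on the account, not on the employee answering.
    """
    if record.locked:
        return "locked"
    if claimed_identifier not in (record.account_number, record.ssn):
        return "denied"
    if not hmac.compare_digest(_hash_code(code, record.salt), record.code_hash):
        record.failed_attempts += 1
        if record.failed_attempts >= MAX_FAILED_ATTEMPTS:
            record.locked = True   # further calls go to a manual review path
            return "locked"
        return "denied"
    record.failed_attempts = 0
    return "ok"


if __name__ == "__main__":
    rec, issued = enroll("123456789012", "123-45-6789")   # constructed values
    print(verify_caller(rec, "123456789012", issued))      # ok
    print(verify_caller(rec, "123-45-6789", "000000"))     # denied (or locked after repeats)
```

The lockout is deliberately keyed to the customer record rather than to the call, because the advisory's observation is that thieves call back until they reach a more pliable employee; a counter that resets with each new call would not see that pattern.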

The OCC recommendations are available at SM Online.
COPYRIGHT 1999 American Society for Industrial Security

Article Details
Title Annotation: on encryption, electronic privacy and bank security
Author: Anderson, Teresa
Publication: Security Management
Date: Feb 1, 1999