
Petco and Privacy: What Does a Recent FTC Order Mean for CUs?

In November 2004, the Federal Trade Commission (FTC) accepted a consent decree from Petco Animal Supplies Inc. for not living up to the privacy promise on the San Diego retailer’s website. The agency took the action because Petco hadn’t taken reasonable steps to protect customers’ credit card information. Similar actions were taken against two mortgage lenders to enforce the Gramm-Leach-Bliley Act’s (GLBA) Safeguards Rule.

The eight-part Petco order is a road map for similar actions by any agency that has GLBA enforcement authority, including the National Credit Union Administration (NCUA). Part I orders Petco not to “misrepresent” the extent to which it maintains and protects the security of its customer information. Petco.com promised that “our customers’ data is strictly protected against any unauthorized access,” and “SSL encrypts your order information to avoid decoding by anyone other than Petco.com.” It followed that statement with a standard privacy policy that’s similar to those on many credit union websites, likely drawn from GLBA standard wording.

Unfortunately for Petco, the FTC found that “since at least Feb. 5, 2001, [Petco’s] website and application had been vulnerable to commonly known or reasonably foreseeable attacks from third parties attempting to obtain access” using common Web attack programs. How many credit unions know how well their online banking system or website host is protected against the type of information theft the FTC addressed?

Part II of the order requires Petco to establish and maintain a comprehensive information security program designed to protect the “security, confidentiality, and integrity of personal information collected from or about consumers.” This includes appointing one or more information security officers, reviewing systems to identify risks, designing reasonable safeguards, and ongoing evaluation, testing, and monitoring of the information security program. With all of the attention paid to identity theft and the damage it may cause to members, can NCUA be far behind? Parts III through VII deal with continuing requirements for implementing and reporting on the security program. Part VIII “sunsets” the order in 20 years.

Within days of FTC’s enforcement actions, some credit unions received contract modifications from auto dealers and other parties that handle member information. These parties asked credit unions to “represent and warrant” that they maintain “physical, electronic, and procedural safeguards that comply with federal and state regulations to guard and protect customer information [the credit union] has access to or acquires pursuant to the terms of this agreement.”

These requests also asked each credit union to hold harmless, defend, and indemnify the merchant in the event of a breach of security due to the credit union’s “failure to take reasonable safeguards to protect” member information or information disclosed by the credit union “outside the scope of its issued privacy statement.”

What an ironic twist. We’ve tried to get dealers and other merchants and service providers that collect lending- or member-related data to agree to a similar contract provision for more than two years. Now they want one from us!

Have your attorney review such a request, and evaluate the relationship with the third party. Do you really need it? If the third party insists and the service is valuable, at a minimum make the promises reciprocal. That is, when the third party’s security is inadequate, the credit union should have the same protections.

Credit unions must understand their member data security. Don’t store data about members that you don’t need. Doing so creates an inviting target.

The Petco order reinforces the need to bind, by contract, any third party that hosts, stores, or uses member information to defined security standards. Credit unions also must insist on proof of information security safeguards, and must document that they periodically review and update their own safeguards. Inspection and test results not only will help during examinations, they’ll improve the security of critical payment systems that carry a growing number of member transactions.

There’s a cost to providing member information security. But as the Petco order shows, a penny saved isn’t good for business when information security is involved.

Bruce Jolly is a partner with Venable LLP, Washington, D.C. Contact him at 202-344-4818 or bjolly@venable.com. This article first appeared in Credit Union Magazine at www.creditunionmagazine.com and is reprinted with permission.
