There are four "high risk" areas that aren't getting the attention they deserve as financial institutions work toward complying with the ID Theft Red Flags Rule, says a leading industry compliance expert. Many institutions have already complied with the regulation and have done their risk assessment to identify covered accounts and determined what red flags they need to be monitoring. But there are areas that should be considered "high risk" and aren't getting the attention they deserve from institutions, says Sai Huda, CEO of Compliance Coach. The Red Flags Rule is a risk-based regulation. As such, Huda says, compliance should be approached from a risk management and not a purely technical perspective, and institutions should ask these questions: * Which accounts are more at risk to identity theft? * Which red flags represent higher risk? * Which detection and response procedures are commensurate with the risks? * Which service providers pose greater risk? * What controls exist to mitigate the risks? The big question that most institutions have at top of mind is "What about enforcement?" Huda says the federal banking regulators are taking a risk-based, top-down approach when assessing institutions. "They are first assessing whether the [institution] has implemented a risk-based program and how it is overseeing compliance," he says. "If the program is risk-based and sound, they will limit their scope. If not, then they will dig deeper."

A security researcher has found that hackers are using Twitter as a means to distribute instructions to a network of compromised computers, known as a botnet. The traditional way of managing botnets is using IRC, but botnet owners are continuously working on finding new ways of keeping their networks up and running, and Twitter seems to be the latest trick.

With mounting concerns over online privacy and information gathering by search engines, Google has come up with a solution, Opt-out village, a 22-acre remote mountain enclave for those obsessed with privacy. According to trusted news network, ONN, access to the new privacy feature is simple. Just click the opt-out button on the Google home page. Within minutes, a van will arrive to sweep you away to Opt-Out Village nestled in the Pacific NorthWest. A team of privacy experts will eliminate your personal identifiers and guarantee that your name and address will not appear on Google local searches.

The federal GLBA, HIPAA, FACTA and its Red Flags and Disposal Rules, state data Breach Notification Laws and many other federal and state laws and industry regulations like PCI-DSS are intended to protect the privacy and security of consumer's personally identifiable and financial information entrusted to businesses and other organizations. Many suchidentity theft, id theft, government security, government privacy regulations aim to prevent identity theft and privacy violations. While some businesses have been negligent in securing information, other businesses have been victimized by black hat hackers or "crackers" who operate ahead of the cybersecurity technology curve. Cybersecurity is an ongoing challenge for businesses and for government as discussed in the President's Cyberspace Policy Review. In the four-year period ending in 2008, 23% of all data breaches reported were attributed to hackers. For those data breaches involving more than one million profiles, hacking was identified as the cause in 66% of the breaches according to a recent research report on data breach risk factors.

Consumers, who become victims of identity theft through access to public records, do not have a clue as to how they became a victim. They cannot know unless the fraudster who "legally accessed" the public information is caught and confesses that they used or sold the information for identity theft. Most often end users of stolen identities are caught, not the kingpins. Illegal immigrants who purchase identities on the street sometimes for hundreds of dollars do not know the source. * What can an identity thief do with a name and SSN? Here is a short list. * Make a fake Social Security Card (see image below) * Make a fake Medicare Card and get medical treatment and Medicare benefits * Use the fake Social Security Card to get a driver's license or passport * Get a job and government benefits. * Get credit and open new financial accounts * Get housing, utilities and phone service * Get insurance * Thieves use fake ID to elude law enforcement by pretending they are you.

Some American Express card members' accounts may have been compromised by an employee's recent theft of data, the company said Thursday. American Express Co. spokeswoman Susan Korchak said a "relatively small portion" of card members was involved, but declined to be more specific. The former employee has been arrested and the company is investigating how the data was obtained, she said. The company is in the process of notifying affected card members by letter. In one such letter sent last week, American Express Privacy Officer Alfred Silipigni said he was informing the member of "an unfortunate issue" concerning his card. "We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company," he wrote. "The former employee has been arrested, and we are cooperating with law enforcement authorities with their ongoing investigation." American Express declined to disclose any more details about the incident beyond what was in the letter. The company has put additional fraud monitoring and protection controls on the accounts at issue, Korchak said. American Express has about 39 million corporate, small business and consumer cards in force in the United States.

Difficult economic times can be the breeding ground for increased fraudulent activities. In July 2009, the Financial Crimes Enforcement Network (www.fincen.gov) published its 12th edition of The SAR Activity Review - By the Numbers. SARs (Suspicious Activity Reports) are one key aspect of FinCEN's efforts related to its responsibility for regulatory administration of the Bank Secrecy Act of 1970. Many different financial industries such as banks, credit unions, insurance companies, check-cashing services, broker/dealers, and casinos are required to complete and file SARs. According to FinCEN's press release on the SAR Activity Review, "The report reveals that of the 20 different violation types tracked, seven of the categories relate specifically to fraud and all seven showed an increase in SAR filings during the year. While these categories represent one-third of the possible violation types, they accounted for nearly half of the increase in total SAR filings from 2007 to 2008, with all of the fraud categories seeing double-digit increases in percentage of filings in 2008. These categories are: check fraud, mortgage loan fraud, consumer loan fraud, wire transfer fraud, commercial loan fraud, credit card fraud, and debit card fraud." Could any of this apply to you? Are your control and monitoring processes able to identify these examples of common patterns of suspicious activity that FinCEN has identified?

DESPITE SIGNIFICANT IMPROVEMENTS since the U.S. Sarbanes-Oxley Act of 2002 became effective, the continuing cost of compliance with the act's Section 404 requirements remains a concern for board members and management. A periodic operational audit of the Section 404 program can provide valuable information to executive management and the audit committee, and potentially identify areas where significant costsavings can be realized. Whether the Section 404 program is managed by the finance department, internal auditing, or another organization, it's an excellent candidate for this type of review, particularly if the focus remains on program efficiency. Several questions, based on The IIA's publication Sarbanes-Oxley Section 404: A Guide for Management by Internal Control Practitioners, can be used as the basis for the audit. The questions cover issues ranging from ensuring that operating management takes ownership of its processes, to achieving fewer and more effective key controls, to determining whether the external auditor's reliance on management testing has been optimized.

Has your management team asked the following four questions about your organization's internal controls? 1) Have we identified the meaningful risks to our objectives? 2) Which controls are "key controls" that will best support a conclusion regarding the effectiveness of internal control in a particular process? 3) What information will be persuasive in assessing whether the controls are continuing to operate effectively? 4) Are we presently performing effective monitoring that is not unnecessary and costly testing? These questions appear in a white paper, "Effective Internal Control Systems for Rapidly Changing Markets: A New Opportunity," packed with answers for GRC professionals wondering if there is a better way to operate. The paper, authored by the GRC experts at advisory firm SMART Group, clearly lays out how controls monitoring processes can and should align with the "Guidance on Monitoring" COSO published earlier this year to help organizations strengthen the effectiveness and efficiency of their internal controls frameworks. Among other useful how-to information, the 12-page paper includes a five-step "Implementation Guide" for creating a better controls-monitoring program.

As I mentioned two weeks ago, a recent survey indicates that more than half of large companies have limited knowledge of which systems or applications their employees have access to. This marks a system access problem, and a growing risk during a period of frequent and large layoffs. If a company needs to turn off access manually (which is often the case), it may miss several user accounts that they don't realize exist. This leaves the door open for past employees, and others, to access important data, including financial information and customer information. To learn more about these open-door system risks, I asked Courion vice president Kurt Johnson about his firm's research.

Wharton School professor Andrea Matwyshyn has attended Defcon for the past five years. This year, her radar is pointing to corporate disclosure of computer security threats. Most consumers, she says, find out about them primarily through news reports and after-the-fact data breach notifications. Big business, Matwyshyn says, needs to do a much better job of keeping customers abreast of how they're dealing with big security threats. "Companies need to be aware that their customers are going to start asking questions about their security and what they're doing," she told Forbes.

On a side table in his Washington offices, Federal Trade Commission Chairman Jon Leibowitz keeps a framed image of Arnold Schwarzenegger from the 1984 film The Terminator. It was given to Leibowitz a couple of years ago by one of the FTC's regional offices, an homage to his crackdown on spyware that surreptitiously gathers information on Web users' surfing habits. Now, Leibowitz wants to terminate-or at least rein in-a different practice he finds no less harmful to consumers: delivering ads to individuals based on the Web pages they visit and searches they carry out. Appointed by President Barack Obama in February to run the country's top consumer watchdog, Leibowitz has made so-called behavioral targeting a top priority. How far he goes in regulating the practice could have big implications for a host of companies that depend on Web advertising and engage in some form of targeting. These include Google (GOOG), Facebook, and Microsoft (MSFT), which on July 29 announced a plan to partner with Yahoo! (YHOO) in the area of Internet search. It would also affect the way legions of companies and advertisers craft marketing campaigns. Behavioral targeting has become more prevalent as it gets easier and cheaper to use software to track online behavior and then use the data to pitch Web users related goods and services. These ads are more likely to induce a customer to make a purchase or otherwise respond to a pitch, researchers say.

For all the concern and uproar over online privacy, marketers and data companies have always known much more about consumers' offline lives, like income, credit score, home ownership, even what car they drive and whether they have a hunting license. Recently, some of these companies have started connecting this mountain of information to consumers' browsers.

A popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic is actually a dangerous BIOS rootkit that can be hijacked and controlled by malicious hackers.

Ignorance may be bliss, but it can also be expensive. Insufficiently knowledgeable computer users are downloading and paying for fake security software in increasing numbers, creating massive revenue for cybercriminals. "More and more people are acclimating to the Internet and they feel they can make these important security decisions," said Sean-Paul Correll, security evangelist and threat researcher for Panda Security. "They don't feel the need to call their tech-savvy grandson."

Free, vendor-neutral online Data and Privacy in Web 2.0 Summit on August 13th. Thought leaders will present a series of webcasts discussing best practices and case studies on legal issues in online social communities, implications of the smart grid and the Cloud, privacy policies and more: http://www.brighttalk.com/summit/dataprivacy2 Web 2.0 services have been rapidly growing because of the value they offer to businesses and individuals alike. However, with so much information at stake and so little control of employees and customer activities online, how do companies ensure consumer and businesses' data are secure and safe from misuse and malware-related data breach? This summit will focus on minimizing leakage from people, devices and data on the move, keeping consumer and businesses' data secure and safe from misuse and malware-related data breach.

The Air Force is seeking an entrepreneurial innovator to develop technology to analyze the conduct of insiders to determine if they pose a threat to government IT systems. In a call for proposals aimed at small businesses, posted on Tuesday, the Air Force is asking outside developers to "define, develop and demonstrate innovative approaches for determining 'good' (approved) versus 'bad' (disallowed/subversive) activities, including insiders and/or malware." For their initial efforts, the Air Force will pay up to $100,000. The proposal says current techniques that monitor illicit activities only address the most blatant violations of policy or the grossest deviations from accepted behavior. Most systems concentrate their resources on repelling attacks at the network borders with little attention devoted to threats that evade detection and/or emanate from within. The proposal states: "As such, there currently exists a great need across the federal, military and private sectors for a viable and robust means to provide near-real-time detection, correlation and attribution of network attacks, by content or pattern, without use of reactive previously-seen signatures. Many times, these trusted entities have detailed knowledge about the currently-installed host and network security systems, and can easily plan their activities to subvert these systems."

GoogleApps is an upgade to the Los Angeles computer systems security? Doesn't that explain a lot?! Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications. In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy. "From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors. Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

Google Inc. this week came swinging at critics who have cited privacy and security concerns in calling on the city of Los Angeles to rethink its plan to implement the Google Apps hosted e-mail and office applications. In an interview yesterday, Matt Glotzbach, director of product management for Google Enterprise, said the angst voiced by consumer groups and others about the Los Angeles project is overstated and based on incomplete information. In fact, he contended that transitioning the applications to Google will strengthen the security of the city's data and better maintain its privacy. "From what I know of the city's operation, this is a security upgrade," Glotzbach said. "Those who may be unfamiliar with cloud computing see this as a security risk simply because it is new and because it is something different," he said. Glotzbach said he believes that at least some of the concerns raised originated from Google's competitors. Meanwhile top managers at the Los Angeles Information Technology Agency (ITA), which oversees technology implementations in the city, yesterday said the city is still committed to implementing Google Apps. The agency insisted that provisions are in place for addressing the security and privacy issues raised by critics. A spokesman for Mayor Antonio Villaraigosa said the city council will sign off on the project only after it is assured that the privacy and security concerns have been properly addressed.

To assist small businesses and other entities, the Federal Trade Commission staff will redouble its efforts to educate them about compliance with the "Red Flags" Rule and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply. To give creditors and financial institutions more time to review this guidance and develop and implement written Identity Theft Prevention Programs, the FTC will further delay enforcement of the Rule until November 1, 2009. The Red Flags Rule is an anti-fraud regulation, requiring "creditors" and "financial institutions" with covered accounts to implement programs to identify, detect, and respond to the warning signs, or "red flags," that could indicate identity theft. The financial regulatory agencies, including the FTC, developed the Rule, which was mandated by the Fair and Accurate Credit Transactions Act of 2003 (FACTA). FACTA's definition of "creditor" includes any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services. Accepting credit cards as a form of payment does not, by itself, make an entity a creditor. "Financial institutions" include entities that offer accounts that enable consumers to write checks or make payments to third parties through other means, such as other negotiable instruments or telephone transfers.

In all of 2008, 40 banking institutions failed - 25 banks and 15 credit unions. So far in 2009, 72 institutions have either been closed or taken over by regulators, including 7 banks just this past weekend. The Federal Deposit Insurance Corporation (FDIC)'s troubled bank list, now at 305, has more than doubled from last year's total, when 117 banks were listed. Which begs the questions: Where and why are all these institutions failing, and how many more closures will we see by year's end? Failures by the Numbers Analysis of this year's bank/credit union failures (see interactive map) reveals some interesting facts: * Total Failed Banks: 64 * Total Failed Credit Unions: 8 o Top States For Failures: o Georgia - 16 banks o Illinois - 12 banks o California - 8 banks, 3 credit unions o Florida - 3 banks * Largest Failure BankUnited, Coral Gables, FL., $12.8 billion in assets, * Total Cost to FDIC Insurance Fund: $13.553 billion