It would be surprising if anyone has not heard by now about Epsilon, an online marketing unit of Alliance Data Systems Corp. Epsilon experienced a significant security breach on March 30, 2011. The breach occurred when customers’ emails were accessed without authorization. It is reported that the Epsilon customers impacted include TiVo, Kroger, JPMorganChase, US Bank, Capital One, Citi and many others.
In this age of information technology, many experts say that it is not “if” a security breach will happen, but “when.” Financial institutions are not immune. In developing and reviewing information security controls, policies and processes, financial institutions have a variety of sources upon which to draw. Federal laws and regulations address security, as does regulator-issued security-related guidance. Another resource is the FFIEC IT Examination Handbook, which can be found at http://ithandbook.ffiec.gov/it-booklets/information-security.aspx.
Senior management in financial institutions sets the tone for the importance of, awareness of and compliance with information security. It is important for financial institutions to have written policies and governance for information security functions; develop and implement an information security strategy to mitigate risks; institute and maintain an ongoing information security risk assessment program; and put in place security controls to effectively allow and monitor access to systems.
For more information, please contact jphipps@dickinsonlaw.com / 515-246-4531 or any member of Dickinson's Banking Law Group.