Chapter 3 - Information Technology for Risk Managers Flashcards
Gramm-Leach-Bliley Act of 1999
- Applies to financial institutions - banks, brokerages and insurance companies.
- Must securely store personal information
- Must disclose policies regarding information sharing and allow customers the opportunity to opt out.
Data Security and Breach Notification Act of 2015
- Requires business entities to:
a. Employ security measures that protect data from unauthorized access
b. Restore data systems, data integrity and confidentiality after a security breach
c. Determine whether a breach will result in economic loss, identity theft or financial fraud
- In the event of a breach, requires business entities to notify:
a. Affected U.S. residents
b. The FTC and the U.S. Secret Service or FBI
c. Consumer reporting agencies, if more than 10,000 individuals are affected
Fair and Accurate Credit Transactions Act of 2003 (FACT Act or FACTA)
- Allows consumers to request and obtain a free credit report once every 12 months.
- Contains provisions to help reduce identity theft, such as the ability to place alerts on credit histories if identity theft is suspected, and requires secure disposal of consumer information.
- Also requires reporting agencies to block reporting of any information in a consumer’s file that originated from an alleged identity theft.
Cybersecurity Information Sharing Act of 2015 (CISA)
Makes it easier for companies to share information, including personal information, with the government in cases of cybersecurity threats
1. Creates a system for federal agencies to receive cyber threat indicators from private companies
2. Includes provisions requiring removal of data known to be both personally identifiable and not directly related to a cybersecurity threat before it is shared
Red Flags Rule
Created by the FTC to help prevent identity theft; applies to financial institutions and creditors
1. Financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer.
2. Creditor applies to any entity that regularly extends or renews credit - or arranges for others to do so - and includes all entities that regularly permit deferred payments for goods or services
A creditor:
a. Obtains or uses consumer credit reports and provides information to consumer reporting agencies or
b. Advances funds which must be repaid in the future (or against collateral).
Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended…
Any healthcare provider (and, more broadly, any covered entity or business associate) that electronically stores, processes or transmits protected health information must comply with its regulations.
Sets standards for documentation, handling and privacy of medical records.
HIPAA Security Rule - defines the administrative, physical and technical safeguards that must be in place for electronic protected health information and who may have access to the data
Adopts standardized code sets for medical data - diagnoses, procedures and drugs (e.g., ICD, CPT and NDC codes).
Federal Information Security Management Act of 2002 (FISMA)
Applies to Federal Agencies
Has brought attention within the federal government to cyber security and explicitly emphasizes a “risk-based policy for cost-effective security”
Requires agency program officials, chief information officers and inspectors general to conduct annual reviews of the agency’s information security program and report the results to the Office of Management and Budget
Fair Credit Reporting Act (FCRA)
Was enacted to promote the accuracy, fairness and privacy of information gathered in the files of consumer reporting agencies
- Intended to protect consumers from inaccurate information on their credit reports; the FCRA regulates the collection, dissemination and use of consumer information.
- The FCRA forms the foundation of consumer rights law in the United States; originally passed in 1970, it is enforced by the FTC, the Consumer Financial Protection Bureau and private litigants.
Data Quality Act (DQA) or Information Quality Act (IQA)
Applies to the sharing by federal agencies of, and access to, information disseminated by federal agencies, and
Requires that each federal agency to which the guidelines apply:
- Issue guidelines ensuring and maximizing the quality, objectivity, utility and integrity of information (including statistical information) disseminated by the agency, not later than one year after the date of issuance of the OMB guidelines.
- Establish procedures allowing affected persons to seek and obtain a correction of information maintained and disseminated by the agency that does not comply with the guidelines.
- Report periodically to the Director of the Office of Management and Budget on the number and nature of complaints received by the agency regarding the accuracy of information it disseminates, and on how such complaints were handled by the agency.
What are the 4 steps in the data risk assessment?
1) Data inventory - What data do you have? What type? How many records? Is any of it sensitive data (PII, PHI, PIFI, claims data, intellectual property, data belonging to others)?
2) Data risk analysis - Why is retention risky?
a. Records have value.
b. The type and quantity of data stored may make the organization a target for hacking, identity theft, cyberterrorism, extortion, corporate espionage, etc.
c. The greater the volume, the greater the risk a release creates.
d. What are the potential repercussions of a release of the information?
- Direct: data restoration, client notification, credit monitoring, investigation, loss of service, regulatory penalties, lawsuits, etc.
- Indirect: reputation, loss of goodwill, etc.
3) Data mapping - Tracking the data life cycle, from point of input through storage to output, to identify the organization's systems that are involved and that expose the organization to risk.
a. Multiple databases: HR, accounting, procurement, proprietary information, claims management system
b. Information exchange: who is the data shared with? Between departments; with outside parties.
4) Data protection and exposure reduction - What steps has the organization taken to protect the data and reduce the exposure?
a. Testing of firewalls, vulnerabilities and password strength
b. Implementing new security measures and policies
c. Training and educating employees
d. Monitoring and enforcing policies
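The data inventory step above asks what data exists, how many records there are and whether any of it is sensitive. The script below is an added example, not part of the original flashcards, showing one way to answer that for a table export: it scans every field value (not field names, which are often wrong or missing) for Social Security numbers, e-mail addresses, payment card numbers validated with the Luhn check, and ICD-10-style diagnosis codes, then counts records per category (PII, PIFI, PHI). The sample records, the category labels and the regular expressions are the author's own assumptions here; real exports would need the patterns tuned to the data actually held.

```python
import re
from collections import Counter

# Constructed, fictitious sample records standing in for a claims/HR export.
# The card number in record E is deliberately one digit off so it fails Luhn.
SAMPLE_RECORDS = [
    {"name": "A. Claimant", "id": "123-45-6789", "contact": "a@example.com", "dx": "J45.909"},
    {"name": "B. Vendor", "payment": "4111 1111 1111 1111", "contact": "b@example.com"},
    {"name": "C. Employee", "note": "SSN on file: 987-65-4321"},
    {"name": "D. Prospect", "contact": "d@example.com"},
    {"name": "E. Bogus", "payment": "4111 1111 1111 1112"},
]

# Patterns are assumptions for this example: SSN (nnn-nn-nnnn), e-mail address,
# 13-19 digit card number with optional spaces/dashes, ICD-10-style code (e.g. J45.909).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
ICD10_RE = re.compile(r"\b[A-TV-Z]\d[0-9A-Z](?:\.[0-9A-Z]{1,4})?\b")


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in candidate pass the Luhn checksum used by payment cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> set:
    """Map one field value to the sensitivity categories it appears to contain."""
    cats = set()
    if SSN_RE.search(value) or EMAIL_RE.search(value):
        cats.add("PII")
    # Only a Luhn-valid digit string is treated as a card number (PIFI).
    if any(luhn_ok(m.group(0)) for m in CARD_RE.finditer(value)):
        cats.add("PIFI")
    if ICD10_RE.search(value):
        cats.add("PHI")
    return cats


def classify_record(record: dict) -> set:
    """Union of categories found across all string fields of a record, regardless of field name."""
    cats = set()
    for value in record.values():
        if isinstance(value, str):
            cats |= classify_value(value)
    return cats


def inventory(records) -> dict:
    """Summarize a record set: total records, records with any sensitive data, counts per category."""
    by_category = Counter()
    sensitive = 0
    for rec in records:
        cats = classify_record(rec)
        if cats:
            sensitive += 1
        by_category.update(cats)
    return {
        "records": len(records),
        "sensitive_records": sensitive,
        "by_category": dict(by_category),
    }


if __name__ == "__main__":
    summary = inventory(SAMPLE_RECORDS)
    print(f"{summary['records']} records, {summary['sensitive_records']} contain sensitive data")
    for cat, n in sorted(summary["by_category"].items()):
        print(f"  {cat}: {n} record(s)")
```

Record C shows why scanning values rather than trusting field names matters: the SSN sits in a free-text "note" field. Record E shows the opposite failure, a 16-digit string that is not a card number; without the Luhn check it would inflate the PIFI count and the breach-notification analysis built on it.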
Functions of a RMIS
- Supports the user in the key steps of the risk management process: identification, analysis, financing, control & administration
- Integration with other internal or external information systems including real-time event monitors.
- Reports and dashboards a. trends b. ad hoc queries c. heat maps d. loss forecasting e. OSHA reporting f. Total cost of risk reports and allocations.
- Facilitates the consolidation of the following into one system:
a. Insurance policy info
b. Claims info
c. Property schedules
d. Exposure information
e. Exposure identification
f. Document storage
Considerations when purchasing a RMIS
Costs, security, technology, customer service/tech support, customization, usability/ease of use, users, other features.
RMIS Features
Claims Management, Policy Management, Reporting, Dashboard & Analytics, Health and Safety
Methods of Benchmarking
Internal & External
Internal Benchmarking
Comparing the organization’s own performance from one-time period to another or between departments, locations, divisions, etc.