Media Alert: FDIC Wants Banks to Notify Customers of Identity Thefts - Banking Security Expert Available to Comment

Mar 19, 2005, 00:00 ET from TraceSecurity, Inc.

    BATON ROUGE, La., March 19 /PRNewswire/ --
     On Friday, March 18, 2005, regulators at the Federal Deposit Insurance
 Corp. (FDIC) voted 5-0 to approve a ruling that would force U.S. banks to warn
 their customers if they believe their customers have been subjected to
 identity theft.
     The ruling follows several highly publicized consumer privacy breaches
 that were disclosed over the last few weeks, including the loss of backup
 tapes containing the credit card information of 1.2 million federal workers by
 Bank of America; the loss of 145,000 customers' personal information to
 identity thieves at ChoicePoint, an aggregator and reseller of personal
 information; the loss and possible theft of customer credit card information
 from over 100 DSW Stores, a nationwide shoe retailer; and the disclosure from
 Lexis-Nexis, a compiler of legal and consumer information, that the Social
 Security numbers, names and addresses of 30,000 people may have been stolen by
 identity thieves.
     The FDIC decision comes at a time when lawmakers in Washington, DC are
 mulling legislation that could force companies to disclose material breaches
 of customer information. The FDIC proposal is somewhat similar to California's
 Information Practice Act (A.K.A. SB 1386), which mandates public disclosure
 for companies that have exposed California residents to privacy breaches.
 However, whereas SB 1386 requires companies to disclose all breaches, the
 proposed FDIC rule would only require banks to disclose breaches in which they
 believe customers' private information was misused.
     Security Expert Available for Comment:
     Jim Stickley, an internationally recognized banking security expert and
 the Chief Technology Officer for TraceSecurity,
 a security compliance software and services firm based in Baton Rouge, LA, is
 available to journalists over the weekend and on Monday who seek insight into
 how these privacy lapses occur, and how banks and consumers can take steps to
 prevent such lapses.
     TraceSecurity's clients include over 100 banks and credit unions, which
 license the company's compliance management software to continually monitor
 their security compliance status. TraceSecurity's banking clients also hire
 the company to perform social engineering audits in which undercover
 TraceSecurity consultants attempt to break into banks in broad daylight to
 steal confidential information. TraceSecurity has a 90% success rate at
 discovering critical vulnerabilities that expose organizations to identity
     "The FDIC ruling, if approved by the Federal Reserve, could cause a
 significant increase in identity theft disclosures," said Stickley. "Today,
 most large-scale identity thefts go unreported, either because the bank wants
 to avoid tarnishing their reputation or because they are simply unaware of the
 breaches. Many banks employ archaic data privacy practices that haven't kept
 pace with the evolving threats. The exploits of identity thieves, however,
 which are often coordinated by international crime syndicates, have become
 increasingly creative and sophisticated. Many banks are caught in a catch-22
 situation:  Their customers are demanding greater online access to a broader
 range of financial services, yet as banks make their services available online
 to customers, they're also making them available to thieves."
     "There's no single silver bullet that can eliminate identity theft,"
 concludes Stickley. "Based on our experience, the banks that do the best job
 of protecting their customers' information are the banks that view information
 security not as a static one-time fix, but as a regularly monitored business
 process that requires continuous improvement. Information security must become
 infused directly into every facet of the business, governing everything from
 policies and procedures for how the receptionist greets front desk visitors,
 to how waste paper is shredded, to how software engineers design and test the
 guts of online banking applications."
     To Arrange an Interview:
     To arrange an interview with Mr. Stickley over the weekend, please contact
 Mark Coker of Dovetail Public Relations via email
 at mark (at) dovetailpr (dot) com. On Monday, Mark Coker, David Splivalo or
 Kerry Swanson can be reached at 408.395.3600.
     About TraceSecurity, Inc.
     Privately held TraceSecurity is a leading provider of on-demand security
 compliance software and services. The company's patent-pending enterprise
 software helps customers satisfy national and international data security
 compliance requirements mandated by such regulations as HIPAA, Sarbanes-Oxley
 and GLBA. Over 100 global enterprises in the financial services, insurance,
 energy, government, manufacturing and services industries rely on
 TraceSecurity to continually monitor and improve the computer security of
 their companies. TraceSecurity's products and services include on-demand
 vulnerability and compliance assessment software, social engineering audits,
 comprehensive security assessments and security strategy consulting.
     Headquartered in Baton Rouge, Louisiana, TraceSecurity maintains offices
 in Houston, Texas; San Diego, California; and Portland, Oregon. The company can
 be reached by phone at 225-612-2121 or on the Web at

SOURCE TraceSecurity, Inc.