Information Security Resources
As a business that handles confidential consumer information, you have contractual and legal obligations to protect that information from misuse. You have legal requirements under the following Federal laws:
- Fair Credit Reporting Act
- Fair and Accurate Credit Transaction Act
- Gramm-Leach-Bliley Act (and its "Safeguards Rule")
You also have contractual obligations under the Avantus membership agreement; see Exhibit E: Data Access Security Requirements.
Computer criminals, many based outside the United States, are actively trying to access confidential consumer information. They use this information to commit identity theft: to open new credit accounts in the consumer's name, and to steal money from consumers' existing credit accounts. The criminals also target small businesses, seeking their online banking credentials. Once those credentials are compromised, they use them to transfer funds to their own accounts.
Methods criminals use to attack your computer
Computer criminals will try to get their malicious software ("malware") installed on your computer by exploiting known security vulnerabilities in software programs that you already have installed. If you have vulnerable software installed on your computer, criminals can "trick" your computer into installing their malicious software. This can happen even if you are just "browsing the web" and not downloading or installing software programs.
Criminals will also try to trick you into installing their malicious software yourself. For example, you could receive an e-mail that appears to be from FedEx, claiming they were unable to deliver a package and asking you to print the attached invoice. But the "invoice" is actually a program that installs their malicious software.
What happens when criminals are able to install their malicious software?
The criminals will use their malicious software to search your computer for confidential consumer information, credit card information, Social Security numbers, e-banking and other web site logins, e-mail account credentials, and the contents of your e-mail inbox.
Malicious software can also log all of the keystrokes you type on your keyboard in any software program. All of this data is then silently transmitted back to the criminals for exploitation.
What are the consequences if my computers are compromised and used to illegally access confidential consumer information?
- Avantus is required to immediately suspend your company's access to credit information pending an investigation.
- Avantus is required to report the security breach to the national credit repositories. As a result, each credit repository will place your company on its do-not-service list. This will prevent you from establishing a new service account with any other merged credit report vendor.
- Before having your service reinstated, you will need to address the original cause of the security breach, and have a thorough information technology security audit performed by a qualified auditor.
How can I protect myself?
You have an obligation to follow all of the requirements in applicable law and your Membership Agreement. At a minimum, you should:
- Ensure your operating system is current and up to date, and that all critical updates have been applied.
- Ensure you have anti-virus, anti-malware, and anti-spyware software installed. Confirm that it is updated regularly and set to run automatically.
- Ensure that all of your installed software is up to date. Consider using a vulnerability scanning program. These programs scan your computer and inform you if any installed software program has a known security vulnerability, i.e. is older than the version in which the vulnerability was fixed.
- Train all staff to open e-mail attachments only if they are expected and from known sources.
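The vulnerability-scanning step above boils down to one comparison: for each installed program, is the installed version older than the first version that contains the fix? The following script is an added example that is not part of the original Avantus page and is not the code of any real scanning product; it shows that comparison on a constructed software inventory and a constructed advisory list (the product names and advisory IDs are placeholders, not real advisories). It also shows why versions must be compared numerically rather than as strings ("1.10" is newer than "1.9" even though the string "1.10" sorts first).

```python
"""Compare a software inventory against known-vulnerable version ranges.

Added example. The inventory and advisory list below are constructed for
illustration; they are not real products, versions or advisories.
"""
from dataclasses import dataclass


def parse_version(text):
    """Turn '4.2.10' into (4, 2, 10) so versions compare numerically.

    Trailing letters in a component ('4.2b') are dropped; a component with
    no digits at all becomes 0.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version tuple a is older than b.

    Shorter tuples are padded with zeros so that '4.2' equals '4.2.0'.
    """
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass(frozen=True)
class Advisory:
    product: str      # name as it appears in the inventory
    fixed_in: str     # first version that contains the fix
    advisory_id: str  # placeholder identifier, constructed for this example


def find_vulnerable(inventory, advisories):
    """Return (product, installed_version, advisory_id) for every installed
    program that is older than the version in which the issue was fixed.

    Programs that are not installed, or that already run the fixed version
    (or newer), produce no finding.
    """
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue
        if version_lt(parse_version(installed), parse_version(adv.fixed_in)):
            findings.append((adv.product, installed, adv.advisory_id))
    return findings


# Constructed sample inventory: product name -> installed version.
INVENTORY = {
    "ExampleReader": "9.4.1",
    "ExampleBrowser": "102.0",
    "ExampleOffice": "16.0.14",
}

# Constructed sample advisories (placeholder IDs, not real CVEs).
ADVISORIES = [
    Advisory("ExampleReader", "9.5.0", "EXAMPLE-ADV-001"),   # installed 9.4.1 is older: finding
    Advisory("ExampleBrowser", "101.0", "EXAMPLE-ADV-002"),  # installed 102.0 is newer: no finding
    Advisory("ExampleOffice", "16.0.14", "EXAMPLE-ADV-003"), # installed == fixed: no finding
    Advisory("ExampleZip", "3.1", "EXAMPLE-ADV-004"),        # not installed: no finding
]

if __name__ == "__main__":
    for product, installed, adv_id in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{product} {installed} is affected by {adv_id}: update required")
```

A real scanner collects the inventory from the operating system (installed-programs registry on Windows, the package database on Linux) and downloads its advisory list from the vendor; the matching logic is the part shown here. Note that the fixed-in version counts as safe, so the check is strictly "older than", and that a program absent from the inventory is never reported.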
Other Steps for Securing Information
One of the early steps companies should take is to determine what information they are collecting and storing, and whether they have a business need to do so. You can reduce the risks to customer information if you know what you have and keep only what you need.
Depending on the nature of their business operations, companies should consider implementing the following practices:
- Checking references or doing background checks before hiring employees who will have access to customer information.
- Asking every new employee to sign an agreement to follow your company's confidentiality and security standards for handling customer information.
- Limiting access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
- Controlling access to sensitive information by requiring employees to use "strong" passwords that must be changed on a regular basis. (Tough-to-crack passwords require at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.)
- Using password-activated screen savers to lock employee computers after a period of inactivity.
- Locking rooms and file cabinets where records are kept.
- Not sharing or openly posting employee passwords in work areas.
Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:
- Contact Avantus immediately.
- Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet.
- Preserve and review files or programs that may reveal how the breach occurred.
Following these simple steps will help you protect yourself and your business. If you have any questions regarding the security of your information as it relates to working with Avantus, please give us a call at (800) 243-0120.