Standards for Safeguarding Customer Information
Comments to the
FEDERAL TRADE COMMISSION (FTC)
16 CFR Part 314
October 9, 2000
Portogo, Inc., based in Minneapolis, Minnesota, provides a range of Internet technology solutions to businesses insuring or self-financing their risk of lost, stolen or compromised data resulting from Internet transmission failure. Portogo's services are delivered through proprietary electronic tools that measure Internet traffic risks, actuarially project loss costs and develop related databases, log and track Internet transmissions and assist in the remediation of data lost, stolen or disrupted during a transmission.
The foundation of these electronic tools is INSURITI, a new patent-pending technology process that insures the transmission of data over the Internet.
Based upon its Internet security expertise, Portogo has a substantial interest in the processes used to safeguard the transmission of nonpublic personal information. Portogo respectfully submits these comments to the Federal Trade Commission in conjunction with the Commission's promulgation of regulations addressing the safeguarding of customer information by financial institutions.
The proposed rule, in large measure, articulates appropriate and effective standards for financial institutions to establish information security programs. Based upon our experience in servicing the loss, theft or disruption of data transmissions over the Internet, we believe that an effective risk assessment process requires more than evaluating data security risks and developing appropriate controls, as the rule currently contemplates.
It has been our experience that an effective risk assessment process must also consider the financial implications of any property loss incurred when data is compromised during a transmission over the Internet. Losses caused by data transmission failures can be substantial. Not only does information have intrinsic property value that must be considered, but remediation following a loss also has financial implications for a financial institution.
An effective risk management process should identify the value of data and assess the necessary remediation costs if a transmission is compromised. This process should also ensure that an institution has considered and addressed the financing of these risks, either by consciously retaining the costs for these exposures or transferring these costs to a third party. An assessment of risk financing issues effectively complements a risk assessment process by evaluating the value of data typically transmitted, ensuring financial recourse for losses incurred, providing for forensic recovery of lost, stolen or compromised data and establishing investigative protocols for identifying the source of such losses. Quite simply, a risk management process is not complete if it does not consider an institution's capacity to finance and remediate the risk of unauthorized disclosure, misuse, alteration, destruction or other compromises of nonpublic financial information. Congress' directive to the Commission and other federal agencies to establish standards for safeguarding customer information appears to contemplate this point. One of the stated objectives of these standards is to "insure the security and confidentiality of customer records and information." 15 U.S.C. 6805(b)(2) (emphasis supplied). We are not suggesting that Congress, by use of the highlighted term, necessarily intended that financial institutions must insure their customer information risks. We do believe, however, that Congress intended that an effective risk management process should identify and address the financial implications of these risks.
We would respectfully recommend that §314(c) be amended to require an institution to consider the financial implications of data transmission risks, in addition to mandating that institutions develop corresponding controls. In this respect, the rule would not impose a risk financing mandate nor any specific requirements for financing such risks. To the contrary, a financial institution's information security program would simply be required to consider its responsibility for valuing (or, assessing) data risk and financing of such risks as an element of its information security program. Consequently, substantial flexibility would be afforded financial institutions in developing programs tailored to their specific business needs.
Portogo appreciates the opportunity to comment on the proposed rule. Should you have any questions or require any further information, please contact Stephen Cardot, President/CEO and/or Thomas Weiseth, Vice-President/CCO, Portogo, Inc., at 612-870-0410.
Stephen C. Cardot
Thomas J. Weiseth
fon: 612.870.4755