
FDIC issues spyware guidance to financial institutions

By Eric J. Sinrod
August 10, 2005
USAToday.com


The Federal Deposit Insurance Corporation (FDIC) has just issued specific guidance and recommended mitigation actions to financial institutions with respect to the risks posed by spyware. In light of recent spyware problems, hopefully the FDIC is on the right track.

Background

As the FDIC points out, spyware refers to technologies that collect information without user knowledge and report that information to third parties. Certain forms of spyware, as noted by the FDIC, can intercept sensitive and confidential information about an organization or user, including passwords, credit card numbers and other identifying data. Thus, as appropriately recognized by the FDIC, spyware has significant confidentiality, integrity and availability implications for banks and their customers.

Spyware risks

The FDIC warns that financial institutions should be aware of spyware risks on their own computers and on computers used by customers connecting to online banking Web sites. The FDIC stresses that spyware increases the risk to financial institutions by: (a) compromising confidentiality by allowing attackers to eavesdrop and intercept sensitive communications, such as customer IDs and passwords; (b) damaging an institution's reputation by potentially allowing unauthorized access to user accounts; (c) misappropriating bank resources and permitting unauthorized access to bank systems; and (d) increasing vulnerability to other Internet-based attacks, such as phishing.

Spyware risk mitigation

The FDIC specifically recommends that financial institutions evaluate the risks associated with spyware and strengthen enterprise information security programs by:

(a) considering threats from spyware as part of the risk assessment process. This ensures that financial institutions consider all risks to private customer information and take appropriate steps to mitigate those risks, such as implementing anti-spyware technologies;

(b) enhancing security and Internet-use policies to address risks associated with spyware and acceptable user behavior (e.g., prohibiting Internet downloads and visits to inappropriate Web sites). In addition, management should take steps to enforce these policies and reprimand staff who fail to comply with them;

(c) expanding employee training to include the risks associated with spyware, so that users become cognizant of the behavior they should adopt to prevent spyware on bank computers and on personal computers that are used to connect to the bank's network;

(d) educating customers about the risks associated with spyware and encouraging them to implement steps to prevent and detect spyware on their own computers. Customers should also be advised of the risks of using public computers (such as those in hotels, libraries or Internet cafés) to connect to online banking Web sites, because of the uncertainty about spyware that may have been installed on the public equipment; and

(e) investigating the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when such a thief has a customer's ID, password and account numbers.

Upshot

The FDIC is correct in stating that spyware poses a significant risk to financial institutions and their customers. And the FDIC is right that practices to prevent and detect spyware should be regularly reviewed to ensure that institutions are aware of all risks to their systems and to sensitive customer information. The real question is whether financial institutions can stay ahead of the game in terms of risk knowledge and mitigation over time. And as always, time will tell.

Eric Sinrod is a partner in the San Francisco office of Duane Morris (www.duanemorris.com), where he focuses on litigation matters of various types, including information technology disputes. His column appears Wednesdays at USATODAY.com. His Web site is www.sinrodlaw.com, and he can be reached at . To receive a weekly e-mail link to Mr. Sinrod's columns, please send an e-mail with the word Subscribe in the Subject line to .

Reprinted here with permission from USAToday.com.