ELECTRONIC BANKING LAW AND COMMERCE REPORT



CONTENTS

1 Using Binding Corporate Rules for International Data Transfers: The ICC Report
by Christopher Kuner
A growing number of countries have developed legal restrictions on international data transfers. This article looks at an International Chamber of Commerce report on binding corporate rules (BCRs) that allow companies to meet compliance requirements and transfer personal data around the world using a single set of rules.

6 Federal Preemption Under the ESIGN Act
by Jeremiah S. Buckley and R. Colgate Selden
National standards are crucial for organizations promoting the electronic delivery of financial services. This article explores how, through the preemption provisions of the Electronic Signatures in Global and National Commerce Act (ESIGN), Congress sought to resolve the interplay between state and federal laws to promote the national use of electronic records and signatures.

13 Adapting to the Threat Landscape: BITS Crisis Management Coordination
by John W. Carlson and Teresa C. Lindsey
BITS discusses its Crisis Management Coordination program to maintain critical services during a crisis, especially its work with the telecommunications and energy sectors. The authors also review two regional coalitions focused on business continuity issues, and BITS’ efforts in the areas of cyber threats and information security.

17 Selected Regulatory Developments
by Scott A. Anenberg


Using Binding Corporate Rules for International Data Transfers: The ICC Report

By Christopher Kuner

The growing number of countries with legal restrictions on international data transfers makes it crucial for businesses to provide a legal basis for their international data flows. Unfortunately, many legal bases for data transfers are either impracticable or have a limited utility in different sectors; for example, most financial services organizations are not eligible to join the US/EU safe harbor system. Many companies are interested in exploring binding corporate rules (BCRs) as a means of international data protection compliance, but are unsettled by legal uncertainties surrounding their use.

The International Chamber of Commerce (ICC) is an international business organization with member companies in over 140 countries, and has long been involved in efforts to help companies cope with legal restrictions on international data transfers (for instance, ICC together with six other business organizations proposed a set of alternative model clauses for data transfers which were found to provide “adequate protection” by the European Commission in December 2004).[1] To learn more about the legal enforceability of BCRs, in 2004 ICC surveyed companies around the world concerning the enforceability of BCRs in their home jurisdictions. The results were published in the “ICC Report


Christopher Kuner ([email protected]), a partner in the Brussels office of Hunton & Williams (http://www.hunton.com), is chairman of the ICC Task Force on Privacy and Data Protection and one of the authors of the ICC Report.

(continued on page 3)

Volume 9, Number 8

© 2005 Glasser LegalWorks

February 2005


From the Editor

Data Security

A recent identity-fraud survey indicated that the greatest threats to personal financial information remain the traditional stolen or lost wallet and, sadly, family and friends.[1] Yet, this report seems like a breath of spring air after all the gloom about cyber threats. It is perversely reassuring that the most significant threats remain those posed by persons closest to the consumer. That reality does not, however, mean that banks and other financial institutions don’t need to put in place protections against privacy threats, or deal with the dizzying array of data protection regulations.

Christopher Kuner, from Hunton & Williams’s office in Brussels, discusses an International Chamber of Commerce report on binding corporate rules for the international transfers of personal data. This mechanism could allow banks and other financial institutions, not covered by the EU safe harbor agreement, to ensure an “adequate level of data protection.”

With a nod towards the current legal debate on the preemption of state laws by federal financial regulations and privacy laws, Jerry Buckley and Colgate Selden, of Buckley Kolar LLP, review the preemption provisions of the Electronic Signatures in Global and National Commerce Act (ESIGN). Congress passed this act in 2000, which preempted the inconsistent patchwork of state laws on electronic transactions, to promote the use of electronic records and signatures.

John Carlson and Teresa Lindsey discuss BITS’s Crisis Management Coordination program’s work with the telecommunications and energy sectors and BITS’s efforts in the areas of cyber threats and information security. They also review how two coalitions are working to address regional business continuity issues.

David E. Brown Jr., Editor-in-Chief

ELECTRONIC BANKING LAW AND COMMERCE REPORT
Published by GLASSER LEGALWORKS
150 Clove Road, Little Falls, NJ 07424
Phone: (973) 890-0008; Fax: (973) 890-0042
E-mail: [email protected]; Web Site: http://www.glasserlegalworks.com
Kent M. Zimmermann, President
Stephen W. Seemer, Chief Operating Officer
Dan Goldman, Executive Editor
One year subscription, 10 issues, $323. (ISSN: 1090-8420)
Please address all editorial correspondence to the Managing Editor at [email protected]. All other correspondence concerning rates and subscriptions should be addressed to the publishers at [email protected].
While the publishers make every effort to ensure the accuracy of information published in Electronic Banking Law and Commerce Report, they make no warranties as to the accuracy of any information stored on a Web site or other Internet source mentioned in this publication, particularly when that data is to be relied upon for making legal judgments. All contents © 2004, Glasser LegalWorks. All Rights Reserved.
Please cite this publication as (Author), (Title), ELECTRONIC BANKING LAW AND COMMERCE REPORT, (Month, Year) at (Page #).

EDITORIAL ADVISORY BOARD
Chairman: John L. Douglas, Alston & Bird LLP
Editor-in-Chief: David E. Brown, Jr., Alston & Bird LLP
Contributing Editor: Scott A. Anenberg, Shaw Pittman
Managing Editor: Elizabeth Thompson

David A. Balto, Robins, Kaplan, Miller & Ciresi
Lawrence G. Baxter, President and Chief e-Commerce Officer, Wachovia Corp.
Roland E. Brandel, Morrison & Foerster LLP
Russell J. Bruemmer, Wilmer Cutler Pickering Hale & Dorr LLP
Thomas Hal Clarke, Senior Vice President and Deputy General Counsel, Wachovia Corp.
Kelly McNamara Corley, Senior Vice President and General Counsel, Discover Financial Services, Inc.
Ellen d’Alelio, Steptoe & Johnson
Melanie L. Fein, Goodwin Procter L.L.P.
Paul R. Gupta, Mayer, Brown, Rowe & Maw LLP
Gerald P. Hurst, Assistant General Counsel, Bank of America
Henry L. Judy, Kirkpatrick & Lockhart LLP
Sylvia Khatcherian, Managing Director, Legal Department, Morgan Stanley
C. F. Muckenfuss III, Gibson, Dunn & Crutcher LLP
John C. Murphy, Jr., Cleary, Gottlieb, Steen & Hamilton
P. Michael Nugent, Executive Vice President and General Counsel, IntelliRisk Management Corporation
J. Michael Shepherd, Executive Vice President and General Counsel, Bank of New York
Brian W. Smith, Latham & Watkins LLP
Stuart G. Stein, Hogan & Hartson LLP
Thomas P. Vartanian, Fried, Frank, Harris, Shriver & Jacobson
Mark A. Weiss, Covington & Burling
Richard M. Whiting, General Counsel and Executive Director, The Financial Services Roundtable

1. Available at http://www.javelinstrategy.com/.

Using Binding Corporate Rules . . . (continued from page 1)

on Binding Corporate Rules for International Transfers of Personal Data.”[2]

The ICC Report demonstrates that BCRs are already a viable solution for data protection compliance, and that while some legal uncertainties remain, they are likely to develop into the preferred mechanism for multinational companies (including financial institutions) to provide a legal basis for international data transfers.

Background

In 1995, the European Communities enacted the EU Data Protection Directive 95/46 (the Directive), which is designed to protect individuals’ right to privacy with respect to the processing of personal data.[3] The Directive prohibits transfers of personal data to a third (i.e., non-EU) country unless the country in question ensures an “adequate level of data protection” as determined by the European Commission, or the company making the transfer complies with a specific derogation. The concept of “personal data” is interpreted very broadly, and includes most types of data processed by banks and financial institutions. Since the passage of the Directive, countries in other regions (such as Asia[4] and Latin America[5]) have adopted similar restrictions, and still others are considering “adequacy” restrictions close to the European model.[6] Sensitivity among politicians and labor unions concerning business process outsourcing, which by its nature is based on data flowing freely across national borders, has made it even more critical that companies be able to transfer personal data globally.

BCRs are a set of rules adopted within a particular company or corporate group that provide legally binding protections for data processing within the company or group. BCRs can be made legally binding on members of a corporate group through a variety of legal devices, and may provide a legal basis for data transfers to other countries or regions.[7] The concept of BCRs is not new, and many if not most multinational corporations use BCRs for a variety of compliance requirements such as environmental, health and safety, money laundering and general corporate governance requirements.

Benefits

BCRs are an innovative tool used to protect the privacy of individuals while facilitating international transfers of personal data to corporate groups in countries without sufficient data protection legislation. BCRs allow companies to transfer personal data around the world using a single set of rules, which gives individuals the confidence that their personal data is being processed using a binding and enforceable set of standards. Moreover, BCRs make compliance less time-consuming and costly, and provide multinational corporations with greater flexibility than do most alternative legal bases (such as signing a multitude of data transfer agreements). While their use in the data protection context is presently focused on international data transfers, BCRs can in fact be used to provide for overall compliance within the corporate group, i.e., their use need not be limited to data transfers.

BCRs also benefit individuals by increasing compliance with data protection legislation. The 2003 implementation report by the European Commission on the Directive showed “very patchy compliance by data controllers” with the national implementations of the Directive, due in particular to the complex and burdensome nature of data protection law.[8] The current system of data protection enforcement is designed to bring about compliance through the threat of punitive measures, whether audits by data protection authorities (DPAs) or complaints by data subjects. In contrast, BCRs represent a proactive approach to data protection and shift the burden of ensuring compliance from DPAs and individuals to companies themselves. Use of BCRs also creates and sustains a company culture that respects privacy and promotes compliance with data protection legislation.

Challenges

BCRs do present some challenges to companies using them. For instance, although BCRs create a “safe haven” for transfers within corporate groups, the “safe haven” does not apply to transfers to companies outside of the corporate group (“onward transfers”). BCRs are also both a minimum and a complementary standard. So, if local law is stricter than the BCRs, a data subject’s claim can be based on local law, as the BCRs are only the minimum level of protection. However, if the BCRs offer greater protection than local law, a data subject’s claim can be based on them rather than on the local law. BCRs therefore have the potential to increase a company’s liability.

The main obstacle to the use of BCRs is the absence of a streamlined mechanism for approval by DPAs when necessary. For example, in the EU a company currently has to submit its BCRs for approval to the DPA of each member state from which the company intends to transfer the data. So far, BCRs have been approved by European DPAs in Austria (Bank Austria Creditanstalt) and Germany (DaimlerChrysler and GE); approval of other companies’ BCRs is known to be imminent in other member states such as The Netherlands and the UK. Moreover, the Article 29 Working Party is considering the possibility of approving BCRs on a pan-European basis, though the time frame for a workable procedure being approved is very uncertain.

The content of binding corporate rules depends on many factors, including the needs of the corporate group using them, the type of data it is processing and the purposes of processing, the applicable legal


requirements and so on. Thus, it can be expected that BCRs will differ between the geographic regions, legal systems and business sectors in which they are used. The most extensive analysis of the substance of BCRs so far has been provided by the EU’s Article 29 Working Party (comprised of all the EU DPAs) in its Working Paper 74. In December 2004, the Working Party also approved a standardized checklist of factors for companies to take into consideration when applying for approval of BCRs. This article does not examine the substance of BCRs, which needs to be determined by each individual company based on its requirements.

The ICC Report

Data protection authorities have stressed that it is important that BCRs be binding in practice as well as in law. However, in some countries DPAs apparently have doubts about the legally binding nature of BCRs. The ICC Report therefore solicited input from ICC members about the legally binding effect of BCRs in their countries; respondents included US, UK, Spanish, Swiss, Danish, Belgian, and Hong Kong law firms, and Swiss, Dutch, German, Japanese, and US manufacturing companies and financial services companies. The Report discusses in detail the various techniques that can be used in individual countries to actually make BCRs binding (both internally within the organization, and externally for the benefit of the data subject), and analyzes the steps companies need to take to make BCRs binding in practice and in law.

To be binding in practice, members of the corporate group, employees, and subcontractors need to feel compelled to comply with the internal rules. While ways to ensure internal compliance may vary greatly from company to company, measures that promote compliance include informational and training sessions on the BCRs for employees and subcontractors; disciplinary sanctions for employees who violate the rules; a robust complaint handling system; comprehensive self-audit procedures; appropriate redress for violation of BCRs; a way for data subjects to bring concerns to the relevant DPA; and the appointment of a chief privacy officer and local privacy officers.

To be binding in law, BCRs must create obligations that are legally binding on the companies and that can be legally enforced by data subjects and regulatory authorities. The legally binding effect of BCRs thus differs among countries and legal systems. The survey results published in the ICC Report reveal that within the corporate group, such internal binding nature may be achieved by measures such as:

(1) agreements involving contracts;

(2) agreements involving unilateral undertakings;

(3) a unilateral undertaking by way of a Declaration of Trust;

(4) a unilateral undertaking or contract incorporating other regulatory issues;

(5) having the parent company unilaterally declare that it assumes a duty of care over personal data processed by itself and its subsidiaries;

(6) creating a self-regulatory body and contractually giving it enforcement power over its members (e.g., a professional association);

(7) having a government agency assert authority over enforcement of unfair or deceptive trade practices which could also be applied to BCRs.

BCRs can be made binding on employees by way of specific obligations in an employment contract, and by linking observance of the rules to disciplinary procedures. Similarly, they may be made binding on subcontractors by including relevant compliance clauses in subcontracts. Of course, the possibilities differ based on the national legal system.

There are two principal methods of making the rules binding externally for the benefit of data subjects: unilateral undertakings and contracts. Unilateral undertakings include unilateral declarations by the parent company, and declarations of trust in favor of data subjects. The external binding nature of BCRs for individuals may also be achieved through contracts between the various corporate group members in which the data subjects are third party beneficiaries, and a contract between the parent company and the DPA which grants third party beneficiary rights.

Conclusion

The ICC Report shows that not all of the mechanisms for making BCRs binding are possible in all jurisdictions, so that legal uncertainties remain. Nonetheless, the Report demonstrates that there are a wide variety of legal principles that may lead to legal enforceability of BCRs, and that BCRs are therefore a realistic mechanism for providing a legal basis for data transfers in many jurisdictions around the world. In particular, banks and financial institutions are used to complying with a myriad of corporate policies and regulatory regimes, so that BCRs for data protection are a natural extension of their existing compliance systems. As coordinated systems for their approval by regulators in different jurisdictions are developed, more and more financial institutions will no doubt turn to BCRs as the most efficient method to ensure global data protection compliance.


Notes:

1. More information on the ICC alternative model clauses is available at http://www.iccwbo.org/home/news_archives/2005/data_transfers.asp.

2. Available at http://www.iccwbo.org/home/e_business/FINAL%20ICC%20BCRs%20report%20rev.pdf.

3. Directive 95/46/EC of the European Parliament and of the Council, Oct. 24, 1995. This and the other EU documents referred to in this article are all available on the web site of the European Commission at http://www.europa.eu.int/comm/internal_market/privacy/index_en.htm. For more detailed information on European data protection law, see Christopher Kuner, European Data Privacy Law and Online Business, Oxford University Press, 2003.

4. For example, Hong Kong enacted the Personal Data (Privacy) Ordinance in 1995. Malaysia and Thailand are in the process of drafting privacy legislation. India has legislation pending that is largely based on the United Kingdom Data Protection Act.

5. For example, Argentina and Chile.

6. See, e.g., Article 8 of the Russian Federal Law No. 85-FZ of July 4, 1996 on Participation in the International Information Exchange; Hong Kong Personal Data (Privacy) Ordinance, 33 §2(a), 3 (1995).

7. The EU’s Article 29 Working Party, which is a group of data protection regulators, suggests such instruments be called “binding corporate rules for international data transfers” or “legally enforceable corporate rules for international data transfers.” Working Document (WP74) adopted by the Article 29 Working Party on June 3, 2003, on “Transfers of Personal Data to Third Countries: Applying Article 26(2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers”, page 8.

8. “Report from the Commission: First report on the implementation of the Data Protection Directive: Analysis and impact study on the implementation of Directive EC 95/46 in Member States”, May 15, 2003, page 13.

A New Service for Subscribers: Online Editions Now Available FREE

Glasser LegalWorks is pleased to announce that this newsletter is now available on the Internet to subscribers of the print edition.

The online version offers interactive capabilities that enhance the usefulness of your subscription, including Search features for current and archived articles and Links to other information and Westlaw® cases.

To register for this service, please visit: www.glwnewsletters.com/register.asp

Questions? Call 800.308.1700 x109


Federal Preemption Under the ESIGN Act

By Jeremiah S. Buckley and R. Colgate Selden

Jerry Buckley ([email protected]), a founding partner of Buckley Kolar LLP (www.buckleykolar.com), and Colgate Selden ([email protected]), an associate at the firm, represent clients in the financial services industry on a broad range of issues. Mr. Buckley and other attorneys at the firm played a leading role in developing the Uniform Electronic Transactions Act and advocating the enactment of the federal Electronic Signatures in Global and National Commerce Act. Mr. Buckley is also co-author of The Law of Electronic Signatures and Records (Glasser LegalWorks, 2004) and a number of articles on electronic signatures and records.

Introduction

The constitutional doctrine of federal preemption is front and center in the courts and Congress at present. State regulators are challenging the powers of federal financial regulators to preempt state laws,[1] and members of Congress are proposing to redefine the scope of federal financial regulators’ preemptive authority.[2]

For those who are seeking to promote the electronic delivery of financial services, national standards are crucial. A patchwork of inconsistent state rules for doing business electronically has the potential to hobble the use of electronic media. The Internet is a borderless medium that instantaneously reaches a national and international market. This article will explore how Congress in the year 2000 sought through the preemption provisions of the Electronic Signatures in Global and National Commerce Act[3] (ESIGN) to resolve the interplay between state and federal laws as they relate to electronic records and signatures. The content of this article is based on a discussion of preemption contained in The Law of Electronic Signatures and Records.[4]

ESIGN and UETA

In 1999, the National Conference of Commissioners on Uniform State Laws (NCCUSL) issued its final draft of the Uniform Electronic Transactions Act (UETA). Since that time, approximately 47 states and the District of Columbia have enacted the UETA in some form. Some states, however, have enacted non-uniform versions of the UETA. The differences range from minor stylistic changes to significant variations from the NCCUSL text.

Due in part to concerns about non-uniform UETA enactments, Congress passed a federal electronic signature and record statute. Enacted in 2000, ESIGN borrowed many concepts from UETA. It also contained some significant differences. Most importantly, ESIGN places special obligations on those who wish to electronically provide disclosures to a consumer, if the disclosures are otherwise required to be provided to the consumer “in writing.”

Both UETA and ESIGN are technology neutral statutes designed to put electronic records and signatures on equal footing with their paper counterparts. Accordingly, they both operate as “overlay” statutes amending thousands of state and federal laws. Neither statute changes the substance of underlying laws. For example, all of the elements of a contract (such as offer, acceptance, capacity and consideration) must be present in an electronic context. UETA and ESIGN also do not change the standards for validity of a signature, except to allow the signature to be in electronic form.

UETA and ESIGN have three main precepts:

• Electronic records and signatures cannot be denied legal effect or enforceability solely because they are in electronic form;

• If a law requires a record to be in writing, an electronic record satisfies the law; and

• If a law requires a signature, an electronic signature satisfies the law.

Together, these principles provide for the equality ofelectronic and non-electronic records and signatures.

However, in light of the fact that some states have enacted electronic signature legislation that varies from the text of ESIGN and the UETA as reported, it was necessary for Congress to set out rules for when ESIGN will preempt contradictory state laws and to describe the appropriate interaction between ESIGN and UETA. The resultant preemption provisions of ESIGN set up a unique interaction between state and federal laws.

Constitutional Doctrine of Preemption

The doctrine of federal preemption, rooted in the supremacy clause of the United States Constitution,[5] applies in three situations:

• Where Congress has expressly preempted state law;[6]

• Where federal law dominates or occupies a particular field, resulting in an inference that Congress intended state law to be preempted;[7] and

• Where state law is nullified to the extent that it conflicts with federal law, because compliance with both state and federal law or regulations is a physical impossibility, or because compliance with



state law stands as an obstacle to the accomplishment of the objectives of Congress.[8] Federal regulations have as preemptive an effect as federal statutes.[9]

Subject to a unique savings clause for certain parallel state laws, ESIGN expressly preempts state law with respect to all commercial, consumer, and business transactions “in or affecting interstate or foreign commerce.”[10]

This provision invokes in full breadth the Constitution’s commerce clause, which empowers the United States Congress to “regulate Commerce with foreign Nations, and among the several States, and with the Indian Tribes.”[11]

The extent of Congress’s authority under the commerce clause has generally been viewed as very broad, and many transactions that might otherwise be considered to be local, or intrastate, have been held to “affect” interstate commerce. Local activity can be reached by Congress if it exerts a substantial economic effect on interstate commerce.[12] Congress is permitted to establish laws protecting the use of the channels of interstate commerce, the instrumentalities of interstate commerce, and persons or things moving in interstate commerce, even though the threat may come only from intrastate activities.[13] Congressional authority extends to regulating acts which are individually trivial in their impact on interstate commerce, but which in the aggregate may have substantial national consequences.[14]

ESIGN’s Special Preemption Provisions

ESIGN’s preemption provisions are a core element in the legislative approach Congress adopted to permit the nationwide use of electronic signatures and records. With certain specific exceptions, ESIGN allows a state statute, regulation, or rule of law to “modify, limit or supersede the provisions of Section 101 of the Act” if and only if:

• The statute, regulation, or rule of law constitutes anenactment of UETA as approved and recom-mended for enactment by the NCCUSL in 1999without any modifications pursuant to Section3(b)(4) of UETA and without any provisionsdesigned to circumvent the purposes of ESIGN byimposing specific technology requirements, or

• The statute, regulation, or rule of law (other thanUETA):

(1) Prescribes alternative procedures or require-ments for the use or acceptance of electronicrecords or electronic signatures which are con-sistent with the requirements of Title I and TitleII of ESIGN, and do not require, or accordgreater legal status or effect to, the implemen-tation or application of a specific technology ortechnical specifications for effectuating elec-tronic records or signatures, and

(2) Does not seek to circumvent Title I or II of ESIGN by imposing nonelectronic delivery methods under Section 8(b)(2) of UETA.

State statutes, regulations, or rules of law governing procurement by a state or any state agency or instrumentality are not preempted, thus providing to states the same freedom to set the terms of their electronic procurement transactions as private parties. In addition, certain specific types of state laws, discussed below, are excepted from the general preemption provisions of ESIGN.

Note that the ESIGN preemption provision covers not only statutes and regulations, but also other rules of law. Presumably, such other rules of law include common law rules developed by state courts. Given the ESIGN requirement that alternative state rules be technology neutral, this raises interesting questions concerning the extent to which preemption can be applied to the law resulting from court rulings that favor one type of technology over another, either explicitly or implicitly. The potential distinctions in this area are subtle. For example, ESIGN apparently prohibits judicial adoption of a common law rule explicitly granting special treatment to electronic signatures based on asymmetric encryption. At the same time, it may prove easier, as a practical matter, to convince a jury that a disputed signature created with asymmetric encryption is authentic than to prove the authenticity of other types of disputed signatures. In other words, while state courts presumably cannot announce rules that explicitly favor a particular technology, the application of neutral evidentiary rules to electronic records may still result in certain technologies being favored.

Rationale for the Unique Preemption Provisions of ESIGN

The preemption provisions of ESIGN are unique, reflecting the competing legislative priorities facing Congress as it constructed the ESIGN statutory scheme. The authors of ESIGN were not writing on a tabula rasa. Electronic signatures and records had been the focus of an intense and successful effort by NCCUSL to develop a uniform state law.

The drafters of ESIGN borrowed both its conceptual underpinnings and most of the text in Sections 101 and 106 from UETA. NCCUSL had spent several years developing UETA. If Congress had preempted UETA just as it was being promulgated, without permitting states the option of adopting it, Congress might have been criticized for hijacking NCCUSL’s work product and unfairly injecting federal law into an area traditionally reserved to the states. Many in Congress would have been offended by such charges. Insensitivity to NCCUSL was also to be avoided, as the organization has a 110-year history of producing high-quality uniform laws for state enactment and has produced model laws in ground-breaking areas. Congressional interference might have been perceived as discouraging NCCUSL’s important work.

February 2005 © 2005 Glasser LegalWorks

In addition, the principal sponsors of ESIGN were of the view that state laws are to be overridden only with good cause. A competing consideration for the congressional sponsors, however, was the compelling position that the Internet is a borderless medium and a resource to be fostered and promoted. Since enactment of UETA by the states was likely to take years, the sponsors of ESIGN reasoned that the absence of a uniform national standard for such a long period would impede the development of e-commerce. This was a prime policy motivation for Congress to accelerate the UETA adoption process by enacting ESIGN.

Another consideration favoring adoption of a federal law was that some of the first states to adopt UETA excluded a wide swath of transactions from its scope. This threatened the core premise of UETA, establishment of a uniform national standard.[15] To avoid the creation of a patchwork of varying state laws, Congress was compelled to establish a minimal, uniform national standard.

However, while compliance with ESIGN may be sufficient to establish the validity of an electronic signature or record, Congress did not seek to assert that ESIGN was the final word on electronic signatures and records. UETA contains some helpful amplification of terms and considerations related to electronic signatures and records that are not contained in ESIGN, and Congress deferred to the right of the states to adopt UETA, thereby allowing parties to take advantage of the more extensive provisions of UETA where it is enacted as reported by the NCCUSL.

By adopting these preemption rules, Congress was not only deferential to UETA, but affirmatively promoted its adoption by the states. Far from diminishing the likelihood of UETA being adopted, ESIGN may be repaying its intellectual debt to the UETA drafters by smoothing the way for adoption of the unmodified official text, a process that is proceeding reasonably quickly.[16]

Having deferred to UETA, the congressional authors of ESIGN adopted a more traditional federal preemption stance with respect to other laws, declaring any provisions of state law which seek to “modify, limit or supersede” ESIGN to be preempted to the extent that they are inconsistent with the premises of ESIGN.

Exemption From Preemption Pursuant to Enactment of UETA: Four Scenarios

Some states adopted UETA before enactment of ESIGN. Other states, while enacting UETA after ESIGN, varied from the official text as approved and recommended by NCCUSL. In these cases, a question arises as to whether UETA text as adopted enjoys the benefits of the exemption from preemption provided by ESIGN. The date at which UETA was adopted, pre- or post-enactment of ESIGN, does not matter. What does matter is whether in enacting UETA the state varied from the official NCCUSL text. In answering that question, there are four potential scenarios that need to be considered.

1. State enacts UETA exactly as reported by NCCUSL

If a state adopts UETA exactly as reported by NCCUSL, the state version of UETA is exempt from preemption under ESIGN. For transactions that do not involve federal writing or signature requirements, parties subject to the law of that state could simply comply with UETA. ESIGN requirements and limitations that go beyond the requirements of UETA, such as the requirement for preconsent consumer disclosures under ESIGN Section 101(c), or the additional exemptions from coverage in ESIGN, could be ignored. However, because of the wide variety of federal writing requirements affecting commerce, and the desire of most businesses to create a single functional process that is valid across a wide variety of jurisdictions, compliance with ESIGN’s additional requirements and limitations is advisable in almost all cases.

If the parties to an electronically effectuated transaction want to operate under UETA but are located in different states, one of which has adopted UETA while the other has not, they will be confronted with interesting choice of law questions, some of which are not resolvable by contract provisions specifying applicable law. Where one party to the transaction is a consumer as defined in ESIGN, the safer course may be to provide the consumer consent disclosures required by ESIGN. A number of states enacting UETA have at the same time enacted the ESIGN consumer consent provisions as part of state law. Since such provisions are not inconsistent with the provisions of ESIGN, they would obviously not be preempted by ESIGN.[17]

2. State enacts UETA substantially as reported by NCCUSL, but makes stylistic changes

In this scenario, the state has enacted UETA substantially as reported by the NCCUSL, but with stylistic changes to comport with the state’s legislative drafting practices. If these changes do not affect the substance of UETA as reported, the congressional objectives in enacting the preemption provisions would still be satisfied, and there would be no reasonable basis for denying the benefits of the exemption from preemption.

3. State enacts UETA substantially as reported by NCCUSL but adds provisions

If a state adds amendments to the official text that are minor and do not affect the substance of UETA, then it would seem appropriate to treat the core text of UETA as having been enacted “as reported” by the NCCUSL, thus conferring on the adopted version of UETA the benefits of exemption from the ESIGN preemption provisions. The minor additions could be considered separate enactments of the legislature, not exempt from preemption, and subject to analysis under the standards of Section 102(a)(2) of ESIGN.

© 2005 Glasser LegalWorks, Vol. 9, No. 8

On the other hand, if the additions to UETA are sufficiently substantial or are so integrated into the text of UETA as to change the meaning of UETA, then the adoption as a whole should be preempted, to the extent it fails to meet the Section 102(a)(2) standards. The congressional objective in enacting ESIGN along with the special exemption for the text of UETA “as reported” was to create a national standard. If states choose to substantively modify the reported text of UETA, they should not expect their enactment to be accorded deference or to have the courts pick through their versions to extract those parts that are not modified and give them special status outside the ordinary preemption standard set out in Section 102(a)(2). ESIGN places a high value on national uniformity, and in enacting it Congress did not want to subject persons doing business electronically to the expense and uncertainty of parsing what parts of a state law are preempted and what parts are not.

4. State enacts UETA but omits provisions

If a state enacts UETA but omits significant or vital portions of it, then it surrenders the right to claim the benefits of an exemption from the preemption provisions of ESIGN. Minor omissions from the reported text may perhaps be tolerated without damaging the public policy objectives of ESIGN. However, as in the case of substantive additions, substantive omissions from the official text frustrate the goal of an easily understood national standard and promote a reversion to the patchwork of state laws which ESIGN attempts to avoid. Thus, if a state enacts UETA with more than minor, nonsubstantive omissions, the entire state enactment should be subject to the preemption provisions of Section 102(a)(2) of ESIGN.

Prohibition of Exceptions to UETA and Circumvention of ESIGN

Congress demonstrated its intent to preserve the right of parties to do business under a uniform set of nationwide rules by preempting the right of states to adopt variations of UETA which would mar the uniform standard created by ESIGN. First, it barred states from enacting any exceptions to the official text of UETA as reported, despite the fact that UETA itself, in Section 3(b)(4), provides for the right of states to enact exceptions.

It is this very provision, and the exercise of it by early enactors like California, that led Congress to enact ESIGN, because the use of the exception power under UETA threatened to deprive large swaths of commerce of the benefits which UETA seeks to confer.

As a further demonstration of its intent to use its preemption powers to prevent states from burdening the electronic delivery of goods and services in interstate commerce, Congress specifically closed what might have been another loophole in UETA that would have reintroduced requirements for nonelectronic delivery methods. Section 8(b)(2) of UETA provides that if another law requires that a record be delivered by a method which may not be electronic, that method must be used. In Section 102(c) of ESIGN, Congress left in place any state law requiring specific, nonelectronic delivery requirements which were enacted as of the date of ESIGN’s passage, but prohibited the use by states of UETA Section 8(b)(2) to impose new, nonelectronic delivery requirements to circumvent ESIGN. Congress also took steps to limit the discretion of state regulators beyond the limitations imposed by UETA, which permits state regulators to reimpose writing requirements for purposes of record retention. ESIGN eliminates that authority, for the most part.

These provisions reflect a congressional policy decision to protect electronic signatures and records from parties hostile to the electronic delivery of certain products and services to consumers. These parties were largely responsible for persuading the California legislature to exclude consumer transactions from the California UETA and were successful in persuading the Clinton administration to oppose enactment of ESIGN when it was considered in the House of Representatives. Congress considered the arguments advanced by these groups at length and provided in ESIGN specific consumer protections to promote understanding of the nature of the electronic contracting process; nevertheless, some of these parties continued to argue that certain consumer transactions should be outside ESIGN procedures. Recognizing that these parties might seek to use state enactment of UETA as a forum to raise these issues again, Congress determined to preempt this possibility.

This context is important to understanding congressional intent not only vis-à-vis UETA, but generally when it exercised its preemption powers under ESIGN. It was aware of the hostility on the part of some to what ESIGN was designed to accomplish, and it sought to use its power of preemption to head off state law provisions which would thwart its purposes. When it wants to defer to the states to enact stronger consumer protections, Congress has demonstrated that it knows how to do so. For instance, the Truth-in-Lending Act preempts state laws that impose lesser standards upon lenders, but sets up a procedure to allow states to enact stronger consumer protections.[18] The Real Estate Settlement Procedures Act (RESPA) preempts state laws which are inconsistent with it, but only to the extent of the inconsistency.[19] In enacting ESIGN, Congress took the extraordinary step of specifically exempting UETA from preemption, but then closed off states’ ability to impose alternative procedures or requirements inconsistent with a uniform, nationwide set of rules for the use or acceptance of electronic records or electronic signatures.

Enforceability of Statutes and Regulations Other Than UETA That Address Electronic Records and Signatures

If state laws other than UETA attempt to modify, limit, or supersede ESIGN by specifying alternative procedures or requirements for the use or acceptance of electronic records or signatures to establish the legal effect, validity, or enforceability of contracts or other records, then those alternative procedures or requirements must be consistent with Titles I and II of ESIGN.

The preemption language used and the context in which it is used indicate an intent by Congress to occupy the field, leaving very little flexibility to the states to add to or to subtract from federal electronic signature requirements. ESIGN’s provisions overlay and override any state law in effect as of the date of ESIGN’s enactment, and if any state thereafter seeks to enact a new law which would affect the provisions of ESIGN, the state statute must declare its intent to amend ESIGN and must conform to the strictures set out in ESIGN regarding inconsistent alternative procedures or requirements. To the extent that any state enactment touches the field occupied by ESIGN or UETA, the intent of Congress is to preempt such law if it is inconsistent with ESIGN. For all practical purposes, while a state may enact new laws touching on electronic signatures and records, these laws will be preempted if they impede parties’ rights to use the uniform national procedures prescribed by ESIGN or UETA.

Section 102(a)(2)(A)(ii) provides that, in general, a state may not adopt requirements which accord greater legal status or effect to the implementation or application of a specific technology or technical specification for performing the functions of creating, storing, generating, receiving, communicating, or authenticating electronic records or electronic signatures. There are exceptions for certain state functions and activities.

A particularly complex issue is raised by additions to UETA, or to any other state electronic record and signature law, that address issues on which ESIGN is silent. For example, a state might provide that UETA’s default rules on sending and receipt may not be varied by agreement in consumer transactions. ESIGN is silent on the subject of sending and receipt, except for its implicit endorsement of the default rule in UETA, which allows variation by agreement. Under the general principles of federal preemption, such a special rule should be permissible so long as it is not an obstacle to the accomplishment of Congress’s objectives.[20] Of course, to a certain extent any variation from the official text of UETA or ESIGN frustrates the objective of a uniform national law. But if that was an overriding objective of Congress, then the special deference shown to UETA and other consistent state enactments would not be in the statute at all.

The fact that Congress permits state alternatives to supersede ESIGN suggests that Congress left to the states the opportunity to fine-tune electronic record and signature laws around the edges. Under this reading of ESIGN, one must assess the extent to which the amendment serves either to facilitate and clarify the use of electronic records or signatures, or conversely, attempts to establish new burdens or roadblocks. Additional rules which add complexity, or new or state-specific burdens that do not also apply to paper transactions, should be preempted as obstructionist. On the other hand, additional rules that simply clarify, or attempt to provide a protection analogous to one which already exists for equivalent paper transactions, should not.

An Interpretation of How ESIGN and State Electronic Signature Laws Interact

It is not unreasonable to argue that even in states where UETA or another electronic record statute is appropriately adopted, if parties were to choose simply to conform their conduct to the requirements of ESIGN, the validity of their electronic signatures and records should be beyond challenge. It is clear that Congress intended to establish a national baseline for use of electronic records and signatures. As a matter of policy, it would be reasonable to permit parties to comply with the provisions of ESIGN and operate across the United States without the need to analyze electronic record and signature laws on a state-by-state basis.[21]

Some would argue that militating against this interpretation is the language from ESIGN Section 102(a) permitting a state to “modify, limit or supersede” ESIGN. The use of the verb “supersede” may suggest to some that UETA, or another consistent state law, replaces ESIGN with respect to state statutes, regulations, and common law. However, such a reading is not compelled by the language of ESIGN. Congress sought to create a national standard in ESIGN while permitting states to adopt UETA and other alternatives to ESIGN that are “not inconsistent with” the federal statute. To the extent necessary to give those laws effect in states that adopt them, Congress permitted the states to supersede the preemptive provisions of ESIGN. However, to argue that in doing so Congress intended to grant the states “reverse preemption” authority, allowing them to supplant all of ESIGN in areas within the state’s jurisdiction, is to take a step too far. It is not necessary to read congressional deference to UETA (and other state laws “not inconsistent with” ESIGN) as a surrender of authority to the states to replace the congressionally established national rules embodied in ESIGN. The better view would be that Congress chose to allow certain limited state alternatives to ESIGN to exist alongside ESIGN and be available to parties whose transactions fall within the jurisdiction of any state that chooses to enact such alternatives. Parties conducting electronic transactions in a national market need not advert to the various states’ alternatives when using electronic records, but rather can, if they choose, simply comply with the national rules embodied in ESIGN.

As a practical matter, however, the differences between the two approaches are probably minimal; one assumes that ESIGN is always available and the other assumes the precedence of UETA or other consistent state law. Most of the operative provisions in ESIGN Section 101 are intended to mirror, either in language or in result, equivalent provisions in UETA.

Specific Exceptions to Preemption

Because it was adopting an overlay statute that had universal applicability to federal and state laws and contained a strong preemption standard, Congress thought carefully about what types of laws should not be subject to the provisions of ESIGN. Section 103 of ESIGN sets out specific types of laws excepted from the provisions of Section 101 of ESIGN. The exception of specific state laws from the operation of ESIGN is a further indication of the congressional intent to adopt a strict preemption standard with respect to any other state laws that might be at variance with the purposes of ESIGN.

Regulatory Interpretations of State Law and ESIGN

Section 104 of ESIGN acknowledges that state agencies may have authority under state law to issue orders or guidance regarding the interaction of a state statute and ESIGN. Congress did not prohibit the issuance of such guidance but provided that a state regulatory agency is preempted by Section 101 of ESIGN from adopting any regulation, order, or guidance unless:

• Such regulation, order, or guidance is consistent with Section 101 of ESIGN; it does not add to the requirements of Section 101; the agency finds, in connection with issuance of the regulation, order, or guidance, that there is a substantial justification for such issuance; and

• The methods selected to carry out the purpose of the regulation are substantially equivalent to the requirements imposed on records that are not electronic records, and will not impose unreasonable costs on the acceptance and use of electronic records; and the method selected to carry out the purpose of the rule or regulation does not require, or accord greater legal status or effect to, the implementation or application of a specific technology or technology application.

Section 104(b)(3) permits a state regulatory agency to interpret Section 104(d) of ESIGN to specify performance standards to assure accuracy, record integrity, and accessibility of records that are required to be retained, if the performance standard serves an important governmental objective and is substantially related to the achievement of that objective, including a requirement that a record be in tangible printed or paper form if there is a compelling government interest relating to law enforcement and national security for imposing such a requirement and such requirement is essential to attaining that interest. Even in such a case, however, state regulatory agencies have no authority to impose or reimpose requirements that a record be in tangible, printed, or paper form.

Such restrictions demonstrate the intent of Congress to hold state agencies to a very high standard if they seek to interpret or amplify upon the provisions of ESIGN. When read in connection with the preemption language contained in Section 102 of ESIGN, congressional intent to protect the uniform national rules spelled out in ESIGN is clear. The substantive and procedural requirements spelled out in Section 104 for state agencies provide clarification and amplification of the general preemption language contained in Section 102.

A Longer Perspective on ESIGN Preemption

In addition to its desire to protect and promote a national set of rules related to electronic signatures and records, Congress may have felt comfortable establishing a strong set of preemption rules under ESIGN because all transactions covered by ESIGN are contemplated to be voluntary, that is, the parties have the option to use electronic signatures and records, but are not compelled to do so. In preempting the ability of states or state agencies to impose or reimpose tangible record requirements, Congress reserved to the people the freedom to voluntarily conduct their business in an electronic environment, free from unreasonable interference by either state or federal authorities.

Whenever Congress preempts state law, it evokes the historic tensions that have existed in the American federal form of government since its earliest days.[22]

However, what is most interesting about ESIGN preemption is that it is arguably responsive to both the Hamiltonian and the Jeffersonian sides of the federalism debate. The federalist or Hamiltonian view that the federal government should foster commerce and one national economy by establishing national standards runs through ESIGN, with its emphasis on promoting new technology in the context of a borderless, national set of rules for electronic signatures and records. Simultaneously, the Jeffersonian view that freedom is best served if power is reserved to the people is also fostered by the ESIGN preemption provisions, with the right of the people to contract electronically fostered and protected from interference by both state and federal authorities.

As time goes by it can be expected that UETA will be enacted in most states. Ultimately, UETA and ESIGN will stand side by side, the principal difference in most states being that ESIGN requires more extensive consumer disclosures and UETA spells out specific delivery and receipt rules. However, even after UETA is adopted by a state, UETA and ESIGN will continue to have an interactive relationship, since the preemption provisions of ESIGN will continue to protect UETA from encroachment by subsequent state enactments or rulemaking related to electronic signatures and records which might interfere with the national uniform standards envisioned by both statutes.

Notes:

1. See Wachovia Bank, N.A. v. Watters, 334 F. Supp. 2d 957 (W.D. Mich. 2004), appeal docketed, No. 04-2257 (6th Cir. Oct. 14, 2004); Wachovia Bank, N.A. v. Burke, 319 F. Supp. 2d 275 (D. Conn. 2004).

2. S. 2973, 108th Cong. (2004) (introduced by Sen. Corzine); H.R. 5251, 108th Cong. (2004) (introduced by Rep. Frank).

3. 15 U.S.C. § 7001 et seq. (2000).

4. Jeremiah S. Buckley et al., The Law of Electronic Signatures and Records (Glasser LegalWorks, 2004).

5. U.S. Constitution, Article VI, cl. 2.

6. See Pacific Gas and Electric Co. v. State Energy Resources and Development Comm’n, 461 U.S. 190, 203–04 (1983); Fidelity Federal Savings and Loan Ass’n v. de la Cuesta, 458 U.S. 141, 152–53 (1982) (hereafter, “de la Cuesta”).

7. See de la Cuesta, 458 U.S. at 153. See also Barnett Bank of Marion County, N.A. v. Nelson, 517 U.S. 25, 31 (1996) (“A federal statute, for example, may create a scheme of federal regulation ‘so pervasive as to make reasonable the inference that Congress left no room for the States to supplement it.’” [citations omitted]).

8. See Barnett Bank, 517 U.S. at 31–37 and cases cited therein; de la Cuesta, 458 U.S. at 153–156, 159 and cases cited therein. See also Silkwood v. Kerr-McGee Corp., 464 U.S. 238, 248 (1984).

9. de la Cuesta, 458 U.S. at 153–54.

10. ESIGN § 101(a), 15 U.S.C. § 7001(a).

11. U.S. Constitution, Article I, Section 8, Clause 3.

12. Katzenbach v. McClung, 379 U.S. 294, 85 S. Ct. 377, 13 L. Ed. 2d 290 (1964).

13. United States v. Michael R., 90 F.3d 340 (9th Cir. 1996).

14. United States v. Payne, 841 F. Supp. 810 (S.D. Ohio 1994), aff’d, 59 F.3d 171, cert. denied, 516 U.S. 935, 116 S. Ct. 347, 133 L. Ed. 2d 243.

15. For example, California’s adoption of UETA expressly excepted dozens of consumer protection statutes. See Cal. Civil Code § 1633.3(b) (West 2000).

16. According to the National Conference of Commissioners on Uniform State Laws, forty-three states have already adopted UETA and six have introduced bills for its adoption. See http://www.nccusl.org/nccusl/uniformact_factsheets/uniformacts-fs-ueta.asp.

17. This assumes that when the ESIGN consumer consent provisions were adopted, the adoption included all the relevant limitations contained in ESIGN.

18. 15 U.S.C. § 1667e (2002).

19. 12 U.S.C. § 2616 (2002).

20. See Barnett Bank, 517 U.S. at 31–37 and cases cited therein; de la Cuesta, 458 U.S. at 153–156, 159 and cases cited therein. See also Silkwood v. Kerr-McGee Corp., 464 U.S. 238, 248 (1984).

21. While the language of parallel provisions of ESIGN and UETA differs in certain respects, the differences are minor and arguably irrelevant. In the limited circumstance, if any, where a variation in language between the provisions of ESIGN and UETA might render compliance with ESIGN insufficient to satisfy the requirements of UETA, parties doing business in a state that has adopted UETA need only look to UETA and no other state law to determine whether they have properly effectuated their transaction electronically.

22. In this regard, the preemption provisions of ESIGN may be of interest to constitutional historians for two reasons: first, because of the unique interplay between state and federal law that grows out of the specific exception of UETA from the preemption scheme, and second, because of the more subtle issues of federalism addressed in the ESIGN preemption arrangements.


BITS last reported in this publication in October of 2003 on “Preparing the US Financial Industry for Crisis.”[1] Happily, since that time, we have not had to set the BITS[2] Crisis Management Coordination process fully in motion. We have, however, had occasion to launch components of the process. Crisis management plans must be fluid, continually adapting to the ever changing threat landscape in which we find ourselves. Events in 2004—such as the hurricanes and the regional/sector-specific escalation of the Homeland Security Alert Level—afforded us an opportunity not only to implement our crisis management process but also to measure our performance. Our performance strengthened our resolve to continue to analyze our vulnerabilities, identify mitigants and adapt our crisis management coordination plans accordingly.

The financial industry’s threat landscape is deep and broad, encompassing both human-made and natural disasters. BITS continues to focus on the following areas of vulnerability:

• Dependencies on other critical infrastructures—most notably, telecommunications and energy;

• Events that may require a response from a “regional” coalition; and

• Cyber threats and information security.

Dependencies on Other Critical Infrastructures

Two seminal events—September 11, 2001, and the Blackout of 2003—vividly demonstrated the financial sector’s dependency on two critical sectors: telecommunications and energy. Since the publication of the Interagency Paper on Sound Practices to Strengthen the Resilience of the US Financial System in April 2003 and the Federal Financial Institutions Examination Council’s IT Examination Booklet on Business Continuity Planning in March 2003 by federal financial regulators, BITS has worked to identify and mitigate our vulnerabilities within these sectors and enhance our sector’s recoverability in the event of a crisis.[3]

Telecommunications

We first reported in our October 2003 article on a first-of-its-kind collaboration between BITS and the telecommunications industry. The cooperation between these two sectors has been unprecedented. Financial institutions have significant dependence on reliable, resilient and diverse telecommunications services and must comply with regulatory and supervisory requirements. Shortly after the September 11, 2001, attacks, the financial services industry, through BITS and other organizations, set out to mitigate unacceptable risks by engaging the telecommunications industry in dialogue on how best to assure sufficient levels of diversity, recoverability, redundancy, and resiliency from its telecommunications service providers. This took place in the context of financial institutions’ reviewing their business continuity plans to reflect the heightened risks posed by terrorism and evolving regulatory requirements. This dialogue culminated in the publication of the BITS Guide to Business-Critical Telecommunications Services (the Guide). The full Guide can be downloaded from www.bitsinfo.org under Publications.

The Guide provides financial institutions with industry business practices for understanding and managing risks associated with essential telecommunications services. It is written primarily to guide business managers, continuity planners and other risk managers—from CEOs to procurement experts—as they analyze risks, conduct due diligence, contract for telecommunications services, and integrate evolving regulatory requirements into business continuity plans.[4]

The Guide highlights key considerations and poses questions business continuity planners and other risk managers should ask themselves and their service providers, taking into account regulatory requirements and changes in the marketplace. The Guide includes a full set of questions that serve as a starting point for a rigorous examination of a financial institution's business continuity strategy for telecommunications needs. Additionally, the questions serve as considerations in procuring adequate levels of service from telecommunications service providers. Answering the questions will help individual financial institutions achieve the necessary levels of diversity, recoverability, redundancy, and resiliency of critical telecommunications services.


Adapting to the Threat Landscape: BITS Crisis Management Coordination

By John W. Carlson and Teresa C. Lindsey

Ms. Lindsey ([email protected]) is BITS's Chief of Staff with primary responsibility for finance and operations in addition to leading BITS's Crisis Management Coordination (CMC) efforts (http://www.bitsinfo.org). Mr. Carlson ([email protected]) is a Senior Director at BITS, responsible for co-leading CMC efforts with Ms. Lindsey. Mr. Carlson also has primary responsibility for BITS's telecommunications efforts, and leads the organization's Security and Risk Assessment initiative.


February 2005 © 2005 Glasser LegalWorks

Energy

When the lights went out in the northeastern United States in August of 2003, the nation's financial services sector withstood the massive power outage with little or no disruption. However, as BITS sifted through the lessons learned from the experience, it became clear that there was a gap in our understanding of the physical reality of the national structure of the power grid. Understanding the grid is key to the development of financial institutions' business continuity plans regarding alternate and back-up power. During its June 2004 educational forum BITS focused one session on the energy sector with panels on the power grid, backup options, and cross-sector communications.

The panel on backup options generated tremendous interest and resulted in a commitment from the Critical Power Coalition (CPC)[5] to join forces with BITS and experts from our member companies to produce a best practices or standards guide for the secure and continuous supply of electric power suitable for the financial services sector. The collaborative process, which will be launched in February of this year, is intended to yield best practices covering:

• Power realities

• Technology issues (best currently available and future options)

• Economic issues

• Maintenance and operational considerations

• Regulatory challenges

Regional Coalitions

More and more we are recognizing that physical terrorist attacks and destructive forces of nature have localized or regional implications. It makes sense then for financial services firms located in close geographic proximity to collaborate and cooperate on issues related to business continuity. Two examples of regional coalitions can be found in the city of Chicago and in the state of Minnesota.

It is important to note that regional coalitions are not substitutions for national initiatives such as the Financial Services Sector Coordinating Council (FSSCC)[6] or the Financial Services Information Sharing and Analysis Center (FS/ISAC). Regional coalitions should augment existing information sharing efforts.

Chicago

Throughout 2003, a dedicated group of individuals from financial services firms in the Chicago area—in collaboration with city, state and federal officials—worked together to form a regional coalition known as ChicagoFIRST.[7] The decision to form ChicagoFIRST was prompted by a consensus that existing activities did not adequately address the critical infrastructure protection concerns of Chicago's financial institutions.

In July 2003, BITS was asked to provide ChicagoFIRST with interim support. BITS provided facilitation and expertise in crisis management coordination. ChicagoFIRST provided thought leadership, commitment and responsiveness. In exchange for the resources BITS devoted to ChicagoFIRST, BITS was allowed to document the process and develop a “lessons learned” publication so that the ChicagoFIRST experience could be replicated in other regions. The handbook—Improving Business Continuity in the Financial Services Sector: A Model for Starting Regional Coalitions[8]—is the result of a collaborative effort, funded by the United States Department of the Treasury and co-authored by BITS, The Boston Consulting Group (BCG), and ChicagoFIRST.

This document first tells the story of the “start up” of ChicagoFIRST, focusing on a core set of questions:

• Why and how did ChicagoFIRST take shape?

• Who joined? When? Why?

• What was the group's agenda?

• How did they organize to achieve it?

• What results have been achieved?

• What were the most important resources and contributions that drove the start up's success?

• What were the reactions of participants to the experience?

The answers to these questions form a solid roadmap for financial services firms in other regions to follow if they wish to replicate ChicagoFIRST's success. Further, a set of “key success factors” emerges from this example. Some combination of these factors will need to be present for a regional coalition to succeed. To be successful, a regional coalition should:

• Have senior, dedicated and determined leadership at the outset.

• Arrange for support and involvement of key federal agencies to help jumpstart progress.

• Obtain “buy-in” and support of local authorities.

• Ensure that the private sector understands the public sector and vice versa.

• Stay focused on a prioritized and practical agenda with concrete, identifiable goals.

• Rely on a trusted third party for interim project management support.

• Steadily increase participant involvement and commitment over time.

• Appreciate the benefits of establishing an informal network to support business continuity and disaster recovery across the financial services sector.


© 2005 Glasser LegalWorks VOL. 9, NO. 8

Using the ChicagoFIRST experience and the key success factors that were gleaned from it, the handbook concludes by outlining the steps necessary to adapt and apply the model to other regions.

Minnesota

The Minnesota Information Sharing and Analysis Center[9] (MN-ISAC) is a private-public partnership for critical infrastructure protection. One of the ways it is differentiated from the ChicagoFIRST model is that its membership is not limited to financial services firms. The MN-ISAC's goal is to create a model for the partnership of the private critical infrastructure sectors and government entities for the purpose of protection and resilience of the regional and national economy. Their two key objectives are to:

1. Establish information sharing and analysis between businesses in Minnesota, particularly those that are a part of the critical infrastructure of the United States or critical to the local, regional, or state economy; and

2. Create the interface and structure by which information sharing and coordination can occur between critical infrastructure organizations and officials in federal, state, and local governments before, during, and after an emergency.

The Treasury Department supports the concept of regional coalitions and will work with interested parties to facilitate their formation. For more information, please contact the Office of Critical Infrastructure Protection and Compliance Policy at (202) 622-2602 or by e-mail at [email protected].

Cyber Threats and Information Security

Our nation's economic and national security relies on the security of information technology. This security depends on the reliability, recoverability, continuity, and maintenance of information systems. The issue of secure information technology has a direct and profound impact on both the government and private sectors, and includes the nation's critical infrastructure. The security and reliability of information systems are increasingly linked to consumer and investor confidence. Members of the user community—private sector companies, universities and government agencies—that rely on information technology provided by the IT industry are demanding greater accountability for the security of IT products and services.

BITS is involved in numerous efforts to address cyber security and protect the nation's critical infrastructure. BITS is focusing on the following top three approaches to advance cybersecurity:

1. Urge major software vendors to address the BITS/FSR software security business requirements;

2. Combat on-line fraud and identity theft and explore appropriate authentication strategies; and

3. Support efforts to develop meaningful software product certification programs.

In addition, BITS continues to educate policy makers on cyber security risks and steps that can be taken to protect the nation's critical infrastructure.

Urge major software vendors to address the BITS/FSR software security business requirements. In April 2004, BITS and The Financial Services Roundtable (FSR) announced a joint policy statement calling on the software industry to improve the security of products and services it provides to financial services customers. The policy statement calls on software providers to accept responsibility for their role in supporting financial institutions and other critical infrastructure companies. BITS and the Roundtable support incentives (e.g., tax incentives, cyber-insurance, liability/safe harbor/tort reform, certification programs) and other measures that encourage implementation of more secure software development processes and sustain long-term research and development efforts to support stronger security in software products. (The BITS/FSR Software Security Business Requirements are attached to the April 2004 BITS/FSR Software Security Policy statement which is available at http://www.bitsinfo.org/bitssoftsecuritypolicyapr04.pdf.) In addition, BITS is working with major software vendors to discuss business requirements. In June 2004, BITS announced it had successfully negotiated with Microsoft to provide additional support to BITS member companies for Windows NT. We have provided Microsoft and other software and hardware companies with the Software Security Business Requirements. BITS members agree that these requirements are critical to the soundness of systems used in the financial services industry. BITS also is working with or has plans in early 2005 to work with Cisco, IBM and RedHat on software security issues.

Combat on-line fraud and identity theft and explore appropriate authentication strategies. BITS is involved in supporting the pilot of the BITS/FSR Identity Theft Assistance Center (ITAC), developing the BITS Phishing Prevention and Investigation Network, and focusing on authentication practices and strategies.

The ITAC is a one-year pilot program intended to help victims of identity theft by streamlining the recovery process and enabling law enforcement to identify and prosecute perpetrators of this crime. ITAC is an initiative of The Financial Services Roundtable and BITS, which represent 100 of the largest integrated financial services companies. Fifty BITS and Roundtable Members are participating and funding the ITAC pilot program as a commitment to their customers and to maintain trust in the nation's financial services system. The ITAC's services are free-of-charge to customers and made available based on referrals to the ITAC by one of the 50 members of the ITAC pilot program. BITS has also published several business practices guidelines and white papers on various aspects of identity theft and fraud reduction strategies.

The BITS Phishing Prevention and Investigation Network (Network) has three primary purposes. First, the Network helps financial institutions shut down on-line scams. Second, it aids in investigations of scam perpetrators by providing law enforcement with trend data. Law enforcement agencies can use the data to build cases and stop scamming operations. Finally, the BITS Network facilitates communication among fraud specialists at financial institutions, law enforcement agencies, and service providers, resulting in a “united front” for combating on-line scams. Financial institutions can also use the BITS Network to share information about on-line scams. Through its searchable database, fraud professionals at BITS member institutions learn from other institutions' phishing incidents and responses. The database provides quick access to contacts at law enforcement agencies, foreign governmental agencies, and ISP administrators. Founded under the auspices of the BITS eScams Subcommittee of the BITS Internet Fraud Working Group, the Network is hosted by the Financial Services Information Sharing and Analysis Center (FS/ISAC). Resources to develop the Network were contributed by Microsoft Corporation and RDA Corporation.

On March 8, 2005, BITS will host a forum entitled “A Strategic Look at Authentication” in Washington, DC. Authentication issues have emerged in a number of BITS's working groups. This strategic forum will focus on the following issues: business issues that drive the need for authentication; business challenges to implementation; public policy implications; and emerging technologies in the authentication area.

Support efforts to develop meaningful software product certification programs. The BITS Product Certification Program (BPCP) is an important part of our work to address software security. The BPCP provides product testing by unbiased and professional facilities against baseline security criteria established by the financial services industry. A product certification, the BITS Tested Mark, is awarded to those products that meet the defined criteria. An option is available for technology providers to meet the product certification requirements via the internationally recognized Common Criteria certification schema. BITS has initiated discussions with DHS to support efforts to enhance product certification programs, including the Common Criteria program run by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST). DHS has expressed support for broad-based, not sector specific, certification programs. Moreover, DHS wants “buy in” from the broader user community. Consequently, BITS has been in discussions with The Business Roundtable, NIST, and the Cyber Security Industry Alliance (CSIA) to develop a joint proposal.

What the Government Can Do

Broadly speaking, the federal government can play an important role in strengthening cyber security. The following seven key elements—Promotion, Responsibility, Education, Procurement, Analysis, Research, and Enforcement, or PREPARE for short—that the US government should support will help us PREPARE to better secure information technology:

Promotion. Government can play an important role in promoting the importance of secure information technology. Also, government should do more to facilitate collaboration among critical infrastructure sectors and government. Some sectors such as financial services are heavily regulated and supervised to ensure that customer information is protected and that financial institutions operate in a safe and sound manner.

Responsibility. Producers of software and hardware should be accountable for the quality of their products. Government can play an important role in establishing incentives.

Education. Communicate to all users of information technology the importance of safe practices. Public confidence in e-commerce and e-government is threatened by malicious code vulnerabilities, on-line fraud, spam, spyware, etc. Ensuring that users (home users, businesses of all sizes, government) are aware of the risks and take appropriate precautions is an important role for government and the private sector.

Procurement. Using its purchasing power and leveraging security requirements and best practices developed by public and private sectors, government can play an important role in encouraging the information technology industry to deliver and implement more secure information technology systems.

Analysis. Government should collect information and analyze the costs and impact of information security risks, vulnerabilities and threats and provide this analysis to policy makers.

Research. Government can play an important role in funding research in the development of more secure software development practices, testing and certification programs. In addition, training future generations of programmers and technicians and business leaders that understand and manage information security can be accomplished by establishing university and educational/certification programs. Government can help by facilitating collaboration with the users and suppliers of information technology to develop standards for safe practices.

Enforcement. Law enforcement must do more to enforce, investigate and prosecute cyber crimes here and abroad.


Conclusion

Coordinating efforts during a crisis is one of BITS's core competencies. We do not tire of—nor shy away from—our responsibility to our member companies. We remain vigilant in our watch. As the threat landscape shifts, we strive to be flexible, adaptable, and effective. By identifying key dependencies, working with other sectors, and by working better together we are helping our member companies and other critical infrastructure sectors to respond to the changing risk environment. Much more work needs to be done, but a plan is in place.

More on BITS

BITS's mission is to serve the financial services industry's needs at the interface between commerce, technology and financial services. Its work in crisis management coordination, cybersecurity, operational risk, critical infrastructure protection, and fraud reduction is shared not only among member companies but throughout the financial services sector. When it is appropriate, BITS works with other critical infrastructure sectors, government organizations, technology providers, and third-party service providers to accomplish its goals.

Among its accomplishments, BITS has set industry-wide technology standards and business requirements for enhancing security, managing vendors, and reducing fraud. BITS's results typically take the form of industry best practices, guidelines, and research. Recent accomplishments have included best practices for preventing and reducing Internet fraud and managing cross-border outsourcing. For more information about BITS, go to www.bitsinfo.org.


Notes:

1. “Preparing the US Financial Industry for Crisis: BITS Crisis Management Coordination,” Electronic Banking Law and Commerce Report, October 2003, by John W. Carlson and Teresa C. Lindsey.

2. BITS is the sister organization to The Financial Services Roundtable. Its focus is on business and emerging technology issues for the CEOs, CIOs and CTOs at 100 of the largest financial institutions in the US.

3. The sound practices paper is available at http://www.occ.treas.gov/ftp/bulletin/2003-14a.pdf. The FFIEC booklet is available at http://www.ffiec.gov/ffiecinfobase/booklets/bcp/bus_continuity_plan.pdf.

4. This document is intended only to provide suggestions on business objectives, not to provide legal advice. An appropriate legal professional should be engaged to provide such advice on a case-by-case basis.

5. The Critical Power Coalition (CPC) was formed by leading providers and users of critical-power products and services. For more information visit http://www.criticalpowercoalition.org/index.html.

6. The FSSCC was created to foster and facilitate financial services sector-wide voluntary activities and initiatives designed to improve critical infrastructure protection and homeland security. For more information visit www.fsscc.org.

7. For more information about ChicagoFIRST visit https://chicagofirst.org/.

8. The handbook is available at https://chicagofirst.org/press/2004/handbook.pdf.

9. For more information on MN-ISAC, visit http://mnisac.org.

Selected Regulatory Developments

By Scott A. Anenberg

Banking Agencies, SEC Issue Final Rules on Disposal of Consumer Information

The federal bank and thrift regulatory agencies (the Banking Agencies)[1] on December 28, 2004, issued a final rule implementing section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). Among other things, section 216 requires each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that the institution properly disposes of consumer information. The rule amends the Interagency Guidelines Establishing Standards for Safeguarding Customer Information to require that a financial institution dispose of “consumer information” derived from a consumer report in a manner consistent with the requirements that currently apply to the disposal of “customer information.” The amended Guidelines are renamed the “Interagency Guidelines Establishing Standards for Information Security” (Guidelines) to reflect their broader scope.

Scott Anenberg ([email protected]) is a partner in the Financial Institutions Group in the Washington, D.C. office of Shaw Pittman LLP (http://www.shawpittman.com). He represents foreign and domestic financial institutions on a wide variety of regulatory and compliance issues.

The amended Guidelines define consumer information as “any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of [an institution] for a business purpose,” including “a compilation of such records.” Examples of consumer information include:

• a consumer report that a bank obtains;

• information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of sharing;

• information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan;

• information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or

• information from a consumer report that the bank obtains about an employee or prospective employee.

The Guidelines expressly exclude from the definition of consumer information any record that does not identify an individual. As a result, aggregate information derived from a group of consumer reports or blind data, such as payment history on accounts, that are not personally identifiable would not be subject to the disposal requirements. The Banking Agencies deliberately avoided specifically defining the nature and scope of personally identifiable information, recognizing that there are a variety of types of information apart from an individual's name, account number, or address that, depending on the circumstances or when used in combination, could identify the individual. The Banking Agencies also avoided specifying acceptable or proper methods of disposal. Rather, the amended Guidelines simply state that financial institutions should have appropriate disposal procedures for records maintained in paper-based or electronic form, consistent with guidelines set forth in the FFIEC Information Technology Examination Handbook.

As required by the FACT Act, the Securities and Exchange Commission (SEC) has adopted comparable requirements for entities under its jurisdiction. (The SEC disposal rule applies to brokers and dealers, investment companies, registered investment advisers, and registered transfer agents that possess consumer report information for a business purpose.) The SEC rule requires that covered institutions adopt written policies and procedures to safeguard consumer report information in a manner generally consistent with that required for banks and thrifts. Like the Banking Agencies' rule, the SEC rule is flexible in that it does not establish specific disposal requirements, but rather requires firms to take “reasonable measures” to protect against unauthorized access to or use of covered information in connection with its disposal.

The SEC rule, which was published on December 8, 2004, and must be complied with beginning July 1, 2005, is available at: http://www.sec.gov/rules/final/34-50781.pdf. The Banking Agencies' rule, which also takes effect July 1, 2005, is available at: http://a257.g.akamaitech.net/7/257/2422/06jun20041800/edocket.access.gpo.gov/2004/pdf/04-27962.pdf.

FTC Establishes Criteria for Determining “Primary Purpose” of E-Mail Under New Anti-Spam Law

On December 16, 2004, the Federal Trade Commission (FTC) issued a final rule under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act or the Act) identifying the criteria used to determine the “primary purpose” of an e-mail message for purposes of the Act. Broadly speaking, the CAN-SPAM Act, which took effect January 1, 2004, establishes requirements for those who send commercial e-mail, spells out penalties for spammers and companies whose products are advertised in spam if they violate the law, and gives consumers the right to ask e-mailers to stop spamming them.

Significantly, the CAN-SPAM Act generally applies only to messages that fall within the Act's definition of “commercial electronic mail message,” which is in turn defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service” (emphasis added). The Act also expressly excludes from the definition of “commercial electronic mail message” those messages sent by a company that meet the definition of “transactional or relationship message,” a definition which also focuses on the primary purpose of the e-mail in question.[2] Accordingly, the criteria for determining the primary purpose of a given e-mail are the key factors in establishing whether or not it is covered by the CAN-SPAM Act.

The rule sets forth the following general criteria for determining the primary purpose of an e-mail under the Act:

• For e-mail messages that contain only the commercial advertisement or promotion of a commercial product or service (“commercial content”), the primary purpose of the message will be deemed to be commercial.

• For e-mail messages that contain both commercial content and “transactional or relationship” content, the primary purpose of the message will be deemed to be commercial if either: (1) a recipient reasonably interpreting the subject line of the e-mail would likely conclude that the message contains commercial content; or (2) the e-mail's “transactional or relationship” content does not appear in whole or substantial part at the beginning of the body of the message.

• For e-mail messages that contain both commercial content and content that is neither “commercial” nor “transactional or relationship,” the primary purpose of the message will be deemed to be commercial if either: (1) a recipient reasonably interpreting the subject line of the message would likely conclude that the message contains commercial content; or (2) a recipient reasonably interpreting the body of the message would likely conclude that the primary purpose of the message is commercial. Factors relevant to this interpretation include the placement of commercial content in whole or in substantial part at the beginning of the body of the message; the proportion of the message dedicated to commercial content; and how color, graphics, type size, and style are used to highlight commercial content.

• For e-mail messages that contain only “transactional or relationship” content, the message will be deemed to have a “transactional or relationship” rather than commercial primary purpose.

Practically speaking, financial institutions and others should have little trouble determining the primary purpose of single-use messages. For example, an e-mail promoting a new bank product (and containing no other content) clearly has a commercial primary purpose, and a periodic account statement (that contains no promotional content) clearly has a transactional or relationship primary purpose. In the case of dual-use messages, however, the primary purpose hinges on both objective factors, such as the placement and scope of commercial content relative to non-commercial content within the e-mail, as well as subjective factors like the reasonable interpretation of an e-mail recipient. Dual-use messages will generally require senders to examine the FTC's rule in detail in order to determine the primary purpose of the message, and to determine whether adjustments should be made to avoid categorization as a commercial message subject to the Act.

A copy of the FTC's primary purpose rule is available at: http://a257.g.akamaitech.net/7/257/2422/01jan20051800/edocket.access.gpo.gov/2005/pdf/05-974.pdf.

FDIC Issues Identity Theft Study, Seeks Comment on Possible Guidance

The FDIC on December 14, 2004, issued a study on “account-hijacking,” which outlines the problems associated with this type of identity theft and contains suggestions for reducing online fraud. The study, “Putting an End to Account-Hijacking Identity Theft,” defines account hijacking as the unauthorized access to and misuse of existing asset accounts, typically executed through phishing or computer hacking. The FDIC notes that account hijacking is the fastest growing form of identity theft, and is of particular concern to financial institutions and their customers. The study catalogs the legislative and regulatory responses to this and other types of identity theft, as well as the types of countermeasures taken by financial institutions and their technology service providers, but also calls on both government and industry to do more.

According to the study, account hijacking schemes take advantage of several security weaknesses of current online financial and communications systems, most notably the reliance on single-factor authentication for remote access to online banking and the lack of effective e-mail and Web site authentication systems. The study calls for both government and financial institutions to implement various measures that the FDIC believes will reduce online fraud, including:

• upgrading existing password-based single-factorcustomer authentication systems to two-factorauthentication;3

• using scanning software proactively to identify anddefend against phishing attacks;

• strengthening educational programs to help con-sumers avoid online scams, such as phishing, andtake appropriate action to limit their liability; and

• placing a continuing emphasis on information-shar-ing among the financial services industry, govern-ment, and technology providers.

The FDIC hopes to use the study to formulate guid-ance for bankers later this year, and is therefore solicit-ing public comment on the study until February 11,2005. The full study is available through the FDIC web-site at: http://www.fdic.gov/consumers/consumer/idtheftstudy/index.html. Financial Institution Letter 132-2004, which includes information on the commentrequest, is available at: http://www.fdic.gov/news/news/financial/2004/fil13204.html. �


Notes:

1. The Banking Agencies consist of the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (Board), the Federal Deposit Insurance Corporation (FDIC), and the Office of Thrift Supervision (OTS).

2. For example, the CAN-SPAM Act states that an e-mail will be deemed a transactional or relationship message if its primary purpose is to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender; to provide warranty information or product recall information on a product already purchased by the consumer; or, generally speaking, to relay other types of specific information with respect to products, services, accounts, or agreements which the consumer has purchased or entered into.

3. Three basic categories of credentials generally can be used to authenticate an individual: a password or other piece of information; a token or similar physical item; or a physical characteristic of the individual, such as a fingerprint or voice pattern. The FDIC study calls for authentication systems to move beyond relying simply on passwords or similar information and incorporate a second of the three types of credentials.
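As an added illustration of the two-factor upgrade the study recommends (this is example code, not taken from the FDIC study or from this report), the following Python combines the first two credential categories from note 3: a salted password hash (something the customer knows) and a time-based one-time code produced by a token (something the customer has). The token factor uses the published HOTP/TOTP construction (RFC 4226 and RFC 6238); the user record layout, the parameter values and the secrets are constructed for this example and are not from any real system.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Parameters chosen for this illustration (constructed, not from the FDIC study).
PBKDF2_ITERATIONS = 100_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def enroll_user(password, totp_secret=None):
    """Build a user record holding both factors: a salted password hash
    (something known) and a shared TOTP seed that is also provisioned into
    the customer's token or app (something held).  Hypothetical record layout."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "salt": salt,
        "pw_hash": pw_hash,
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_counter": -1,  # highest TOTP counter already accepted (replay guard)
    }


def verify_password(record, password):
    """Factor 1: recompute the salted hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=TOTP_STEP_SECONDS, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(record, code, at_time, window=1):
    """Factor 2: return the counter the code matched, or None.
    Accepts +/- `window` time steps of clock drift, but never a counter at or
    below the last accepted one, so a code that was captured once cannot be
    replayed inside the drift window."""
    counter = int(at_time // TOTP_STEP_SECONDS)
    matched = None
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if candidate <= record["last_counter"]:
            continue
        if hmac.compare_digest(hotp(record["totp_secret"], candidate), code):
            matched = candidate
    return matched


def authenticate(record, password, code, at_time=None):
    """Both factors are evaluated before any decision, and the replay counter
    is only committed when the login as a whole succeeds."""
    at_time = time.time() if at_time is None else at_time
    pw_ok = verify_password(record, password)        # something known
    matched = verify_totp(record, code, at_time)      # something held
    if not (pw_ok and matched is not None):
        return False
    record["last_counter"] = matched
    return True


if __name__ == "__main__":
    # Constructed demo: the RFC 4226 / RFC 6238 test seed, not a real secret.
    demo_secret = b"12345678901234567890"
    user = enroll_user("correct horse battery staple", totp_secret=demo_secret)
    now = time.time()
    print("login:", authenticate(user, "correct horse battery staple", totp(demo_secret, now), now))
    print("replay:", authenticate(user, "correct horse battery staple", totp(demo_secret, now), now))
```

The point the study makes is that the password alone is the weakness: a phished password fails `authenticate` without the current code, and the `last_counter` guard means even a code phished in real time is good for one login and then expires within the 30-second step. In a deployment the record would live in a datastore with the seed protected at rest, and the drift window and iteration count would be tuned to the institution's policy.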
