Pub. 13 2018-2019 Issue 1

NEBRASKA BANKERS ASSOCIATION

Counselor's Corner — continued on page 14

fundamental best practices ignored by TaxSlayer while keeping abreast of current trends among attackers to minimize their chances of becoming the next big data breach headline.

TaxSlayer Enforcement Action

TaxSlayer developed browser-based tax software services beginning in the 1990s; by 2016, it was filing almost one million tax returns online. [2] Like most online service providers, it allowed users to create an account with a username and password, and then to input "a host of personal information." [3] From October 10, 2015, to December 21, 2015, TaxSlayer was hacked using a list validation attack (credential stuffing), in which attackers replay username and password pairs stolen from other sites against the login page, relying on users reusing the same password. The attack was stopped when the company implemented multifactor authentication. The hackers gained full access to 8,882 accounts. TaxSlayer did not learn of the attack until a user reported suspicious activity to it in January 2016.

As bankers are keenly aware, the GLBA directs federal regulators to implement a "Safeguards Rule" governing the way that financial institutions and certain other companies protect customer data. [4] Banking regulators have issued joint guidance known as the Interagency Guidelines Establishing Information Security Standards. [5] As a tax preparation service, TaxSlayer was subject to the FTC Safeguards Rule, [6] which is largely similar to the Interagency Guidelines.
The FTC Safeguards Rule requires a number of specific protection mechanisms, including:

a. Designating one or more employees to coordinate the information security program.
b. Identifying reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information, and assessing the sufficiency of any safeguards in place to control those risks.
c. Designing and implementing information safeguards to control the risks identified through risk assessment, and regularly testing or otherwise monitoring the effectiveness of the safeguards' key controls, systems, and procedures.
d. Overseeing service providers, and requiring them by contract to protect the security and confidentiality of customer information.
e. Evaluating and adjusting the information security program in light of the results of testing and monitoring, changes to the business operation, and other relevant circumstances. [7]

TaxSlayer violated this rule in three principal ways: it failed to implement a written information security program until November 2015, failed to conduct a risk assessment that would have identified several key data security risks, and failed to implement actual information safeguards to mitigate those risks. [8] Specifically, the FTC said TaxSlayer should have implemented five safeguards. First, it should have required that its customers choose strong passwords. The FTC found that TaxSlayer's lone password requirement (that passwords be between eight and 16 characters in length) "created a risk that attackers could guess commonly used passwords, or use dictionary attacks, to access TaxSlayer online accounts." [9] A length rule alone does not stop a password that is common or already exposed in another breach, and a 16-character ceiling also blocks users from choosing long passphrases. Second, it should have implemented adequate risk-based authentication measures, such as multifactor authentication. Third, it failed to inform users about material
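The two technical points above, the length-only password rule and the list validation attack, as an added example in Python that is not part of the article, the FTC's complaint, or TaxSlayer's own software. The common-password list, the policy thresholds, the IP addresses, and the login events are all constructed for this example; a real deployment would load a large corpus of leaked passwords and read events from its authentication logs.

```python
"""Added example (not code from the article, the FTC, or TaxSlayer).

Part 1 contrasts the length-only password rule the article describes
(8 to 16 characters) with a rule that also rejects common and dictionary
passwords. Part 2 is a small detector for a list validation (credential
stuffing) attack, run over constructed login events. Names, thresholds,
IP addresses and sample data are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a breach/dictionary list; a real deployment would
# load a large corpus of leaked passwords instead of ten entries.
COMMON_PASSWORDS = {
    "password", "password1", "12345678", "123456789", "qwerty123",
    "iloveyou", "letmein", "welcome1", "sunshine", "football",
}


def length_only_policy(pw: str) -> bool:
    """The rule the article describes: 8 to 16 characters and nothing else."""
    return 8 <= len(pw) <= 16


def stronger_policy(pw: str, username: str = "") -> tuple[bool, str]:
    """Minimum length with no 16-character ceiling, plus rejection of
    dictionary passwords, trivial variants of them (case, trailing digits or
    symbols) and passwords that contain the username."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 128:  # bounds hashing cost; long passphrases still pass
        return False, "longer than 128 characters"
    lowered = pw.lower()
    base = lowered.rstrip("0123456789!@#$%^&*")
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return False, "common or dictionary password"
    if username and username.lower() in lowered:
        return False, "contains the username"
    return True, "ok"


def detect_list_validation(events, window=timedelta(minutes=10),
                           min_users=5, max_success_rate=0.25):
    """Flag source IPs that, within one time window, try many distinct
    usernames with a low success rate. That is the shape of a list
    validation attack (one replayed credential pair per account) and not
    the shape of a single user mistyping one password a few times.

    events: iterable of (timestamp, source_ip, username, success).
    Returns {source_ip: {"users": n, "attempts": m, "successes": s}}.
    """
    secs = window.total_seconds()
    buckets = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ts, ip, user, ok in events:
        b = buckets[(ip, int(ts.timestamp() // secs))]
        b["users"].add(user)
        b["attempts"] += 1
        b["successes"] += int(ok)
    flagged = {}
    for (ip, _), b in buckets.items():
        rate = b["successes"] / b["attempts"]
        if len(b["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"users": len(b["users"]),
                           "attempts": b["attempts"],
                           "successes": b["successes"]}
    return flagged


def _t(h, m, s):
    # Constructed timestamps in UTC so the bucket boundaries are deterministic.
    return datetime(2015, 11, 2, h, m, s, tzinfo=timezone.utc)


# Constructed login events: (timestamp, source_ip, username, success).
SAMPLE_EVENTS = [
    # Attacker replaying leaked username/password pairs: one try per account.
    (_t(3, 1, 0),  "203.0.113.7", "jsmith",   False),
    (_t(3, 1, 5),  "203.0.113.7", "mgarcia",  False),
    (_t(3, 1, 11), "203.0.113.7", "tnguyen",  True),
    (_t(3, 1, 16), "203.0.113.7", "rpatel",   False),
    (_t(3, 1, 22), "203.0.113.7", "lchen",    False),
    (_t(3, 1, 27), "203.0.113.7", "dkim",     False),
    (_t(3, 1, 33), "203.0.113.7", "aokafor",  False),
    (_t(3, 1, 38), "203.0.113.7", "bmueller", False),
    # A real user who mistypes twice, then gets in: one account, same IP.
    (_t(3, 2, 0),  "198.51.100.20", "alice", False),
    (_t(3, 2, 20), "198.51.100.20", "alice", False),
    (_t(3, 2, 40), "198.51.100.20", "alice", True),
    # Another real user logging in once.
    (_t(3, 4, 0),  "192.0.2.5", "bob", True),
]

if __name__ == "__main__":
    for pw in ("Password123!", "12345678", "correct horse battery staple"):
        print(f"{pw!r}: length-only={length_only_policy(pw)} "
              f"stronger={stronger_policy(pw)}")
    print(detect_list_validation(SAMPLE_EVENTS))
```

Run stand-alone, the length-only rule accepts "Password123!" and "12345678" and rejects a 28-character passphrase, while the stronger rule does the reverse; the detector flags only 203.0.113.7 (eight accounts, eight attempts, one success) and leaves the user who mistyped twice alone. The per-account lockout most sites already have does not catch this pattern, because each account sees a single attempt, which is why the detection has to key on the source rather than the target.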
