(NOTE TO SUPERVISORS:  Please ensure that all employees without e-mail access receive a paper copy of this message.)

 

 

                                                                                      June 10, 2005

Memorandum

 

To:       All DOI Employees

 

From:   Debra E. Sonderman, Director

      Office of Acquisition and Property Management

      Senior Procurement Executive

 

Subject:  Update on Bank of America Charge Card Missing Data

 

 

We were recently notified that Bank of America is expanding and extending its response to cardholders who were affected by the December lost tape incident.  Following are updated frequently asked questions based on that communication.  The full text is available on the DOI charge card website at http://www.doi.gov/pam/integratedcard.html.

 

Updated DOI Frequently Asked Questions

With Responses Excerpted from June 6 Bank of America Communication

 

1.         Where does the investigation stand?

 

As announced in late February of 2005, computer backup tapes containing customer and account information for 1.2 million GSA SmartPay government charge cardholders were lost in shipment.  Since the announcement, the Secret Service and Bank of America monitoring indicates there continues to be no evidence to suggest that the tapes and their contents have been accessed or misused.

 

2.         How many cardholders are taking advantage of the free credit monitoring offer?

 

Through May 29, 2005, Bank of America has received phone calls from 6.6 percent of the affected cardholders and emails from less than 1 percent.  Additionally, 34,043 customers who had previously instructed the Bank not to receive credit bureau information about them have now “opted-in” to take advantage of credit bureau monitoring.  TransUnion, with which the Bank made arrangements to provide cardholders with free credit reports and an opportunity to establish free fraud alerts, has received 125,260 calls from affected cardholders.

 

3.         Can I extend my fraud alert?  Can I still order a copy of my credit file?

 

Bank of America will be extending its contract with TransUnion to supply the easy access and specialized toll free number for affected cardholders through the end of 2006.  All affected cardholders will be able to continue to order a free credit file.  This alert is a service provided by the credit bureaus.  Once an alert is placed on a credit file, any new or additional line of credit request may be delayed until such time as the extender of credit can verify the identity of the individual initiating the request.  You may contact TransUnion, one of the three nationally recognized credit reporting bureaus in the United States, at 1-800-526-9104, to obtain a credit bureau report and have the opportunity to place a fraud alert on their file at no cost.  The fraud alert will be effective for all three credit bureaus.

 

4.         Have any patterns of fraud been detected?

 

Bank of America contracted with Experian to monitor credit bureau activity for affected cardholders to the extent permitted by law.  This monitoring is designed to detect unusual patterns in credit bureau activity.  Experian will notify Bank of America if it detects any such unusual activity.  To date no trends have emerged that would indicate fraudulent activity resulting from the lost tapes.

 

5.         Have there been any changes in security procedures to prevent this from happening again?

 

In order to provide higher levels of assurance that Bank of America security practices are sound, Bank of America agreed to perform a Joint Security Review, conducted by the security specialists from the GSA and the Department of Defense.  The first meeting was held at the GSA offices in Arlington, Virginia on March 17, 2005.  At this meeting, Bank representatives met with security personnel of both GSA and DOD and provided a synopsis of the loss of the backup tapes, responded to questions posed by the government’s security team, and provided updates on changes the bank has made in its processes since the incident occurred.

 

A second meeting of the Joint Security Review was held at the Bank’s corporate headquarters in Charlotte, North Carolina, on May 17, 2005.  At this meeting, the security representatives reviewed recent third party audit reports of the Bank’s security practices.

 

In addition, Bank of America is working with the GSA to develop security requirements to be included in the GSA Master Contract.  The new requirements will ensure that all charge card issuers performing under the GSA Master Contract will provide the same level of security for all Government charge cardholders.

 

Bank of America has undertaken additional activities to protect the personal information of its government charge cardholders.  These activities include:

 

  • Review of all paper reports that are provided to the agencies and organizations to ensure that all sensitive cardholder data (such as social security number) is truncated where appropriate.
  • Review of all computer-accessed information to ensure that all sensitive cardholder data (such as social security number) is truncated where appropriate.
  • Review of all data transmissions and implementation of encryption processes.
  • Monitoring of government charge card accounts and any consumer account that a federal cardholder may have with Bank of America for unusual activity and fraud.
  • Communication of cardholder security features for the government charge card via changes in the card carrier packages.

 

Bank of America promises to continue to work with its client agencies to develop strategies that will provide continued dedicated client service to its customers.