Security Breaches Guidance Released: Procedures Spelled Out by Regulatory Agencies

The federal financial institution regulatory agencies have issued joint guidance on what constitutes an information security breach and how such a breach should be handled.

The "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice" was published as a supplement to the Security Guidelines that were approved as part of the Gramm-Leach-Bliley Act.

The guidance applies to any "customer information," which includes all "nonpublic personal information" about a customer whether in paper, electronic or other form, maintained by or on behalf of the financial institution.

The guidance states that the minimum response program to a breach should include procedures for:

- Assessing the nature and scope of an incident, including what customer information systems and types of information have been compromised;
- Notifying the primary federal regulator as soon as possible after the institution becomes aware of an incident;
- Filing a timely Suspicious Activity Report when an incident applies to SAR requirements;
- Containing the incident to prevent further unauthorized access;
- Notifying customers where warranted.

The guidance requires notice to regulators and customers only in cases where "sensitive customer information" is breached. That information includes a customer's name, address, or telephone number in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or the password or personal identification number that might allow a criminal access to the customer's account.

No timing on notification is specified in the guidance, though it states that a financial institution should conduct an immediate investigation once a breach is detected and if the information may cause harm to the customer, notify that customer "as soon as possible" by any reasonable means. (The guidance gives examples of such means.) The guidance also allows financial institutions to notify law enforcement but delay customer notification when such notification might impede an investigation.

The guidance specifies that banks are responsible for notifying customers and regulators when unauthorized access incidents involve their service providers, but allows a bank to contract with its provider to handle such notification.

In cases where a group of customers may be compromised, a financial institution can notify the specific individuals if it can accurately pinpoint those individuals who might be affected. If not, it must notify the entire group.

While the guidance is immediately effective, examiners will take into account banks' good-faith efforts to put response programs in place.

Meanwhile, several Senate bills have been introduced that crack down on companies that suffer breaches, a response to recent highly publicized customer information breaches. The FTC is also looking at how it can use existing banking statutes and consumer fraud laws to prosecute companies that fail to report serious breaches.

A law has been passed in California that specifies what disclosures companies must provide to victims, and about 30 states are considering similar laws.

Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 15, No. 4, 5/05