Banking's Next Headache: Security Breaches
Risk Assessment (or Second-Guess Your Examiners)


The final Guidance interpreting the requirements of section 501(b) of the Gramm-Leach-Bliley Act and the Security Guidelines includes the development and implementation of a response program to address unauthorized access to (or use of) customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of a financial institution's response program, including customer notification procedures.

The Security Guidelines direct financial institutions to: (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

The Guidance is a welcome directive for financial institutions, some of which have made headlines lately after losing consumer data through courier mishaps, illegal provision to third parties, and insider fraud. The industry also hopes the Guidance will slow the overlapping state law proposals and the various, even more restrictive federal legislative proposals that have been introduced.

However, the ambiguity of some of the Guidance rules, which was intended to reduce restrictions, has left many bankers puzzled about how to address certain breaches and assess their compliance. The Guidance provides that "…when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused." Sensitive customer information is defined as a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a PIN or password, or any combination of components that would permit access to the customer's account in any way.

"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the Guidance states. However, notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.

Service providers must also take appropriate actions to protect customer information. And the financial institution should notify its primary federal regulator of a security breach, whether or not the institution notifies its customers.

The issue that concerns bankers is confusion over what constitutes a breach: for instance, a lost laptop; the loss of data by a third party; a missing CD; a stolen transaction bag; encrypted data; or a retailer that mishandles a bank customer's credit card information. Also, some banks are located in states where the new Guidance conflicts with state laws requiring customer notification of the loss of a state resident's personal consumer data, regardless of whether fraud resulted from the loss. As many as 32 other states have pending legislation that will further confuse the issue.

Bankers must make the risk assessment and decide whether or not to notify the customer. How examiners will treat banks working toward compliance, and whether they will agree with a bank's decision, remains one of the unknowns.

The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is in the Federal Register (68 FR 47954). The Security Guidelines are at 12 CFR 30.

Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 15, No. 8, 8/05