ID Theft Response Program Proposal

On August 12, 2003, the bank regulatory agencies published in the Federal Register a request for comments on an innocuously titled document, "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice". If adopted, the Guidance would require you to add a new component to your information security program that would specify corrective measures that you should take to effectively address and mitigate harm to customers when you become aware of unauthorized access to sensitive customer information, including a requirement for you to provide timely, clear and conspicuous notification of the breach to customers (with certain exceptions). The comment deadline is October 14.

Here are the highlights of the proposal:

Premise
The regulatory agencies expect every financial institution to develop, as a key part of their information security program, a response program to protect against and address reasonably foreseeable risks associated with internal and external threats to the security of customer information maintained by the financial institution or its service provider. When incidents of unauthorized access to, or use of, customer information occur, the response program should be expeditiously implemented.

Key Definitions
Customer information systems - consist of all of the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers.

Customer information - includes any record containing nonpublic personal information whether in paper, electronic, or other form, maintained by or on behalf of the institution.

Sensitive customer information means any one of the following four types of information, in conjunction with a personal identifier, such as an individual customer's name, address or telephone number:
  • Social Security number;
  • Personal Identification Number (PIN);
  • Password; or
  • Account number.
Also included within the realm of "sensitive customer information" is any combination of components of customer information that would allow someone to log onto or access another person's account, such as a user name and password.

Elements of a Response Program: An institution's policies and procedures must enable the institution to:
  • Assess the situation in order to:
    • determine the nature and scope of an incident;
    • identify the information systems affected; and
    • identify the types of customer information affected.
  • Notify its primary Federal regulator
  • File a SAR
  • Notify law enforcement agencies
  • Take measures to contain and control the incident to prevent further unauthorized access, including:
    • shutting down applications or third party connections;
    • reconfiguring firewalls;
    • changing computer access codes; and
    • modifying physical access controls.
  • Address and mitigate harm to individual customers.
Corrective Measures to Include in the Response Program
These corrective measures are recommended to effectively address and mitigate harm to customers:
  • Flag accounts - accounts that may have been compromised should be identified, monitored for unusual activity and controls initiated to prevent unauthorized withdrawals or transfers of funds
  • Secure accounts - all accounts associated with customer information that has been compromised should be secured
  • Notify and assist customers
    • If individual customers can be specifically identified, the notification can be limited to those customers
    • If individual customers cannot be identified, notice must be given to each customer who likely was affected.
    • A sufficient number of trained employees should be available to answer customer questions and provide assistance.
Notification Exception:
The guidance provides that a financial institution should notify each affected customer when it becomes aware of the unauthorized access to sensitive customer information, unless the institution, after an appropriate investigation, 1) reasonably concludes that the misuse of the information is unlikely to occur, and 2) has taken appropriate steps to safeguard the interests of affected customers, including monitoring affected customers' accounts for unusual or suspicious activity.

Notification Requirements: The notification must be timely, clear and conspicuous, and delivered in any manner that will ensure that the customer is likely to receive it. An institution can elect to use the telephone or mail, and for those customers who conduct transactions electronically, electronic notice may be given.

In terms of the content of the notice, the guidance spells out certain "required" information, and details certain other information that is optional.

Required information - your notice would need to:
  • Describe the incident
  • Indicate the customer's information that was the subject of the unauthorized access or use
  • Provide a number for the customer to call for information
  • Remind the customer to be alert for the next 12-24 months and promptly report any incidents of suspected identity theft
  • Inform the customer that the institution will assist the customer to correct and update any information in any consumer report, as required by the FCRA
  • Recommend to the customer that it notify each nationwide credit reporting agency to place a fraud alert in the customer's consumer reports
  • Recommend the customer periodically obtain credit reports
  • Inform the customer of the right to obtain a free credit report if the customer has the reason to believe their report may contain fraudulent information
  • Inform the customer of the FTC's online guidance regarding prevention of identity theft.
Optional information - your notice could also:
  • Provide a toll-free telephone number for the customer to use to contact you for further information or assistance
  • Offer to assist the customer in notifying the credit reporting agencies and placing a fraud alert
  • Inform the customer about subscription services that will notify the customer anytime there is a request for their credit report or offer to subscribe the customer to this service free of charge, for a period of time
  • Include the brochure prepared by the Agencies regarding steps a consumer can take to protect against identity theft (available online): OCC brochure; FRB brochure; FDIC brochure; OTS brochure.
When the notice should be given:
The Guidance provides examples of when the notice should be given, as well as instances when notice is not expected.

Examples of When Notice Should Be Given
  • An employee of the institution has obtained unauthorized access to sensitive customer information maintained in either paper or electronic form;
  • A cyber intruder has broken into an institution's unencrypted database that contains sensitive customer information;
  • Computer equipment such as a laptop computer, floppy disk, CD-ROM, or other electronic media containing sensitive information has been lost or stolen;
  • An institution has not properly disposed of customer records containing sensitive customer information; or
  • The institution's third party service provider had experienced any of the incidents described above, in connection with the institution's sensitive customer information.
Examples of When Notice Is Not Expected
  • The institution is able to retrieve sensitive customer information that has been stolen, and reasonably concludes, based upon its investigation of the incident, that it has done so before the information had been copied, misused or transferred to another person who could misuse it;
  • The institution determines that sensitive customer information was improperly disposed of, but can establish that the information was not retrieved or used before it was destroyed;
  • A hacker accessed files that contain only customer names and addresses; or
  • A laptop computer containing sensitive customer information is lost, but the data is encrypted and may only be accessed with a secure token or similarly secure access device.
What to comment on:
The Agencies are seeking comments on the following issues:
  • Should any component of the response program be clarified in some way and, if so, how?
  • Are there additional components that should be included in a response program to address incidents involving unauthorized access to or use of customer information? If so, please describe the component, and the reasons that support it.
  • Should each component of the response program be retained? If not, which components should be deleted and why?
  • In preparing the proposed Guidance, the Agencies have attempted to identify a standard that will lead to customer notice when appropriate. The Agencies invite comments on whether the standard is appropriate. For those commenters who believe that this standard is inappropriate, the Agencies request that they state specifically their reasoning and offer alternative thresholds for requiring customer notice.
  • The proposed Guidance defines sensitive customer information. The Agencies request comment on which, if any, additional types of information should be included in the definition.
  • The Agencies invite comment on the potential burden associated with the customer notice provisions. What is the anticipated burden that may arise from the questions raised by customers who may receive the notices? Should the Agencies consider how the burden may vary depending upon the size and complexity of the institution?
  • Is the discussion in the Guidance of the requirement of securing accounts sufficiently clear to enable institutions to know what is expected of them?
  • Should the standard be modified to also include other extraordinary circumstances that compel an institution to conclude that the unauthorized access to information, other than sensitive information, likely will result in substantial harm or inconvenience to the affected customers?
  • Should the examples of circumstances in which customer notice would be expected and those when it would not be modified?
Comment addresses:
The Agencies encourage that comments be delivered by fax or e-mail. Here is the fax and e-mail contact information for each agency:

OCC
Attention: Docket No. 03-18
Public Information Room
Office of the Comptroller of the Currency
Fax: (202) 874-4448
e-mail: regs.comments@occ.treas.gov

FRB
Refer to: Docket No. OP-1155
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
Fax: (202) 452-3819 or (202) 452-3102
e-mail: regs.comment@federalreserve.gov

FDIC
Robert E. Feldman, Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
Fax: (202) 898-3838
e-mail: comments@fdic.gov

OTS
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
Fax: (202) 906-6518
e-mail: regs.comments@ots.treas.gov

Copyright, 2003, Bankers Online. First published on BankersOnline.com 8/14/03.