You've Been Hacked: Should you inform your customers?
by Sam Ott, BOL Guru
The Compliance Officer's normal daily routine is interrupted by a call from the head of Operations. It is a courtesy call to inform him that last month an employee discovered that the computer system containing customer records had been hacked. It was not possible to determine if any personal financial information of any customers had been viewed by the hackers, but there was no question a breach of the security system had occurred.
The Operations Manager tells him not to worry. The "hole" in the system that allowed the intrusion had been located and modifications had been put in place to make sure it would not happen again. In addition, no unusual customer withdrawal activity had been detected over the last month and no customer had called complaining about any unauthorized transactions in any accounts. It was probably just a couple of high school students playing around. The reason the Compliance Officer was not notified earlier was due to the desire of the Operations Manager to not unnecessarily alarm him if it was determined that no damage had been done.
The Compliance Officer thanked the Operations Manager for the call and breathed a sigh of relief that he was working for a financial institution that had systems in place to detect computer intrusions and make adjustments before any major problems appeared.
What is wrong with this picture? The Compliance Officer and the Operations Manager are pleased that their computer security system worked. The unauthorized intrusion by the hacker was detected and changes were made before any problems appeared in any customer account. Neither the financial institution nor any customer discovered any unauthorized transactions, so no harm, no foul. Right? Not necessarily.
Most likely the target of the hacker was not the funds in the customer accounts, but the personal information of the customers. The goal was to obtain data which could be utilized by the hacker to assume the identity of a customer, or be sold to a third party for the same purpose. The greatest exposure to a financial institution whose customer account databases are hacked does not come from the unauthorized withdrawal of funds from customer accounts, but rather from the theft of the customers' identities by the hacker.
If the unauthorized release of customer personal information goes undetected, the identity thief could easily establish numerous bogus checking accounts, obtain credit cards and loans, or even purchase property utilizing the customer's identity. The credit rating of the customers could be severely damaged and require extensive efforts to be repaired.
If the information security safeguards utilized by a financial institution to protect its data are determined not to be appropriate, a customer may seek to hold the financial institution liable for damages for the unauthorized release of personal financial information. If the institution fails to notify its customers of the danger in a timely manner, customers may suffer more harm because they would not be in a position to institute protective measures and mitigate damages.
If you're concerned about damage to your reputation, consider which would be worse - your customers finding out months from now, perhaps from a third party, that the security of their information had been compromised, or finding out from you immediately in a reassuring phone call or letter that gently describes the problem and outlines the steps you have taken to rectify it.
If a security breach is detected, consider the following steps:
Immediately determine the nature of the problem and take action to prevent future intrusions;
If necessary, retain a forensic expert to review the system and your security procedures;
Identify the customers whose personal information was or may have been compromised;
Evaluate the nature of the harm your customers could experience, based upon the data that may have been accessed and determine whether customer notification is appropriate and/or necessary;
Determine the appropriate method of customer notification;
Involve your legal counsel and marketing department in the drafting of the wording of the notification;
Include with the disclosure information regarding precautions to take to protect against identity theft;
Encourage your customers to review not only their account transactions, but also any unusual correspondence from third parties which seems to indicate that the customer has established new accounts or obtained credit from third parties.
A financial institution may not be able to avoid liability if its information security safeguards were deficient, but most likely can reduce any damage awards by showing prompt and appropriate corrective action was taken when the problem was discovered.
Copyright, 2002, Bankers Online. First published on BankersOnline.com 11/20/02.