Notification of an Information Breach
by Mary Beth Guard
Third parties have gained access to sensitive customer information. Who do you need to tell?
There are regulatory requirements for regulator, customer, and law enforcement notifications. In addition to those, however, there may be other notifications you need to make for practical reasons.
In planning your response program for information breaches, ask yourself:
- Who will be affected by the information breach?
- Who will be affected by the actions we take in RESPONSE TO the information breach?
The answers to those two questions will help guide you through who ought to be notified, as a practical matter.
Notification to Customers
In terms of notice to customers, here is the analysis to go through:
- Has there been unauthorized access to sensitive customer information?
- If so, you must conduct a "reasonable investigation" and promptly determine "the likelihood that the information has been or will be misused."
- If you conclude, as a result of your investigation, that misuse either has occurred or is reasonably possible, you need to notify affected customers.
If, on the other hand:
- your investigation leads you to conclude that misuse of the information is unlikely to occur; and
- you take appropriate steps to safeguard the interests of affected customers, such as monitoring, where necessary,
then you do NOT need to notify the customer.
(Note: the final guidelines omit the monitoring requirement, but from a practical standpoint, it's still a good idea to monitor, if it's workable, because it can help reduce losses.)
Don't be naïve about the risk. The information thief may not ever use the information to commit fraud with respect to the customer's existing accounts at your institution. He may instead use it to open accounts elsewhere in the customer's name.
If you discover a virus or worm or Trojan or spyware affecting your network, for example, you need to have a way planned, in advance, to notify your internal users. Too often, employees are the last to know vital information about what's going on. Don't make that mistake.
Also, the regulators have mentioned the need to provide staff with instructions regarding the recording and reporting of any unusual activity on flagged accounts and any transaction limitations that have been (or need to be) implemented. (Don't forget to remove the flags or the transaction limitations at an appropriate time and communicate that to staff.)
Notification to Regulators
When you become aware of a potential breach of sensitive customer information, you must begin an investigation immediately. Notification to your primary federal regulator should take place when you initiate your investigation - not when you conclude it. Notify regulators as quickly as possible, by telephone or in some other expeditious manner.
Law enforcement should be notified by telephone in situations involving Federal criminal violations requiring immediate attention.
First published on 07/14/2005