Banking's Next Headache: Security Breach Risk Assessment (or: Second-Guess Your Examiners)
The final Interagency Guidance interpreting section 501(b) of the Gramm-Leach-Bliley Act and the Security Guidelines requires each financial institution to develop and implement a response program for unauthorized access to (or use of) customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of such a response program, including customer notification procedures.
The Security Guidelines direct financial institutions to: (1) identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.
The Guidance is a welcome directive for financial institutions, some of which have made headlines lately for losing consumer data through courier mishaps, unlawful disclosure to third parties, and insider fraud. The industry also hopes the Guidance will slow the overlapping state-law proposals and the various, even more restrictive, federal bills that have been introduced.
However, the ambiguity of some of the Guidance's rules, intended to leave institutions flexibility, has left many bankers puzzled about how to address certain breaches and how to assess their own compliance. The Guidance provides that "...when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused." Sensitive customer information is defined as a customer's name, address, or telephone number in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a PIN or password that would permit access to the customer's account; it also includes any combination of components of customer information that would allow someone to log on to or access the customer's account, such as a user name and password, or a password and account number.
"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the Guidance states. Notice may be delayed only if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.
An institution must also see that its service providers take appropriate steps to address unauthorized access to the customer information they hold, including notifying the institution, so that the institution can carry out its own response program. And the institution should notify its primary federal regulator as soon as possible whenever it becomes aware of an incident involving unauthorized access to or use of sensitive customer information, whether or not it ends up notifying its customers.
What worries bankers is the confusion over what constitutes a breach. Consider a lost laptop; data lost by a third party; a missing CD; a stolen transaction bag; lost data that was encrypted; a retailer that mishandles a bank customer's credit card information. (Encryption only helps the risk assessment if the key or passphrase was not lost along with the data; a laptop whose decryption credentials are stored on the same machine offers little comfort.) Banks in some states also face state laws that require notifying residents whenever their personal data is lost, regardless of whether any fraud resulted, which conflicts with the Guidance's misuse-based trigger. As many as 32 other states have pending legislation that will further confuse the issue.
The bank must make the risk assessment and the decision whether to notify the customer. How examiners will treat banks working toward compliance, and whether they will agree with a bank's decision, is one of the unknowns. Whatever the decision, the investigation and the reasoning behind it should be documented, since that record is what an examiner will review.
The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice was published in final form at 70 FR 15736 (March 29, 2005); the 2003 proposed version appeared at 68 FR 47954. The Security Guidelines are at 12 CFR Part 30, Appendix B (OCC), with parallel versions in the other banking agencies' rules.
Copyright © 2005 Bankers' Hotline. Originally appeared in Bankers' Hotline, Vol. 15, No. 8, 8/05
First published on 08/01/2005