BOL Conferences
#1454715 - 10/13/10 05:54 PM Identity Theft?
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
I must be having a brain freeze because I think this should be an easy question: If a customer discloses personal information in response to a phishing e-mail, has identity theft occurred at that point or not until the phisher actually uses the customer's information? I'm thinking it's already ID theft, but then the definition says ID theft is "a fraud committed or attempted using the identifying information of another person without authority." (emphasis mine) I've got myself confused.

Several of our customers responded to a phishing e-mail and I'm trying to figure out if I need to file a SAR, if it's an actual case of ID theft for my Red Flags report, etc.
_________________________
Opinions expressed are mine and not necessarily those of my employer.

#1454792 - 10/13/10 06:50 PM Re: Identity Theft? Deena
GuitarDude Offline
Power Poster
GuitarDude
Joined: Nov 2004
Posts: 5,925
So Cal
I tend to agree with you Deena. Unless someone has attempted to use the information, I don't think ID theft has occurred (yet).

However, the phishing could be ID theft if the phisher impersonated, or used identifying information of, another person or entity to conduct the phishing. The impersonated entity could be the victim of ID theft here.
_________________________
I've just writed a wrong.

#1454825 - 10/13/10 07:26 PM Re: Identity Theft? Deena
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Deena: Even if it hasn't been used, obtaining financial information under false pretenses is a federal offense. So you could file a SAR, but if there has been no loss it wouldn't be required.

Having one of your customers give out information in a phishing scam was one of the examples of Red Flags that was in the proposed rule, but wasn't included in the final rule.

#1454856 - 10/13/10 07:59 PM Re: Identity Theft? Ted Dreyer
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
We actually have the bank being notified that a customer has transmitted personal information in response to a phishing scam as one of our red flags, but now that we have the red flag, I just wasn't sure whether we actually had ID theft yet if the information hasn't been used. I do agree that the phishing scam itself is a crime and I suppose the bank is actually an ID theft victim since it was our information that was used to carry out the scam. Even if I don't have to file a SAR, if it's ID theft I have to report it as such when I make my annual report to the board, right?
_________________________
Opinions expressed are mine and not necessarily those of my employer.

#1454875 - 10/13/10 08:16 PM Re: Identity Theft? Deena
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
If it's one of your red flags, you are supposed to "respond appropriately" to prevent and mitigate the risk of ID Theft. Your report to the board is supposed to include "significant incidents" involving ID theft.

#1454940 - 10/13/10 09:20 PM Re: Identity Theft? Ted Dreyer
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
We have responded appropriately (according to our program), but I'm still not sure this is a "significant incident" since the information has not been used as far as we know.
_________________________
Opinions expressed are mine and not necessarily those of my employer.

#1454946 - 10/13/10 09:38 PM Re: Identity Theft? Deena
GuitarDude Offline
Power Poster
GuitarDude
Joined: Nov 2004
Posts: 5,925
So Cal
Appropriate responses might also be to close the account and reopen a new one, have the customer change his/her PIN, reissue ATM/Debit Card, etc. It depends on what specific information your customer provided to the fraudster. These actions could be part of satisfying the requirement to prevent and mitigate the risk of ID theft as Ted noted. If you wait for the info to be used and something slips by, you might be criticized for not "preventing and mitigating" the risk.
_________________________
I've just writed a wrong.

#1455001 - 10/14/10 11:26 AM Re: Identity Theft? GuitarDude
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
Thanks, GuitarDude, we've done all those things - they are all responses called for by our program.
_________________________
Opinions expressed are mine and not necessarily those of my employer.

#1455072 - 10/14/10 01:56 PM Re: Identity Theft? Deena
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Deena: While the one instance you mentioned might not be a significant incident, you said in your first post that several of your customers were involved. If there is a connection or pattern between the incidents with your customers, that might be significant.

#1455076 - 10/14/10 02:00 PM Re: Identity Theft? Ted Dreyer
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
Ted, there is definitely a connection. Someone sent out a phishing e-mail that looked like it was from our bank. The e-mail was sent to both customers and non-customers. We have had at least three customers tell us that they provided information in response to the e-mail. I'm thinking I'll report this with my board report but I don't think we'll file a SAR. Would you agree?
_________________________
Opinions expressed are mine and not necessarily those of my employer.

#1455410 - 10/14/10 07:45 PM Re: Identity Theft? Deena
BrendaC Offline
Power Poster
BrendaC
Joined: Sep 2001
Posts: 6,029
Sweet Home AL
I would consider that to be a significant event. At this point, you have no idea how many customers have been affected. You just know about the 3 that brought it to your attention. I would activate my incident response plan, file a SAR and call my examiner to discuss. They may have information about similar incidents that could help you better manage this breach event. Understanding your regulatory examiner's expectations can help you avoid criticism in the future.
_________________________
Life without Jesus is like an unsharpened pencil - it has no point.

#1455498 - 10/14/10 09:04 PM Re: Identity Theft? Deena
Ted Dreyer Offline
Diamond Poster
Ted Dreyer
Joined: Apr 2001
Posts: 2,245
Deena: I agree with Brenda that it would be a significant event for the report.

#1455574 - 10/15/10 12:21 PM Re: Identity Theft? Ted Dreyer
Deena Offline
Power Poster
Deena
Joined: Nov 2000
Posts: 2,701
PA
Thanks to all for your responses. As I said, I will definitely report it in my Red Flags report to the board. I still don't know about filing a SAR though. I have no dollar amount and no suspect, so what would I report?
_________________________
Opinions expressed are mine and not necessarily those of my employer.
