Incident Response - Notification to Regulator

Posted By: Expedition

Incident Response - Notification to Regulator - 01/19/07 10:10 PM

The incident response guidance clearly recommends notification to your regulator of breaches but it does not provide guidance as to when you should report (i.e. is there a severity level) to your regulator. One recent example: our customer's account # and SS# were obtained somehow by another individual but we're fairly sure it was not through us. That individual used the account number and SS# to access our VRU and initiate a transaction to transfer funds from savings to checking. The individual also used the account # to attempt to initiate a series of ACH debit transactions. We caught it early and no money was lost. To me this is just a normal ID theft case but because our system was accessed it triggered our incident response program. Would an ID theft case involving one individual warrant reporting to the regulator?
Posted By: Retired DQ

Re: Incident Response - Notification to Regulator - 01/25/07 01:46 PM

I would probably only report system wide failures, such as batches of debit cards lost, data files breached or compromised, things of that nature. I don't think that it is necessary to report an isolated instance of ID theft.
Posted By: misha

Re: Incident Response - Notification to Regulator - 05/04/10 10:29 PM

Bringing up an old post - we have examiners here - they're indicating that we should report to our regulator on all incidents "involving unauthorised access to or use of sensitive customer information." Has anyone got any recent info on this?
Posted By: Midwest Banker

Re: Incident Response - Notification to Regulator - 05/10/10 01:46 PM

No, but this would be a huge burden, not only on you, but on your regulator as well. Think about all the debit/credit card activity that takes place. Is this what they really want, as this is unauthorized access?
Posted By: Kathleen O. Blanchard

Re: Incident Response - Notification to Regulator - 05/10/10 03:25 PM

I have personally received (as a banker) and now have clients who have received requests like this. Usually the regulator will clarify that they want a heads up on any loss of data that could result in the bank's name in the paper - other than debit/credit card stuff that is out there anyway. They want a heads up in case anything hits the paper and they get a call from reporters prior to an SAR reaching them via the regulatory pipeline.

I would discuss it in more detail to clarify what they are trying to accomplish.