Answer by Andy Zavoina:
While I am aware of no requirements to notify customer's, there are SAR filing requirements for computer intrusion.
If customer data is compromised, those customers will likely require notification so that they may be more aware of and watch for any fraudulent activity. The bank may also have to take steps to change account numbers of those customers and require passwords or other data that was available to be changed.
Answer by Mary Beth Guard:
I agree with Andy's comments, and I have a request. If your institution was among those affected by this summer's hack into the servers of a well-known Internet banking provider, would you share your experiences with the rest of the BOL users by posting them anonymously on the Bankers Threads message board?
It would be extremely valuable to know what you learned from the experience, how you responded to the crisis, and what, if anything, you might do differently if faced with the same circumstances again.
I was told that one small bank I'm familiar with was estimating they were going to spend over $20,000 just on overtime pay relating to the incident, from contacting customers, assigning new account numbers, processing check orders, dealing with exception items.
On July 28, there were news reports about what was being called the largest identity theft case ever, with social security numbers, credit card numbers, DL numbers, dates of birth, and other detailed personal information appearing in an Internet chat room. At this point, it's still unknown where the data was stolen from, but if it doesn't make you think twice about how solid your information security program is, it certainly should
Want to see how hackers think, or what it takes to track them? MSNBC has an interactive slide show that allows you to do just that. Take on the role of the white hat or black hat and see a hack, step by step. Click on the blue graphic at the top of this page.
Answer by Michael Guard:
I also agree with Andy's comments, and have a related point. While there would be no legal requirement to notify customers even if a hacker definitely got into the bank's computer network, banks will always want to consider whether their customers have a reasonable possibility of finding out about the security breach, even if the bank remains silent. If the answer is yes, consider whether the bank would be hurt more by its silence, or by coming forward to tell their customers the facts before they can find out any place else.
If there has been a real compromise of customer information, in my opinion, there should not be a reasonable expectation of the event remaining secret for long. When no compromise of any customer information has occurred, the chances are less that everyone will eventually learn of the event. However, hackers being what they are, there is a real chance that the details will end up on the Web and the whole world will know. Hackers like to brag about their exploits. Bottom line is, it is a tough judgment call.
One last point. If a hacker does get into the bank's network, even if no customer information was compromised or damage done to the bank in any way, this is a situation where the board of directors needs to be informed by way of a report reflecting what happened, how the event was responded to, and what is being done or recommended to avoid it happening again. While there is only a requirement to report to the board once per year, this is the type of event the regulators expect to be reported on a timely basis. The board cannot perform its duty to oversee the information security program effectively if they are not even told about an intrusion. From a security perspective, this is at the same level of a robber coming into the bank and drawing a gun, but not getting away with any money. The board needs to know.
First published on BankersOnline.com 8/6/01