
Handling a Breach of Customer Privacy

Answered by: 

Question: 
We would like information on whether a bank is required to contact regulators and customers when an employee has e-mailed some non-public information of our customers to an employee at another financial institution. The purpose was to get copies of forms, but some information such as loan numbers, loan amounts, and names of customers was on the copies of the documents. Since this information was passed between financial institutions, and all efforts will be taken to inform the other financial institution that this information was passed and must be held confidential or destroyed, does this create the notice requirement for privacy of a breach?

Answer: 

First, you need to determine if your state has a law that requires you to disclose this breach to your customers. At least 28 states have data breach notification laws in place and several others are in the process of drafting one. Based on the facts in your question, it does not appear you are required to make notifications under the FFIEC’s "Guidance for Unauthorized Access to Customer Information." In order to qualify as a reportable event, you would have to satisfy the following:

  • Loss of "sensitive information," which includes the customer’s name, address, or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.
  • Once an institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine promptly the likelihood that the information has been or will be misused.

If your institution determines that misuse of the information has occurred or is reasonably possible, you should notify affected customers as soon as possible. You should also notify your regulators as soon as you believe there is a problem so they are aware of the incident and can provide additional guidance.

First published on BankersOnline.com 6/19/06
