Feds Push Banks on Security Alerts

Banks need to immediately inform customers of security breaches, according to new guidance handed down by federal banking authorities this week.

The “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” calls for all U.S. banks to have a response procedure in place in the event a hacker accesses private customer data.

It doesn’t apply to commercial or business accounts or to customers who disclose information to a third party, like a fraudulent Web site.

A proper procedure includes banks conducting an investigation when a bank becomes aware of a possible breach and notifying customers when appropriate. The guidance doesn’t require banks to immediately notify customers in every case, especially if the notification hinders an investigation by law enforcement officials. In that case, a warning can be delayed. However, the bank is required to notify its primary federal regulator, whether officials notify customers or not.

The rules were produced by the Federal Reserve System (FRS),
the Federal Deposit Insurance Corporation (FDIC), the Office of the
Comptroller of the Currency (OCC) and the Office of Thrift Supervision
(OTS).

While it’s not a federal law, the guidance is something that no banker —
subject to yearly examination by regulators — will ignore, said John Hall,
a spokesman for the American Bankers Association (ABA).

“I’ve never known any bank compliance officer that treats a guidance as
anything other than a rule,” he said.

One of the concerns at the ABA of the
original draft of the guidance, Hall said, was that it was too rigid, and
not flexible enough to allow banks to adopt their own response mechanisms.

“You don’t want to create a ‘cry wolf’ mentality where customers are getting
these [notifications] so often that they become numb to them,” he said. “So
you want to make sure that they are appropriate, that you send them out at
an appropriate time and for appropriate reasons. We just want to make sure
it would be an effective notification.”

The guidance has been in the works since 2003 but was likely given more
notice as a result of a recent string of publicly announced security
breaches. In February, the Bank of America (BoA) admitted losing data tapes
containing personal information on as many as 1.2 million federal
employees.

Then data broker ChoicePoint stopped selling some of its accumulated
personal information after it was discovered that the information on more
than 145,000 people might have been compromised.

Last week ChoicePoint and LexisNexis, which was involved in a data breach
scandal of its own recently, told a House panel they favored federal
legislation requiring data brokers to notify customers in case of a leak.

Currently, only California has such a requirement for companies doing
business in its state.
