Banks need to immediately inform customers of security breaches, according to new guidance handed down by federal banking authorities this week.
The “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice” calls for
all U.S. banks to have a response procedure in place in the event a hacker
It doesn’t apply to commercial or business accounts, or to customers who disclose information to a third party, such as a fraudulent Web site.
A proper procedure includes the bank conducting an investigation when it becomes aware of a possible breach and notifying customers when appropriate. The guidance doesn’t require banks to immediately notify customers in every case, especially if the notification would hinder an investigation by law enforcement officials; in that case, a warning can be delayed. However, the bank is required to notify its primary federal regulator whether or not it notifies customers.
The rules were produced by the Federal Reserve System (FRS),
the Federal Deposit Insurance Corporation (FDIC), the Office of the
Comptroller of the Currency (OCC) and the Office of Thrift Supervision
(OTS).
While it’s not a federal law, the guidance is something that no banker —
subject to yearly examination by regulators — will ignore, said John Hall,
a spokesman for the American Bankers Association (ABA).
“I’ve never known any bank compliance officer that treats a guidance as
anything other than a rule,” he said.
One of the ABA’s concerns about the original draft of the guidance, Hall said, was that it was too rigid and not flexible enough to allow banks to adopt their own response mechanisms.
“You don’t want to create a ‘cry wolf’ mentality where customers are getting
these [notifications] so often that they become numb to them,” he said. “So
you want to make sure that they are appropriate, that you send them out at
an appropriate time and for appropriate reasons. We just want to make sure
it would be an effective notification.”
The guidance has been in the works since 2003 but was likely given more
notice as a result of a recent string of publicly announced security
breaches. In February, the Bank of America (BoA) admitted losing data
tapes containing personal information on as many as 1.2 million federal
employees.
Then data broker ChoicePoint stopped
selling some of its accumulated personal information after it was
discovered that the information on more than 145,000 people might have been
compromised.
Last week ChoicePoint and LexisNexis, which was involved in a data breach
scandal of its own recently, told a House panel they favored
federal legislation requiring data brokers to notify customers in case
of a leak.
Currently, only California has such a requirement for companies doing business in the state.