Although the recent economic climate increased the focus on safety and soundness concerns in most bank examinations, indications are that regulators are returning their attention to compliance matters. Prior to the recent recession, customer privacy was a primary regulatory focal point, with a specific emphasis on information security. In 2005, in response to various state laws requiring customer notification in the event of an information security breach, the banking agencies expanded their Safeguards Guidance by issuing the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("Breach Guidance"). Identity theft poses a significant threat to customers, and identity thieves' tactics continually evolve in search of the next big payoff. Therefore, the Breach Guidance is likely to be a principal focus of examinations, and being prepared for a security breach will mitigate both regulatory and litigation risks.

Responding to a Breach

Financial institutions must develop and implement a response program to address incidents of unauthorized access to customer information that is appropriate to the size and complexity of the institution and the nature and scope of its activities. This incident response program should contain procedures for the following:

  • Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
  • Notifying primary regulators as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of "sensitive customer information";
  • Notifying appropriate law enforcement authorities, including filing a timely SAR, if applicable;
  • Taking appropriate steps to contain and control the incident; and
  • Notifying customers when warranted.

In addition to developing the response program, the institution would be wise to create an information security breach incident response team by designating the individuals who will be responsible for updating the incident response program and taking appropriate actions should a breach occur.

Analysis and Reporting Following a Breach

If your institution suspects an information security breach has occurred, the response team should begin by determining the nature and scope of the incident, including the number of affected customers, the state of residence of those customers, the systems affected, and the type of information involved. Specifically, the response team should determine whether "sensitive customer information" has been compromised. Sensitive customer information includes a customer's name, address or telephone number; the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account; and any combination of other components permitting access to a customer account.

The response team should contact legal counsel to aid in developing an appropriate response plan. If the response team suspects sensitive customer information was compromised, it should notify the primary regulators by telephone or email as soon as possible. The response team should also work with counsel to determine whether the circumstances require contacting local or federal law enforcement agencies or filing a Suspicious Activity Report. Finally, the response team or counsel should examine third-party contracts, especially those where the institution acts as a service provider, to determine whether such contracts require the institution to give notice of the information security breach to the contractual counterparty. Such contracts often contain a very short time frame for providing notice.

Mitigating Damage

As soon as possible, the response team should take appropriate action to contain and control the incident. Such action may include securing the physical data storage area, isolating affected electronic data storage, and monitoring, freezing, or closing affected accounts. In taking such action, the response team should exercise due care to preserve records and other evidence that may aid law enforcement in investigating and prosecuting illegal activity.

Determining Whether to Provide Customer Notice

The Breach Guidance does not require a financial institution to notify customers every time it suspects certain customer information has been compromised. Instead, the institution must notify customers whose information is compromised only where (i) sensitive customer information is involved and (ii) the institution determines that misuse of such information has occurred or is reasonably possible. However, if uncertain, an institution should generally err on the side of notifying customers. Statutory penalties and successful customer litigation are far less likely after providing notice. If the response team makes a determination that customer notice is not necessary under the circumstances, it should be sure to document its reasoning and maintain the documentation for at least five years.

Providing Customer Notice

Where providing notice to customers is required under the Breach Guidance, the institution should notify customers as soon as possible following the breach, unless a law enforcement agency provides the institution with written notice that notifying customers may interfere with its investigation. The institution may provide notice by any manner designed to ensure the customer can reasonably be expected to receive it, such as mail, telephone, or electronic mail (if the customer provided an email address and agreed to receive electronic communications).

The customer notice should contain the following information:

  • Description of the incident in general terms;
  • Description of the type of information compromised;
  • Mitigating actions taken by the institution;
  • Telephone number for further customer assistance; and
  • Statement advising the customer to remain vigilant over the following 12-24 months and promptly report identity theft to the institution.

The customer notice should also contain the following information when appropriate:

  • Recommendation to review account statements;
  • Process by which the customer may initiate a fraud alert;
  • Process by which the customer may obtain free credit reports and delete incorrect information; and
  • Information relating to the Federal Trade Commission's identity theft prevention materials.

In addition, approximately 43 states, including the Midwestern states of Illinois, Indiana, Iowa, Kansas, Michigan, Minnesota, Missouri, Nebraska, North Dakota, Ohio, and Wisconsin, have passed breach notification statutes, and the Breach Guidance does not preempt such state laws to the extent they offer greater protection to customers. Although certain state legislatures, such as those of Minnesota and Wisconsin, chose to exempt banks from the requirements of their breach notification statutes, many state notification laws do not contain a similar exception for banks. Therefore, in the event an institution experiences a breach affecting customers in multiple states, the institution should work closely with counsel to ensure it provides customer notice compliant with all applicable state laws and the Breach Guidance.

Takeaway

After placing an emphasis on safety and soundness, regulators are returning to compliance issues. Customer privacy is likely to be an examination focal point in the near future, and being prepared for a security breach will mitigate both regulatory and litigation risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.