United States: Federal Banking Agencies Issue Guidance Regarding Unauthorized Access to Customer Information

Originally published April/May 2005

In late March, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and the Office of Thrift Supervision (the "Agencies") issued the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the "Guidance"). 70 Fed. Reg. 15736 (2005). The Guidance requires the development and implementation of a response program to address unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to a customer. The Guidance does not have an effective date, but the Agencies expect the institutions to implement the requirements as soon as possible. The Guidance is issued under the authority of section 501(b)(3) of the Gramm Leach Bliley Act ("GLBA"), which requires the Agencies to establish various safeguards to protect against not only "unauthorized access to," but also the "use of," customer information that could result in "substantial harm or inconvenience to any customer." The Agencies issued proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice in August of 2003. 68 Fed. Reg. 47954 (2003).

The Guidance applies to national banks, state banks, thrifts, bank holding companies, non-bank subsidiaries of bank holding companies (to the extent that such entities are not functionally regulated), and branches and agencies of foreign banks. A financial institution’s foreign offices, branches, or affiliates are not covered, but a financial institution subject to the Guidance is responsible for the security of its customer information, whether the information is maintained within or outside of the United States. The Guidance only applies to consumer accounts (i.e., accounts established for a personal, family or household purpose).

Many commenters urged the Agencies to expressly preempt state laws or provide a safe harbor for financial institutions complying with the Guidance. The Agencies declined to address the issue of preemption in the Guidance, noting that the extent to which Section 501(b) preempts state law is governed by Section 507 of GLBA. Generally, Section 507 only preempts state laws which are "inconsistent" with its provisions, and then only to the extent of such inconsistency. State laws providing greater protection to the consumer are generally not preempted. Therefore, institutions must still monitor and comply with state laws addressing security breaches and unauthorized access to customer information.

The Guidance enumerates a number of security measures that each financial institution must consider and adopt, if appropriate, to control risks stemming from reasonably foreseeable internal and external threats to an institution’s customer information. The Guidance specifically states that a financial institution should implement those security measures designed to prevent unauthorized access to or use of customer information, such as by placing access controls on customer information systems and conducting background checks for employees who are authorized to access customer information.

The measures enumerated in the Guidance include response programs that specify actions to be taken when an institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies. The Guidance does not impose a rigid program on each institution. Instead, every financial institution is required to develop and implement a response program appropriate to the size and complexity of the institution and the nature and scope of its activities, designed to address incidents of unauthorized access to customer information.

Elements of a Response Program. As noted above, an institution’s response program should be risk-based. At a minimum, it should contain procedures for:

• assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;

• notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;

• consistent with the Agencies’ suspicious activity reporting requirements, immediately notifying law enforcement in situations involving Federal criminal violations requiring immediate attention;

• taking appropriate steps to contain and control the incident to prevent further unauthorized access to, or use of, customer information, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and

• notifying customers when warranted.

Contracts with Service Providers. The Guidance notes that under the safeguarding regulations every financial institution must require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information. Afinancial institution’s contract with its service provider should require the service provider to take appropriate action to address incidents of unauthorized access to the institution’s customer information, including by notifying the institution as soon as possible of any such incident. Such notice will enable the institution to expeditiously implement its response program.

The Agencies decided not to grandfather existing contracts or to add a transition period to the Guidance because the notification requirement is consistent with the existing safeguarding rules issued by the Agencies. In order to ensure the safeguarding of customer information, financial institutions that use service providers likely have already arranged to receive notification from the service providers when customer information is accessed in an unauthorized manner. If an institution does not formally include such a disclosure requirement in its contracts, it should exercise its best efforts to add a disclosure requirement to its existing contracts and any new contracts should include such a provision. Customer Notice

Standard for Providing Notice. The Guidance provides that when an institution becomes aware of an incident of unauthorized access to "sensitive customer information," the institution should conduct a reasonable investigation to determine promptly the likelihood that the information has been or will be misused. If the institution determines that misuse of the information has occurred or is reasonably possible, it should notify affected customers as soon as possible. As the scope and timing of a financial institution’s investigation is dictated by the facts and circumstances of a particular case, the Agencies have not designated a specific number of hours or days within which financial institutions should provide notice to customers.

Sensitive Customer Information. An institution’s obligation to provide notice under the Guidance is limited to situations involving unauthorized access to sensitive customer information. The Agencies believe that limiting the coverage to incidents involving "sensitive customer information" is consistent with an institution’s obligation under Section 501(b) of GLBA (protecting against substantial harm or inconvenience to the customer). Substantial harm or inconvenience is most likely to result from improper access to sensitive information. Nevertheless, an institution still may send notices to customers in situations not involving sensitive customer information if it determines such action is appropriate.

For purposes of the Guidance, "sensitive customer information" includes a customer’s social security number, driver’s license numbers, debit and credit card numbers, personal identification numbers, password or account number, in conjunction with a personal identifier such as the customer’s name, address, or telephone number. In addition, "sensitive customer information" includes any combination of components of customer information that allows someone to log on to or access another person’s account, such as user name and password. Some commenters asked the Agencies to exclude publicly available information and encrypted information, and also suggested that the Guidance apply only to account numbers for transaction accounts or other accounts from which withdrawals or transfers can be initiated. The Agencies decided not to provide any particular exclusions.

Affected Customers. If an institution, based upon its investigation, can determine from its logs or other data precisely which customers’ information has been improperly accessed, it may notify only those customers with respect to whom the institution determines that misuse of information has occurred or is reasonably possible. The Guidance recognizes that there may be situations where the institution cannot determine which individual files have been accessed improperly and decides to notify all customers in the group.

Content of the Customer Notice. The Guidance does not contain a model customer notice but provides some basic requirements. For example, the notice should:

• be provided in a "clear and conspicuous manner";

• describe the incident in general terms and the customer’s information that was the subject of unauthorized access or use;

• generally describe what the institution has done to protect the customer’s information from further unauthorized access so that a customer can make decisions regarding the institution’s customer service;

• include a number that customers can call for further information and assistance;

• remind the customer of the need to remain vigilant over the next 12 to 24 months; and

• recommend that the customer promptly report incidents of suspected identity theft.

The notice should also include the following additional items, when appropriate:

• Recommendation that the customer review account statements and immediately report any suspicious activity to the institution;

• Description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
• Recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;

• Explanation of how the customer may obtain a credit report free of charge; and

• Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC’s Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft. Conclusion

Several recent security breaches have resulted in the unauthorized disclosure of non-public, personal information of customers. These breaches have caught the attention of consumers, state legislatures and Congress and left financial institutions wondering about the appropriate response measures. The Guidance requires institutions to implement policies and procedures to address the unauthorized disclosure of consumer information. Although many institutions already have adopted and implemented such procedures as part of their customer information safeguarding policies, some contracts with third-party service providers may be silent regarding security breaches and other types of unauthorized disclosures. Institutions must review their existing contracts and policies for compliance with the Guidance and monitor new state law requirements regarding the unauthorized disclosure of customer information. 

Copyright © 2007, Mayer, Brown, Rowe & Maw LLP. and/or Mayer Brown International LLP. This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.

Mayer Brown is a combination of two limited liability partnerships: one named Mayer Brown LLP, established in Illinois, USA; and one named Mayer Brown International LLP, incorporated in England.