New Data Security Guidance for Banks
By Susan N. LeDuc
Recently, the federal banking regulatory agencies issued an “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” This Guidance interprets section 501(b) of the Gramm-Leach-Bliley Act as well as the security guidelines issued by the federal banking regulatory agencies. The Guidance addresses procedures to be used by financial institutions to respond to unauthorized access to or use of customer information by third parties.
The regulatory agencies clearly expect banks of all sizes to implement the Guidance as soon as possible. The Guidance provides that if “sensitive” bank customer information is stolen or illegally accessed, the bank is required to first notify its primary regulator, and then, if certain conditions exist, notify the affected customers.
The Guidance requires each bank to assess the particular risks that its business and operations present to the security of customers’ information and then to develop its own information security program on the basis of that assessment. Whatever the results of the bank’s own risk assessment, the Guidance mandates certain minimum elements for every information security program: access controls on customer information systems, employee background checks, and a breach response program. The response program in turn must cover oversight of, and contractual provisions with, the bank’s service providers and vendors, as well as the process for notifying affected customers.
1. Access Controls – The Guidance requires that access controls on customer information systems include controls to authenticate users and permit access only to authorized individuals, together with controls to prevent employees from providing customer information to unauthorized individuals who seek to obtain it through fraudulent means (i.e., pretexting).
2. Employee Background Checks – The Guidance confirms that background checks should be conducted for employees who are authorized to access customer information, although it does not provide details on how. Such background checks should also include verification that the bank does not violate federal law by hiring or employing the person; in particular, 12 USC 1829 prohibits an institution from hiring or employing an individual who has been convicted of certain criminal offenses or who is subject to an order under 12 USC 1818(e)(6) prohibiting the person from being employed by a bank. A bank can conduct this verification, in part, by checking each employee’s or prospective employee’s name against all five federal banking regulators’ searchable databases of enforcement actions and orders at www.ffiec.gov/enforcement.htm. Washington, D.C., regulatory staffers indicate that additional regulatory guidance on employee background checks is anticipated, but its timing is unknown.
3. Response Programs – The Guidance confirms that each bank must develop a risk-based response program to address incidents of unauthorized access to customer information systems. A customer information system, for this purpose, consists of all of the methods used to access, collect, store, use, transmit, protect or dispose of customer information, including systems maintained by the bank’s service providers and vendors, whether domestic or foreign.
At a minimum, the bank’s response program should contain procedures to address the following elements:
• Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
• Notifying its primary federal regulator as soon as possible whenever the institution becomes aware of an incident involving unauthorized access to or use of “sensitive customer information” (see definition in Guidance);
• Consistent with federal Suspicious Activity Report (SAR) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving federal criminal violations requiring immediate attention;
• Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information (for example, monitoring, freezing or closing affected accounts, while preserving records and other evidence); and
• Notifying customers as soon as possible when warranted (i.e. the bank determines that misuse of its information about a customer has occurred or is reasonably possible).
The Guidance confirms that each bank must “require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.” In addition to these contractual obligations to the bank, a service provider may itself be required to implement a comprehensive information security program under the Safeguards Rule promulgated by the Federal Trade Commission at 16 CFR Part 314. The Guidance also confirms that a bank’s contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the bank’s customer information, including notifying the bank of any such incident as soon as possible so that the bank can promptly implement its own response program.
Where an incident of unauthorized access to customer information involves customer information systems maintained by a bank’s service provider, it is the responsibility of the bank to notify the bank’s regulator and (possibly) its customers. Under the Guidance, however, a bank may authorize or contract with its service provider to notify the bank’s customers or regulator on its behalf.
When a bank becomes aware of an incident of unauthorized access to “sensitive customer information,” the bank must conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the bank makes such a determination, then the bank must notify the affected customers (the required minimum elements of the notice are specified in the Guidance) as soon as possible.
The Guidance makes clear that the regulators believe that each bank has an affirmative duty to protect its customers’ information against unauthorized access or use. When such unauthorized access or use occurs, the regulators expect the bank to notify its primary regulator and (depending on the bank’s assessment of the likelihood that the information has been or will be misused) its affected customers of an incident, regardless of whether it may be embarrassed or inconvenienced by doing so.
Susan N. LeDuc is a regulatory specialist at the law firm of Gallagher, Callaghan & Gartrell P.A., in Concord, N.H. She can be contacted at Leduc@gcglaw.com.