The new rules state that financial institutions should implement a response program to address security breaches involving customer information. The plan should include procedures to notify customers about any security incidents that involve access to customer information that could result in 'substantial harm or inconvenience' to the customer, according to a report issued by the Board of Governors of the Federal Reserve System.
The rules state, ''When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.''
''If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.''
However, notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation. But even if the bank doesn't notify customers, it is obligated to notify its primary federal regulator of any security breach involving sensitive customer information.
Several companies have admitted recently that customers' personal and financial has been accessed or even stolen.