Federal bank and thrift regulatory agencies issued proposed guidelines Tuesday to require financial institutions to develop programs to respond to incidents of unauthorized access to customer information, including procedures for notifying customers under certain circumstances.
The proposed guidelines interpret the interagency customer information security guidelines, issued in February 2001, that require financial institutions to implement information security programs designed to protect their customers’ information.
The proposed interpretation describes the components of a response program and sets a standard for providing notice to customers affected by unauthorized access to or use of customer information that could result in substantial harm or inconvenience to those customers.
The guidelines state, “an institution should notify affected customers when it becomes aware of unauthorized access to sensitive customer information unless the institution, after an appropriate investigation, reasonably concludes that misuse is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including monitoring affected customers’ accounts for unusual or suspicious activity.”
According to the Federal Register, sensitive customer information includes a customer’s social security number, personal identification number, password or account number in conjunction with a personal identifier such as the individual’s name, address or telephone number.
The definition also includes any combination of customer information that would allow someone to log into a customer’s account, such as name and password.
The guidelines propose that a financial institution’s notice to customers of a security breach should include a general description of the incident and provide customers with information to help mitigate potential harm, including a customer service number, steps to obtain and review a credit report, how to file fraud alerts with nationwide credit reporting agencies and sources of information designed to help individuals in protecting against identity theft.
In addition, under the guidelines, financial institutions are expected to inform each customer about the availability of the Federal Trade Commission’s (FTC) online guidance to protect against identity theft and to report suspected incidents to the FTC.
The Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Office of Thrift Supervision are requesting public comment on all aspects of the proposal, including whether the agencies have identified the appropriate standard for financial institutions to provide notice to their customers.