I. INTRODUCTION
The National Automated Clearing House Association (NACHA) issued an interim policy (effective September 28, 2007) regarding ACH data breach notification requirements. While NACHA has indicated that it will not enforce compliance with the interim policy as a rule until it has adopted a formal rule relating to data breaches, financial institutions are expected to take advantage of the notification procedures contemplated by the interim policy in an effort to better manage the risks that accompany data breaches.
The NACHA data breach requirements are similar to those adopted in Nebraska and other states that require businesses to notify their customers whenever a third party has gained unauthorized access to sensitive personal and financial information.
Under the NACHA interim rule, if an originating depository financial institution (ODFI) or the customers on whose behalf it sends ACH entries (Originators) suffer a data breach, the ODFI is required to send a notice to NACHA and to the institutions at which the affected customers have accounts (Receiving Depository Financial Institutions or RDFIs), as set forth in further detail below. An ODFI can report a breach of ACH data using the form available on the NACHA web site at https://www.nacha.org/risk/report-data-breach.
II. KEY DEFINITIONS
Pursuant to the interim policy, the terms “data breach” and “Consumer-Level ACH Data” are among the key terms that determine an institution’s obligations. These terms are defined as follows:
A. Data Breach
Data Breach means the “loss, theft, or unauthorized access of Consumer-Level ACH Data by or from any ODFI or Originator or any of their respective third-party service providers using the ACH Network, or any affiliate of the foregoing under circumstances indicating that the misuse of such information has occurred or is reasonably possible.”
B. Consumer-Level ACH Data
Consumer-Level ACH Data means “the following information with respect to consumer customers of a RDFI gathered by an ODFI or Originator or any of their respective third-party service providers for the purpose of initiating ACH transactions:
Under the interim policy, data captured as part of check conversion or truncation transactions are covered. However, information that is received for any other purpose is not covered. For example, bank routing numbers and account numbers that are used for normal check processing are not covered.
III. ODFI OBLIGATIONS
The interim policy imposes four types of obligations on ODFIs:
A. Prevention
Each ODFI must ensure that it, its Originators, and their respective third-party service providers have adopted and implemented “commercially reasonable policies, procedures, and systems to receive, store, transmit, and destroy Consumer-Level ACH data in a secure manner and to protect against data breaches.”
B. Detection, Escalation, and Investigation
Each ODFI must ensure that it, its Originators, and their respective third-party service providers implement “commercially reasonable policies, procedures and systems to detect the occurrence of a data breach within their respective organizations.” These policies and procedures should include timely escalation of the breach to appropriate internal personnel and, in a case where the breach occurs at an Originator or third-party service provider, prompt notice to the ODFI’s designated security contact. If a data breach is known or suspected to have occurred, the ODFI and the relevant Originator and/or third-party service provider should immediately conduct an investigation to determine: (1) whether a data breach actually occurred; (2) the scope of the data breach (including the type and amount of data involved); (3) the risk of the relevant data being misused; and (4) the steps needed to prevent further data breaches.
C. Notification to NACHA and RDFIs
An ODFI must notify a NACHA security contact if it knows or reasonably suspects that (1) one of its Originators or third-party service providers has experienced a data breach of Consumer-Level ACH Data and (2) misuse of that information has occurred or is reasonably possible. The required notification must include the following findings relating to the data breach:
Other relevant findings may be included in the notification, but their determination should not delay the required notification described above. These other findings include: (1) any mitigating factors, and (2) any other information the ODFI believes would be relevant to an RDFI’s evaluation of the data breach and responding to it.
NACHA has provided a standard form on its web site that may be used for giving NACHA the required notice. An ODFI must take reasonable steps to correct the address and promptly resend to NACHA any notice that is returned as undeliverable. The ODFI should also take reasonable steps to notify RDFIs whose accounts may be impacted by the data breach. The ODFI may, at its option, do this directly or by using a NACHA-designated procedure. The interim policy reminds ODFIs that they should determine whether they have any other consumer notification requirements under applicable laws.
D. Timeframe for Notification
An ODFI must take all appropriate steps to provide an initial notice of a data breach to NACHA and each affected RDFI as soon as reasonably possible. Accordingly, an ODFI should not wait to complete its investigation if it has enough information to (1) conclude that a data breach likely occurred and that misuse of Consumer-Level ACH Data is reasonably possible; and (2) allow RDFIs to take meaningful action to respond. Notice may be delayed if disclosure to ACH Network participants would impede an ongoing criminal investigation.
IV. CONCLUSION
The NACHA interim policy imposes significant compliance obligations on ODFIs with respect to data breaches, including data breaches suffered by their Originators. As a result, an ODFI will want to review its agreements with Originators to ensure that these Originators are obligated to provide it with notice of a data breach and to cooperate with the ODFI in investigating and responding to the data breach. These provisions should also cover data breaches suffered by any third-party service provider used by an Originator.