Nebraska Bankers Association

FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 (“FACT ACT”): PROPER DISPOSAL OF CONSUMER INFORMATION

I. INTRODUCTION


The Office of the Comptroller of the Currency, Treasury (OCC), Board of Governors of the Federal Reserve System (Board), Federal Deposit Insurance Corporation (FDIC) and Office of Thrift Supervision (OTS) adopted the final rule to implement § 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. In addition, the Interagency Guidelines Establishing Standards for Safeguarding Customer Information have been renamed and are now entitled the Interagency Guidelines Establishing Standards for Information Security (hereinafter referred to as the “Guidelines”) to clarify that the Guidelines encompass the disposal of consumer information. The final rule, effective July 1, 2005, generally requires each financial institution to develop, implement and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports to address the risks associated with identity theft.


Section 216 of the FACT Act added a new § 628 to the Fair Credit Reporting Act (FCRA), which is codified at 15 U.S.C. § 1681w. In general, the additional section is designed to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report, e.g., fraud, identity theft and related crimes, and required financial institution regulators to adopt regulations that require any person who “maintains or otherwise possesses consumer information or any compilation of consumer information derived from consumer reports for a business purpose to properly dispose of any such information or compilation.” The FACT Act provides that the regulators ensure that their respective regulations are consistent with the requirements issued pursuant to the Gramm-Leach-Bliley Act (GLB Act) (Pub. L. 106-102), as well as other provisions of Federal law.


II. SUMMARY OF PREVIOUS GUIDELINES ESTABLISHING STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION

Pursuant to § 501 and § 505 of the GLB Act, the federal financial institution regulatory agencies jointly issued Interagency Guidelines Establishing Standards for Safeguarding Customer Information setting forth standards for developing and implementing administrative, technical and physical safeguards to protect the security, confidentiality and integrity of customer information. These previous Guidelines established rules relating to the safeguarding of customer information as well as elements in policies and procedures that a financial institution must adopt to address identifiable threats to confidentiality of such information or its unauthorized use.


The previous Guidelines applied to “consumer customer information” (i.e., information about “customers” as defined in the respective bank regulatory agency “Privacy of Consumer Financial Information” rule) maintained by or on behalf of financial institutions and any subsidiaries of such financial institutions (except for brokers, dealers, persons providing insurance, investment companies and investment advisers, who are covered by other regulations). Although the previous Guidelines did not apply to business customers’ accounts or relationships, financial institutions were free to adopt more comprehensive policies covering other customers and relationships in addition to consumers. Under the revised Guidelines, the amended definition of “consumer information” now includes the qualification “for a business purpose,” as set forth in § 216 of the FACT Act. The additional phrase “for a business purpose” encompasses any commercial purpose for which a financial institution might maintain or possess “consumer information.”


The previous Guidelines required every financial institution to implement a comprehensive written information security program that includes administrative, technical and physical safeguards for customer records and information appropriate to the size and complexity of the institution and the nature and scope of its activities. Although a financial institution may already have an information security program in place, that program – along with its policies and procedures – was to be reviewed and perhaps revised in order to make the necessary changes to fit the requirements of the Guidelines.


Specific responsibilities are placed on a financial institution’s Board of Directors and its management. The Board must be actively involved in the development and implementation of a written information security program that it ultimately approves. Ongoing supervision of the program is also the Board’s responsibility; however, it may delegate that responsibility to management. In addition, the Board must be provided with a management report regarding the program on at least an annual basis.


A financial institution must conduct an assessment of the risks to customer information and indicate in its security program how it controls such risks. Issues to be considered during the development of a program – but that need not be adopted by the financial institution, unless applicable – include limiting the access to information and the facilities where the information is maintained, the encryption of electronic customer information, dual control, segregation of duties, employee background checks, monitoring systems, attack response programs and protection against fire or water damage.


Employee training is required for the implementation and maintenance of the program in addition to regular testing of the effectiveness of the program.


Financial institutions are also required to exercise appropriate due diligence in selecting and monitoring service providers, and such service providers must implement appropriate security measures to meet the objectives of the Guidelines. Should a third-party service provider have access to customer information, a financial institution must have a contract with the provider that requires the provider to comply with the objectives of the Guidelines. Existing third-party service provider contracts, i.e., contracts entered into prior to March 5, 2001, were to be brought into compliance by July 1, 2003.


III. SUMMARY OF REVISED GUIDELINES ESTABLISHING STANDARDS FOR INFORMATION SECURITY AND THE PROPER DISPOSAL OF CONSUMER AND CUSTOMER INFORMATION


In order to implement § 216 of the FACT Act, federal financial institution regulators jointly adopted amendments to the Interagency Guidelines Establishing Standards for Safeguarding Customer Information requiring each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that the institution properly disposes of “consumer information.” The amended Guidelines generally require a financial institution to properly dispose of “consumer information” derived from a consumer report in a manner consistent with a financial institution’s existing obligations under the previous Guidelines to properly dispose of customer information. Although the previous Guidelines addressed an institution’s obligations to properly dispose of customer information, the amendments now state this obligation more directly and combine it with the new requirement to properly dispose of consumer information. The federal regulators incorporated the new requirement into the Guidelines by: (1) adding a definition of “consumer information,” including illustrations of the information covered by the new term; (2) adding an objective (in paragraph II) regarding the proper disposal of customer information and consumer information; and (3) adding a provision (in paragraph III) that requires a financial institution to implement appropriate measures to properly dispose of customer information and consumer information in accordance with each of the requirements in paragraph III.


The amended Guidelines represented minimal changes to an institution’s existing information security program since many of the measures that an institution had already used to dispose of “customer information” could be adapted to properly dispose of “consumer information.”


IV. DEFINITIONS


For purposes of the Guidelines, the following definitions apply:


  • Board of directors, in the case of a branch, means the managing official in charge of the branch;
  • Customer means any customer of the financial institution as defined in § 248.3(j,k) of the respective bank regulatory agency rule entitled “Privacy of Consumer Financial Information” (hereinafter referred to as the “Privacy Rule”);
  • Customer information means any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the financial institution – the same definition that was adopted in the Privacy Rule;
  • Customer information systems means any methods used to access, collect, store, use, transmit, protect, or dispose of customer information.
  • Consumer information means any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the bank for a business purpose. Consumer information also means a compilation of such records. The term does not include any record that does not identify an individual.

Examples:

(1) Consumer information includes:


(A) A consumer report that a bank obtains;


(B) Information from a consumer report that the bank obtains from its affiliate after the consumer has been given a notice and has elected not to opt out of that sharing;


(C) Information from a consumer report that the bank obtains about an individual who applies for but does not receive a loan, including any loan sought by an individual for a business purpose;


(D) Information from a consumer report that the bank obtains about an individual who guarantees a loan (including a loan to a business entity); or


(E) Information from a consumer report that the bank obtains about an employee or prospective employee.


(2) Consumer information does not include:


(A) Aggregate information, such as the mean credit score, derived from a group of consumer reports; or


(B) Blind data, such as payment history on accounts that are not personally identifiable, that may be used for developing credit scoring models or for other purposes.


  • Consumer report has the same meaning as set forth in the Fair Credit Reporting Act, 15 U.S.C. § 1681a(d).
  • Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through its provision of services directly to the financial institution.

V. STANDARDS FOR SAFEGUARDING CUSTOMER INFORMATION


A. Information Security Program


The Guidelines expect each financial institution to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. While not all parts of the institution are required to implement a uniform set of policies, all elements of the information security program must be coordinated. In other words, where the elements of the program are dispersed throughout the institution, management should be aware of these elements and their locations. If they are not maintained on a consolidated basis, management should be able to retrieve the current documents from those responsible for the overall coordination and ongoing evaluation of the program.


COMMENT: Since the safeguarding of customer information affects every area of a financial institution, some risk management experts have suggested that all department managers should be part of the institution’s privacy team and that one individual be designated as the team leader (e.g., a “Director of Privacy”).


B. Objectives of an Information Security Program


The objectives of a financial institution’s information security program should be designed to:


  1. Ensure the security and confidentiality of customer information and consumer information;
  2. Protect against any anticipated threats or hazards to the security or integrity of such information; and
  3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

COMMENT: Access to or use of customer information or consumer information is not construed to be “unauthorized” access when done with the customer’s consent. Should a customer give consent to a third party to access or use that customer’s information (e.g., providing the third party with an account number, PIN or password), the Guidelines do not require a financial institution to prevent such access or monitor the use or redisclosure of the customer’s information by the third party. In addition, unauthorized access does not mean disclosure pursuant to one of the exceptions in the Privacy Rule.


VI. DEVELOPMENT AND IMPLEMENTATION OF INFORMATION SECURITY PROGRAM


A. Involvement of the Board of Directors


The board of directors or an appropriate committee of the board of each financial institution is charged with the responsibility to:


  1. Approve the financial institution’s written information security program; and
  2. Oversee the development, implementation, and maintenance of the institution’s information security program, including assigning specific responsibility for its implementation and reviewing reports from management.

COMMENT: Although the Guidelines allow the entire board of a financial institution or an appropriate committee of the board to approve the institution’s written security program, the Guidelines also provide that the board may assign specific implementation responsibilities to a committee or an individual.


B. Assessment of Risk


Each financial institution is charged with the following:


First, identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration or destruction of customer information or customer information systems;


Next, assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and


Finally, assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.


C. Management and Control of Risk


The Guidelines describe the steps each financial institution should take in order to manage and control risks.


1. Design its information security program to control the identified risks, commensurate with the sensitivity of the information as well as the complexity and scope of the financial institution’s activities. Each financial institution must consider whether the following security measures are appropriate for the institution and, if so, adopt those measures the financial institution concludes are appropriate:


a. “Access controls” on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;


b. “Access restrictions” at physical locations containing customer information, such as buildings, computer facilities, and records storage facilities, to permit access only to authorized individuals;


c. Encryption of electronic customer information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access;


d. Procedures designed to ensure that customer information system modifications are consistent with the financial institution’s information security program;


e. Dual control procedures, segregation of duties, and employee background checks for employees with responsibilities for or access to customer information;


f. Monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems;


g. Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies; and


h. Measures to protect against destruction, loss, or damage of customer information due to potential environmental hazards, such as fire and water damage, or technological failures.


COMMENT: The security measures listed above are not mandatory for all financial institutions and for all data. Rather, comments to the Guidelines state that it is the intent that an institution consider those protections listed above to determine if they are appropriate for the institution’s particular circumstances and to adopt those identified as appropriate. Elements within the list will be adapted and implemented by institutions of varying sizes, scope of operations and risk management structures.


2. Train staff to implement the financial institution’s information security program.


COMMENT: The training component should be designed to train employees to recognize, respond to and report unauthorized attempts to obtain customer information. A part of a training program should include the training of staff on bank procedures for reporting suspicious activities to the federal government, including attempts to obtain access to customer information without proper authority.


3.  Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the financial institution’s risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.


COMMENT: The frequency and nature of testing is to be determined by the institution’s risk assessment and adjusted as necessary to reflect changes in both internal and external conditions. Also, the Guidelines require that tests be conducted or reviewed by persons who are independent of those who operate the systems, including the management of those systems.


4. Develop, implement and maintain, as part of its information security program, appropriate measures to properly dispose of customer information and consumer information.


COMMENT: This provision is new in the amended Guidelines and requires a financial institution to integrate into its information security program each of the risk-based measures in connection with the disposal of “consumer information.”


D. Oversee Service Provider Arrangements


Each financial institution is required to:


  1. Exercise appropriate due diligence in the selection of service providers;
  2. Require its service providers by contract to implement appropriate measures designed to meet the objectives of these Guidelines; and
  3. Where indicated by the financial institution’s risk assessment, monitor its service providers to confirm that they have satisfied their obligations as required. As part of this monitoring, an institution should review audits, summaries of test results, or other equivalent evaluations of its service providers.

COMMENT: The exercise of due diligence should include a review of the measures taken by a service provider, including a review of the controls the service provider has in place to ensure that any subservicer used by the service provider will be able to meet the objectives of the Guidelines.


In requiring that a service provider’s security measures achieve the Guidelines’ objectives, the Guidelines allow a service provider’s information security measures to differ from the program that the financial institution itself implements.


A financial institution need only monitor its outsourcing arrangements if oversight is indicated by the institution’s own risk assessment. Not all outsourcing arrangements need to be monitored, or monitored identically, since some service providers will be financial institutions already subject to the Guidelines, while others may be subject to legal and professional standards requiring them to safeguard an institution’s customer information. Since the Guidelines allow an institution to perform a risk assessment, such factors may be taken into account. Even where monitoring is necessary, the Guidelines do not require on-site inspections. For example, monitoring could be performed through periodic review of the service provider’s audits, summaries of test results or equivalent evaluations. An institution may provide, when appropriate, through contracts or otherwise, to receive copies of audits and test result information sufficient to assure the institution that the service provider implements information security measures consistent with its contract provisions regarding the security of customer information. The American Institute of Certified Public Accountants Statement of Auditing Standards No. 70, “Reports on the Processing of Transactions by Service Organizations” (SAS 70 report), is a common external audit tool for service providers that may allow an institution to assess whether its service provider has information security measures consistent with the representations made to the institution during the service provider selection process.


E. Adjust the Program


Each financial institution must monitor, evaluate and adjust, as appropriate, the information security program in light of any relevant changes in technology, the sensitivity of its customer information, internal or external threats to information and the financial institution’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements and changes to customer information systems.


F. Report to the Board


Each financial institution must report to its board or an appropriate committee of the board at least annually. The report should describe the overall status of the information security program and the institution’s compliance with these Guidelines. The report, which will vary depending upon the complexity of each institution’s program, should discuss material matters related to its program, addressing issues such as: risk assessment; risk management and control decisions; service provider arrangements; results of testing; security breaches or violations and management’s responses; and recommendations for changes in the information security program.


G. Implementation of the Standards


  1. Effective Date


Each financial institution was required to implement an information security program pursuant to the previous Guidelines by July 1, 2001. This date coincided with the Privacy Rule’s effective date, since that rule required initial privacy notices to disclose a financial institution’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information. A financial institution could satisfy this disclosure requirement by advising its customers that the institution maintains physical, electronic and procedural safeguards that comply with federal standards to guard customers’ nonpublic personal information. The effective date for measures relating to the disposal of consumer information under the amended Guidelines is July 1, 2005.


2. Two-Year Grandfathering of Agreements with Service Providers


Until July 1, 2003, a contract that a financial institution had entered into with a service provider to perform services for it or functions on its behalf satisfied the provisions even if the contract did not include a requirement that the servicer maintain the security and confidentiality of customer information, as long as the institution entered into the contract on or before March 5, 2001. Notwithstanding that requirement, a financial institution’s contracts with service providers that have access to consumer information and that may dispose of consumer information, entered into before July 1, 2005, must comply with the provisions of the Guidelines relating to the proper disposal of consumer information by July 1, 2006.


VII. REFERENCE TO REGULATION V (PART 222 – FAIR CREDIT REPORTING)


Subpart I, entitled Duties of Users of Consumer Reports Regarding Identity Theft, was added to Federal Reserve Board Regulation V (Fair Credit Reporting) in order to implement the FACT Act. Other federal financial regulatory agencies adopted substantially identical provisions in their respective regulations. Under amended Regulation V, § 222.83, “Disposal of consumer information,” provides that financial institutions and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal agencies and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks and organizations operating under § 25 or 25A of the Federal Reserve Act must properly dispose of any consumer information that the institution maintains or otherwise possesses in accordance with the Interagency Guidelines Establishing Information Security Standards. The regulation further provides that it does not require a financial institution to maintain or destroy any record pertaining to a consumer where no such requirement is imposed under any other law, and that it does not alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.


VIII. CONCLUSION


In creating and reviewing your financial institution’s “Safeguarding of Customer Information and Proper Disposal of Consumer Information” program, there are some key steps that the Board of Directors and/or the appropriate committee and management should take. These steps are outlined below.


A. Perform Risk Assessment


  • Risk of improper information sharing and reporting
    i. Requests for information from non-governmental sources
    ii. Electronic
    iii. Fair Credit Reporting Act
  • Risk of misuse or mishandling of information by employees
    i. Security system
    ii. Management response
  • Risk of misuse or mishandling of information by a third party or vendor
    i. Security system
    ii. Management response
  • Risk of breakdowns
    i. Security
    ii. Management response


B. Identify and Evaluate Existing Policies


  • Assemble, review and evaluate existing policies and procedures
  • Identify areas that require improvements
  • Examples:
    i. Computer security policies regarding control of physical access and network security (e-mail and internet usage);
    ii. Disaster recovery plans;
    iii. Contingency plans; and
    iv. Computer security relative to training, management and coordination.


C. Decide How Customer Information and Consumer Information Will Be Safeguarded


  • Identify security capabilities of systems
  • Create controls to protect systems
  • Consider external risks
  • Consider internal risks
  • Account for systems as well as networks
  • Consider issues of physical security

D. Decide How Assets Are Protected


  • Consider cost-effectiveness
  • Consider costs relating to reputation and trustworthiness

E. Obtain Support of Responsible Parties


  • Board of Directors
  • Management
  • Employees

F. Train Employees


  • Emphasis on priority of safeguarding customer information program
  • Security and safeguarding of customer information and consumer information is responsibility of all employees

G. Implement Program


  • Ongoing “daily” process
  • Training, reviewing and adjusting

H. Reevaluate Program


  • Continually subject to review and adjustments
  • Accomplished at least on an annual basis

The following is a sample draft of language, portions of which might be considered when incorporating the appropriate language into a third party contract with service providers:


Confidentiality. (insert service provider’s name here) (hereinafter referred to as “service provider”) acknowledges that in performing services according to the terms of this contract, service provider will have access to and (insert name of financial institution here) (“bank”) will provide the service provider with information or documentation about the bank’s customer or consumer that is “confidential information”. The term “confidential information” as employed in this agreement includes, but is not limited to, any information about the bank’s customers or consumers or potential customers, regardless of whether the information is personally identifiable or anonymous. The service provider agrees that all present and future confidential information will be held in strict confidence and disclosed only to those employees whose duties reasonably require access to such information. The service provider may use such confidential information only in connection with its performance under this Agreement. The service provider will establish and maintain commercially reasonable policies and procedures to ensure compliance with this paragraph. The service provider agrees that such policies and procedures will be consistent with the bank’s customer information security program. The service provider will protect such confidential information in accordance with commercially reasonable standards and at a minimum using the same degree of care, but no less than a reasonable degree of care, to prevent the unauthorized use, disclosure or duplication of such confidential information as the service provider uses to protect its own confidential information. Confidential information will be returned to the bank or destroyed upon the bank’s request once the services contemplated by this Agreement have been completed or upon termination of this Agreement. 
The service provider acknowledges that the unauthorized use, disclosure or duplication of any such confidential information is likely to cause irreparable injury to the bank or to the bank’s customers for which bank or the bank’s customers may have no adequate remedy at law. In this regard, the service provider consents to the entry of injunctive relief against it to prevent or remedy any breach of the confidentiality obligation described in the Agreement without the bank being required to post bond. In addition, the service provider agrees that any violation of this paragraph by the service provider will be a material breach of this Agreement and will entitle the bank to immediately terminate this Agreement, without penalty, upon notice to the service provider. The service provider agrees to permit the bank and the bank’s regulatory agencies to audit the service provider’s compliance with this paragraph, and with all applicable laws and regulations, during regular business hours upon reasonable notice to the service provider. The provisions of this paragraph will survive any termination of this Agreement.


The sample language above is for illustrative purposes only and should be used only as an aid in drafting the actual language of an agreement. Any contractual language of this nature should be reviewed by appropriate professional counsel.

Nebraska Bankers Association

233 South 13th Street, Suite 700
Lincoln, NE 68508
​402-474-1555