Nebraska Bankers Association
SECURITY BREACHES: RESPONSE PROGRAMS, STATE AND FEDERAL REGULATORY POLICIES AND STATE STATUTORY LAW

I.        INTRODUCTION

The Federal Financial Institutions Examination Council (FFIEC) agencies, comprised of the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC) and the Office of Thrift Supervision (OTS), jointly issued an interpretive guidance, entitled Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, on April 1, 2005, requiring financial institutions to “develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider.” The Guidance, as published by the FDIC in FIL-27-2005, may be accessed at http://www.fdic.gov/news/news/financial/2005/fil2705a.html.

The Guidance interprets § 501(b) of the Gramm-Leach-Bliley Act (GLBA) and the Interagency Guidelines Establishing Information Security Standards (12 C.F.R. 364, Appendix B) and describes appropriate elements of a financial institution's response program, including customer notification procedures. Section 501(b)(3) of GLBA provides that information security standards established by financial institution regulatory agencies must include various safeguards to protect against not only unauthorized access to customer information but also its use in a manner that could result in “substantial harm or inconvenience to any customer.” Because the Guidance interprets § 501(b) of the GLBA and the FFIEC Information Security Guidelines, the federal regulators reasoned that financial institutions were to implement the Guidance as soon as possible.

On May 27, 2005, the Nebraska Department of Banking and Finance also issued External Statement of Policy #31, entitled Response Program for Unauthorized Access to Customer Information, which became effective on June 1, 2005 and requires all state-chartered financial institutions to have a written Response Program in place detailing the method of handling unauthorized access to customer information. This policy was revised on March 31, 2016, and is now SOP #18.

II.       FFIEC GUIDANCE

Section 501(b) of GLBA requires the FFIEC regulatory agencies to establish appropriate standards for financial institutions (including administrative, technical and physical safeguards) to protect the security and confidentiality of customer information. The scope of the Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, and the terms used within this Guidance, are identical to those used in the Guidelines Establishing Information Security Standards. For review purposes, the Information Security Standards Guidelines require a financial institution to have an information security program that:

  • Ensures the security and confidentiality of customer information;
  • Protects against any anticipated threats or hazards to the security or integrity of customer information; and
  • Protects against unauthorized access to or use of customer information that could result in substantial risk or inconvenience to any customer.

The Information Security Standards Guidelines also direct every financial institution to assess the following risks, among others, when developing its information security program:

  • Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
  • The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and
  • The sufficiency of policies, procedures, customer information systems and other arrangements in place to control risks.

After risk assessment, the Information Security Standards Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, a financial institution must consider the specific security measures listed in the Information Security Standards Guidelines and adopt those appropriate for the institution, including:

  • Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;
  • Background checks for employees with responsibilities for access to customer information; and
  • Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.

The Information Security Standards Guidelines also direct financial institutions to require service providers, by contract, to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

A.        Components of a Response Program

The Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice notes that millions of people have been victims of identity theft and that financial institutions are often placed on the front line to ensure that preventative measures are taken to safeguard customer information against attempts to gain unauthorized access to it. In this regard, the FFIEC states that every financial institution should develop and implement a risk-based response program, as a key element of its information security program, to address the incidents of unauthorized access to customer information in customer information systems that occur nonetheless. A response program should be tailored to the size and complexity of the financial institution and the nature and scope of its activities.

In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its service providers. The Guidance states that, consistent with obligations contained in other Guidelines that relate to these arrangements and with existing FFIEC guidance on this topic, an institution’s contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution’s customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.

At a minimum, a financial institution’s response program should contain procedures to:

  • Assess the nature and scope of an incident and identify what customer information systems and types of customer information have been accessed or misused;
  • Notify the primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information;
  • File a timely Suspicious Activity Report (SAR) and, in situations involving federal criminal violations requiring immediate attention (e.g., when a reportable violation is ongoing), promptly notify appropriate law enforcement authorities;
  • Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and
  • Notify customers when warranted, in a manner designed to ensure that a customer can reasonably be expected to receive the notice.

When an incident of unauthorized access to sensitive customer information involves customer information systems maintained by a financial institution’s service provider, it is the financial institution’s responsibility to notify its customers and primary federal regulator; however, a financial institution may authorize or contract with its service provider to notify the institution’s customers or regulator on its behalf.

B.        Sensitive Customer Information

The Guidance defines “sensitive customer information” as any record containing nonpublic personal information regarding a customer, whether in paper, electronic or other form, that is maintained by or on behalf of a financial institution (e.g., a customer’s name, address or telephone number in conjunction with the customer’s Social Security number, driver’s license number, account number, credit or debit card number or a personal identification number or password that would permit access to a customer’s account). The term also includes any combination of components of customer information that would allow someone to log on to or access a customer’s account (e.g., user name and password or password and account number).

C.        Providing Customer Notification, the Contents of Such Notice and Delivery of the Notice

The Guidance provides that a financial institution should notify customers whenever the institution becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or that misuse is reasonably possible. Timely customer notification should not be delayed because an institution may be embarrassed or inconvenienced; the FFIEC considers timely notice important to managing an institution’s reputation risk. The Guidance states that effective notice may also reduce an institution’s legal risk, assist in maintaining good customer relations and allow the institution’s customers to take steps to protect themselves against the consequences of identity theft. Notice should therefore be delivered as soon as possible, although the Guidance allows notice to be delayed if an appropriate law enforcement agency determines that it would interfere with a criminal investigation.

Customer notices are to be given in a clear and conspicuous manner and include the following information:

  • A description of the incident;
  • The type of information subject to unauthorized access;
  • The measures taken by the institution to protect customers from further unauthorized access;
  • A telephone number that customers can call for information and assistance; and
  • A reminder to customers to remain vigilant over the next 12 to 24 and to report suspected identity theft incidents to the institution.

When appropriate, customer notices should include the following additional items:

  • A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
  • A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
  • A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
  • An explanation of how the customer may obtain a credit report free of charge; and
  • Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft.

The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC’s Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.

The Guidance encourages financial institutions to notify nationwide consumer reporting agencies before sending notices that include contact information for the reporting agencies to a large number of customers.

Customer notice should be delivered in a manner designed to ensure that a customer can reasonably be expected to receive it. For example, a financial institution may choose to contact all affected customers by telephone or by mail, or by e-mail for those customers for whom the institution has valid e-mail addresses and who have agreed to receive communications electronically.

III.       NEBRASKA DEPARTMENT OF BANKING STATEMENT OF POLICY #18

The Nebraska Department of Banking and Finance issued External Statement of Policy #18 (“SOP #18”), entitled Response Program/Notification for Unauthorized Access to Customer Information, which was effective on June 1, 2005. SOP #18 requires all financial institutions to have a written Response Program in place detailing the method of handling unauthorized access to customer information. The policy also provides that the Department’s examiners will review the Response Program as part of a regular examination of an institution.

SOP #18 also states that when a financial institution becomes aware of an incident involving unauthorized access to, or use of, sensitive customer information, the institution must immediately notify the Department. When an incident requires a SAR filing, a copy of the SAR must also be delivered to the Department. When an incident requires customer notification, the Department is to be provided with a sample copy of the customer notice or other documentation, prior to, or simultaneously with, the customers receiving the notice.

IV.       STATE STATUTORY LAW – DATA SECURITY BREACH

The Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 became effective July 14, 2006, and can be found at Neb. Rev. Stat. § 87-801 et seq. The Act establishes consumer notification requirements for any “breach of the security of the system,” defined as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information. Personal information means a Nebraska resident’s first name or first initial and last name in combination with certain data elements that relate to the resident, if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable.

Importantly, the legislation exempts from its requirements any individual or commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator, provided that the individual or commercial entity notifies affected Nebraska residents in accordance with those procedures in the event of a breach of the security of the system. The Act expressly applies to the discovery of, or notification pertaining to, a breach of the security of the system that occurs on or after July 14, 2006.

V.        CONCLUSION

Strict standards have been established for reporting incidents to federal and state financial institution regulatory agencies and for customer notification. Institutions should expect bank regulators to examine this area; therefore, bankers are encouraged to develop and establish a Response Program that includes appropriate risk assessment, procedures and controls in order to provide an effective response to potential security breaches of sensitive customer information.