The guidance provides that, "when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible." Sensitive customer information is defined to mean a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.
The guidance states that a financial institution's contract with each service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.
The guidance also provides that a financial institution should notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers. A national bank should notify its supervisory office.
Section b of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information.
Accordingly, the Agencies issued Security Guidelines requiring every financial institution to have an information security program designed to:

The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:

- Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;
- The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and
- The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.

Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines, and adopt those that are appropriate for the institution, including:

- Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;
- Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.
The Security Guidelines direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Millions of Americans, throughout the country, have been victims of identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information.
For example, financial institutions should place access controls on customer information systems and conduct background checks for employees who are authorized to access customer information. A response program should be a key part of an institution's information security program. See Security Guidelines, I. In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers.
Therefore, consistent with the obligations in the Guidelines that relate to these arrangements, and with existing guidance on this topic issued by the Agencies, an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.
- Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
- Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and

See 12 CFR. National banks must file SARs in connection with computer intrusions and other computer crimes.

Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator.
However, an institution may authorize or contract with its service provider to notify the institution's customers or regulator on its behalf. Financial institutions have an affirmative duty to protect their customers' information against unauthorized access or use.
Notifying customers of a security incident involving the unauthorized access or use of the customer's information in accordance with the standard set forth below is a key part of that duty.
Timely notification of customers is important to manage an institution's reputation risk. Effective notice also may reduce an institution's legal risk, assist in maintaining good customer relations, and enable the institution's customers to take steps to protect themselves against the consequences of identity theft.
When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so. When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.
If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.
However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.