The Gramm-Leach-Bliley Act (GLB act), the landmark banking legislation that ended the Depression-era laws separating banking, insurance, and brokerage activities, also includes provisions designed to safeguard customer information held by financial institutions. Section 501(b) of the GLB act requires federal banking agencies—namely, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision—to establish standards for the financial institutions they supervise to protect the security and confidentiality of customer information and to implement safeguards to help prevent unauthorized access to the information. In response to this mandate, the agencies previously published the Interagency Guidelines Establishing Information Security Standards (the guidelines).
Last March, the agencies published an interpretation of the guidelines, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (final guidance), which establishes the procedures financial institutions should follow after they determine that customer information was accessed without authorization.1 This article provides an overview of the final guidance for response programs.
Scope of the Guidance
The final guidance only applies to a financial institution’s “customers.” The GLB act distinguishes between a “consumer,” who is defined as “an individual who obtains or has obtained a financial product or service … that is to be used primarily for personal, family, or household purposes,” and a “customer,” who is defined as “a consumer who has a customer relationship with [the financial institution].” The “customer relationship” is defined as “a continuing relationship between a consumer and [the financial institution] under which [the financial institution] provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.” Generally, if the relationship between a financial institution and an individual is significant, then the individual is a customer. For example, a person who obtains a mortgage from a bank is considered a customer, while a person who only uses an ATM at a bank and has no other business there is a consumer. Strictly speaking, then, financial institutions are only required to implement the final guidance with respect to their customers.
As a practical matter, however, once a financial institution invests the time and resources to establish information security procedures, it would not make sense to only safeguard the information of customers. While financial institutions are not required to safeguard the information of noncustomers, institutions could expose themselves to liability for security breaches if they used weaker security standards for their noncustomer account holders.
The final guidance also defines the type of customer information to which it applies: nonpublic personal information, regardless of the format in which it is stored (electronic, paper, etc.), that is maintained by the institution or on behalf of the institution by a service provider. This definition is important because it clarifies that an institution is not liable for the loss of customer information not under its control. For example, if a customer divulged account information because of a phishing scam, in which a fraudulent website imitates a legitimate site, deceiving customers into divulging financial information, the financial institution would not be liable under the GLB act for resulting losses, because the information divulged was not under its control.2
The final guidance does not apply to a financial institution’s foreign offices, branches, or affiliates. However, a financial institution covered by the final guidance is responsible for the security of its customer information, regardless of whether the information is maintained in the United States.
Procedures Following Unauthorized Access
The final guidance requires that financial institutions establish a five-pronged response program to deal with unauthorized access of customer information:
|1.||Assess the nature and scope of the incident, and identify what customer information has been accessed or misused|
|2.||Notify the primary federal regulator promptly|
|3.||Notify law enforcement in situations involving federal criminal violations that require immediate attention|
|4.||Take appropriate steps to contain and control the incident to prevent further unauthorized access, such as monitoring, freezing, or closing affected accounts, while preserving records and other evidence|
|5.||Notify customers when warranted|
Assess the Nature and Scope of Incident
When a financial institution learns of unauthorized access to information, it must first assess the nature and scope of the incident and identify what customer information systems and types of customer information have been accessed.
Notice to Federal Bank Regulator and Law Enforcement
After assessing the nature and scope of the incidents, the final guidance states that financial institutions should notify their primary federal regulator if “sensitive customer information” was accessed without authorization. Sensitive information is defined as “a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account.” It also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password. Thus, if an institution learned of unauthorized access to customer information, but the information was not sensitive, the institution would not have to notify law enforcement and its regulator.
The final guidance does not mandate any particular method for notifying regulators, but instead it emphasizes expeditious contact, such as via telephone. The final guidance also clarifies that it is the responsibility of financial institutions—not their service providers—to report unauthorized access to their regulators. However, in the interest of efficiency and timeliness, when a breach occurs, financial institutions may authorize their service providers to notify their regulator on the institution’s behalf.
Regarding notice to law enforcement, the final guidance states that in addition to filing a timely Suspicious Activity Report (SAR), an institution should notify law enforcement by telephone when the unauthorized access involves violations of federal criminal laws. This is consistent with the federal banking agencies’ SAR regulations.
Contain and Control Incident
After learning of unauthorized access, the next step is to contain and control the problem. The following measures can be taken in response to unauthorized computer access: 1) shut down applications or third party connections, 2) reconfigure firewalls, 3) ensure that all known vulnerabilities in the financial institution’s computer systems have been addressed, 4) change computer access codes, 5) modify physical access controls, and 6) place additional controls on service provider arrangements.
The guidance employs a pragmatic approach to identifying the circumstances in which institutions must notify their customers of unauthorized access. If sensitive customer information has been accessed without authorization, the institution must determine whether it is likely the information has been or will be misused. If the institution reasonably believes that the information was or can be misused, it must notify the customer as soon as possible, unless a law enforcement agency believes that early notice to the customer might compromise a criminal investigation and notifies the institution in writing of its request to delay notice to the customer. But if the institution does not believe the information was misused or could be misused, it is not required to notify the customer.
When an institution determines that it must notify a customer of unauthorized access, the notice must:
The final guidance also encourages financial institutions to notify the three major credit bureaus.
In light of the final guidance, financial institutions should promptly review their existing security procedures and response programs to determine whether they satisfy the requirements of the final guidance and make any necessary changes to their existing program to ensure that they are in compliance.
If you have any questions about this article, please contact Consumer Regulations Specialist Kenneth J. Benton or Supervising Examiner John D. Fields through the Regulations Assistance Line at (215) 574-6568.
The addresses and phone numbers of the credit fraud departments of the three major agencies are:
P.O. Box 740241
Atlanta, GA 30374-0241
P.O. Box 9532
Allen, TX 75013
TransUnion Fraud Victim Assistance Division
P.O. Box 6790
Fullerton, CA 92834-6790
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.