Agencies Propose Guidance on Response Programs to Fight Identity Theft
Federal bank regulators this week proposed guidelines requiring banks to have programs to respond to instances of unauthorized access to customer information, including procedures for notifying customers when unauthorized access has occurred. The proposal comes as Congress continues to debate the extension of the Fair Credit Reporting Act, where attention has focused on the growing problem of identity theft.
The proposal would expand existing regulations for Safeguarding Customer Information under the Gramm-Leach-Bliley Act that took effect on July 1, 2001. Those regulations require every bank to have a written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities. The proposal would require banks to have procedures in place for responding when the security of customer information maintained by the bank or its service provider may have been compromised.
The new proposal outlines the components of a response program. Upon unauthorized access to customer information, the bank would be expected to assess the situation, notify its federal regulator, take measures to contain and control the incident, and address and mitigate harm to individual customers.
Appropriate corrective measures under the guidelines would include flagging accounts that may have been affected, monitoring those accounts for unusual or suspicious activity, securing accounts that may have been affected, and providing notice and customer assistance where appropriate.
If sensitive customer information, such as the customer's social security number, personal identification number, password or account number, may have been compromised by unauthorized access, the proposal would require the bank to notify affected customers. If the bank can identify which customers have been affected, only those customers need to be notified, but if the bank can only identify a group of customers that may have been affected, all members of the group must be notified.
The notice would include a general description of the incident, and provide information so customers can address the situation, such as a number to call for additional information, steps for obtaining and reviewing credit reports and filing fraud alerts with national credit bureaus, and the availability of the Federal Trade Commission's online guidance on identity theft. The notice should also inform affected customers that the bank will help them correct and update credit information.
Notice will not be required if the bank, after reasonable investigation, concludes that misuse of the information is unlikely (for example, because it is encrypted) and takes appropriate steps to safeguard the information of affected customers.
The ICBA has published a brochure on identity theft, Protect Your Good Name, that banks can distribute to customers to help them protect against identity theft. An order form for the brochures is available here.
The proposed guidelines were published in the Aug. 12 Federal Register. Comments are due Oct. 14. Additional information and a link to the full proposal are available at www.fdic.gov/news/news/press/2003/pr7803.html.