ICBA Opposes Detailed Rules for Hacker Response Programs
Commenting on a detailed set of proposed regulatory guidelines for responding to unauthorized access to customer information, such as a computer intrusion, that could harm customers, the ICBA recommended the agencies offer best practices instead. The proposal was designed to build on the existing Interagency Guidelines Establishing Safeguards for Customer Information issued under the Gramm-Leach-Bliley Act.
While agreeing identity theft is a serious problem, the ICBA pointed out that the crime takes many forms, from simple fraud to outright theft of another's identity. A set of prescriptive response requirements, including notice to customers and securing, flagging and monitoring customer accounts when information security may have been compromised, would not be the best approach, ICBA wrote. Instead, the ICBA strongly urged the agencies to institute "best practices" that would give individual banks the flexibility to assess the risk and respond in the most appropriate manner. For example, if closing an account and reopening it with a new account number, or changing a password, would protect the customer, the bank shouldn't have to monitor the account.
The guidelines would be unnecessarily burdensome and costly, especially for community banks with limited human, financial and other resources, ICBA said. Overly broad requirements to notify customers might cause them undue alarm. The ICBA also opposed detailed requirements for the contents of customer notice, since each fact pattern is unique and may require different communications.
The ICBA recommended limiting any requirement to notify regulators of a security breach to situations where significant risk to customers is involved. The ICBA also urged that banks be allowed adequate time to investigate and assess the risk before being required to notify customers or regulators. The ICBA's letter is posted at www.icba.org.