The U.S. Federal Reserve Board today issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their personal data has been stolen.
In an announcement, the Federal Reserve and three other government banking agencies, including the Federal Deposit Insurance Corporation, unveiled their "guidance" on how banks must treat personal information theft under federal laws enacted in 2003.
The rules come at a time when several companies have acknowledged that consumers' personal and sensitive information has either been stolen or accessed inappropriately.
David Barr, a spokesperson for the FDIC in Washington, D.C., says the agencies spent the past 18 months reviewing the Fair and Accurate Credit Transactions (FACT) Act. The review drew on input from government officials as well as from the security and banking industries, consumer groups, and other parties to arrive at the specific rules.
Timelines Still Fuzzy
A key requirement is that consumers must now be notified when personal information has been stolen or illegally accessed and there is reason to believe it will be misused. To make that determination, the institution must first conduct a "reasonable investigation" of the security breach to establish whether the information has been or is likely to be misused, and therefore whether affected consumers must be notified.
"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the rules say. Notice can be delayed, however, if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.
Specific timelines on how quickly such notice should be given haven't been established.
A financial institution is also expected to notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers.
What Is Sensitive?
According to the rules, sensitive customer information includes a customer's name, address, or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit card number, or debit card number, or a personal identification number or password that would permit access to the customer's account. The rules also state that sensitive customer information includes any combination of data elements that would allow someone to log in to or access a customer's account, such as a username and password or a password and account number.
"The customer notification [provision] is brand new," Barr says. "Banks were not required to do that before, though many had. Now, there's an official mandate that they must."
The new rules took time to develop, Barr says, because they were issued by four agencies working together: the Federal Reserve, the FDIC, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision. "You have four voices instead of just one," he says. Building consensus required a great deal of deliberation, he says.
One of the greatest challenges for the agencies was determining where the legal bar should be set in terms of when consumers should be notified of breaches, Barr says. Some regulators thought notice should be given in all cases, while others thought notice should be given only if the data theft would likely bring harm to affected consumers.
The eventual standard is a reasonable one, Barr says, because it won't inundate consumers with notices unless there is evidence of a real data security threat. "If there were too many notices, consumers could be desensitized" to the real dangers of actual data security breaches, he says.
Under the new guidelines, the FDIC and other agencies can oversee financial institutions to ensure that they adhere to the notification procedures, Barr says. The agencies can issue enforcement orders if the regulations are not followed, he says.
Douglas Heller, executive director of The Foundation for Taxpayer and Consumer Rights, an advocacy group in Santa Monica, California, says the new rules are a good start for U.S. consumers. "At the very least, we should be notified when our personal information has been stolen."
California is the only state in the nation that already mandates such notification by law when a security breach exposes financial or credit information.
Recent security breaches at ChoicePoint, Bank of America, and LexisNexis involved the theft or loss of sensitive consumer financial and credit data.
This story, "New Federal Rules Dictate Bank ID Theft Notifications" was originally published by Computerworld.