Cyber criminals are targeting banks, credit unions, and other financial institutions because these organizations hold a large amount of sensitive consumer data. Handling a data breach involving a financial institution requires an awareness of federal guidelines that spell out the specific steps to take when a financial institution is at risk.

The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (the "Guidance") are the applicable regulations in the event of a financial institution data breach. This blog posting will discuss some of the key parts of the Guidance, such as applicability of the Guidance, investigating security breaches, and breach notification.

Applicability of the Guidance

The Guidance was promulgated by a number of institutions that regulate the financial system, known as the "Agencies":

• Office of the Comptroller of Currency
• Board of Governors of the Federal Reserve
• Federal Deposit Insurance Corporation
• Office of Thrift Supervision

The Agencies issued the Guidance to interpret the requirements of section 501(b) of the Gramm-Leach Bliley Act and the Security Guidelines in order to develop the implementation of a response plan to address unauthorized access to customer data. The Guidance applies to entities enumerated in Section 505(a) of the GLBA. The Guidance does not apply to a financial institution's foreign branches or affiliates.

Ultimately, a financial institution will be responsible for the security of its customer information, even if the information is held by a service provider outside of the United States. The Guidance applies to "customer information" containing "nonpublic personal information" about a customer that is maintained on behalf of the institution. In other words, the Guidance does not apply to information disclosed by the customer to a third party. Finally, the Guidance does not apply to commercial accounts.

Investigate Security Breaches

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Pursuant to the Guidance, a financial institution must:

• investigate any security breaches involving unauthorized access to customer information.
• consider taking steps such as freezing or closing the account in order to prevent any additional damage to the customer
• preserve records related to the security incident
• determine whether misuse of sensitive customer information has occurred

Breach Notification

The Guidance contains instructions regarding breach notification. The financial institution should notify its primary federal regulator and law enforcement.

If the financial institution determines that sensitive customer information has been misused or that its misuse is reasonably possible, the affected customers need to be notified. Notification to the customer can be delayed if law enforcement finds that such notification could impacts its investigation and if law enforcement makes a written request that notification be delayed.

Customer notice should be given in a clear and conspicuous manner. The notice should:

• describe the incident
• inform the customer of the information that was subject to the breach
• describe the steps that the financial institution has taken to protect the customer’s information from any additional breach

Depending on the circumstances, the notification to the consumer should also possibly include:

1. a recommendation that the consumer review account statements regularly
2. an explanation of how the consumer may place a fraud alert on her file
3. an explanation regarding how the customer may obtain a free credit report
4. steps that the consumer can take to protect against identity theft

It is important for financial institutions to be aware of the specific steps that must be taken when handling a data breach to ensure compliance with the Interagency Guidance. Following the Guidance is an important step that a financial institution should take to mitigate the risks and liability arising out of a data breach.