Pub. 16 2021-2022 Issue 5

NEBRASKA BANKERS ASSOCIATION 15 Counselor's Corner — continued on page 16

the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.[3]

In combination with account numbers, social security numbers, a driver’s license number, and other information commonly collected by banks, the demographic information is “sensitive customer information” under GLBA. This sensitive information is not uncommon on internal sales or customer lists. Once that information is in the possession of the bank, the bank has an affirmative obligation to:

1. Ensure the security and confidentiality of customer information;
2. Protect against any anticipated threats or hazards to the security or integrity of such information;
3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and
4. Ensure the proper disposal of customer information and consumer information.[4]

And when the security or confidentiality of customer information is not protected:

When an incident of unauthorized access to sensitive customer information involves customer information systems maintained by an institution’s service provider, it is the financial institution’s responsibility to notify its customers and regulator.[5]

And the regulations state:

Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution’s service providers, it is the financial institution’s responsibility to notify the institution’s customers and regulator.[6]

When an incident of unauthorized access to customer information is discovered — such as when an employee may download, save, print, email, or otherwise copy customer data to take with them to a new financial institution or to start a new business — the bank may have a duty to report this data breach to its regulator, law enforcement, and its customers. While no bank wishes to notify its customers of a breach, there may be options, such as using the threat of providing notification to regulators or law enforcement to elicit the former employee’s cooperation in an investigation to determine the risk of harm. The regulations require an investigation to occur:

When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.[7]

The question then becomes, “What is a ‘reasonable investigation’ for the bank to determine the likelihood of harm?”

Reasonable Investigation

First, the bank must have a “Response Program” “appropriate to the size and complexity of the institution and the nature and scope of its activities, designed to address incidents of unauthorized access to customer information.”[8] At a minimum, a response program should include:

1. Assessing the nature and scope of an incident and identifying what customer information systems and types of customer information have been accessed or misused;
2. Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined later in the final guidance;
3. Immediately notifying law enforcement in situations involving federal criminal violations requiring immediate attention;
4. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts while preserving records and other evidence; and
5. Notifying customers when warranted.[9]

The provisions concerning the response program appear to leave little room for ambivalence as to whether notification needs to be made to federal regulators or law enforcement, but they do allow a measure of judgment when deciding whether to notify customers “when warranted.” Reading the comments in the Federal Register can provide some further guidance regarding the notification
