NEBRASKA BANKERS ASSOCIATION 17 1 Although state data breach notification laws may apply, this article will limit the discussion to the applicability of GLBA, the definition of sensitive data under GLBA, and the investigation standards under GLBA. This article will also not address the notification requirements under GLBA or applicable state statute. 2 15 USC § 6809(4) 3 2 CFR Appendix B to Part 364 4 12 CFR Appendix B to Part 364 - Interagency Guidelines Establishing Information Security Standards 5 Financial Institution Letter, FIL-27-2005, April 1, 2005, https://www.fdic. gov/news/financial-institution-letters/2005/fil2705.html 6 Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. 7 Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. 8 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15739. 9Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15741. 10 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15741. 11 Federal Register, Vol. 70, No. 59, Tuesday, March 29, 2005, Rules and Regulations, page 15744 (emphasis added). • Consider asking for a computer forensics expert to wipe the data; or • Consider asking for an affidavit that the data has been securely wiped from the network device. The above steps, if well documented, may allow a bank to reasonably conclude that the information has been secured and was not accessed or used for any illegal purpose, such as for opening credit cards or obtaining a new line of credit and meet the requirements of an investigation under the FDIC guidance. Conclusion Financial institutions are in a unique position to possess sensitive and personal information of customers. That information must be protected from hackers and employees seeking to email, download, copy, or otherwise remove the information from the bank’s possession. The regulations and notification requirements allow a bank to investigate whether the access and use will require notification. The threat of notification of regulators and law enforcement may provide leverage for the cooperation and interview of former employees. The interviews, the investigation, and the resulting affidavits and reports may provide the evidence necessary for a bank to conclude the actions of the employee; while a violation of an employee agreement is not grounds for data breach notification required under GLBA. For more information, please contact Robert (Bob) Kardell, at 402.636.8313, bkardell@bairdholm.com, or visit bairdholm.com.
RkJQdWJsaXNoZXIy MTIyNDg2OA==