The federal bank and thrift regulatory agencies have jointly
issued Interagency Guidance on Response Programs for Unauthorized Access to
Customer Information and Customer Notice.
The guidance
interprets the agencies' customer information security standards and states
that financial institutions should implement a response program to address
security breaches involving customer information.
The response program should include procedures to notify
customers about incidents of unauthorized access to customer information that
could result in substantial harm or inconvenience to the customer.
The guidance provides that, when a financial institution
becomes aware of an incident of unauthorized access to sensitive customer
information, the institution should conduct a reasonable investigation to
promptly determine the likelihood that the information has been or will be
misused.
If the institution determines that misuse of its
information about a customer has occurred or is reasonably possible, it should
notify the affected customer as soon as possible, the guidance states. However, notice may be delayed if an
appropriate law enforcement agency determines that notification will interfere
with a criminal investigation.
Under the guidance, a financial institution should notify
its primary federal regulator of a security breach involving sensitive customer
information, whether or not the institution notifies its customers.
# # #
Media contacts:
FDIC - David Barr (202-898-6992)
Federal Reserve - Susan K. Stawick (202) 452-2955
OCC - Kevin Mukri (202) 874-5770
OTS - Erin Hickman (202) 906-6677