Federal Register: August 12, 2003 (Volume 68, Number 155)
DOCID: FR Doc 03-20440
DEPARTMENT OF THE TREASURY
Thrift Supervision Office
Docket ID: [Docket No. 03-18]
ACTION: Reports and guidance documents; availability, etc.:
DOCUMENT ACTION: Notice and request for comment.
DEPARTMENT OF THE TREASURY
DATES: Comments must be submitted on or before October 14, 2003
The OCC, Board, FDIC, and OTS (the Agencies) are requesting comment on proposed guidance entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (``the proposed Guidance'').
In addition, as part of their continuing efforts to reduce paperwork and respondent burden, the Agencies invite the general public and other Federal agencies to take this opportunity to comment on a proposed information collection, as required by the Paperwork Reduction Act of 1995 (44 U.S.C. chapter 35).
Response programs for unauthorized access to customer information and customer notice,
DOCUMENT BODY 2:
Office of Thrift Supervision
BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
[Docket No. OP1155]
FEDERAL DEPOSIT INSURANCE CORPORATION
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
The Agencies have published Interagency Guidelines Establishing
Standards for Safeguarding Customer Information (``Security
Guidelines'').\2\ These Security Guidelines were published to fulfill a
requirement in section 501(b) of the GrammLeachBliley Act in which
Congress directed the Agencies to establish standards for financial
institutions relating to administrative, technical, and physical
safeguards to: (1) Insure the security and confidentiality of customer
records and information; (2) protect against any anticipated threats or
hazards to the security or integrity of such records; and (3) protect
against unauthorized access to or use of such records or information
that could result in substantial harm or inconvenience to any customer.\3\
\2\ 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D2, and part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR part 570, app. B (OTS).
\3\ 15 U.S.C. 6805(b).
Among other things, the Security Guidelines direct financial institutions to: (1) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.\4\
\4\ Security Guidelines, Paragraph III.B.2.
This proposed Guidance, published as an Appendix to this notice,
interprets section 501(b) of the GrammLeachBliley Act and the
provisions of the Security Guidelines noted above.\5\ It describes the
Agencies' expectations that every financial institution develop a
response program to protect against and address reasonably foreseeable
risks associated with internal and external threats to the security of
customer information maintained by the financial institution or its
service provider. The proposed Guidance further describes the
components of a response program, which includes procedures for
notifying customers about incidents of unauthorized access to customer
information that could result in substantial harm or inconvenience to
the customer. The proposed Guidance provides that a financial
institution is expected to expeditiously implement its response program
to address incidents of unauthorized access to or use of customer
information. A response program should contain policies and procedures that enable the financial institution to:
\5\ The Agencies may treat an institution's failure to implement final Guidance issued as a violation of the Security Guidelines.
A. Assess the situation to determine the nature and scope of the incident, and identify the information systems and types of customer information affected;
B. Notify the institution's primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies;
C. Take measures to contain and control the incident to prevent further unauthorized access to or use of customer information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and
D. Address and mitigate harm to individual customers.
The proposed Guidance describes the following corrective measures a financial institution should include as a part of its response program in order to effectively address and mitigate harm to individual customers:
A. Flag AccountsThe institution should identify accounts of customers whose information may have been compromised, monitor those accounts for unusual activity, and initiate appropriate controls to prevent the unauthorized withdrawal or transfer of funds from customer accounts.
B. Secure AccountsThe institution should secure all accounts associated with the customer information that has been the subject of unauthorized access or use.
C. Customer Notice and AssistanceThe institution should, under certain circumstances, notify affected customers when sensitive customer information about them is the subject of unauthorized access. Where the institution can specifically identify affected customers from its logs, notification may be limited to those persons only. Otherwise, the institution should notify each customer in those groups likely to be affected.
The proposed Guidance provides that a financial institution should
notify each affected customer when it becomes aware of unauthorized
access to sensitive customer information, unless the institution, after
an appropriate investigation, reasonably concludes that misuse of the
information is unlikely to occur, and takes appropriate steps to
safeguard the interests of affected customers, including by monitoring
affected customers' accounts for unusual or suspicious activity. For
the purposes of the proposed Guidance, the Agencies define sensitive
customer information to mean a customer's social security number,
personal identification number (PIN), password, or account number, in
conjunction with a personal identifier, such as the individual's name,
address, or telephone number. Sensitive customer information would also
include any combination of components of customer information [[Page 47956]]
that would allow someone to log onto or access another person's account, such as user name and password.
Under the Security Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. The Agencies believe that substantial harm or inconvenience is most likely to result from the improper access to and use of sensitive customer information. Accordingly, the proposed Guidance requires notice to mitigate or prevent substantial harm or inconvenience to a customer.
The Agencies note that the response program required under the proposed Guidance must address incidents involving the unauthorized access to or use of any form of customer information. However, the customer notice requirement applies only to security breaches involving sensitive customer information.
The proposed Guidance provides several examples the Agencies believe typify situations in which customer notification is required and those when it is not. As in other circumstances, the Agencies also expect financial institutions to notify customers upon the direction of the institution's primary Federal regulator.
The proposed Guidance discusses the content and delivery of customer notices. The notice should include a general description of the incident, and provide information to assist customers in mitigating potential harm, including a customer service number, steps customers can take to obtain and review their credit reports and to file fraud alerts with nationwide credit reporting agencies, and sources of information designed to assist individuals in protecting against identity theft.
In addition, institutions are expected to inform each customer about the availability of the Federal Trade Commission's (``FTC'') online guidance regarding measures to protect against identity theft and to encourage the customer to report any suspected incidents of identity theft to the FTC. Further, institutions should provide the FTC's Web site address and telephone number for purposes of obtaining the guidance and reporting suspected incidents of identity theft. Currently, the Web site address is http://www.ftc.gov/idtheft, and the toll free number for the identity theft hotline is 1877IDTHEFT.
The proposed Guidance also describes other forms of assistance that financial institutions have offered to their customers in incidents of this type. Financial institutions may wish to offer such forms of assistance to their customers and describe them in the customer notice. II. Request for Comments
The Agencies invite comment on all aspects of the proposed
Guidance, including each component of the response program described in
Paragraph II of the proposed Guidance. Please consider the following questions in formulating your comments:
[sbull] Should any component of the response program be clarified in some way and, if so, how?
[sbull] Are there additional components that should be included in a response program to address incidents involving unauthorized access to or use of customer information? If so, please describe the component, and the reasons that support it.
[sbull] Should each component of the response program be retained? If not, which components should be deleted and why?
[sbull] In preparing the proposed Guidance, the Agencies have attempted to identify a standard that will lead to customer notice when appropriate. The Agencies recognize that there is a spectrum of alternatives for developing a requirement to notify customers. On one side of the spectrum is a standard that would require a financial institution to notify its customers every time the mere possibility of misuse of customer information arises. On the other side is a standard that would require an institution to notify its customers only when it becomes aware of an incident involving unauthorized access to customer information and, based on unusual activity in customers' accounts or other indicia of identity theft, knows that the information is being misused. The Agencies propose a standard that lies in the middle of this spectrum. The Agencies believe that no useful purpose would be served if notices were sent due to the mere possibility of misuse of some customer information because, in general, the notices should alert customers to those situations where enhanced vigilance is necessary to protect against fraud or identity theft. Rather, the Agencies believe that notice to customers should be required in a narrower range of instances involving the unauthorized access to sensitive customer information. The standard proposed here would require a financial institution to send notice to each affected customer when the institution becomes aware of an incident of unauthorized access to sensitive customer information, unless the institution, after an appropriate investigation, reasonably concludes that misuse of the information is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including by monitoring affected customers' accounts for unusual or suspicious activity. The Agencies invite comment on whether this is the appropriate standard for requiring customer notice. For commenters who believe that this standard is inappropriate, the Agencies request that these commenters state specifically their reasoning and offer alternative thresholds for requiring customer notice.
[sbull] The proposed Guidance defines sensitive customer information as a social security number, a personal identification number (PIN), password, or an account number in conjunction with a personal identifier. Sensitive customer information would also include any combination of components of customer information that would allow someone to log onto or access another person's account, such as user name and password. The Agencies request comment on which, if any, additional types of information should be included in this definition, such as mother's maiden name or driver's license number.
[sbull] The Agencies invite comment on the potential burden associated with the customer notice provisions. For example, what is the anticipated burden that may arise from the questions posed by those customers who receive the notices? Should the Agencies consider how the burden may vary depending upon the size and complexity of the institution?
[sbull] As part of the response program, the Agencies describe certain corrective measures that an institution should take once an incident of unauthorized access occurs. One such measure is to ``secure accounts.'' Is the discussion of securing accounts sufficiently clear to enable institutions to know what is expected of them when instances of unauthorized access occur? To what extent would contracts between financial institutions and service providers need to be modified, if at all, to comply with the proposed Guidance? How much burden, if any, will the Guidance impose on service providers?
[sbull] The Agencies also invite comment on whether the proposed standard should be modified to apply to other extraordinary circumstances that compel an institution to conclude that unauthorized access to information, other than sensitive customer information, likely will result in substantial harm or inconvenience to the affected customers.
[sbull] The proposed Guidance includes examples of circumstances in which customer notice would be expected and those when it would not. Please comment on whether the examples in the proposed Guidance should be modified or supplemented and provide your rationale.
III. Paperwork Reduction Act
A. Request for Comment on Proposed Information Collection
In accordance with the requirements of the Paperwork Reduction Act
of 1995, the Agencies may not conduct or sponsor, and the respondent is
not required to respond to, an information collection unless it
displays a currently valid Office of Management and Budget (OMB)
control number. The Agencies are requesting comment on a proposed
information collection. The Agencies also give notice that, at the end
of the comment period, the proposed collections of information, along
with an analysis of the comments and recommendations received, will be submitted to OMB for review and approval.
Comments are invited on:
(a) Whether the collection of information is necessary for the proper performance of the Agency's functions, including whether the information has practical utility;
(b) The accuracy of the estimates of the burden of the information collection, including the validity of the methodology and assumptions used;
(c) Ways to enhance the quality, utility, and clarity of the information to be collected;
(d) Ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology; and
(e) Estimates of capital or start up costs and costs of operation, maintenance, and purchase of services to provide information.
At the end of the comment period, the comments and recommendations received will be analyzed to determine the extent to which the information collections should be modified prior to submission to OMB for review and approval. The comments will also be summarized or included in the Agencies' requests to OMB for approval of the collections. All comments will become a matter of public record.
Comments should be addressed to: