From the financial sector to the healthcare industry, and even the security business itself, hackers are creeping their way into business data systems and pilfering personal information. For financial institutions, security measures to prevent attacks are not foreign. Nor is the need for a response plan in case preventative measures fail. Financial institutions have been required to maintain data breach response plans since 2005, when the Office of the Comptroller of the Currency (“OCC”), the Federal Deposit Insurance Corporation (“FDIC”), the Board of Governors of the Federal Reserve System (“FRB”) and the Office of Thrift Supervision (“OTS”) jointly promulgated the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“Interagency Guidance”).
On the ten-year anniversary of the Interagency Guidance, we invite financial institutions to take a critical look at their response programs and refresh their knowledge of the key components of a defensible response. Institutions should in any event update their plans regularly to account for changes in business assets, key personnel and applicable law. After all, the best way to minimize damages is to plan ahead, and the middle of an attack is no time to be thinking about how to improve the plan.
Response plans are not one-size-fits-all. They should be risk-based and tailored to the size and complexity of the institution and the nature and scope of its activities. The Interagency Guidance identifies the following procedures as the minimum components of a response program:
- Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused
- Notifying the institution’s primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information
- Notifying appropriate law enforcement authorities, in addition to filing a timely Suspicious Activity Report (“SAR”) consistent with SAR regulations, in situations involving federal criminal violations requiring immediate attention, such as a reportable violation that is ongoing
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information by, for example, monitoring, freezing or closing affected accounts, while preserving records and other evidence
- Notifying customers when warranted
The process for determining whether notification is required, and who must be notified, is an important part of a financial institution’s response plan. Three of the five minimum requirements identified in the Interagency Guidance involve notification. These obligations vary depending on the circumstances of the incident. The following list identifies many, but not all, of the notifications that may be required or recommended depending on the circumstances:
- Law enforcement officials (local police, FBI, U.S. Secret Service) should be notified if the institution suspects the incident is the result of criminal activity or if the compromise could result in harm to a person or business.
- The institution’s primary federal regulator should be notified as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.
- An institution that has been attacked should also notify other businesses connected to its systems or data, which may themselves be victims. Some businesses may also have a contractual right to notification under the terms of their agreement with the institution.
- The OCC, FDIC, FRB and OTS recommend that institutions notify the credit reporting agencies if a large number of customers’ personal information has been compromised, particularly if the institution will send notices to the customers that include contact information for the reporting agencies.
- The institution should review its insurance policy with legal counsel to determine whether the incident is covered. The carrier should be notified in accordance with the applicable policy provisions.
- If the compromise involved personal information being improperly posted on the internet, the institution should contact the search engines to ensure they do not archive or cache the personal information that was posted in error.
- Notice to the affected customer may or may not be required. Pursuant to the Interagency Guidance, an institution should notify the affected customer as soon as possible if the institution determines that misuse of its information about a customer has occurred or is reasonably possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. The institution should notify the customer as soon as notification will no longer interfere with the investigation.
Timely and effective notification is important to manage the institution’s reputational risk and reduce its legal risk. Legal counsel can guide an institution through the process of determining whom to notify, and when and how to notify them, based on the nature of the breach. Preparing draft forms of notice in advance of an incident also saves time and produces a message that is better crafted to address all essential matters and to present them in the light that best manages the institution’s reputational and legal risk. Because the Interagency Guidance specifies content that customer notices should include, institutions should consult legal counsel when drafting them.
Please contact us if you have any questions regarding this issue.