Published on March 11th, 2021
Breach Notification Requirements Proposed For Banks – Finance and Banking


In 2005, the Federal Financial Institutions Examination Council
(FFIEC) member agencies issued interpretive guidance recommending
that financial institutions develop and implement programs designed
to address incidents of unauthorized access to sensitive customer
information. (See FIL-27-2005). For purposes of this guidance,
"sensitive customer information" includes a
customer's name, address, or telephone number in conjunction
with a Social Security number, driver's license number, account
number, credit or debit card number, or a personal identification
number or password that would permit access to the customer's
account. It also includes any combination of components of customer
information that would allow someone to log on to or access the
customer's account, such as username and password or password
and account number.

This guidance has largely informed financial institutions'
notification obligations to customers and regulators in the event
of an incident, which may include: (1) notifying the
institution's primary federal regulator "as soon as
possible" when the institution becomes aware of an incident
involving unauthorized access to or use of sensitive customer
information; (2) notifying customers when warranted; and (3) filing
a timely Suspicious Activity Report (SAR), consistent with relevant
regulations and advisory guidance, and in situations involving
federal criminal violations requiring immediate attention, promptly
notifying appropriate law enforcement authorities.

On January 12, 2021, the Office of the Comptroller of the Currency
(OCC), the Federal Reserve Board (FRB), the Federal Deposit
Insurance Company (FDIC), and the Office of Thrift Supervision
(OTS) published a proposed rule that would substantially enhance
banking organizations' notification obligations in response to
data security incidents. The organizations to which the proposed
rule would apply include: national banks, federal savings
associations, and federal branches and agencies; U.S. bank holding
companies, savings and loan holding companies, state member banks,
and the U.S. operations of foreign banking organizations; and
insured state nonmember banks, insured state-licensed branches of
foreign banks, and state savings associations. (See Computer-Security
Incident Notification Requirements). The proposed rule would require a
banking organization to provide its primary federal regulator with prompt
notification of any "computer-security incident" that rises to the level
of a "notification incident." In pertinent part, it includes three
significant changes to existing data security incident notification
obligations.

Strict Definitions

The proposed rule would broaden the definition of what
constitutes a reportable incident by defining a
"computer-security" incident as an occurrence
that:

(i) Results in actual or potential harm to the confidentiality,
integrity, or availability of an information system or the information
the system processes, stores, or transmits; or

(ii) Constitutes a violation or imminent threat of violation of security
policies, security procedures, or acceptable use policies.

The proposed rule would also define a "notification incident" as:

(i) A "computer-security incident" that a banking organization believes
in good faith could materially disrupt, degrade, or impair:

(a) the ability of the banking organization to carry out banking
operations, activities, or processes, or deliver banking products and
services to a material portion of its customer base, in the ordinary
course of business;

(b) any business line of a banking organization, including associated
operations, services, functions and support, and would result in a
material loss of revenue, profit, or franchise value; or

(c) those operations of a banking organization, including associated
services, functions and support, as applicable, the failure or
discontinuance of which would pose a threat to the financial stability
of the United States.

The proposed rule would provide a non-exhaustive list of
"computer-security incidents" that would be considered to
be "notification incidents," including but not limited
to: a failed system upgrade or change that results in widespread
user outages for customers and bank employees; an unrecoverable
system failure that results in activation of a banking
organization's business continuity or disaster recovery plan;
and a computer hacking incident that disables banking operations
for an extended period of time. Notably, then, the proposed rule
would address incidents that disrupt systems but might not result
in the compromise of "sensitive customer
information."

Notification Timelines

Current regulations and guidelines have varying notification and
reporting timelines. Banking organizations should notify their
primary federal regulators "as soon as possible" when
they become "aware of an incident involving unauthorized
access to or use of sensitive customer information." Under the
Bank Secrecy Act (BSA), SARs are to be filed within 30 calendar
days. Under the Bank Service Company Act (BSCA), a banking
organization must notify the appropriate federal banking agency
within 30 days of the existence of service relationships. However,
there are no notification requirements should the service be
disrupted.

The proposed rule would require a banking organization to notify
its primary federal regulator as soon as possible but no later than
36 hours after any "computer-security incident" that
rises to the level of a "notification incident."
Additionally, as described below, the proposed rule would establish
new reporting requirements for banking service providers under
BSCA.

Banking Service Providers Notification Obligations

The proposed rule would establish obligations on banking service
providers to notify their customers of a "computer-security
incident" that the provider believes in good faith could
disrupt, degrade, or impair services provided subject to the BSCA
for four or more hours. The bank service provider would be required
to notify immediately at least two individuals at an affected
banking organization customer of the triggering event.

Conclusion

Comments to the proposed rule must be received by April 12,
2021. If adopted, this framework will dramatically heighten
requirements imposed across the financial services sector.
Immediate response, investigation, and written notification
processes become more critical given the short turnaround times
that are proposed. Development of a well-crafted incident response
plan and third-party vendor management program are key immediate
steps that can help prepare covered organizations.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
