Breach Notification Requirements Proposed for Banks
In 2005, the Federal Financial Institutions Examination Council (FFIEC) member agencies issued interpretive guidance recommending that financial institutions develop and implement programs designed to address incidents of unauthorized access to sensitive customer information. (See FIL-27-2005). For purposes of this guidance, “sensitive customer information” includes a customer’s name, address, or telephone number in conjunction with a Social Security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. It also includes any combination of components of customer information that would allow someone to log on to or access the customer's account, such as username and password or password and account number.
This guidance has largely informed financial institutions’ notification obligations to customers and regulators in the event of an incident, which may include: (1) notifying the institution’s primary federal regulator “as soon as possible” when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information; (2) notifying customers when warranted; and (3) filing a timely Suspicious Activity Report (SAR), consistent with relevant regulations and advisory guidance, and in situations involving federal criminal violations requiring immediate attention, promptly notifying appropriate law enforcement authorities.
On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB), the Federal Deposit Insurance Company (FDIC), and the Office of Thrift Supervision (OTS) published a proposed rule that would substantially enhance banking organizations’ notification obligations in response to data security incidents. The organizations to which the proposed rule would apply include: national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies, savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations. (See Computer-Security Incident Notification Requirements). The proposed rule would require a banking organization to provide its primary federal regulator with prompt notification of any “computer-security incident” that rises to the level of a “notification incident.” In pertinent part, it includes three significant changes to existing data security incident notification obligations.
The proposed rule would broaden the definition of what constitutes a reportable incident by defining a “computer-security incident” as an occurrence that:
(i) Results in actual or potential harm to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or
(ii) Constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
The proposed rule would also define a “notification incident” as:
(i) A “computer-security incident” that a banking organization believes in good faith could materially disrupt, degrade, or impair –
… the ability of the banking organization to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
any business line of a banking organization, including associated operations, services, functions and support, and would result in a material loss of revenue, profit, or franchise value; or
those operations of a banking organization, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
The proposed rule would provide a non-exhaustive list of “computer-security incidents” that would be considered to be “notification incidents,” including but not limited to: a failed system upgrade or change that results in widespread user outages for customers and bank employees; an unrecoverable system failure that results in activation of a banking organization’s business continuity or disaster recovery plan; and a computer hacking incident that disables banking operations for an extended period of time. Notably, then, the proposed rule would address incidents that disrupt systems but might not result in the compromise of “sensitive customer information.”
Current regulations and guidelines have varying notification and reporting timelines. Banking organizations should notify their primary federal regulators “as soon as possible” when they become “aware of an incident involving unauthorized access to or use of sensitive customer information.” Under the Bank Secrecy Act (BSA), SARs are to be filed within 30 calendar days. Under the Bank Service Company Act (BSCA), a banking organization must notify the appropriate federal banking agency within 30 days of the existence of service relationships. However, there are no notification requirements should the service be disrupted.
The proposed rule would require a banking organization to notify its primary federal regulator as soon as possible but no later than 36 hours after any “computer-security incident” that rises to the level of a “notification incident.” Additionally, as described below, the proposed rule would establish new reporting requirements for banking service providers under BSCA.
Banking Service Providers’ Notification Obligations
The proposed rule would establish obligations on banking service providers to notify their customers of a “computer-security incident” that the provider believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours. The bank service provider would be required to notify immediately at least two individuals at an affected banking organization customer of the triggering event.
Comments to the proposed rule must be received by April 12, 2021. If adopted, this framework will dramatically heighten requirements imposed across the financial services sector. Immediate response, investigation, and written notification processes become more critical given the short turnaround times that are proposed. Development of a well-crafted incident response plan and third-party vendor management program are key immediate steps that can help prepare covered organizations.
Lewis Brisbois’ Data Privacy & Cybersecurity Team can assist with developing incident response plans. For more information, contact the authors of this post.