The regulations, published Wednesday, arise from the agencies' interpretation of several provisions of the Gramm-Leach-Bliley Act. Those provisions call on financial institutions to prevent unauthorized access and use of customer information and to address any such incidents that do occur.
"We do expect our institutions to follow this guidance," said David Barr, a spokesman for the Federal Deposit Insurance Corporation, or FDIC, one of the agencies involved. "Whenever we examine institutions, we will look at...whether they have these consumer safety measures in place."
The finance industry and the data collection industry are reeling from the fallout of several recent high-profile data leaks. In late February, financial services giant Bank of Americathat backup tapes containing their sensitive data had gone missing. In addition, data brokers LexisNexis and ChoicePoint have .
The latest government rules say that if a bank becomes aware of "an incident of unauthorized access to sensitive customer information," the institution should investigate. They also require the company to notify account holders quickly if it's "reasonably possible" that the personal details will be misused.
The regulations apply to banks and savings and loan institutions, and not to credit unions, which fall under a different agency, the National Credit Union Administration. The regulations only cover nonpublic consumer information, not details on businesses or commercial accounts.
The rules were established after a period of public comment. They partly resemble California's, which requires all companies to notify consumers when sensitive personal information may have been compromised.
Others that helped author the regulations include two agencies that are part of the U.S. Treasury Department: the Office of the Comptroller of Currency and the Office of Thrift Supervision.
The Board of Governors of the Federal Reserve System also helped issue the guidelines.