Feds set security breach rules for banks, credit unions
Banks and credit unions will be expected to follow stricter guidelines about reporting accidental disclosures of customers' personal information.
Federal regulators on Wednesday outlined what steps they expect financial institutions to take after a security breach happens. (Alert readers will remember a series of recent incidents involving Bank of America, payroll provider PayMaxx, and of course, ChoicePoint.)
Among the guidelines: A notice to customers "should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the institution has done to protect the customers' information from further unauthorized access."
Notice is expected to be given "as soon as possible" in e-mail or written form, and should include a telephone number that customers can call for additional assistance, according to the document prepared by the Federal Reserve System, the Federal Deposit Insurance Corporation, the Comptroller of the Currency, and the Office of Thrift Supervision in response to the Gramm-Leach-Bliley Act.
A brief digression: The new guidelines seem to make sense, but it's difficult to figure out whether they go too far or not far enough. Normally consumers can shop around and choose products based on a whole range of different options.
For instance, a hypothetical BankSuperSecure might employ only bonded employees with government security clearances and hire armed guards to watch these employees all the time. Those security measures would probably reduce the chance of insider shenanigans -- but would come at a substantial cost that would be passed on to consumers in the form of lower interest rates on savings accounts and higher interest rates on loans and credit cards.
Its hypothetical competitor CheapDiscountBank might adopt less rigorous security mechanisms but offer far better terms on savings accounts and loans. In this scenario (let's assume that the banks were required to disclose their respective approaches to security), consumers could choose what risks they're willing to take and companies could experiment. Because that process doesn't exist today, we end up with a one-size-fits-all rule that sets both a security floor and a de facto ceiling that banks seem unwilling to exceed. It's difficult to know whether that security "level" is the best one for consumers.