Banks ordered to tell customers about breaches

If it's "reasonably possible" that customer data will be misused as the result of a breach, a bank must act, four U.S. agencies say.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Four federal finance agencies have issued rules that force banks to tell customers when their personal data has been exposed.

The regulations, published Wednesday, arise from the agencies' interpretation of several provisions of the Gramm-Leach-Bliley Act. Those provisions call on financial institutions to prevent unauthorized access and use of customer information and to address any such incidents that do occur.

"We do expect our institutions to follow this guidance," said David Barr, a spokesman for the Federal Deposit Insurance Corporation, or FDIC, one of the agencies involved. "Whenever we examine institutions, we will look at...whether they have these consumer safety measures in place."

The finance industry and the data collection industry are reeling from the fallout of several recent high-profile data leaks. In late February, financial services giant Bank of America alerted government workers that backup tapes containing their sensitive data had gone missing. In addition, data brokers LexisNexis and ChoicePoint have revealed large-scale data leaks.

The latest government rules say that if a bank becomes aware of "an incident of unauthorized access to sensitive customer information," the institution should investigate. They also require the company to notify account holders quickly if it's "reasonably possible" that the personal details will be misused.

The regulations apply to banks and savings and loan institutions, and not to credit unions, which fall under a different agency, the National Credit Union Administration. The regulations only cover nonpublic consumer information, not details on businesses or commercial accounts.

The rules were established after a period of public comment. They partly resemble California's Security Breach Information Act, which requires all companies to notify consumers when sensitive personal information may have been compromised.

Others that helped author the regulations include two agencies that are part of the U.S. Treasury Department: the Office of the Comptroller of Currency and the Office of Thrift Supervision.

The Board of Governors of the Federal Reserve System also helped issue the guidelines.