Under the interpretive authority granted by the Gramm-Leach-Bliley Act (GLBA), federal banking regulators in March 2005 finalized guidance establishing standards financial organizations must follow to safeguard customer information.
Issued in March 2005, the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Guidance) requires banks to establish a security breach response program and, in general, to notify affected customers when a breach occurs. In addition, financial organizations are responsible for ensuring that third party service providers take appropriate measures designed to meet the objectives of the guidelines and comply with Section 501(b) of GLBA.
A customer response program is one component of an organization's overall information security program.Four key elements to a customer response program include the development of a response team, the customer notification and assistance process, third party service provider implications, and working with law enforcement. An effective incident response team is an organization-wide group that includes all affected lines of business.
Among the components of the Guidelines regarding response programs, the agencies state that an organization's procedures should include, "consistent with the Agencies' Suspicious Activity Report (SAR) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving federal criminal violations requiring immediate attention, such as when a reportable violating is ongoing."
A response program must include procedures to notify customers about incidents of unauthorized access to information that could result in substantial harm or inconvenience to the customer.
The Guidance states:
"When a financial organization becomes aware of an incident of unauthorized access to sensitive customer information, the organization should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused.If the organization determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible."
The Guidance allows for a delayed notification if an appropriate law enforcement agency determines such notification will interfere with a criminal investigation.
The contents of a breach notification should contain the following elements: