New federal rules dictate bank ID theft notifications

Computerworld - The Federal Reserve Board yesterday issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their personal data has been stolen.
In an announcement, the Federal Reserve and three other government banking agencies, including the Federal Deposit Insurance Corp. (FDIC), unveiled their "guidance" on how banks must treat personal information theft under federal laws enacted in 2003.
The rules come at a time when several companies have acknowledged that consumers' personal and sensitive information has either been stolen or accessed inappropriately.
David Barr, a spokesman for the FDIC in Washington, said the agencies spent the past 18 months reviewing the Fair and Accurate Credit Transactions (FACT) Act. The review included input from government officials as well as from security, banking industry and consumer groups and other entities to create the specific rules.
A key requirement is that consumers must now be notified when personal information has been stolen or illegally accessed and there is reason to believe it will be misused. In such cases, the institution must conduct a "reasonable investigation" to determine if the security breach was significant enough to require notification of affected consumers.
"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the rules say. Notice can be delayed, however, if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.
Specific timelines on how quickly such notice should be given hasn't been established.
A financial institution is also expected to notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers.
According to the rules, sensitive customer information includes a customer's name, address or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. The rules also state that such data breaches would include the release of any combination of sensitive data that would allow someone to log into or access a customer's account, such as a username and password or a password and account number.
"The customer notification [provision] is brand new," Barr said. "Banks were not required to do that before, though many had. Now, there's an official mandate that they must."
The new rules took time to develop, Barr said, because they were issued by four agencies working