New federal rules dictate bank ID theft notifications
The regulations are designed to protect consumers
March 24, 2005 12:00 PM ETComputerworld -
The Federal Reserve Board yesterday issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their personal data has been stolen.
In an announcement, the Federal Reserve and three other government banking agencies, including the Federal Deposit Insurance Corp. (FDIC), unveiled their "guidance" on how banks must treat personal information theft under federal laws enacted in 2003.
The rules come at a time when several companies have acknowledged that consumers' personal and sensitive information has either been stolen or accessed inappropriately.
David Barr, a spokesman for the FDIC in Washington, said the agencies spent the past 18 months reviewing the Fair and Accurate Credit Transactions (FACT) Act. The review included input from government officials as well as from security, banking industry and consumer groups and other entities to create the specific rules.
A key requirement is that consumers must now be notified when personal information has been stolen or illegally accessed and there is reason to believe it will be misused. In such cases, the institution must conduct a "reasonable investigation" to determine if the security breach was significant enough to require notification of affected consumers.
"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the rules say. Notice can be delayed, however, if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.
Specific timelines on how quickly such notice should be given hasn't been established.
A financial institution is also expected to notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers.
According to the rules, sensitive customer information includes a customer's name, address or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. The rules also state that such data breaches would include the release of any combination of sensitive data that would allow someone to log into or access a customer's account, such as a username and password or a password and account number.
"The customer notification [provision] is brand new," Barr said. "Banks were not required to do that before, though many had. Now, there's an official mandate that they must."
The new rules took time to develop, Barr said, because they were issued by four agencies working
Legislation/Regulation
Additional Resources



White Papers & Webcasts
Forrester Consulting - Optimizing Users and Applications in a Mobile World
Learn how to successfully deploy a WAN optimization solution that is specifically tuned for a mobile environment!
Faster, Cheaper and Easier to Maintain
Can you afford not to upgrade your servers to today's advanced, energy-efficient technologies?
Effectively Implementing Datacenter Automation
Effectively select and deploy the best datacenter automation solution today!
The State of PCI DSS Compliance at Organizations Today
Download this resource today!
Aligning IT to Business: The Rising Importance of Application Delivery Networks
Application Delivery Networking (ADN) will play a vital role in helping enterprises incorporate strategic technologies to achieve business initiatives.
IDC Research Report: The Business Value of Consolidating on Energy-Efficient Servers
Download this Resource Now!
HP Technology Guide for Scalable Business Solutions
Download This Resource Now!
Mitigate Risk, Lower Costs and Improve Network Efficiency
Create a stable IP network that not only meets today's challenges, but is flexible enough to also meet future demands.
