Law Requires Information Security Programs to Be Risk-based
The banking industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.
As a service-based business, banks must provide customers with confidentiality or else risk losing their trust and their business. Protecting information is critical to maintaining trust. Because they generally don't pass along losses associated with fraudulent transactions made on existing accounts to their customers, banks incur significant losses from ID theft and account fraud. This is in addition to reputation damage and other costs incurred in responding to the security breach.
The Gramm-Leach-Bliley Act requires banks to not only limit the disclosure of customer information, but also to protect that information from unauthorized access and to notify customers about security breaches. Under the guidance issued by federal regulators, banks must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then address these risks by adopting appropriate security measures.
Banks are also responsible for maintaining access controls to customer information, conducting background checks for employees with access to customer information, and developing a response program in the event of a security breach. GLB also requires that banks require service providers to implement measures to protect against unauthorized access to or use of customer information.
Each bank's information security program must be risk-based, meaning that it must tailor its information security program to the specific characteristics of its business, customer information, and customer information systems, and must assess the threats to those systems. As threats change or emerge, the program must be modified accordingly.
A risk-based response program must assess the nature and scope of a security incident involving unauthorized access to customer information, and identify what information systems and types of customer information have been accessed or misused. It must also trigger notifications to the bank's primary regulator about any threats to sensitive information, and file Suspicious Activity Reports with law enforcement agencies. Banks must take appropriate steps to contain the incident and prevent further unauthorized access to or use of customer information, such as monitoring, freezing, or closing accounts, while preserving records and other evidence.
Customer notification is a central requirement of the guidance by federal regulators with respect to GLB compliance. The guidance dictates that when a bank discovers a breach of sensitive information, it must conduct a reasonable investigation to determine whether the information has been misused. In the recent incident involving T.J. Maxx, for example, banks have discovered preliminary evidence of fraudulent activity arising from the theft of 45.7 million debit and credit card accounts.
If a bank determines that misuse has occurred or is reasonably possible, then it must notify affected customers as soon as possible. Notification may be delayed if law enforcement determines that notification will interfere with an investigation. The bank need only notify customers affected by the breach to the extent such identification is possible. If it can't identify those affected, it should notify all customers if it determines that misuse of the information is possible.
The customer notification standards combine tough security measures with practical steps designed to help consumers, such as providing credit monitoring and other services. These standards are intended to assure a timely, coordinated response that enables consumers to protect themselves, in addition to knowing the steps the bank has taken to address the incident.
Responsibility for protecting customer information doesn't rest with the bank alone. Retailers, data brokers, and others collect sensitive information, but not all of them are subject to data security and/or security breach notification requirements. Only a tiny fraction of the breaches that have been reported have occurred at banks. Any entity that maintains sensitive information should be required to protect the information and provide notice to affected consumers in the event of a breach.
The regulations that already apply to banks should serve as a model in establishing umbrella protections that span all industries. The extension of bank-like regulations to unregulated industries would go a long way toward limiting breaches in the future.