Request for Comment on Interagency Guidance on Response Programs to Protect Against Identity Theft

Federal Reserve Bank of Dallas
2200 N. PEARL ST.
DALLAS, TX 75201-2272
August 29, 2003
Notice 03-46
TO: The Chief Executive Officer of each
financial institution and others concerned
in the Eleventh Federal Reserve District
SUBJECT
Request for Comment on Interagency Guidance on Response Programs
to Protect Against Identity Theft
DETAILS
The four federal bank and thrift regulatory agencies have requested comment on proposed
guidance entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer
Information and Customer Notice. In addition, as part of their continuing efforts to reduce paperwork
and respondent burden, the agencies invite the general public and other federal agencies to comment on a
proposed information collection as required by the Paperwork Reduction Act of 1995 (44 U.S.C. chapter
35).
The Board must receive comments by October 14, 2003. Please address comments to Jennifer
J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution
Avenue, N.W., Washington, DC 20551. However, because paper mail in the Washington area and at the
Board is subject to delay, please consider submitting your comments electronically to
regs.comments@federalreserve.gov. All comments should refer to Docket No. OP–1155.
ATTACHMENT
A copy of the Board’s notice as it appears on pages 47954–60, Vol. 68, No. 155 of the Federal Register dated August 12, 2003, is attached.
MORE INFORMATION
For more information, please contact Gary Krumm, Banking Supervision Department, at
(214) 922-6218. Paper copies of this notice or previous Federal Reserve Bank notices can be printed from
our web site at www.dallasfed.org/banking/notices/index.html.
For additional copies, bankers and others are encouraged to use one of the following toll-free numbers in contacting the Federal Reserve Bank of Dallas: Dallas Office (800) 333-4460; El Paso Branch Intrastate (800) 592-1631, Interstate (800) 351-1012; Houston Branch Intrastate (800) 392-4162, Interstate (800) 221-0363; San Antonio Branch Intrastate (800) 292-5810.

47954 Federal Register/Vol. 68, No. 155/Tuesday, August 12, 2003/Notices
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
[Docket No. 03–18]

DEPARTMENT OF THE TREASURY
Office of Thrift Supervision
[No. 03–35]

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM
[Docket No. OP–1155]

FEDERAL DEPOSIT INSURANCE CORPORATION

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, Treasury (OTS).[1]

ACTION: Notice and request for comment.

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are requesting comment on proposed guidance entitled Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice ("the proposed Guidance").

In addition, as part of their continuing efforts to reduce paperwork and respondent burden, the Agencies invite the general public and other Federal agencies to take this opportunity to comment on a proposed information collection, as required by the Paperwork Reduction Act of 1995 (44 U.S.C. chapter 35).

DATES: Comments must be submitted on or before October 14, 2003.

ADDRESSES: Interested parties are invited to submit written comments to:

Office of the Comptroller of the Currency: Public Information Room, Office of the Comptroller of the Currency, 250 E Street, SW, Mail stop 1–5, Washington, DC 20219, Attention: Docket No. 03–18, Fax number (202) 874–4448 or e-mail address: regs.comments@occ.treas.gov. Due to delays in the delivery of paper mail in the Washington area, commenters are encouraged to submit their comments by fax or email. Comments may be inspected and photocopied at the OCC’s Public Information Room, 250 E Street, SW, Washington, DC. You can make an appointment to inspect the comments by calling (202) 874–5043.

Board of Governors of the Federal Reserve System: Comments should refer to Docket No. OP–1155 and may be mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. However, because paper mail in the Washington area and at the Board of Governors is subject to delay, please consider submitting your comments by e-mail to regs.comments@federalreserve.gov, or faxing them to the Office of the Secretary at (202) 452–3819 or (202) 452–3102. Members of the public may inspect comments in Room MP–500 between 9 a.m. and 5 p.m. on weekdays pursuant to 12 CFR 261.12, except as provided in 12 CFR 261.14, of the Board’s Rules Regarding Availability of Information, 12 CFR sections 261.12 and 261.14.

Federal Deposit Insurance Corporation: Send written comments to Robert E. Feldman, Executive Secretary, Attention: Comments/OES, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. Comments also may be mailed electronically to comments@fdic.gov. Comments may be hand delivered to the guard station at the rear of the 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.; Fax Number (202) 898–3838. Comments may be inspected and photocopied in the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC 20429, between 9 a.m. and 5 p.m. on business days.

Office of Thrift Supervision: Comments may be sent to Regulation Comments, Chief Counsel’s Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552, Attention: No. 03–35; FAX number (202) 906–6518, Attention: No. 03–35; or e-mail address regs.comments@ots.treas.gov, Attention: No. 03–35, and include your name and telephone number. Comments may also be hand delivered to the Guard’s Desk, East Lobby Entrance, 1700 G Street, NW., from 9 a.m. to 4 p.m. on business days, Attention: Regulation Comments, Chief Counsel’s Office, No. 03–35. Commenters should be aware that there have been unpredictable and lengthy delays in postal deliveries to the Washington, DC area and may prefer to make their comments via facsimile, e-mail, or hand delivery. OTS will post comments and the related index on the OTS Internet Site at http://www.ots.treas.gov. In addition, you may inspect comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment for access, you may call (202) 906–5922, send an e-mail to public.info@ots.treas.gov, or send a facsimile transmission to (202) 906–7555. (Please identify the materials you would like to inspect to assist us in serving you.) We schedule appointments on business days between 10 a.m. and 4 p.m. In most cases, appointments will be available the business day after the date we receive a request.

FOR FURTHER INFORMATION CONTACT:

OCC: Aida Plaza Carter, Director, Bank Information Technology Operations Division, (202) 874–4740; Clifford A. Wilke, Director, Bank Technology Division, (202) 874–5920; Amy Friend, Assistant Chief Counsel, (202) 874–5200; or Deborah Katz, Senior Attorney, Legislative and Regulatory Activities Division, (202) 874–5090.

Board: Donna L. Parker, Supervisory Financial Analyst, Division of Banking Supervision & Regulation, (202) 452–2614; Thomas E. Scanlon, Counsel, Legal Division, (202) 452–3594; or Joshua H. Kaplan, Attorney, Legal Division, (202) 452–2249.

FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898–3872; Patricia I. Cashman, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898–6534; or Robert A. Patrick, Counsel, Legal Division, (202) 898–3757.

OTS: Robert Engebreth, Director, Technology Risk Management, (202) 906–5631; Lewis C. Angel, Senior Project Manager, Technology Risk Management, (202) 906–5645; Elizabeth Baltierra, Program Analyst (Compliance), Compliance Policy, (202) 906–6540; or Paul Robin, Special Counsel, Regulations and Legislation Division, (202) 906–6648.

SUPPLEMENTARY INFORMATION:

I. Background

The Agencies have published Interagency Guidelines Establishing Standards for Safeguarding Customer Information ("Security Guidelines").[2] These Security Guidelines were published to fulfill a requirement in section 501(b) of the Gramm-Leach-Bliley Act in which Congress directed the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) Insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such records; and (3) protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer.[3]

Among other things, the Security Guidelines direct financial institutions to: (1) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.[4]

This proposed Guidance, published as an Appendix to this notice, interprets section 501(b) of the Gramm-Leach-Bliley Act and the provisions of the Security Guidelines noted above.[5] It describes the Agencies’ expectations that every financial institution develop a response program to protect against and address reasonably foreseeable risks associated with internal and external threats to the security of customer information maintained by the financial institution or its service provider. The proposed Guidance further describes the components of a response program, which includes procedures for notifying customers about incidents of unauthorized access to customer information that could result in substantial harm or inconvenience to the customer. The proposed Guidance provides that a financial institution is expected to expeditiously implement its response program to address incidents of unauthorized access to or use of customer information. A response program should contain policies and procedures that enable the financial institution to:

A. Assess the situation to determine the nature and scope of the incident, and identify the information systems and types of customer information affected;

B. Notify the institution’s primary Federal regulator and, in accordance with applicable regulations and guidance, file a Suspicious Activity Report and notify appropriate law enforcement agencies;

C. Take measures to contain and control the incident to prevent further unauthorized access to or use of customer information, including shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying physical access controls; and

D. Address and mitigate harm to individual customers.

The proposed Guidance describes the following corrective measures a financial institution should include as a part of its response program in order to effectively address and mitigate harm to individual customers:

A. Flag Accounts—The institution should identify accounts of customers whose information may have been compromised, monitor those accounts for unusual activity, and initiate appropriate controls to prevent the unauthorized withdrawal or transfer of funds from customer accounts.

B. Secure Accounts—The institution should secure all accounts associated with the customer information that has been the subject of unauthorized access or use.

C. Customer Notice and Assistance—The institution should, under certain circumstances, notify affected customers when sensitive customer information about them is the subject of unauthorized access. Where the institution can specifically identify affected customers from its logs, notification may be limited to those persons only. Otherwise, the institution should notify each customer in those groups likely to be affected.

The proposed Guidance provides that a financial institution should notify each affected customer when it becomes aware of unauthorized access to sensitive customer information, unless the institution, after an appropriate investigation, reasonably concludes that misuse of the information is unlikely to occur, and takes appropriate steps to safeguard the interests of affected customers, including by monitoring affected customers’ accounts for unusual or suspicious activity. For the purposes of the proposed Guidance, the Agencies define sensitive customer information to mean a customer’s social security number, personal identification number (PIN), password, or account number, in conjunction with a personal identifier, such as the individual’s name, address, or telephone number. Sensitive customer information would also include any combination of components of customer information that would allow someone to log onto or access another person’s account, such as user name and password.

Under the Security Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. The Agencies believe that substantial harm or inconvenience is most likely to result from the improper access to and use of sensitive customer information. Accordingly, the proposed Guidance requires notice to mitigate or prevent substantial harm or inconvenience to a customer.

The Agencies note that the response program required under the proposed Guidance must address incidents involving the unauthorized access to or use of any form of customer information. However, the customer notice requirement applies only to security breaches involving sensitive customer information.

The proposed Guidance provides several examples the Agencies believe typify situations in which customer notification is required and those when it is not. As in other circumstances, the Agencies also expect financial institutions to notify customers upon the direction of the institution’s primary Federal regulator.

The proposed Guidance discusses the content and delivery of customer notices. The notice should include a general description of the incident, and provide information to assist customers in mitigating potential harm, including a customer service number, steps customers can take to obtain and review their credit reports and to file fraud alerts with nationwide credit reporting agencies, and sources of information designed to assist individuals in protecting against identity theft.

In addition, institutions are expected to inform each customer about the availability of the Federal Trade Commission’s ("FTC") online guidance regarding measures to protect against identity theft and to encourage the customer to report any suspected incidents of identity theft to the FTC. Further, institutions should provide the FTC’s Web site address and telephone number for purposes of obtaining the guidance and reporting suspected incidents of identity theft. Currently, the Web site address is http://www.ftc.gov/idtheft, and the toll free number for the identity theft hotline is 1–877–IDTHEFT.

The proposed Guidance also describes other forms of assistance that financial institutions have offered to their customers in incidents of this type. Financial institutions may wish to offer such forms of assistance to their customers and describe them in the customer notice.

II. Request for Comments

The Agencies invite comment on all aspects of the proposed Guidance, including each component of the response program described in Paragraph II of the proposed Guidance. Please consider the following questions in formulating your comments:

• Should any component of the response program be clarified in some way and, if so, how?

• Are there additional components that should be included in a response program to address incidents involving unauthorized access to or use of customer information? If so, please describe the component, and the reasons that support it.

• Should each component of the response program be retained? If not, which components should be deleted and why?

• In preparing the proposed Guidance, the Agencies have attempted to identify a standard that will lead to customer notice when appropriate. The Agencies recognize that there is a spectrum of alternatives for developing a requirement to notify customers. On one side of the spectrum is a standard that would require a financial institution to notify its customers every time the mere possibility of misuse of customer information arises. On the other side is a standard that would require an institution to notify its customers only when it becomes aware of an incident involving unauthorized access to customer information and, based on unusual activity in customers’ accounts or other indicia of identity theft, knows that the information is being misused. The Agencies propose a standard that lies in the middle of this spectrum. The Agencies believe that no useful purpose would be served if notices were sent due to the mere possibility of misuse of some customer information because, in general, the notices should alert customers to those situations where enhanced vigilance is necessary to protect against fraud or identity theft. Rather, the Agencies believe that notice to customers should be required in a narrower range of instances involving the unauthorized access to sensitive customer information. The standard proposed here would require a financial institution to send notice to each affected customer when the institution becomes aware of an incident of unauthorized access to sensitive customer information, unless the institution, after an appropriate investigation, reasonably concludes that misuse of the information is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including by monitoring affected customers’ accounts for unusual or suspicious activity. The Agencies invite comment on whether this is the appropriate standard for requiring customer notice. For commenters who believe that this standard is inappropriate, the Agencies request that these commenters state specifically their reasoning and offer alternative thresholds for requiring customer notice.

• The proposed Guidance defines sensitive customer information as a social security number, a personal identification number (PIN), password, or an account number in conjunction with a personal identifier. Sensitive customer information would also include any combination of components of customer information that would allow someone to log onto or access another person’s account, such as user name and password. The Agencies request comment on which, if any, additional types of information should be included in this definition, such as mother’s maiden name or driver’s license number.

• The Agencies invite comment on the potential burden associated with the customer notice provisions. For example, what is the anticipated burden that may arise from the questions posed by those customers who receive the notices? Should the Agencies consider how the burden may vary depending upon the size and complexity of the institution?

• As part of the response program, the Agencies describe certain corrective measures that an institution should take once an incident of unauthorized access occurs. One such measure is to "secure accounts." Is the discussion of securing accounts sufficiently clear to enable institutions to know what is expected of them when instances of unauthorized access occur? To what extent would contracts between financial institutions and service providers need to be modified, if at all, to comply with the proposed Guidance? How much burden, if any, will the Guidance impose on service providers?

• The Agencies also invite comment on whether the proposed standard should be modified to apply to other extraordinary circumstances that compel an institution to conclude that unauthorized access to information, other than sensitive customer information, likely will result in substantial harm or inconvenience to the affected customers.

• The proposed Guidance includes examples of circumstances in which customer notice would be expected and those when it would not. Please comment on whether the examples in the proposed Guidance should be modified or supplemented and provide your rationale.

III. Paperwork Reduction Act

A. Request for Comment on Proposed Information Collection

In accordance with the requirements of the Paperwork Reduction Act of 1995, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The Agencies are requesting comment on a proposed information collection. The Agencies also give notice that, at the end of the comment period, the proposed collections of information, along with an analysis of the comments and recommendations received, will be submitted to OMB for review and approval.

Comments are invited on:

(a) Whether the collection of information is necessary for the proper performance of the Agency’s functions, including whether the information has practical utility;

(b) The accuracy of the estimates of the burden of the information collection, including the validity of the methodology and assumptions used;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the information collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start up costs and costs of operation, maintenance, and purchase of services to provide information.

At the end of the comment period, the comments and recommendations received will be analyzed to determine the extent to which the information collections should be modified prior to submission to OMB for review and approval. The comments will also be summarized or included in the Agencies’ requests to OMB for approval of the collections. All comments will become a matter of public record.

Comments should be addressed to:

OCC: Public Information Room, Office of the Comptroller of the Currency, 250 E Street, SW, Mail stop 1–5, Attention: Docket 03–18, Washington, DC 20219; fax number (202) 874–4448; Internet address: regs.comments@occ.treas.gov. Due to delays in paper mail delivery in the Washington area, commenters are encouraged to submit their comments by fax or e-mail. You can make an appointment to inspect the comments at the Public Information Room by calling (202) 874–5043.

Board: Comments should refer to Docket No. OP–1155 and may be mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. However, because paper mail in the Washington area and at the Board of Governors is subject to delay, please consider submitting your comments by e-mail to regs.comments@federalreserve.gov, or faxing them to the Office of the Secretary at (202) 452–3819 or (202) 452–3102. Members of the public may inspect comments in Room MP–500 between 9 a.m. and 5 p.m. on weekdays pursuant to 12 CFR section 261.12, except as provided in 12 CFR section 261.14, of the Board’s Rules Regarding Availability of Information, 12 CFR sections 261.12 and 261.14.

FDIC: Steven F. Hanft, Legal Division (Consumer and Compliance Unit), Room MB–3064, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429. All comments should refer to the title of the proposed collection. Comments may be hand-delivered to the guard station at the rear of the 17th Street Building (located on F Street), on business days between 7 a.m. and 5 p.m., Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.

OTS: Information Collection Comments, Chief Counsel’s Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906–6518; or send an e-mail to infocollection.comments@ots.treas.gov. OTS will post comments and the related index on the OTS Internet site at http://www.ots.treas.gov. In addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906–5922, send an e-mail to publicinfo@ots.treas.gov, or send a facsimile transmission to (202) 906–7755.

B. Proposed Information Collection

Title of Information Collection: Notice Regarding Unauthorized Access to Customer Information.

Frequency of Response: On occasion.

Affected Public:

OCC: National banks, District of Columbia banks, and Federal branches and agencies of foreign banks.

Board: State member banks, bank holding companies, affiliates and certain non-bank subsidiaries of bank holding companies, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations.

FDIC: Insured nonmember banks, insured state branches of foreign banks, and certain subsidiaries of these entities.

OTS: Savings associations and certain of their subsidiaries.

Abstract: The proposed Guidance describes the Agencies’ expectations regarding a response program, including customer notification procedures, that a financial institution should develop and apply under the circumstances described in the Appendix to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

The information collections in the proposed Guidance would require financial institutions to: (1) Develop notices to customers; (2) determine which customers should receive the notices and send the notices to customers; and (3) ensure that their contracts with their service providers satisfy the proposed Guidance.

Estimated Burden: It is estimated that it will initially take institutions 20 hours (2.5 business days) to develop and produce the notices described in the proposed Guidance and 24 hours per incident (three business days) to determine which customers should receive the notice and notify the customers. For the purposes of this analysis, it is estimated that two percent of supervised institutions will experience an incident of unauthorized access to customer information on an annual basis, resulting in customer notification.[6]

Thus, the burden associated with this collection of information may be summarized as follows. However, the burden estimate does not include time for financial institutions to adjust their contracts with service providers, if needed; nor for service providers to disclose information pursuant to the proposed Guidance.

OCC
Number of Respondents: 2,200.
Estimated Time per Response:
Developing notices: 20 hrs. × 2,200 = 44,000 hours.
Notifying customers: 24 hrs. × 44 = 1,056 hours.
Total Estimated Annual Burden = 45,056 hours.

Board
Number of Respondents: 6,692.
Estimated Time per Response:
Developing notices: 20 hrs. × 6,692 = 133,840 hours.
Notifying customers: 24 hrs. × 134 = 3,216 hours.
Total Estimated Annual Burden: 137,056 hours.

FDIC
Number of Respondents: 5,500.
Estimated Time per Response:
Developing notices: 20 hrs. × 5,500 = 110,000 hours.
Notifying customers: 24 hrs. × 110 = 2,640 hours.
Total Estimated Annual Burden: 112,640 hours.

[1] The National Credit Union Administration (NCUA) participated in the guidance development process and will separately issue comparable proposed guidance.
[2] 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D–2, and part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR part 570, app. B (OTS).
[3] 15 U.S.C. 6805(b).
[4] Security Guidelines, Paragraph III.B.2.
[5] The Agencies may treat an institution’s failure to implement final Guidance issued as a violation of the Security Guidelines.
[6] This estimate is based upon the Agencies’ experience and data gathered by the FDIC on 2,000 institutions that indicates slightly less than one percent of those institutions experienced some form of unauthorized access to customer information during any 12 month period. However, the Agencies are assuming that other incidents of unauthorized access to customer information may have occurred, but were not reported.

in substantial harm or inconvenience to a customer.

Interagency Security Guidelines

Section 501(b) of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information.[3] Accordingly, the Agencies issued Security Guidelines requiring every financial institution to have an information security program designed to:

• Ensure the security and confidentiality of customer information;

• Protect against any anticipated threats or hazards to the security or integrity of such information; and

• Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

Risk Assessment and Controls

The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:

• Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

• The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and

Service Providers

The Security Guidelines direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.[7] Consistent with existing guidance issued by the Agencies, an institution’s contract with its service provider should require the service provider to fully disclose to the institution information relating to any breach in security resulting in an unauthorized intrusion into the institution’s customer information systems maintained by the service provider.[8] In view of these contractual obligations, the service provider would be required to take appropriate actions to address incidents of unauthorized access to or use of the financial institution’s customer information to enable the institution to expeditiously implement its response program.[9]

Response Program

As internal and external threats to the security of customer information are reasonably foreseeable and may lead to the misuse of customer information, the Agencies expect every financial institution to develop a response program to protect against the risks associated with these threats. The response program should include measures to protect customer information in customer information systems
• The sufficiency of policies, procedures, maintained by the institution or its service
OTS customer information systems, and other providers. The Agencies expect that customer
4arrangements in place to control risks. notification will be a component of an Number of Respondents: 961.
Following the assessment of these risks, institution’s response program, as described
Estimated Time per Response: the Security Guidelines require a financial below.
Developing notices: 20 hrs. × 961 = institution to design a program to address the
II. Components of a Response Program identified risks. The particular security 19,220 hours.
measures an institution should adopt will A response program should be a key part Notifying customers: 24 hrs. × 19 =
depend upon the risks presented by the of an institution’s information security 456 hours.
complexity and scope of its business. At a
Estimated Total Annual Burden: 19,676 minimum, the financial institution is 7 See Security Guidelines Paragraphs II.B. and hours. required to consider the specific security III.D.
measures enumerated in the Security 8 See Federal Reserve SR Ltr. 00–04, Outsourcing Appendix—Interagency Guidance on
5Guidelines, and adopt those that are of Information and Transaction Processing, Feb. 9, Response Programs for Unauthorized
appropriate for the institution, including: 2000; SR Ltr. 00–17, Guidance on Risk Management
Access to Customer Information and • Access controls on customer information of Outsourced Technology Services, Nov. 30, 2000;
Customer Notice OCC Bulletin 2001–47, ‘‘Third-party Relationships systems, including controls to authenticate
Risk Management Principles,’’ Nov. 1, 2001; AL and permit access only to authorized I. Background 2000–12, ‘‘FFIEC Guidance on Risk Management of individuals and controls to prevent
1 Outsourced Technology Services,’’ Nov. 28, 2000; This Guidance interprets section 501(b) of employees from providing customer
FDIC FIL 81–2000, Risk Management of Technology the Gramm-Leach-Bliley Act (‘‘GLBA’’) and information to unauthorized individuals who
Outsourcing, Nov. 29, 2000; FIL 68–99, Risk the Interagency Guidelines Establishing may seek to obtain this information through Assessment Tools and Practices for Information
Standards for Safeguarding Customer fraudulent means; System Security, July 7, 1999; OTS Thrift Bulletin
2Information (the ‘‘Security Guidelines’’) and • Background checks for employees with 82, Third Party Arrangements, Mar. 4, 2003; OTS
describes the Agencies’’ expectations responsibilities for access to customer CEO Memorandum 133, Risk Management of
regarding the response programs, including information; and Technology Outsourcing, Dec. 13, 2000; CEO
customer notification procedures, that a Memorandum 109, Transactional Web Sites, June • Response programs that specify actions
10, 1999; CEO Memorandum 70, Statement on On-financial institution should develop and to be taken when the bank suspects or detects
Line Personal Computer Banking, June 23, 1997.apply to address unauthorized access to or that unauthorized individuals have gained
9 The Agencies note that, in addition to use of customer information that could result access to customer information systems,
contractual obligations to a financial institution, a including appropriate reports to regulatory
service provider may be required to implement its 6and law enforcement agencies.1 This Guidance is being jointly issued by the own comprehensive information security program
Board of Governors of the Federal Reserve System in accordance with the Safeguards Rule
3(Board), the Federal Deposit Insurance Corporation The term ‘‘customer information’’ is the same promulgated by the FTC. 12 CFR part 314 applies
(FDIC), the Office of the Comptroller of the term used in the Security Guidelines and means to the handling of all customer information
any record containing nonpublic personal Currency (OCC), and the Office of Thrift possessed by any financial institution subject to the
information whether in paper, electronic, or other Supervision (OTS). jurisdiction of the FTC, regardless of whether such
form, maintained by or on behalf of the institution.2 12 CFR part 30, app. B (OCC); 12 CFR part 208, information pertains to individuals with whom the
4 See Security Guidelines Paragraph III.B.app. D–2 and part 225, app. F (Board); 12 CFR part institution has a customer relationship or pertains
5364, app. B (FDIC); and 12 CFR part 570, app. B See Security Guidelines Paragraph III.C. to the customers of other financial institutions that
6(OTS). See Security Guidelines Paragraph III.D. have provided such information to that institution.
VerDate jul<14>2003 15:12 Aug 11, 2003 Jkt 200001 PO 00000 Frm 00053 Fmt 4703 Sfmt 4703 E:\FR\FM\12AUN1.SGM 12AUN1Federal Register/Vol. 68, No. 155/Tuesday, August 12, 2003/Notices 47959
10program. Having such a program in place Consistent with the Agencies’ SAR 3. Customer Notice and Assistance
will allow the institution to quickly regulations, in situations involving Federal Under the Security Guidelines, financial
11respond to incidents involving the criminal violations requiring immediate institutions have an affirmative duty to
unauthorized access to or use of customer attention, such as when a reportable violation protect their customers’ information against
information in its own customer information is ongoing, the institution should unauthorized access or use. An institution
immediately notify, by telephone, systems that could result in substantial harm may not forgo notifying its customers of an
appropriate law enforcement authorities and or inconvenience to a customer. Under the incident because the institution believes that
its primary regulator, in addition to filing a Guidelines, an institution’s customer it may be potentially embarrassed or
timely SAR.information systems consist of all of the inconvenienced by doing so. Under the
methods used to access, collect, store, use, C. Contain and Control the Situation circumstances described in Paragraph III., the
transmit, protect, or dispose of customer institution should notify and offer assistance The financial institution should take
information, including the systems
to customers whose information was the measures to contain and control the incident 12maintained by its service providers. 17subject of the incident. If the institution is to prevent further unauthorized access to or
Timely notification of customers, under the
able to determine from its logs or other data use of customer information, while
circumstances described below, is important
15 precisely which customers’ information was preserving records and other evidence.
to manage an institution’s reputation risk.
Depending upon the particular facts and accessed or misused, it may restrict its
Effective notice may reduce legal risk, assist
circumstances of the incident, these notification to those individuals. However, if
in maintaining good customer relations, and
measures could include, in connection with the institution cannot identify precisely
enable the institution’s customers to take
computer intrusions: (i) Shutting down which customers are affected, it should
steps to protect themselves against the
applications or third party connections; (ii) notify each customer in groups likely to have
consequences of identity theft.
reconfiguring firewalls in cases of been affected, such as each customer whose
A response program should contain the
unauthorized electronic intrusion; (iii) information is stored in the group of files in
following components:
ensuring that all known vulnerabilities in the question.
A. Assess the Situation. financial institution’s computer systems have a. Delivery of Customer Notice—Customer
been addressed; (iv) changing computer notice should be timely, clear, and The institution should assess the nature
access codes; (v) modifying physical access conspicuous, and delivered in any manner and scope of the incident, and identify what
controls; and (vi) placing additional controls that will ensure that the customer is likely to customer information systems and types of
on service provider arrangements. receive it. For example, the institution may customer information have been accessed or
choose to contact all customers affected by misused. D. Corrective Measures
telephone or by mail, or for those customers
B. Notify Regulatory and Law Enforcement Once an institution understands the scope
who conduct transactions electronically, of the incident and has taken steps to contain Agencies
using electronic notice. and control the situation, it should take
The institution should promptly notify its b. Content of Customer Notice—The notice measures to address and mitigate the harm to
primary Federal regulator when it becomes should describe the incident in general terms individual customers. For example, the
aware of an incident involving unauthorized and the customer’s information that was the institution should take the following
access to or use of customer information that subject of unauthorized access or use. It measures:
could result in substantial harm or should also include a number that customers
1. Flag Accounts inconvenience to its customers. can call for further information and
An institution also should file a Suspicious The institution should immediately begin assistance. The notice also should remind
Activity Report (‘‘SAR’’), if required, in identifying and monitoring the accounts of customers of the need to remain vigilant,
accordance with the applicable SAR those customers whose information may have over the next twelve to twenty-four months,
13 14regulations and Agency guidance. been accessed or misused. In particular, the and to promptly report incidents of
institution should provide staff with suspected identity theft.
10 instructions regarding the recording and See FFIEC Information Security Booklet, Dec. Key Elements: In addition, the notice
2002; Federal Reserve SR 97–32, Sound Practice reporting of any unusual activity, and if should:
Guidance for Information Security for Networks, indicated given the facts of a particular • Inform affected customers that the
Dec. 4, 1997; OCC Bulletin 2000–14, ‘‘Infrastructure incident, implement controls to prevent the institution will assist the customer to correct
Threats ‘‘Intrusion Risks’’ (May 15, 2000); OTS unauthorized withdrawal or transfer of funds and update information in any consumer CEO Memorandum 109, Transactional Web Sites, from customer accounts. report relating to the customer, as required by June 10, 1999; CEO Memorandum 70, Statement on
2. Secure Accounts the Fair Credit Reporting Act; On-Line Personal Computer Banking, June 23, 1997;
CEO Memorandum 59, Risk Management of Client/ • Recommend that the customer notify When a checking, savings, or other deposit
Server Systems, Oct. 24, 1996, for additional each nationwide credit reporting agency to account number, debit or credit card account
guidance on preventing, detecting, and responding 18place a fraud alert in the customer’s number, personal identification number
to intrusions into financial institution computer consumer reports;(PIN), password, or other unique identifier systems. • Recommend that the customer has been accessed or misused, the financial 11 Financial institutions are expected to provide
periodically obtain credit reports from each institution should secure the account, and all employees with the training necessary to
nationwide credit reporting agency and have other accounts and bank services that can be understand their roles and responsibilities in order
information relating to fraudulent accessed using the same account number or to expeditiously implement the institution’s
transactions deleted; response program to address incidents of name and password combination until such
unauthorized access to and use of customer • Inform the customer of the right to obtain time as the financial institution and the
information. 16 a credit report free of charge, if the customer customer agree on a course of action.
12 See Security Guidelines Paragraph I.C.f. has reason to believe that the file at the
13 12 CFR 21.11 (national banks, federal branches consumer reporting agency contains published in 65 FR 1229, 1230 (January 7, 2000)).
and agencies); 12 CFR 208.62 (state member banks); See also Federal Reserve SR 01–11, Identity Theft inaccurate information due to fraud, together
12 CFR 211.5(k) (Edge and agreement corporations); and Pretext Calling, Apr. 26, 2001; SR 97–28, with contact information regarding the
12 CFR 211.24(f) (uninsured state branches and Guidance Concerning Reporting of Computer nationwide credit reporting agencies; and
agencies of foreign banks); 12 CFR 225.4(f) (bank Related Crimes by Financial Institutions, Nov. 6,
holding companies and their nonbank subsidiaries); 1997; FDIC FIL 48–2000, Suspicious Activity
customers do not reuse the same or a similar 12 CFR part 353 (state non-member banks); and 12 Reports, July 14, 2000; FIL 47–97, Preparation of
personal identification number.CFR part 563 (savings associations). Suspicious Activity Reports, May 6, 1997; OTS CEO
1714 The institution should, therefore, ensure that a National banks must file SARs in connection Memorandum 139, Identity Theft and Pretext
Calling, May 4, 2001; CEO Memorandum 126, New sufficient number of appropriately trained with computer intrusions and other computer
Suspicious Activity Report Form, July 5, 2000. employees are available to answer customer crimes. See OCC Bulletin 2000–14, ‘‘Infrastructure
15 inquiries and provide assistance.Threats—Intrusion Risks’’ (May 15, 2000); Advisory See FFIEC Information Security Booklet, Dec.
18Letter 97–9, ‘‘Reporting Computer Related Crimes’’ 2002, pp. 68–74. A fraud alert will put the customer’s creditors
16(November 19, 1997) (general guidance still on notice that the customer may be a victim of The institution should also consider the use of
applicable though instructions for new SAR form new account numbers and steps to ensure that fraud.
VerDate jul<14>2003 15:12 Aug 11, 2003 Jkt 200001 PO 00000 Frm 00054 Fmt 4703 Sfmt 4703 E:\FR\FM\12AUN1.SGM 12AUN147960 Federal Register/Vol. 68, No. 155/Tuesday, August 12, 2003/Notices
• Inform the customer about the as user name and password. Therefore, Dated: July 31, 2003.
availability of the FTC’s online guidance institutions are expected to notify affected Mark J. Tenhundfeld.
regarding steps a consumer can take to customers when sensitive customer Assistant Director, Office of the Comptroller
protect against identity theft, and encourage information has been improperly accessed, of the Currency.
the customer to report any incidents of
unless the institution, after an appropriate
identity theft to the FTC. The notice should By the Board of Governors of the Federal investigation, reasonably concludes that
provide the FTC’s Web site address and toll- Reserve System on August 5, 2003. misuse of the information is unlikely to occur
free telephone number that customers may
Jennifer J. Johnson, and takes appropriate steps to safeguard the use to obtain the identity theft guidance and
Secretary of the Board.19 interests of affected customers. report suspected incidents of identity theft.
Optional Element: Institutions also may
Examples of When Notice Should Be Given Dated: August 6, 2003.
wish to provide customers with the following
An institution should notify affected Michael J. Zamorski, additional assistance that other institutions
customers when it is aware of the following have offered under these circumstances: Director, Division of Supervision and
Consumer Protection, Federal Deposit • Provide a toll-free telephone number that incidents unless the institution, after an
Insurance Corporation.customers can call for assistance; appropriate investigation, can reasonably
• Offer to assist the customer in notifying conclude that misuse of the information is
Dated: July 30, 2003. the nationwide credit reporting agencies of unlikely to occur and takes appropriate steps
the incident and in placing a fraud alert in James E. Gilleran, to safeguard the interests of affected
the customer’s consumer reports; and Director.customers:
• Inform the customer about subscription
• An employee of the institution has [FR Doc. 03–20440 Filed 8–11–03; 8:45 am] services that provide notification anytime
obtained unauthorized access to sensitive BILLING CODE 6720–01–P; 4810–33–P; 6210–-1–P; 6714–there is a request for the customer’s credit
01–Pcustomer information maintained in either report or offer to subscribe the customer to
paper or electronic form; this service, free of charge, for a period of
• A cyber intruder has broken into an time.
The institution may also wish to include institution’s unencrypted database that
with the notice a brochure regarding steps a contains sensitive customer information;
consumer can take to protect against identity • Computer equipment such as a laptop
theft, prepared by the Agencies that can be computer, floppy disk, CD-ROM, or other
20downloaded from the Internet. electronic media containing sensitive
customer information has been lost or stolen; III. Circumstances for Customer Notice
• An institution has not properly disposed
Standard for Providing Notice
of customer records containing sensitive
An institution should notify affected customer information; or
customers whenever it becomes aware of • The institution’s third party service
unauthorized access to sensitive customer
provider has experienced any of the
information unless the institution, after an
incidents described above, in connection
appropriate investigation, reasonably
with the institution’s sensitive customer
concludes that misuse of the information is
information. unlikely to occur and takes appropriate steps
to safeguard the interests of affected Examples of When Notice Is Not Expected
customers, including by monitoring affected
An institution is not expected to give customers’ accounts for unusual or
notice when it becomes aware of an incident suspicious activity.
of unauthorized access to customer
Sensitive Customer Information
information, and the institution, after an
Under the Guidelines, an institution must appropriate investigation, can reasonably
protect against unauthorized access to or use conclude that misuse of the information is
of customer information that could result in
unlikely to occur and takes appropriate steps
substantial harm or inconvenience to any
to safeguard the interests of affected
customer. Substantial harm or inconvenience
customers. For example, an institution would
is most likely to result from improper access
not need to notify affected customers in to sensitive customer information because
connection with the following incidents: this type of information is easily misused, as
• The institution is able to retrieve in the commission of identity theft. For
sensitive customer information that has been purposes of this Guidance, sensitive
customer information means a customer’s stolen, and reasonably concludes, based
social security number, personal upon its investigation of the incident, that it
identification number, password or account has done so before the information has been
number, in conjunction with a personal copied, misused or transferred to another
identifier such as the customer’s name, person who could misuse it;
address, or telephone number. Sensitive • The institution determines that sensitive
customer information would also include any
customer information was improperly
combination of components of customer
disposed of, but can establish that the information that would allow someone to log
information was not retrieved or used before onto or access another person’s account, such
it was destroyed;
• A hacker accessed files that contain only 19 Currently, the FTC Web site for the ID Theft
brochure and the FTC Hotline phone number are customer names and addresses; or
http://www.ftc.gov/idtheft and 1–877–IDTHEFT. • A laptop computer containing sensitive
20 http://www.occ.treas.gov/idtheft.pdf; http:// customer information is lost, but the data is
www.federalreserve.gov/consumers.htm; http://
encrypted and may only be accessed with a
www.fdic.gov/consumers/consumer/news/
secure token or similarly secure access cnsum00/idthft.html; http://www.ots.treas.gov/
docs/25139.pdf. device.