15736 Federal Register / Vol. 70, No. 59 / Tuesday, March 29, 2005 / Rules and Regulations

§ 1479.123 Misrepresentation, and scheme or device.

(a) A producer who is determined to have erroneously represented any fact affecting a program determination made in accordance with this part shall not be entitled to disaster payments and must refund all such payments received, plus interest as determined in accordance with part 1403 of this chapter.

(b) A producer shall refund to CCC all disaster payments, plus interest as determined in accordance with part 1403 of this chapter, received by such producer with respect to all applications under this part if the producer is determined to have knowingly done any of the following:

(1) Adopted any scheme or device that tends to defeat the purpose of the program;

(2) Made any fraudulent representation; or

(3) Misrepresented any fact affecting a program determination.

§ 1479.124 Offsets, assignments, and debt settlement.

(a) Except as provided in paragraph (b) of this section, any payment or portion thereof to any person shall be made without regard to questions of title under State law and without regard to any claim or lien against the crop, or proceeds thereof, in favor of the owner or any other creditor except agencies of the U.S. Government. The regulations governing offsets and withholdings found at part 1403 of this chapter apply to any payments made under this part.

(b) Any producer entitled to any payment may assign any payments in accordance with regulations governing the assignment of payments found at part 1404 of this chapter.

(c) A debt or claim may be settled according to part 1403 of this chapter.

§ 1479.125 Compliance with highly erodible land and wetland conservation provisions.

(a) The highly erodible land and wetland conservation provisions of part 12 of this title apply to the receipt of disaster assistance for 2003, 2004, and 2005 crop losses made available under this authority.

(b) All eligible producers must be in compliance with the highly erodible land and wetland conservation compliance provisions for the year(s) for which disaster assistance is requested.

Signed in Washington, DC March 23, 2005.

Thomas B. Hofeller,
Acting Executive Vice-President, Commodity Credit Corporation.

[FR Doc. 05–6080 Filed 3–28–05; 8:45 am]
BILLING CODE 3410–05–P

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 30

[Docket No. 05–07]

RIN 1557–AC92

FEDERAL RESERVE SYSTEM

12 CFR Parts 208 and 225

[Docket No. OP–1155]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 364

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Parts 568 and 570

[No. 2005–11]

RIN 1550–AB97

Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS).

ACTION: Interpretive guidance and OTS final rule.

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are publishing an interpretation of the Gramm-Leach-Bliley Act (GLBA) and the Interagency Guidelines Establishing Information Security Standards (Security Guidelines).1 This interpretive guidance, titled ‘‘Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice’’ (final Guidance), is being published as a supplement to the Security Guidelines in the Code of Federal Regulations in order to make the interpretation more accessible to financial institutions and to the general public. The final Guidance will clarify the responsibilities of financial institutions under applicable Federal law. OTS is also making a conforming, technical change to its Security Procedures Rule.

DATES: Effective March 29, 2005.

FOR FURTHER INFORMATION CONTACT:

OCC: Aida Plaza Carter, Director, Bank Information Technology, (202) 874–4740; Amy Friend, Assistant Chief Counsel, (202) 874–5200; or Deborah Katz, Senior Counsel, Legislative and Regulatory Activities Division, (202) 874–5090, at 250 E Street, SW., Washington, DC 20219.

Board: Donna L. Parker, Supervisory Financial Analyst, Division of Banking Supervision & Regulation, (202) 452–2614; or Joshua H. Kaplan, Attorney, Legal Division, (202) 452–2249, at 20th and C Streets, NW., Washington, DC 20551.

FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of Supervision and Consumer Protection, (202) 898–3872; Kathryn M. Weatherby, Examiner Specialist, Division of Supervision and Consumer Protection, (202) 898–6793; or Robert A. Patrick, Counsel, Legal Division, (202) 898–3757, at 550 17th Street, NW., Washington, DC 20429.

OTS: Lewis C. Angel, Program Manager, (202) 906–5645; Glenn Gimble, Senior Project Manager, Consumer Protection and Specialized Programs, (202) 906–7158; or Richard Bennett, Counsel, Regulations and Legislation Division, (202) 906–7409, at 1700 G Street, NW., Washington, DC 20552.

SUPPLEMENTARY INFORMATION: The contents of this preamble are listed in the following outline:

I. Introduction
II. Overview of Comments Received
III. Overview of Final Guidance
IV. Section-by-Section Analysis of the Comments Received
A. The ‘‘Background’’ Section
B. The ‘‘Response Program’’ Section
C. The ‘‘Customer Notice’’ Section
V. Effective Date
VI. OTS Conforming and Technical Change
VII. Impact of Guidance
VIII. Regulatory Analysis
A. Paperwork Reduction Act
B. Regulatory Flexibility Act
C. Executive Order 12866
D. Unfunded Mandates Reform Act of 1995

I. Introduction

The Agencies are jointly issuing final Guidance that interprets the requirements of section 501(b) of the GLBA, 15 U.S.C. 6801, and the Security Guidelines 2 to include the development and implementation of a response program to address unauthorized access to, or use of customer information that could result in substantial harm or inconvenience to a customer. The Guidance describes the appropriate elements of a financial institution’s response program, including customer notification procedures.

Section 501(b) required the Agencies to establish standards for financial institutions relating to administrative, technical, and physical safeguards to: (1) Ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; and (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

On February 1, 2001, the Agencies issued the Security Guidelines as required by section 501(b) (66 FR 8616). Among other things, the Security Guidelines direct financial institutions to: (1) Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems; (2) assess the likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information; and (3) assess the sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.3

To address the need for additional interpretive guidance regarding section 501(b) and the Security Guidelines, on August 12, 2003, the Agencies published proposed Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (proposed Guidance) in the Federal Register (68 FR 47954). This proposed Guidance made clear that the Agencies expect a financial institution’s information security program, required under the Security Guidelines, to include a response program.

The Agencies were interested in the public’s views on the proposed Guidance and accordingly published it for comment.4 The Agencies have used these comments to assess the impact of the proposed Guidance, and to address the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

II. Overview of Comments Received

The Agencies invited comment on all aspects of the proposed Guidance and collectively received 65 comments on the proposed Guidance. In some instances, several commenters joined in filing a single comment. The commenters included 10 bank holding companies, eight financial institution trade associations, 25 financial institutions (including three Federal Reserve Banks), five consumer groups, three payment systems, three software companies, three non-financial institution business associations, three service providers, two credit unions, a member of Congress, a state office, a compliance officer, a security and risk consultant, a trademark protection service, and a trade association representing consumer reporting agencies.

Commenters generally agreed that financial institutions should have response programs. Indeed, many financial institutions said that they have such programs in place. Comments from consumer groups and the Congressman commended the Agencies for providing guidance on response programs and customer notification. However, most industry commenters thought that the proposed Guidance was too prescriptive. These commenters stated that the proposed approach would stifle innovation and retard the effective evolution of response programs. Industry commenters raised concerns that the proposed Guidance would not permit a financial institution to assess different situations from its own business perspective, specific to its size, operational and system structure, and risk tolerances. These industry commenters suggested modifying the proposed Guidance to give financial institutions greater discretion to determine how to respond to incidents of unauthorized access to or use of customer information.

Two commenters also requested that the Agencies include a transition period allowing adequate time for financial institutions to implement the final Guidance. Some commenters asked for a transition period only for the aspects of the final Guidance that address service provider arrangements.

III. Overview of Final Guidance

The final Guidance states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider. The final Guidance provides each financial institution with greater flexibility to design a risk-based response program tailored to the size, complexity and nature of its operations. The final Guidance continues to highlight customer notice as a key feature of an institution’s response program. However, in response to the comments received, the final Guidance modifies the standard describing when notice should be given and provides for a delay at the request of law enforcement. It also modifies which customers should be given notice, what a notice should contain, and how it should be delivered.

A more detailed discussion of the final Guidance and the manner in which it incorporates comments the Agencies received follows.

IV. Section-by-Section Analysis of the Comments Received

A. The ‘‘Background’’ Section

Legal Authority

Section I of the proposed Guidance described the legal authority for the Agencies’ position that every financial institution should have a response program that includes measures to protect customer information maintained by the institution or its service providers. The proposed Guidance also stated that the Agencies expect customer notification to be a component of the response program.

One commenter questioned the Agencies’ legal authority to issue the proposed Guidance. This commenter asserted that section 501(b) only authorizes the Agencies to establish standards requiring financial institutions to safeguard the confidentiality and integrity of customer information and to protect that information from unauthorized access, but does not authorize standards that would require a response to incidents where the security of customer information actually has been breached.

The final Guidance interprets those provisions of the Security Guidelines issued under the authority of section 501(b)(3) of the GLBA, which states specifically that the standards to be established by the Agencies must include various safeguards to protect against not only ‘‘unauthorized access to,’’ but also the ‘‘use of,’’ customer information that could result in ‘‘substantial harm or inconvenience to any customer.’’ This language authorizes standards that include response programs to address incidents of unauthorized access to customer information. A response program is the principal means for a financial institution to protect against unauthorized ‘‘use’’ of customer information that could lead to ‘‘substantial harm or inconvenience’’ to the institution’s customer. For example, customer notification is an important tool that enables a customer to take steps to prevent identity theft, such as by arranging to have a fraud alert placed in his or her credit file. Accordingly, when evaluating the adequacy of an institution’s information security program required by the Security Guidelines, the Agencies will consider whether the institution has developed and implemented a response program as described in the final Guidance.

Scope of Guidance

In a number of places throughout the proposed Guidance, the Agencies referenced definitions in the Security Guidelines. However, the Agencies did not specifically address the scope of the proposed Guidance. Commenters had questions and suggestions regarding the scope of the proposed Guidance and the meaning of terms used.

Entities and Information Covered

Some commenters had questions about the entities and information covered by the proposed Guidance. One commenter suggested that the Agencies clarify that foreign offices, branches, and affiliates of United States banks are not subject to the final Guidance. Some commenters recommended that the Agencies clarify that the final Guidance applies only to unauthorized access to sensitive information within the control of the financial institution. One commenter thought that the final Guidance should be broad and cover frauds committed against bank customers through the Internet, such as through the misuse of online corporate identities to defraud online banking customers through fake web sites (commonly known as ‘‘phishing’’). Several commenters requested confirmation in the final Guidance that it applies to consumer accounts and not to business and other commercial accounts.

For greater clarity, the Agencies have revised the Background section of the final Guidance to state that the scope and definitions of terms used in the Guidance are identical to those in section 501(b) of the GLBA and the Security Guidelines which largely cross-reference definitions used in the Agencies’ Privacy Rules.5 Therefore, consistent with section 501(b) and the Security Guidelines, this final Guidance applies to the entities enumerated in section 505(a) of the GLBA.6 This final Guidance does not apply to a financial institution’s foreign offices, branches, or affiliates. However, a financial institution subject to the Security Guidelines is responsible for the security of its customer information, whether the information is maintained within or outside of the United States, such as by a service provider located outside of the United States.

This final Guidance also applies to ‘‘customer information,’’ meaning any record containing ‘‘nonpublic personal information’’ (as that term is defined in § __.3(n) of the Agencies’ Privacy Rules) about a financial institution’s customer, whether in paper, electronic, or other form, that is maintained by or on behalf of the institution.7 Consequently, the final Guidance applies only to information that is within the control of the institution and its service providers, and would not apply to information directly disclosed by a customer to a third party, for example, through a fraudulent Web site.

Moreover, this final Guidance does not apply to information involving business or commercial accounts. Instead, the final Guidance applies to nonpublic personal information about a ‘‘customer’’ within the meaning of the Security Guidelines, namely, a consumer who obtains a financial product or service from a financial institution to be used primarily for personal, family, or household purposes, and who has a continuing relationship with the institution.8

Effect of Other Laws

Several commenters requested that the Agencies explain how the final Guidance interacts with additional and possibly conflicting state law requirements. Most of these commenters urged that the final Guidance expressly preempt state law. By contrast, one commenter asked the Agencies to clarify that a financial institution must also comply with additional state law requirements. In addition, some commenters asked that the final Guidance provide a safe harbor defense against class action suits. They suggested that the safe harbor should cover any financial institution that takes reasonable steps that regulators require to protect customer information, but, nonetheless, experiences an event beyond its control that leads to the disclosure of customer information.

These issues do not fall within the scope of this final Guidance. The extent to which section 501(b) of the GLBA, the Security Guidelines, and any related Agency interpretations, such as this final Guidance, preempt state law is governed by Federal law, including the procedures set forth in section 507 of the GLBA, 15 U.S.C. 6807.9 Moreover, there is nothing in Title V of the GLBA that authorizes the Agencies to provide institutions with a safe harbor defense. Therefore, the final Guidance does not address these issues.

Organizational Changes in the ‘‘Background’’ Section

For the reasons described earlier, the Background section is adopted essentially as proposed, except that the latter part of the paragraph on ‘‘Service Providers’’ and the entire paragraph on ‘‘Response Programs’’ are incorporated into the introductory discussion of section II. The Agencies believe that the Background section is now clearer, as it focuses solely on the statutory and regulatory framework upon which the final Guidance is based. Comments and changes with respect to the paragraphs that were relocated are discussed in the next section.

B. The ‘‘Response Program’’ Section

The Security Guidelines enumerate a number of security measures that each financial institution must consider and adopt, if appropriate, to control risks stemming from reasonably foreseeable internal and external threats to an institution’s customer information.10 The introductory paragraph of section II of the final Guidance specifically states that a financial institution should implement those security measures designed to prevent unauthorized access to or use of customer information, such as by placing access controls on customer information systems and conducting background checks for employees 11 who are authorized to access customer information. The introductory paragraph also states that every financial institution should develop and implement security measures designed to address incidents of unauthorized access to customer information that occur despite measures to prevent security breaches.

The measures enumerated in the Security Guidelines include ‘‘response programs that specify actions to be taken when the bank suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.’’12 Prompt action by both the institution and the customer following the unauthorized access to customer information is crucial to limit identity theft. As a result, every financial institution should develop and implement a response program appropriate to the size and complexity of the institution and the nature and scope of its activities, designed to address incidents of unauthorized access to customer information.

The introductory language in section II of the final Guidance states that a response program should be a key part of an institution’s information security program. It also emphasizes that a financial institution’s response program should be risk-based and describes the components of a response program in a less prescriptive manner.

Service Provider Contracts

The Background section of the proposed Guidance elaborated on the specific provisions that a financial institution’s contracts with its service providers should contain. The proposed Guidance stated that a financial institution’s contract with its service provider should require the service provider to disclose fully to the institution information related to any breach in security resulting in an unauthorized intrusion into the institution’s customer information systems maintained by the service provider. It stated that this disclosure would permit an institution to expeditiously implement its response program.

Several commenters on the proposed Guidance agreed that a financial institution’s contracts with its service providers should require the service provider to disclose fully to the institution information related to any breach in security resulting in an unauthorized intrusion into the institution’s customer information systems maintained by the service provider. However, many commenters suggested modifications to this section. The discussion of this aspect of a financial institution’s contracts with its service providers is in section II of the final Guidance. It has been revised as follows in response to the comments received.

Timing of Service Provider Notification

The Agencies received a number of comments regarding the timing of a service provider’s notice to a financial institution. One commenter suggested requiring service providers to report incidents of unauthorized access to financial institutions within 24 hours after discovery of the incident.

In response to comments on the timing of a service provider’s notice to a financial institution, the final Guidance adds that a financial institution’s contract with its service provider should require the service provider to take appropriate action to address incidents of unauthorized access to the institution’s customer information, including by notifying the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program. The Agencies determined that requiring notice within 24 hours of an incident may not be practicable or appropriate in every situation, particularly where, for example, it takes a service provider time to investigate a breach in security. Therefore, the final Guidance does not specify a number of hours or days by which the service provider must give notice to the financial institution.

Existing Contracts With Service Providers

Some commenters expressed concerns that they would have to rewrite their contracts with service providers to require the disclosure described in this provision. These commenters asked the Agencies to grandfather existing contracts and to apply this provision only prospectively to new contracts. Many commenters also suggested that the final Guidance contain a transition period to permit financial institutions to modify their existing contracts.

The Agencies have decided not to grandfather existing contracts or to add a transition period to the final Guidance because, as stated in the proposed Guidance, this disclosure provision is consistent with the obligations in the Security Guidelines that relate to service provider arrangements and with existing guidance on this topic previously issued by the Agencies.13 In order to ensure the safeguarding of customer information, financial institutions that use service providers likely have already arranged to receive notification from the service providers when customer information is accessed in an unauthorized manner. In light of the comments received, however, the Agencies recognize that there are institutions that have not formally included such a disclosure requirement in their contracts. Where this is the case, the institution should exercise its best efforts to add a disclosure requirement to its contracts and any new contracts should include such a provision.

Thus, the final Guidance adopts the discussion on service provider arrangements largely as proposed. To eliminate any ambiguity regarding the application of this section to foreign-based service providers, however, the final Guidance now makes clear that a covered financial institution 14 should be capable of addressing incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers.15

Components of a Response Program

As described earlier, commenters criticized the prescriptive nature of proposed section II that described the four components a response program should contain. The proposed Guidance instructed institutions to design programs to respond to incidents of unauthorized access to customer information by: (1) Assessing the situation; (2) notifying regulatory and law enforcement agencies; (3) containing and controlling the situation; and (4) taking corrective measures. The proposed Guidance contained detailed information about each of these four components.

The introductory discussion in this section of the final Guidance now makes clear that, as a general matter, an institution’s response program should be risk-based. It applies this principle by modifying the discussion of a number of these components. The Agencies determined that the detailed instructions in these components of the proposed Guidance, especially in the ‘‘Corrective Measures’’ section, would not always be relevant or appropriate. Therefore, the final Guidance describes, through brief bulleted points, the elements of a response program, giving financial institutions greater discretion to address incidents of unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.

At a minimum, an institution’s

customer information have been accessed or misused.

Some commenters stated that the Agencies should retain this provision in the final Guidance. One commenter suggested that an institution should focus its entire response program primarily on addressing unauthorized access to sensitive customer information.

The Agencies have concluded that a financial institution’s response program should begin with a risk assessment that allows an institution to establish the nature of any information improperly accessed. This will allow the institution to determine whether and how to respond to an incident. Accordingly, the Agencies have not changed this provision.

Notify Regulatory and Law Enforcement Agencies. The proposed Guidance provided that an institution should promptly notify its primary Federal regulator when it becomes aware of an incident involving unauthorized access to or use of customer information that could result in substantial harm or inconvenience to customers. In addition, the proposed Guidance stated that an institution should file a Suspicious Activity Report (SAR), if required, in accordance with the applicable SAR regulations 16 and various Agency issuances.17 The proposed Guidance stated that, consistent with the Agencies’ SAR regulations, in situations involving Federal criminal violations requiring

SAR. For the sake of clarity, the final Guidance discusses notice to regulators and notice to law enforcement in two separate bulleted items.

Standard for Notice to Regulators

The provision regarding notice to regulators in the proposed Guidance prompted numerous comments. Many commenters suggested that the Agencies adopt a narrow standard for notifying regulators. These commenters were concerned that notice to regulators, provided under the circumstances described in the proposed Guidance, would be unduly burdensome for institutions, service providers, and regulators, alike.

Some of these commenters suggested that the Agencies adopt the same standard for notifying regulators and customers. These commenters recommended that notification occur when an institution becomes aware of an incident involving unauthorized access to or use of ‘‘sensitive customer information,’’ a defined term in the proposed Guidance that specified a subset of customer information deemed by the Agencies as most likely to be misused.

Other commenters recommended that the Agencies narrow this provision so that a financial institution would inform a regulator only in connection with an incident that poses a significant risk of substantial harm to a significant number of its customers, or only in a situation where substantial harm to customers

1 This document renames the ‘‘Interagency Guidelines Establishing Standards for Safeguarding Customer Information’’ as the ‘‘Interagency Guidelines Establishing Information Security Standards.’’ Therefore, all other references in the Agencies’ regulations to the former title of the Security Guidelines shall be read to refer to the new title.

2 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D–2, and part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR part 570, app. B (OTS). In this Guidance, citations to the Agencies’ Security Guidelines refer only to the appropriate paragraph number, as these numbers are common to each of the Guidelines.

3 Security Guidelines, III.B.2.

4 Under the Administrative Procedure Act (APA), an agency may dispense with public notice and an opportunity to comment for general statements of policy. 5 U.S.C. 553(b)(A). Therefore, notice and comment were not required under the APA for this final Guidance. OTS has concluded that notice and comment were also not required under the APA for its conforming and technical change as discussed in part VI of this SUPPLEMENTARY INFORMATION.

5 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); and 12 CFR part 573 (OTS). In this final Guidance, citations to the Agencies’ Privacy Rules refer only to the appropriate section number that is common to each of these rules.

6 National banks, Federal branches and Federal agencies of foreign banks and any subsidiaries of these entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (OCC); member banks (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, Edge and Agreement Act Corporations, bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (Board); state non-member banks, insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (FDIC); and insured savings associations and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers) (OTS).

7 See Security Guidelines, I.C.2.c.

8 See Security Guidelines, I.C.2.b.; Privacy Rules, § __.3(h).

9 Section 507 provides that state laws that are ‘‘inconsistent’’ with the provisions of Title V, Subtitle A of the GLBA are preempted ‘‘only to the extent of the inconsistency.’’ State laws are ‘‘not inconsistent’’ if they offer greater protection than Subtitle A, as determined by the Federal Trade Commission, after consultation with the agency or authority with jurisdiction under section 505(a) of either the person that initiated the complaint or that is the subject of the complaint. See 15 U.S.C. 6807.

10 Security Guidelines, III.B. and III.C.

11 A footnote has been added to this section to make clear that institutions should also conduct background checks of employees to ensure that the institution does not violate 12 U.S.C. 1829, which prohibits an institution from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).

12 Security Guidelines, III.C.1.g.

13 See FFIEC Information Technology Examination Handbook, Outsourcing Technology Services Booklet, Jun. 2004; Federal Reserve SR Ltr. 00–04, Outsourcing of Information and Transaction Processing, Feb. 9, 2000; OCC Bulletin 2001–47, ‘‘Third-party Relationships Risk Management Principles,’’ Nov. 1, 2001; FDIC FIL 68–99, Risk Assessment Tools and Practices for Information System Security, July 7, 1999; OTS Thrift Bulletin 82a, Third Party Arrangements, Sept. 1, 2004.

14 See footnote 6, supra.

15 See, e.g., FFIEC Information Technology Examination Handbook, Outsourcing Technology Services Booklet, Jun. 2004; OCC Bulletin 2002–16 (national banks); OTS Thrift Bulletin 82a, Third Party Arrangements, Sept. 1, 2004 (savings associations).
response program should contain immediate attention, the institution has occurred or is likely to occur,
procedures for: (1) Assessing the nature immediately should notify, by instead of when it could occur.
and scope of an incident, and telephone, the appropriate law Other commenters who advocated the
identifying what customer information enforcement authorities and its primary adoption of a narrower standard asked
systems and types of customer regulator, in addition to filing a timely the Agencies to take the position that
information have been accessed or filing a SAR constitutes sufficient notice
16 12 CFR 21.11 (national banks, Federal branches
misused; (2) notifying its primary and that notification of other regulatory
and agencies); 12 CFR 208.62 (State member banks);
Federal regulator as soon as possible 12 CFR 211.5(k) (Edge and agreement corporations); and law enforcement agencies is at the
when the institution becomes aware of 12 CFR 211.24(f) (uninsured State branches and sole discretion of the institution. One
an incident involving unauthorized agencies of foreign banks); 12 CFR 225.4(f) (bank commenter stated that it is difficult to
access to or use of sensitive customer holding companies and their nonbank subsidiaries);
12 CFR part 353 (State non-member banks); and 12
imagine any scenario that would trigger
information, as defined later in the final CFR 563.180 (savings associations). the response program without requiring
Guidance; (3) immediately notifying law 17 For example, national banks must file SARs in a SAR filing. Some commenters asserted
enforcement in situations involving connection with computer intrusions and other that if the Agencies believe a lower
Federal criminal violations requiring computer crimes. See OCC Bulletin 2000–14, threshold is advisable for security
‘‘Infrastructure Threats—Intrusion Risks’’ (May 15,
immediate attention; (4) taking 2000); OCC AL 97–9, ‘‘Reporting Computer Related breaches, the Agencies should amend
appropriate steps to contain and control Crimes’’ (November 19, 1997) (general guidance the SAR regulations.
the incident to prevent further still applicable though instructions for new SAR By contrast, some commenters
unauthorized access to or use of form published in 65 FR 1229, 1230 (January 7,
2000)). See also OCC AL 2001–4, Identity Theft and
recommended that the standard for
customer information, such as by Pretext Calling, April 30, 2001; Federal Reserve SR notification of regulators remain broad.
monitoring, freezing, or closing affected 01–11, Identity Theft and Pretext Calling, Apr. 26, One commenter advocated that any
accounts, while preserving records and 2001; SR 97–28, Guidance Concerning Reporting of event that triggers an internal
other evidence; and (5) notifying Computer Related Crimes by Financial Institutions,
Nov. 6, 1997; FDIC FIL 48–2000, Suspicious
investigation by the institution should
customers when warranted. Activity Reports, July 14, 2000; FIL 47–97, require notice to the appropriate
Assess the Situation. The proposed Preparation of Suspicious Activity Reports, May 6, regulator. Another commenter similarly
Guidance stated that an institution 1997; OTS CEO Memorandum 139, Identity Theft suggested that notification of all security
and Pretext Calling, May 4, 2001; http://
should assess the nature and scope of www.ots.treas.gov/BSA (for the latest SAR form and
events to Federal regulators is critical,
the incident and identify what customer filing instructions required by OTS as of July 1, not only those involving unauthorized
information systems and types of 2003). access to or use of customer information

VerDate jul<14>2003 16:55 Mar 28, 2005 Jkt 205001 PO 00000 Frm 00016 Fmt 4700 Sfmt 4700 E:\FR\FM\29MRR1.SGM 29MRR1
Federal Register / Vol. 70, No. 59 / Tuesday, March 29, 2005 / Rules and Regulations 15741

that could result in substantial harm or incident, and track other statistical data an institution may authorize or contract
inconvenience to its customers. regarding security. The statistical data with its service provider to notify the
The Agencies have concluded that the could include the number of security institution’s regulator on the
standard for notification to regulators incidents reported annually and the institution’s behalf when a security
should provide an early warning to number of times the incidents incident involves an unauthorized
allow an institution’s regulator to assess warranted customer notice. intrusion into the institution’s customer
the effectiveness of an institution’s The Agencies do not wish to create information systems maintained by the
response plan, and, where appropriate, another SAR-like process that requires service provider.
to direct that notice be given to the completion of detailed forms.
customers if the institution has not Instead, the Agencies contemplate that a Notice to Law Enforcement
already done so. Thus, the standard in financial institution will notify Some commenters took issue with the
the final Guidance states that an regulators as quickly as possible, by provision in the proposed Guidance
institution should notify its primary telephone, or in some other expeditious regarding notification of law
Federal regulator as soon as possible manner when the institution becomes enforcement by telephone. One
when the institution becomes aware of aware of an incident involving commenter asked the Agencies to clarify
an incident involving unauthorized unauthorized access to or use of how notification of law enforcement by
access to or use of ‘‘sensitive customer sensitive customer information. The telephone would work since in many
information.’’ Agencies believe that the extent to cases it is unclear what telephone
‘‘Sensitive customer information’’ is which they will gather statistics on number should be used. This
defined in section III of the final security incidents and customer notice commenter maintained that size and
Guidance and means a customer’s name, is beyond the scope of the final sophistication of law enforcement
address, or telephone number, in Guidance. Whether or not an Agency authorities may differ from state to state
conjunction with the customer’s social will track the number of incidents and this requirement may create
security number, driver’s license reported is left to the discretion of confusion and unwarranted action by
number, account number, credit or debit individual Agencies. the law enforcement authority.
card number, or a personal The final Guidance adopts this
identification number or password that Notice to Regulators by Service provision as proposed. The Agencies
would permit access to the customer’s Providers note that the provision stating that an
account. ‘‘Sensitive customer Commenters on the proposed institution should notify law
information’’ also includes any Guidance questioned whether a enforcement by telephone in situations
combination of components of customer financial institution or its service involving Federal criminal violations
information that would allow someone provider should give notice to a requiring immediate attention is
to log onto or access the customer’s regulator when a security incident consistent with the Agencies’ existing
account, such as user name and involves an unauthorized intrusion into SAR regulations.18
password or password and account the institution’s customer information Contain and Control the Situation.
number. systems maintained by the service The proposed Guidance stated that the
This standard is narrower than that in provider. One commenter noted that if financial institution should take
the proposed Guidance because a a security event occurs at a large service measures to contain and control a
financial institution will need to notify provider, regulators could receive security incident to prevent further
its regulator only if it becomes aware of thousands of notices from institutions unauthorized access to or use of
an incident involving ‘‘sensitive relating to the same event. The customer information while preserving
customer information.’’ Therefore, commenter suggested that if a service records and other evidence.19 It also
under the final Guidance, there will be provider is examined by one of the stated that, depending upon the
fewer occasions when a financial Agencies the most efficient means of particular facts and circumstances of the
institution should need to notify its providing regulatory notice of such a incident, measures in connection with
regulators. However, under this security event would be to allow the computer intrusions could include: (1)
standard, a financial institution will servicer to notify its primary Agency Shutting down applications or third
need to notify its regulator at the time contact. The primary Agency contact party connections; (2) reconfiguring
that the institution initiates its then could disseminate the information firewalls in cases of unauthorized
investigation to determine the to the other regulatory agencies as electronic intrusion; (3) ensuring that all
likelihood that the information has been appropriate. known vulnerabilities in the financial
or will be misused, so that the regulator The Agencies believe that it is the institution’s computer systems have
will be able to take appropriate action, responsibility of the financial institution been addressed; (4) changing computer
if necessary. and not the service provider to notify access codes; (5) modifying physical
the institution’s regulator. Therefore, the access controls; and (6) placing
Method of Providing Notice to final Guidance states that a financial additional controls on service provider
Regulators institution should notify its primary arrangements.
Commenters on the proposed Federal regulator as soon as possible Few comments were received on this
Guidance also questioned how a when the institution becomes aware of section. One commenter suggested that
financial institution should provide an incident involving unauthorized the Agencies adopt this section
notice to its regulator. One commenter access to or use of sensitive customer unchanged in the final Guidance.
suggested that the Agencies should information. Nonetheless, a security Another commenter had questions
standardize the notice that financial incident at a service provider could about the meaning of the phrase
institutions provide to their regulators. have an impact on multiple financial
The commenter suggested that the institutions that are supervised by 18 Seefootnote 16, supra.
19 SeeFFIEC Information Technology
Agencies use these notices to track different Federal regulators. Therefore,
Examination Handbook, Information Security
institutions’ compliance with the in the interest of efficiency and burden Booklet, Dec. 2002, pp. 68–74 available at: http://
Security Guidelines, gather reduction, the last paragraph in section www.ffiec.gov/ffiecinfobase/html_pages/
comprehensive details regarding each II of the final Guidance makes clear that infosec_book_frame.htm.

VerDate jul<14>2003 16:55 Mar 28, 2005 Jkt 205001 PO 00000 Frm 00017 Fmt 4700 Sfmt 4700 E:\FR\FM\29MRR1.SGM 29MRR1
15742 Federal Register / Vol. 70, No. 59 / Tuesday, March 29, 2005 / Rules and Regulations

‘‘known vulnerabilities.’’ Commenters described three corrective measures that monitor individual accounts. They
did, however, note the overlap between a financial institution should include as stated that the financial impact of
proposed section II.C., and the a part of its response program in order having to monitor accounts for unusual
corrective measures in proposed section to effectively address and mitigate harm activity would be enormous, as each
II.D., described as ‘‘flagging accounts’’ to individual customers: (1) Flagging institution would have to purchase
and ‘‘securing accounts.’’ accounts; (2) securing accounts; and (3) expensive technology, hire more
The Agencies agree that some sections notifying customers. The Agencies personnel, or both. These commenters
in the proposed Guidance overlapped. removed the first two corrective asked the Agencies to provide
Therefore, the Agencies modified this measures for the reasons that follow. institutions with the flexibility to close
section by incorporating concepts from Flagging and Securing Accounts. The an account if the institution detects
the proposed Corrective Measures first corrective measure in the proposed unusual activity.
component, and removing the more Guidance directed financial institutions With respect to ‘‘securing accounts,’’
specific examples in this section, to ‘‘flag accounts.’’ It stated that an several commenters stated that if
including the terms that confused institution should immediately begin ‘‘secure’’ means close or freeze, either
commenters. This section in the final identifying and monitoring the accounts action would be extreme and would
Guidance gives an institution greater of those customers whose information have significant adverse consequences
discretion to determine the measures it may have been accessed or misused. It for customers. Other commenters stated
will take to contain and control a also stated that an institution should that the requirement that the institution
security incident. It states that provide staff with instructions regarding and the customer ‘‘agree on a course of
institutions should take appropriate the recording and reporting of any action’’ is unrealistic, unworkable and
steps to contain and control the incident unusual activity, and if indicated given should be eliminated. Some
to prevent further unauthorized access the facts of a particular incident, commenters explained that if a
to or use of customer information, such implement controls to prevent the customer is traveling and the financial
as by monitoring, freezing, or closing unauthorized withdrawal or transfer of institution cannot contact the customer
affected accounts, while preserving funds from customer accounts. to obtain the customer’s consent,
records and other evidence. The second corrective measure freezing or closing a customer’s account
directed institutions to ‘‘secure could strand the customer with no
Preserving Evidence accounts.’’ The proposed Guidance means of taking care of expenses. They
One commenter stated that the final stated that when a checking, savings, or stated that, in the typical case, the
Guidance should require financial other deposit account number, debit or institution would monitor such an
institutions, as part of the response credit card account number, personal account for suspicious transactions.
process, to have an effective computer identification number (PIN), password, As described earlier, the Agencies are
forensics capability in order to or other unique identifier has been adopting an approach in the final
investigate and mitigate computer accessed or misused, the financial Guidance that is more flexible and risk-
security incidents as discussed in institution should secure the account based than that in the proposed
principle fourteen of the Basel and all other accounts and services that Guidance. The final Guidance
Committee’s ‘‘Risk Management for can be accessed using the same account incorporates the general concepts
Electronic Banking’’ 20 and the number or name and password described in the first two corrective
International Organization for combination. The proposed Guidance measures into the brief bullets
Standardization’s ISO 17799.21 stated that accounts should be secured describing components of a response
The Agencies note that the final until such time as the financial program enumerated in section II.C.
Guidance addresses not only computer institution and the customer agree on a Therefore, the first and second
security incidents, but also all other course of action. corrective measures no longer appear in
incidents of unauthorized access to Commenters were critical of these the final Guidance.
customer information. Thus, it is not proposed measures. Several commenters Customer Notice and Assistance. The
appropriate to include more detail about asserted that the final Guidance should third corrective measure in the
steps an institution should take to not prescribe responses to security proposed Guidance was titled
investigate and mitigate computer incidents with this level of detail. Other ‘‘Customer Notice and Assistance.’’ This
security incidents. However, the commenters recommended that if the proposed measure stated that a financial
Agencies believe that institutions Agencies chose to retain references to institution should notify and offer
should be mindful of industry standards ‘‘flagging’’ or ‘‘securing’’ accounts, they assistance to customers whose
when investigating an incident. should include the words ‘‘where information was the subject of an
Therefore, the final Guidance contains a appropriate’’ in order to give incident of unauthorized access or use
reference to forensics by generally institutions the flexibility to choose the under the circumstances described in
noting that an institution should take most effective solutions to problems. section III of the proposed Guidance.
appropriate steps to contain and control Commenters also stated that the The proposed Guidance also described
an incident, while preserving records decision to flag accounts, the nature of which customers should be notified. In
and other evidence. that flag, and the duration of the flag, addition, this corrective measure
Corrective Measures. The proposed should be left to an individual financial contained provisions discussing
Guidance stated that once a financial institution’s risk-based procedures delivery and contents of the customer
institution understands the scope of the developed under the Security notice.
incident and has taken steps to contain Guidelines. These commenters asked The final Guidance now states that an
and control the situation, it should take the Agencies to recognize that regular, institution’s response program should
measures to address and mitigate the ongoing fraud prevention and detection contain procedures for notifying
harm to individual customers. It then methods employed by an institution customers when warranted. For clarity’s
may be sufficient. sake, the discussion of which customers
20 http://www.bis.org/publ/bcbs35.htm. Commenters representing small should be notified, and the delivery and
21 http://www.iso.org/iso/en/prods-services/ institutions stated that they do not have contents of customer notice, is now in
popstds/informationsecurity.html. the technology or other resources to new section III, titled ‘‘Customer

VerDate jul<14>2003 16:55 Mar 28, 2005 Jkt 205001 PO 00000 Frm 00018 Fmt 4700 Sfmt 4700 E:\FR\FM\29MRR1.SGM 29MRR1
Federal Register / Vol. 70, No. 59 / Tuesday, March 29, 2005 / Rules and Regulations 15743

Notice.’’ Comments and changes with institution’s customer information ‘‘to be reasonably likely,’’ or if
respect to the paragraphs that were systems maintained by the service circumstances indicated ‘‘a significant
relocated are discussed under the provider. risk’’ that the information will be
section titled ‘‘Customer Notice’’ that misused.
C. The ‘‘Customer Notice’’ Section Commenters maintained that because
follows.
Section III of the proposed Guidance the proposed standard states that a
Responsibility for Notice to Customers described the standard for providing financial institution should give notice
Some commenters were confused by notice to customers and defined the when fraud or identity theft is merely
the discussion in the proposed term ‘‘sensitive customer information’’ possible, notification under these
Guidance stating that a financial used in that standard. This section also circumstances would needlessly alarm
institution’s contract with its service gave examples of circumstances when a customers where little likelihood of
provider should require the service financial institution should give notice harm exists. Commenters claimed that,
provider to disclose fully to the and when the Agencies do not expect a eventually, frequent notices in non-
institution information related to any financial institution to give notice. It threatening situations would be
breach in security resulting in an also discussed contents of the notice perceived by customers as routine and
unauthorized intrusion into the and proper delivery. commonplace, and therefore reduce
institution’s customer information Section III of the final Guidance their effectiveness.
systems maintained by the service similarly describes the standard for The Agencies believe that articulating
provider. Commenters stated that this providing notice to customers and as part of the guidance a standard that
provision appears to create an obligation defines both the terms ‘‘sensitive sets forth when notice to customers is
for both financial institutions and their customer information’’ and ‘‘affected warranted is both helpful and
service providers to provide notice of customers.’’ It also discusses the appropriate. However, the Agencies
security incidents to the institution’s contents of the notice and proper agree with commenters and are
customers. These commenters delivery. concerned that the proposed threshold
recommended that the service provider Standard for Providing Notice inappropriately required institutions to
notify its financial institution customer prove a negative proposition, namely,
so that the financial institution could A key feature of the proposed that misuse of the information accessed
provide appropriate notice to its Guidance was the description of when is unlikely to occur. In addition, the
customers. Thus, customers would a financial institution should provide Agencies do not want customers of
avoid receiving multiple notices relating customer notice. The proposed financial institutions to receive notices
to a single security incident. Guidance stated that an institution that would not be useful to them.
Other commenters asserted that a should notify affected customers Therefore, the Agencies have revised the
financial institution should not have to whenever it becomes aware of standard for customer notification.
notify its customers if an incident has unauthorized access to ‘‘sensitive The final Guidance provides that
occurred because of the negligence of its customer information’’ unless the when an institution becomes aware of
service provider. These commenters institution, after an appropriate an incident of unauthorized access to
recommended that in this situation, the investigation, reasonably concludes that sensitive customer information, the
service provider should be responsible misuse of the information is unlikely to institution should conduct a reasonable
for providing notice to the financial occur and takes appropriate steps to investigation to determine promptly the
institution’s customers. safeguard the interests of affected likelihood that the information has been
As discussed above in connection customers, including by monitoring or will be misused. If the institution
with notice to regulators, the Agencies affected customers’ accounts for determines that misuse of the
believe that it is the responsibility of the unusual or suspicious activity. information has occurred or is
institution, and not of the service The Agencies believed that this reasonably possible, it should notify
provider, to notify the institution’s proposed standard would strike a affected customers as soon as possible.
customers in connection with an balance between notification to An investigation is an integral part of
unauthorized intrusion into an customers every time the mere the standard in the final Guidance. A
institution’s customer information possibility of misuse of customer financial institution should not forego
systems maintained by the service information arises from unauthorized conducting an investigation to avoid
provider. The responsibility to notify access and a situation where the reaching a conclusion regarding the
customers remains with the institution financial institution knows with likelihood that customer information
whether the incident is inadvertent or certainty that information is being has been or will be misused and cannot
due to the service provider’s negligence. misused. However, the Agencies unreasonably limit the scope of the
The Agencies note that the costs of specifically requested comment on investigation. However, the Agencies
providing notice to the institution’s whether this is the appropriate standard acknowledge that a full-scale
customers as a result of negligence on and invited commenters to offer investigation may not be necessary in all
the part of the service provider may be alternative thresholds for customer cases, such as where the facts readily
addressed in the financial institution’s notification. indicate that information will or will
contract with its service provider. Some commenters stated that the not be misused.
The last paragraph in section II of the proposed standard was reasonable and
final Guidance, therefore, states that it is sufficiently flexible. However, many Monitoring for Suspicious Activity
the responsibility of the financial commenters recommended that the The proposed Guidance stated that an
institution to notify the institution’s Agencies provide financial institutions institution need not notify customers if
customers. It also states that the with greater discretion to determine it reasonably concludes that misuse of
institution may authorize or contract when a financial institution should the information is unlikely to occur and
with its service provider to notify notify its customers. Some of these takes appropriate steps to safeguard the
customers on the institution’s behalf, commenters asserted that a financial interests of affected customers,
when a security incident involves an institution should not have to give including by monitoring affected
unauthorized intrusion into the notice unless the institution believes it customers’ accounts for unusual or

VerDate jul<14>2003 16:55 Mar 28, 2005 Jkt 205001 PO 00000 Frm 00019 Fmt 4700 Sfmt 4700 E:\FR\FM\29MRR1.SGM 29MRR1
15744 Federal Register / Vol. 70, No. 59 / Tuesday, March 29, 2005 / Rules and Regulations

suspicious activity. A number of investigation to assess the risk resulting protect themselves from identity theft
comments addressed the standard in the from a security incident. and other misuse of their sensitive
proposed Guidance on monitoring The Agencies have responded to these information. Thus, the final Guidance
affected customers’ accounts for various comments on the timing of also provides that a financial institution
unusual or suspicious activity. notice by providing that a financial should notify its customers as soon as
Some commenters stated that the final institution notify an affected customer notification will no longer interfere with
Guidance should grant institutions the ‘‘as soon as possible’’ after concluding the investigation and should maintain
discretion to monitor the affected that misuse of the customer’s contact with the law enforcement
customer accounts for a period of time information has occurred or is agency that has requested a delay, in
and to the extent warranted by the reasonably possible. As the scope and order to learn, in a timely manner, when
particular circumstances. Some timing of a financial institution’s customer notice will no longer interfere
commenters suggested that monitoring investigation is dictated by the facts and with the investigation.
occur during the investigation. One circumstances of a particular case, the
Agencies have not designated a specific Sensitive Customer Information
commenter noted that an institution’s
investigation may reveal that monitoring number of hours or days by which Scope of Standard
is unnecessary. One commenter noted that monitoring the customer’s accounts at the institution may not protect the customer, because unauthorized access to customer information may result in identity theft beyond the accounts held at the specific financial institution.

The Agencies agree that under certain circumstances, monitoring may be unnecessary, for example when, on the basis of a reasonable investigation, an institution determines that information was not misused. The Agencies also agree that the monitoring requirement may not protect the customer. Indeed, an identity thief with unauthorized access to certain sensitive customer information likely will open accounts at other financial institutions in the customer’s name. Accordingly, the Agencies conclude that monitoring under the circumstances described in the standard for notice would be burdensome for financial institutions without a commensurate benefit to customers. For these reasons, the Agencies have removed the reference to monitoring in the final Guidance.

Timing of Notice

The proposed Guidance did not include specific language on the timing of notice to customers and the Agencies received many comments on this issue. Some commenters requested clarification of the time frame for customer notice. One commenter recommended that the Agencies adopt the approach in the proposed Guidance because it did not set forth any circumstances that may delay notification of the affected customers. Yet another commenter maintained that, in light of a customer’s need to act expeditiously against identity theft, an outside limit of 48 hours after the financial institution learns of the breach is a reasonable and timely requirement for notice to customers. Many other commenters, however, recommended that the Agencies make clear that an institution may take the time it reasonably needs to conduct an

financial institutions should provide notice to customers. The Agencies believe that doing so may inhibit an institution’s ability to investigate adequately a particular incident or may result in notice that is not timely.

Delay for Law Enforcement Investigation

The proposed Guidance did not address delay of notice to customers while a law enforcement investigation is conducted. Many commenters recommended permitting an institution to delay notification to customers to avoid compromising a law enforcement investigation. These commenters noted that the California Database Protection Act of 2003 (CDPA) requires notification of California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.[22] However, the CDPA permits a delay in notification if a law enforcement agency determines that the notification will impede a criminal investigation.[23] Another commenter suggested that an institution should not have to obtain a formal determination from a law enforcement agency before it is able to delay notice.

The Agencies agree that it is appropriate to delay customer notice if such notice will jeopardize a law enforcement investigation. However, to ensure that such a delay is necessary and justifiable, the final Guidance states that customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.[24]

The Agencies are concerned that a delay of notification for a law enforcement investigation could interfere with the ability of customers to

The Agencies received many comments on the limitation of notice in the proposed Guidance to incidents involving unauthorized access to sensitive customer information. The Agencies invited comment on whether to modify the proposed standard for notice to apply to other circumstances that compel an institution to conclude that unauthorized access to information, other than sensitive customer information, likely will result in substantial harm or inconvenience to the affected customers.

Most commenters recommended that the standard remain as proposed rather than covering other types of information. One commenter suggested that the Agencies continue to allow a financial institution the discretion to notify affected customers in any other extraordinary circumstances that compel it to conclude that unauthorized access to information other than sensitive customer information likely will result in substantial harm or inconvenience to those affected. However, the commenter did not provide any examples of such extraordinary circumstances.

The Agencies continue to believe that the rationale for limiting the standard to sensitive customer information expressed in the proposed Guidance is correct. The proposed Guidance explained that, under the Security Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft.

The Agencies have not identified any circumstances that should prompt customer notice and continue to believe that it is not likely that a customer will suffer substantial harm or inconvenience from unauthorized

[22] See CAL. CIV. CODE § 1798.82 (West 2005).

[23] See CAL. CIV. CODE § 1798.82(c) (West 2005).

[24] This includes circumstances when an institution confirms that an oral request for delay from law enforcement will be followed by a written request.
access to other types of information. Therefore, the standard in the final Guidance continues to be limited to unauthorized access to sensitive customer information. Of course, a financial institution still may send notices to customers in any additional circumstances that it determines are appropriate.

Definition of Sensitive Customer Information

The Agencies received many comments on the proposed definition of “sensitive customer information” in the proposed Guidance. The first part of the proposed definition stated that “sensitive customer information” is a customer’s social security number, personal identification number (PIN), password or account number, in conjunction with a personal identifier such as the customer’s name, address, or telephone number. In addition, the second part of the proposed definition stated that “sensitive customer information” includes any combination of components of customer information that allow someone to log onto or access another person’s account, such as user name and password.

Some commenters agreed with this definition of “sensitive customer information.” They said that it was sound, workable, and sufficiently detailed. However, many commenters proposed additions, exclusions, or alternative definitions.

Additional Elements

Some commenters suggested that the Agencies add various data elements to the definition of sensitive customer information, including a driver’s license number or number of other government-issued identification, mother’s maiden name, and date of birth. One commenter suggested inclusion of other information that institutions maintain in their customer information systems such as a customer’s account balance, account activity, purchase history, and investment information. The commenter noted that misuse of this information in combination with a personal identifier can just as easily result in substantial harm or inconvenience to a customer.

The Agencies have added to the first part of the definition several more specific components, such as driver’s license number and debit and credit card numbers, because this information is commonly sought by identity thieves. However, the Agencies determined that the second part of the definition would cover the remaining suggestions. For example, where date of birth or mother’s maiden name are used as passwords, under the final Guidance they will be considered components of customer information that allow someone to log onto or access another person’s account. Therefore, these specific elements have not been added to the definition.

Exclusions

Commenters also asserted that the proposed definition of sensitive customer information was too broad and proposed various exclusions. For example, some commenters asked the Agencies to exclude publicly available information, and also suggested that the final Guidance apply only to account numbers for transaction accounts or other accounts from which withdrawals or transfers can be initiated. These commenters explained that access to a mortgage account number (which may also be a public record) does not permit withdrawal of additional funds or otherwise damage the customer. Other commenters requested that the Agencies exclude encrypted information. Some of these commenters noted that only unencrypted information is covered by the CDPA.[25]

The final Guidance does not adopt any of the proposed exclusions. The Agencies believe it would be inappropriate to exclude publicly available information from the definition of sensitive customer information, where publicly available information is otherwise covered by the definition of “customer information.”[26] So for instance, while a personal identifier, i.e., name, address, or phone number, may be publicly available, it is sensitive customer information when linked with particular nonpublic information such as a credit card account number. However, where the definition of “customer information” does not cover publicly available information, sensitive customer information also would not cover publicly available information. For instance, where an individual’s name or address is linked with a mortgage loan account number that is in the public record and, therefore, would not be considered “customer information,”[27] it also would not be considered “sensitive customer information” for purposes of the final Guidance.

In addition, access to a customer’s personal information and account number, regardless of whether it is an account from which withdrawals or transfers can be initiated, may permit an identity thief to access other accounts from which withdrawals can be made. Thus, the Agencies have determined that the definition of account number should not be limited as suggested by commenters. The Agencies also believe that a blanket exclusion for all encrypted information is not appropriate, because there are many levels of encryption, some of which do not effectively protect customer information.

Alternative Definitions

Most alternative definitions suggested by commenters resembled the definition of “personal information” under the CDPA.[28] Under the CDPA, “personal information” includes a resident of California’s name together with an account number, or credit or debit card number only if the information accessed also includes any required security code, access code, or password that would permit access to an individual’s financial account. Therefore, some commenters asked that the final Guidance clarify that a name and an account number, together, is not sensitive customer information unless these elements are combined with other information that permits access to a customer’s financial account.

The Agencies concluded that it would be helpful if financial institutions could more easily compare and contrast the definition of “personal information” under the CDPA with the definition of “sensitive information” under the Final Guidance. Therefore, the elements in the definition of sensitive information in the final Guidance are re-ordered and the Agencies added the elements discussed earlier.

The final Guidance states that sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. The final Guidance also states that sensitive customer information includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and

[25] See CAL. CIV. CODE § 1798.82(a) (West 2005).

[26] See Security Guidelines, I.C.2.c.

[27] See § __.3(p)(3)(i).

[28] Under California law requiring notice, “personal information” means an individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number; (2) driver’s license number or California Identification Card number; (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. See CAL. CIV. CODE § 1798.82(e) (West 2005).
password or a password and account number.

The Agencies decline to adopt the CDPA standard for several reasons. First, for example, under the CDPA, personal information includes a person’s name in combination with other data elements. By contrast, the final Guidance treats address and telephone number in the same manner as a customer’s name, because reverse directories may permit an address or telephone number to be traced back to an individual customer.

In addition, under the CDPA, “personal information” includes name together with an account number, or credit or debit card number only if the information accessed also includes any required security code, access code, or password that would permit access to an individual’s financial account. The Agencies note that a name and account number, alone, is sufficient to create fraudulent checks, or to direct the unauthorized debit of a customer’s account even without an access code.[29] Further, a name and credit card number may permit unauthorized access to a customer’s account. Therefore, the final Guidance continues to define a customer’s name and account number, or credit or debit card number as sensitive customer information.

Affected Customers. The Agencies received many comments on the discussion of notice to “affected customers” in the proposed Guidance. Section II.D.3. of the proposed Guidance provided that if the institution could determine from its logs or other data precisely which customers’ information was accessed or misused, it could restrict its notification to those individuals. However, if the institution could not identify precisely which customers were affected, it should notify each customer in any group likely to have been affected, such as each customer whose information was stored in the group of files in question.

Commenters were concerned that this provision in the proposed Guidance was overly broad. These commenters stated that providing notice to all customers in groups likely to be affected would result in many notices that are not helpful. The commenters suggested that the final Guidance narrow the standard for notifying customers to only those customers whose information has been or is likely to be misused.

The discussion of “affected customers” has been relocated and is separately set forth following the definition of “sensitive customer information,” in the final Guidance. The discussion of “affected customers” in the final Guidance states that if a financial institution, based upon its investigation, can determine from its logs or other data precisely which customers’ information has been improperly accessed,[30] it may notify only those customers with respect to whom the institution determines that misuse of their information has occurred or is reasonably possible. However, the final Guidance further notes that there may be situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers’ information has been accessed. If the circumstances of the unauthorized access lead the institution to determine that misuse of the information contained in the group of files is reasonably possible, it should notify all customers in the group. In this way, the Agencies have reduced the number of notices that should be sent.

Examples. The proposed Guidance described several examples of when a financial institution should give notice and when the Agencies do not expect a financial institution to give notice.

The Agencies received a number of comments on the examples. Some commenters thought the examples were helpful and suggested that the Agencies add more. Other commenters criticized the examples as too broad. Many commenters suggested numerous ways to modify and clarify the examples. Since the examples in the proposed Guidance led to interpretive questions, rather than interpretive clarity, the Agencies concluded that it is not particularly helpful to offer examples of when notice is and is not expected. In addition, the Agencies believe that the standard for notice itself has been clarified and examples are no longer necessary. Therefore, there are no examples in the final Guidance.

Content of Customer Notice. The Agencies received many comments on the discussion of the content of customer notice located in section II.D.3.b. of the proposed Guidance. The proposed Guidance stated that a notice should describe the incident in general terms and the customer’s information that was the subject of unauthorized access or use. It stated that the notice should also include a number that customers can call for further information and assistance, remind customers of the need to remain vigilant over the next 12 to 24 months, and recommend that customers promptly report incidents of suspected identity theft. The proposed Guidance described several “key elements” that a notice should contain. It also provided a number of “optional elements,” namely, examples of additional assistance that institutions have offered.

Some commenters agreed that the proposed Guidance sufficiently addressed most of the key elements necessary for an effective notice. However, many commenters requested greater discretion to determine the content of the notices that financial institutions provide to customers. Commenters suggested that the Agencies make clear that the various items suggested for inclusion in any customer notice are suggestions, and that not every item is mandatory in every notice.

Some commenters took issue with the enumerated items in the proposed Guidance identified as key elements that a notice should contain. For example, many commenters asserted that customers should not necessarily be encouraged to place fraud alerts with credit bureaus in every circumstance. Some of these commenters noted that not all situations will warrant having a fraud alert posted to the customer’s credit file, especially if the financial institution took appropriate action to render the information accessed worthless. According to these commenters, the consequences of a fraud alert, such as increased obstacles to obtaining credit, may outweigh any benefit. Some commenters also noted that a proliferation of fraud alerts not related to actual fraud would dilute the effectiveness of the alerts.

Other commenters criticized the optional elements in the proposed Guidance. For instance, some commenters stated that a notice should not inform the customer about subscription services that provide notification to the customer when there is a request for the customer’s credit report, or offer to subscribe the customer to this service, free of charge, for a period of time. These commenters asserted that customer notices should not be converted into a marketing opportunity for subscription services provided by consumer credit bureaus. They stated that offering the service could mislead the customer into believing that these expensive services

[29] See, e.g., Griff Witte, Bogus Charges, Unknowingly Paid: FTC Accuses 2 of Raiding 90,000 Bank Accounts in Card Fraud, Washington Post, May 29, 2004, at E1 (list of names with associated checking account numbers used by bogus company to debit bank accounts without customer authorization).

[30] The Agencies note that system logs may permit an institution to determine precisely which customers’ data has been improperly accessed. See, e.g., FFIEC Information Technology Handbook, Information Security Booklet, page 64 available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm.
are essential. If the service is offered free of charge, an institution’s choice of service could be interpreted as an endorsement for a specific company and its product.

As a result of the Fair and Accurate Credit Transactions Act of 2003, Pub. L. 108–159, 117 Stat. 1985–86 (the FACT Act), many of the descriptions of “key elements” and “optional elements” in the proposed Guidance, and comments on these elements, have been superseded. For example, the frequency and circumstances under which a customer may obtain a credit report free-of-charge have changed.

The final Guidance continues to specify that a notice should describe the incident in general terms and the customer’s information that was the subject of unauthorized access or use. It also continues to state that the notice should include a number that customers can call for further information and assistance, remind customers of the need to remain vigilant over the next 12 to 24 months, and recommend that customers promptly report incidents of suspected identity theft. In addition, the final Guidance also states that the notice should generally describe what the institution has done to protect the customers’ information from further unauthorized access.

However, the final Guidance no longer distinguishes between certain other “key” items that the notice should contain and those that are “optional.” The Agencies added greater flexibility to this section to accommodate any new protections afforded to consumers that flow from the FACT Act. Instead of distinguishing between items that the notice should contain and those that are optional, an institution may now select those items that are appropriate under the circumstances, and that are compatible with the FACT Act. Of course, institutions may incorporate additional information that is not mentioned in the final Guidance, where appropriate.

Coordination With Credit Reporting Agencies

A trade association representing credit reporting agencies commented that its members are extremely concerned about their ability to comply with all of the duties (triggered under the FACT Act) that result from notices financial institutions send to their customers. This commenter strongly recommended that until a financial institution has contacted each nationwide consumer reporting agency to coordinate the timing, content, and staging of notices as well as the placement of fraud alerts, as necessary, a financial institution should refrain from issuing notices suggesting that customers contact nationwide consumer reporting agencies.

The commenter also stated that a financial institution that includes such suggestions in a notice to its customers should work with the credit reporting agencies to purchase the services the financial institution believes are necessary to protect its customers. The commenter stated that the costs of serving the millions of consumers it projects would receive notices under the proposed Guidance cannot be borne by the nationwide consumer reporting agencies.

The commenter also noted that the State of California has provided clear guidance in connection with its law requiring notice and also suggested that coordination with consumer reporting agencies is vital to ensure that a consumer can in fact request a file disclosure in a timely manner. This commenter stated that similar guidance at the federal level is essential.

The Agencies believe that the final Guidance addresses this commenter’s concerns in several ways. First, for the reasons described earlier, the standard for customer notice in the final Guidance likely will result in financial institutions sending fewer notices than under the proposed Guidance. Second, the final Guidance no longer advises financial institutions to send notices suggesting that consumers contact the nationwide credit reporting agencies in every case. Institutions can use their discretion to determine whether such information should be included in a notice.

It is clear, however, that customer notice may prompt more consumer contacts with credit reporting agencies, as predicted by the commenter. Therefore, the final Guidance encourages a financial institution that includes in its notice contact information for nationwide consumer reporting agencies to notify the consumer reporting agencies in advance, prior to sending large numbers of such notices. In this way, the reporting agencies will be on notice that they may have to accommodate additional requests for the placement of fraud alerts, where necessary.

Model Notice

Some commenters stated that if mandatory elements are included in the final Guidance, the Agencies should develop a model notice that incorporates all the mandated elements yet allows financial institutions to incorporate additional information where appropriate.

Given the flexibility that financial institutions now have to craft a notice tailored to the circumstances of a particular incident, the Agencies believe that any single model notice will be of little use. Therefore, the final Guidance does not contain a model notice.

Other Changes Regarding the Content of a Notice

The general discussion of the content of a notice in the final Guidance states that financial institutions should give the customer notice in a “clear and conspicuous manner.” In addition, the final Guidance adopts a commenter’s suggestion that financial institutions should generally describe what the institution has done to protect a customer’s information from further unauthorized access so that a customer can make decisions regarding the institution’s customer service. This addition allows a customer to take measures to protect his or her accounts that are not redundant or in conflict with the institution’s actions.

The final Guidance also states that notice should include a telephone number that customers can call for further information and assistance. The Agencies added a new footnote to this text, which explains that the institution should ensure that it has reasonable policies and procedures in place, including trained personnel, to respond appropriately to customer inquiries and requests for assistance.

Delivery of Customer Notice. The Agencies received numerous suggestions regarding the delivery of customer notice located in section II.D.3.a. of the proposed Guidance. The proposed Guidance stated that customer notice should be timely, clear, and conspicuous, and delivered in any manner that will ensure that the customer is likely to receive it. The proposed Guidance provided several examples of proper delivery and stated that an institution may choose to contact all customers affected by telephone or by mail, or for those customers who conduct transactions electronically, using electronic notice.

One commenter representing a large bank trade association agreed that this was a correct standard. However, many other commenters recommended that if it costs an institution more than $250,000 to provide notice to customers, if the affected class of persons to be notified exceeds 500,000, or if an incident warrants large distributions of notices, the final Guidance should permit various forms of mass distribution of information, such as by postings on an Internet Web page and in national or regional media outlets.
Commenters explained that the CDPA contains such a provision.[31]

One commenter suggested that a financial institution should only provide notice in response to inquiries. By contrast, other commenters stated that the final Guidance should make clear that general notice on a Web site is inadequate and that financial institutions should provide individual notice to customers.

The Agencies determined that the provision in the proposed Guidance that notice be delivered in a “timely, clear, and conspicuous” manner already appears elsewhere in the Guidance and does not relate to manner of delivery. This phrase appears elsewhere in the final Guidance and is unnecessary here. The Agencies have decided not to include a provision in the final Guidance that permits notice through a posting on the Web or through the media in order to provide notice to a specific number of customers or where the cost of notice to individual customers would exceed a specific dollar amount. The Agencies believe that the thresholds suggested by commenters would not be appropriate in every case, especially in connection with incidents involving smaller institutions.

Therefore, the final Guidance states that customer notice should be delivered in any manner that is designed to ensure that a customer can reasonably be expected to receive it. This standard places the responsibility on the financial institution to select a method to deliver notice that is designed to ensure that a customer is likely to receive notice.

The final Guidance also provides examples of proper delivery noting that an institution may choose to contact all customers affected by telephone or by mail, or by electronic mail for those customers for whom it has a valid e-mail address and who have agreed to receive electronic communications from the institution.

Some commenters questioned the effect of other laws on the proposed Guidance. A few commenters noted that electronic notice should conform to the requirements of the Electronic Signatures in Global and National Commerce Act (E-Sign Act), 15 U.S.C. 7001 et seq.

The final Guidance does not discuss a financial institution’s obligations under the E-Sign Act. The Agencies note that the final Guidance specifically contemplates that a financial institution may give notice electronically or by telephone. There is no requirement that notice be provided in writing. Therefore, the final Guidance does not trigger any consent requirements under the E-Sign Act.[32]

Still other commenters requested clarification that a telephone call made to a customer for purposes of complying with the final Guidance is for “emergency purposes” under the Telephone Consumer Protection Act, 47 U.S.C. 227 (TCPA). These commenters noted that this is important because under the TCPA and its implementing regulation,[33] it is unlawful to initiate a telephone call to any residential phone line using an artificial or prerecorded voice to deliver a message, without the prior express consent of the called party, unless such call is for “emergency purposes.”

The final Guidance does not address the TCPA, because the TCPA is interpreted by the Federal Communications Commission (FCC), and the FCC has not yet taken a position on this issue.[34]

V. Effective Date

Many commenters noted that the proposed Guidance did not contain a delayed effective date. They suggested that the Agencies include a transition period to allow adequate time for financial institutions to implement the final Guidance.

The final Guidance is an interpretation of existing provisions in section 501(b) of the GLBA and the Security Guidelines. A delayed effective date is not required under the APA, 12 U.S.C. 553(d)(2), or the Riegle Community Development and Regulatory Improvement Act of 1994, 12 U.S.C. 4802, which requires a delayed effective date for new regulations, because the final Guidance is a statement of policy.

Given the comments received, the Agencies recognize that not every financial institution currently has a response program that is consistent with the final Guidance. The Agencies expect these institutions to implement the final Guidance as soon as possible. However, we appreciate that some institutions may need additional time to develop new compliance procedures, modify systems, and train staff in order to implement an adequate response program. The Agencies will take into account the good faith efforts made by each institution to develop a response program that is consistent with the final Guidance, together with all other relevant circumstances, when examining the adequacy of an institution’s information security program.

VI. OTS Conforming and Technical Change

OTS is making a conforming, technical change to its Security Procedures Rule at 12 CFR 568.5. That regulation currently provides that savings associations and subsidiaries that are not functionally regulated must comply with the Security Guidelines in Appendix B to part 570. OTS is adding a sentence to make clear that Supplement A to Appendix B is intended as interpretive guidance only.

With regard to this rule change, OTS finds that there is good cause to dispense with prior notice and comment and with the 30-day delay of effective date mandated by the Administrative Procedure Act. 5 U.S.C. 553. OTS believes that these procedures are unnecessary and contrary to the public interest because the revision merely makes conforming and technical changes to an existing provision. A conforming and technical change is necessary to make clear that Supplement A to Appendix B to part 570 is intended as interpretive guidance only. Because the amendment in the rule is not substantive, it will not affect savings associations.

With regard to this rule change, OTS further finds that the Riegle Community Development and Regulatory Improvement Act of 1994 does not apply because the revision imposes no additional requirements and makes only

[32] Under the E-Sign Act, if a statute, regulation, or other rule of law requires that information be provided or made available to a consumer in writing, certain consent procedures apply. See 15 U.S.C. 7001(c).

[33] 47 CFR 64.1200.

[34] The Agencies note, however, that the TCPA and its implementing regulations generally exempt calls made to any person with whom the caller has an established business relationship at the time the call is made. See, e.g., 47 CFR 64.1200(a)(1)(iv). Thus, the TCPA would not appear to prohibit a financial institution’s telephone calls to its own customers. In addition, the FCC’s regulations state that the phrase for “emergency purposes” means calls made necessary in any situation affecting the health and safety of consumers. 47 CFR 64.1200(f)(2). See also FCC Report and Order adopting rules and regulations implementing the TCPA, October 16, 1992, available at http://www.fcc.gov/cgb/donotcall/, paragraph 51 (calls from utilities to notify customers of service outages, and to warn customers of discontinuance of service are included within the exemption for emergencies). Financial institutions will give customer notice under the final Guidance for a public safety purpose, namely, to permit their customers to protect themselves where their sensitive information is likely to be misused, for example, to facilitate identity theft. Therefore, the Agencies believe that the exemption for emergency purposes likely would include customer notice that
31 See CAL. CIV. CODE § 1798.82(g)(3) (West is provided by telephone using an artificial or a technical and conforming change to an
2005). prerecorded voice message call. existing regulation.

VII. Impact of Guidance

The Agencies invited comment on the potential burden associated with the customer notice provisions for financial institutions implementing the proposed Guidance. The Agencies also asked for information about the anticipated burden that may arise from the questions posed by customers who receive the notices. In addition, the proposed Guidance asked whether the Agencies should consider how the burden may vary depending upon the size and complexity of a financial institution. The Agencies also asked for information about the amount of burden, if any, the proposed Guidance would impose on service providers.

Although many commenters representing financial institutions stated that they already have a response program in place, they also noted that the Agencies had underestimated the burden that would be imposed on financial institutions and their customers by the proposed Guidance. Some commenters stated that the proposed Guidance would require greater time, expenditure, and documentation for audit and compliance purposes. Other commenters stated that the costs of providing notice and requiring a sufficient number of appropriately trained employees to be available to answer customer inquiries and provide assistance could be substantial.

Yet other commenters stated that the Agencies failed to adequately consider the burden to customers who begin to receive numerous notices of "unauthorized access" to their data. They stated that the stress to customers of having to change account numbers, change passwords, and monitor their credit reports would be enormous and could be unnecessary because the standard in the proposed Guidance would require notice when information subject to unauthorized access might be, but would not necessarily be, misused.

Some commenters maintained that the proposed Guidance would be especially burdensome for small community banks, which one commenter asserted are the lowest risk targets. These commenters stated that the most burdensome elements of the proposed Guidance would be creating a general policy, establishing procedures and training staff. They added that developing and implementing new procedures for determining when, where and how to provide notice and procedures for monitoring accounts would also be burdensome. One commenter recommended that the agencies exempt institutions with assets of under $500 million from having to comply with the Guidance.

Finally, a trade association commenter stated that the notice requirements in the proposed Guidance would impose a large burden on the nationwide consumer reporting agencies, over which they have no control and no means of recouping costs.

The Agencies have addressed the burdens identified by commenters as follows. First, the Agencies eliminated many of the more prescriptive elements of the response program described in the proposed Guidance. The final Guidance states that an institution's response program should be risk-based. It lists a number of components that the program should contain.

The final Guidance does not detail the steps that an institution should take to contain and control a security incident to prevent further unauthorized access to or use of customer information. It also does not state that an institution should secure all accounts that can be accessed using the same account number or name and password combination until such time as the institution and the customer can agree on a course of action. Instead, the final Guidance leaves such measures to the discretion of the institution and gives examples of the steps that an institution should consider, such as monitoring, freezing, or closing affected accounts. Thus, under the final Guidance a small institution may choose to close an affected account in place of monitoring the account, an element of the proposed Guidance that smaller institutions identified as potentially very costly.

Though the final Guidance still states that notification to regulators should be a part of an institution's response program, it states that notice should only be given when the institution becomes aware of an incident of unauthorized access to or use of "sensitive" customer information. This standard should result in fewer instances of notice to the regulators than under the proposed Guidance. The final Guidance also makes clear that when the security incident involves a service provider, the institution may authorize the service provider to notify the institution's regulator.

The standard of notice to customers also has been modified to be less burdensome to institutions and their customers. The Agencies believe that under this new standard, customers will be less likely to be alarmed needlessly, and institutions will no longer be asked to prove a negative, namely, that misuse of information is unlikely to occur. In addition, the Agencies also have provided institutions with greater discretion to determine what should be contained in a notice to customers.

The Agencies do not believe that there is a basis for exempting small institutions from the Guidance. For example, many small institutions outsource functions to large service providers that have been the target of those seeking to misuse customer information. Therefore, the Agencies believe that all institutions should prepare customer response programs, including customer notification procedures, that can be used in the event the institution determines that misuse of its information about a customer has occurred or is reasonably possible. However, as noted above, the Agencies recognize that within the framework of the Guidance, an institution's program will vary depending on the size and complexity of the institution and the nature and scope of its activities.

Finally, to address comments relating to the potential burden on the nationwide consumer reporting agencies, as noted previously, the Guidance no longer suggests that customer notice always include advice to contact the nationwide consumer reporting agencies. The Agencies recognize that not all security breaches warrant such contacts. For example, we recognize that it may not always be in the best interest of a consumer to have a fraud alert placed in the consumer's file because the fraud alert may have an adverse impact on the consumer's ability to obtain credit.

VIII. Regulatory Analysis

A. Paperwork Reduction Act

Burden Estimates for the OCC, FDIC, and OTS

Certain provisions of the final Guidance contain "collection of information" requirements as defined in the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) (PRA). An agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

The Agencies requested comment on a proposed information collection as part of the notice requesting comment on the proposed Guidance. An analysis of the comments related to paperwork burden and commenters' recommendations is provided below.

The OCC, FDIC, and OTS submitted their proposed information collections to OMB for review and approval and the collections have been approved.

OCC: 1557–0227

FDIC: 3064–0145
OTS: 1550–0110

The Agencies have reconsidered the burden estimates published in the proposed Guidance in light of the comments received asserting that the paperwork burden associated with the information collection was underestimated, and in light of measures taken by the Agencies to reduce burden in this final Guidance. The Agencies agreed to increase the estimate for the time it will take an institution to develop notices and determine which customers should be notified. However, revisions incorporated into the final Guidance will result in the issuance of fewer notices than was originally estimated. A discussion of the comments received follows the revised estimates.

New Estimates:

OCC
Number of Respondents: 2,200.
Estimated Time per Response:
Developing Notices: 24 hours × 2,200 = 52,800 hours.
Notifying Customers: 29 hours × 36 = 1,044 hours.
Total Estimated Annual Burden = 53,844 hours.

FDIC
Number of Respondents: 5,200.
Estimated Time per Response:
Developing Notices: 24 hours × 5,200 = 124,800 hours.
Notifying Customers: 29 hours × 91 = 2,639 hours.
Total Estimated Annual Burden = 127,439 hours.

OTS
Number of Respondents: 880.
Estimated Time per Response:
Developing Notices: 24 hours × 880 = 21,120 hours.
Notifying Customers: 29 hours × 15 = 435 hours.
Total Estimated Annual Burden = 21,555 hours.

Burden Estimate for the Board:

While this represents a statement of policy, certain provisions of the final Guidance encourage "collection of information." See 44 U.S.C. 3501 et seq. In the spirit of the PRA, the Board requested comment on the burden associated with a proposed information collection as part of the notice requesting comment on the proposed Guidance. The Board has approved this final information collection under its delegated authority from OMB.

FRB [To Be Assigned]
Number of Respondents: 6,692.
Estimated Time per Response:
Developing Notices: 24 hours × 6,692 = 160,608 hours.
Notifying Customers: 29 hours × 110 = 3,190 hours.
Total Estimated Annual Burden = 163,798 hours.

Discussion of Comments:

The information collection in the proposed Guidance stated that financial institutions should: (1) develop notices to customers; and (2) determine which customers should receive the notices and send the notices to customers. The Agencies received various comments regarding the Agencies' burden estimates, including the estimated time per response and the number of recordkeepers involved.

Some commenters stated that the burden estimates of twenty hours to develop and produce notices and three days to determine which customers should receive notice in the proposed Guidance were too low. These commenters stated that the Guidance should include language indicating that an institution be given as much time as necessary to determine the scope of an incident and examine which customers may be affected. One of these commenters stated that ten business days, as recommended by the California Department of Consumer Affairs Office of Privacy Protection, should provide an institution with a known safe harbor to complete the steps described, lest regulated entities be subject to inconsistent notification deadlines from the same incident.

These commenters misunderstood the meaning of PRA burden estimates. PRA burden estimates are judgments by Agencies regarding the length of time that it would take institutions to comply with information collection requirements. These estimates do not impose a deadline upon institutions to complete a requirement within a specific period of time.

The final Guidance states that an institution should notify customers "as soon as possible" after an investigation leads it to conclude that misuse of customer information has occurred or is reasonably possible. It also states that notification may be delayed at the written request of law enforcement.

The cost of disclosing information is considered part of the burden of an information collection. 5 CFR 1320.3(b)(1)(ix). Many commenters stated that the Agencies had underestimated the cost associated with disclosing security incidents to customers pursuant to the proposed Guidance. However, these commenters did not distinguish between the usual and customary costs of doing business and the costs of the disclosures associated with the information collection in the proposed Guidance.

For example, one commenter stated that the Agencies' estimates did not include $0.60 per customer for a one-page letter, envelope, and first class postage; the customer service time, handling the enormous number of calls from customers who receive notice; or the costs associated with closing or reopening accounts, printing new checks or embossing new cards. This commenter stated that printing and mailing costs, alone, for one notice to its customer database, at current postal rates, would be at least $500,000.

Some of the costs mentioned in this comment are non-labor costs associated with providing disclosures. The Agencies assumed that non-labor costs associated with the disclosures would be negligible, because institutions already have in place well-developed systems for providing disclosures to their customers. This comment and any other comments received regarding the Agencies' assumptions about non-labor costs will be taken into account in any future estimate of the burden for this collection.

Other costs mentioned in this comment, such as the cost of customer service time, printing checks, and embossing cards, are costs that the institution would incur regardless of the implementation of the final Guidance. These costs are not associated with an information collection, and, therefore, have not been factored into the Agencies' cost estimates.

In addition, the estimates in this comment are based on the assumption that notice should always be provided by mail. However, the final Guidance states that financial institutions should deliver customer notice in any manner designed to ensure that a customer can reasonably be expected to receive it, such as by telephone, mail, or electronically for those customers for whom it has a valid e-mail address and who have agreed to receive communications electronically. The Agencies assume that given this flexibility, financial institutions may not necessarily choose to mail notices in every case, but may choose less expensive methods of delivery that ensure customers will reasonably be expected to receive notice.

Another commenter concerned about the burdens imposed on consumer reporting agencies provided an example of a security breach involving a single company from which identifying information about 500,000 military families was stolen. Among other things, the company's notice to its customers advised them to contact the

nationwide consumer reporting agencies. The commenter stated that the nationwide consumer reporting agencies spent approximately $1.5 million per company, handling approximately 365,000 inquiries from the company's customers.

The final Guidance contains a number of changes that will diminish the costs identified by these commenters. First, the standard for notification in the final Guidance likely will result in fewer notices. In addition, the final Guidance no longer states that all notices should advise customers to contact the nationwide consumer reporting agencies. Therefore, the Agencies' estimates do not factor in the costs to the reporting agencies.

B. Regulatory Flexibility Act

The Regulatory Flexibility Act applies only to rules for which an agency publishes a general notice of proposed rulemaking pursuant to 5 U.S.C. 553(b). See 5 U.S.C. 601(2). As previously noted, a general notice of proposed rulemaking was not published because this final Guidance is a general statement of policy. Thus, the Regulatory Flexibility Act does not apply to the final Guidance.

With respect to OTS's revision to its regulation at 12 CFR 568.5, as noted above, OTS has concluded that there is good cause to dispense with prior notice and comment. Accordingly, OTS has further concluded that the Regulatory Flexibility Act does not apply to this final rule.

C. Executive Order 12866

The OCC and OTS have determined that this final Guidance is not a significant regulatory action under Executive Order 12866. With respect to OTS's revision to its regulation at 12 CFR 568.5, OTS has further determined that this final rule is not a significant regulatory action under Executive Order 12866.

D. Unfunded Mandates Reform Act of 1995

The OCC and OTS have determined that this final Guidance is not a regulatory action that would require an assessment under the Unfunded Mandates Reform Act of 1995 (UMRA), 2 U.S.C. 1531. The final Guidance is a general statement of policy and, therefore, the OCC and OTS have determined that the UMRA does not apply.

With respect to OTS's revision to its regulation at 12 CFR 568.5, as noted above, OTS has concluded that there is good cause to dispense with prior notice and comment. Accordingly, OTS has concluded that the UMRA does not require an unfunded mandates analysis.

Text of Common Final Guidance

The text of the Agencies' common final Guidance reads as follows:

Supplement A to Appendix _ to Part _—Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

I. Background

This Guidance[1] interprets section 501(b) of the Gramm-Leach-Bliley Act ("GLBA") and the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines")[2] and describes response programs, including customer notification procedures, that a financial institution should develop and implement to address unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer. The scope of, and definitions of terms used in, this Guidance are identical to those of the Security Guidelines. For example, the term "customer information" is the same term used in the Security Guidelines, and means any record containing nonpublic personal information about a customer, whether in paper, electronic, or other form, maintained by or on behalf of the institution.

A. Interagency Security Guidelines

Section 501(b) of the GLBA required the Agencies to establish appropriate standards for financial institutions subject to their jurisdiction that include administrative, technical, and physical safeguards, to protect the security and confidentiality of customer information. Accordingly, the Agencies issued Security Guidelines requiring every financial institution to have an information security program designed to:

1. Ensure the security and confidentiality of customer information;

2. Protect against any anticipated threats or hazards to the security or integrity of such information; and

3. Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.

B. Risk Assessment and Controls

1. The Security Guidelines direct every financial institution to assess the following risks, among others, when developing its information security program:

a. Reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems;

b. The likelihood and potential damage of threats, taking into consideration the sensitivity of customer information; and

c. The sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks.[3]

2. Following the assessment of these risks, the Security Guidelines require a financial institution to design a program to address the identified risks. The particular security measures an institution should adopt will depend upon the risks presented by the complexity and scope of its business. At a minimum, the financial institution is required to consider the specific security measures enumerated in the Security Guidelines,[4] and adopt those that are appropriate for the institution, including:

a. Access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals and controls to prevent employees from providing customer information to unauthorized individuals who may seek to obtain this information through fraudulent means;

b. Background checks for employees with responsibilities for access to customer information; and

c. Response programs that specify actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information systems, including appropriate reports to regulatory and law enforcement agencies.[5]

C. Service Providers

The Security Guidelines direct every financial institution to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.[6]

II. Response Program

Millions of Americans, throughout the country, have been victims of identity theft.[7] Identity thieves misuse personal information they obtain from a number of sources, including financial institutions, to perpetrate identity theft. Therefore, financial institutions should take preventative measures to safeguard customer information against attempts to gain unauthorized access to the information. For example, financial

[1] This Guidance is being jointly issued by the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

[2] 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D–2 and part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR part 570, app. B (OTS). The "Interagency Guidelines Establishing Information Security Standards" were formerly known as "The Interagency Guidelines Establishing Standards for Safeguarding Customer Information."

[3] See Security Guidelines, III.B.

[4] See Security Guidelines, III.C.

[5] See Security Guidelines, III.C.

[6] See Security Guidelines, II.B. and III.D. Further, the Agencies note that, in addition to contractual obligations to a financial institution, a service provider may be required to implement its own comprehensive information security program in accordance with the Safeguards Rule promulgated by the Federal Trade Commission ("FTC"), 16 CFR part 314.

[7] The FTC estimates that nearly 10 million Americans discovered they were victims of some form of identity theft in 2002. See The Federal Trade Commission, Identity Theft Survey Report (September 2003), available at http://www.ftc.gov/os/2003/09/synovatereport.pdf.

institutions should place access controls on customer information systems and conduct background checks for employees who are authorized to access customer information.[8] However, every financial institution should also develop and implement a risk-based response program to address incidents of unauthorized access to customer information in customer information systems[9] that occur nonetheless. A response program should be a key part of an institution's information security program.[10] The program should be appropriate to the size and complexity of the institution and the nature and scope of its activities.

In addition, each institution should be able to address incidents of unauthorized access to customer information in customer information systems maintained by its domestic and foreign service providers. Therefore, consistent with the obligations in the Guidelines that relate to these arrangements, and with existing guidance on this topic issued by the Agencies,[11] an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.

A. Components of a Response Program

1. At a minimum, an institution's response program should contain procedures for the following:

a. Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;

b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;

c. Consistent with the Agencies' Suspicious Activity Report ("SAR") regulations,[12] notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;

d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence;[13] and

e. Notifying customers when warranted.

2. Where an incident of unauthorized access to customer information involves customer information systems maintained by an institution's service providers, it is the responsibility of the financial institution to notify the institution's customers and regulator. However, an institution may authorize or contract with its service provider to notify the institution's customers or regulator on its behalf.

III. Customer Notice

Financial institutions have an affirmative duty to protect their customers' information against unauthorized access or use. Notifying customers of a security incident involving the unauthorized access or use of the customer's information in accordance with the standard set forth below is a key part of that duty. Timely notification of customers is important to manage an institution's reputation risk. Effective notice also may reduce an institution's legal risk, assist in maintaining good customer relations, and enable the institution's customers to take steps to protect themselves against the consequences of identity theft. When customer notification is warranted, an institution may not forgo notifying its customers of an incident because the institution believes that it may be potentially embarrassed or inconvenienced by doing so.

A. Standard for Providing Notice

When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.

1. Sensitive Customer Information

Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of this Guidance, sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.

2. Affected Customers

If a financial institution, based upon its investigation, can determine from its logs or other data precisely which customers' information has been improperly accessed, it may limit notification to those customers with regard to whom the institution determines that misuse of their information has occurred or is reasonably possible. However, there may be situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers' information has been accessed. If the circumstances of the unauthorized access lead the institution to determine that misuse of the information is reasonably possible, it should notify all customers in the group.

B. Content of Customer Notice

1. Customer notice should be given in a clear and conspicuous manner. The notice

[8] Institutions should also conduct background checks of employees to ensure that the institution does not violate 12 U.S.C. 1829, which prohibits an institution from hiring an individual convicted of certain criminal offenses or who is subject to a prohibition order under 12 U.S.C. 1818(e)(6).

[9] Under the Guidelines, an institution's customer information systems consist of all of the methods used to access, collect, store, use, transmit, protect, or dispose of customer information, including the systems maintained by its service providers. See Security Guidelines, I.C.2.d (I.C.2.c for OTS).

[10] See FFIEC Information Technology Examination Handbook, Information Security Booklet, Dec. 2002, available at http://www.ffiec.gov/ffiecinfobase/html_pages/infosec_book_frame.htm; Federal Reserve SR 97–32, Sound Practice Guidance for Information Security for Networks, Dec. 4, 1997; OCC Bulletin 2000–14, "Infrastructure Threats—Intrusion Risks" (May 15, 2000), for additional guidance on preventing, detecting, and responding to intrusions into financial institution computer systems.

[11] See Federal Reserve SR Ltr. 00–04, Outsourcing of Information and Transaction Processing, Feb. 9, 2000; OCC Bulletin 2001–47, "Third-Party

[12] An institution's obligation to file a SAR is set out in the Agencies' SAR regulations and Agency guidance. See 12 CFR 21.11 (national banks, Federal branches and agencies); 12 CFR 208.62 (State member banks); 12 CFR 211.5(k) (Edge and agreement corporations); 12 CFR 211.24(f) (uninsured State branches and agencies of foreign banks); 12 CFR 225.4(f) (bank holding companies and their nonbank subsidiaries); 12 CFR part 353 (State non-member banks); and 12 CFR 563.180 (savings associations). National banks must file SARs in connection with computer intrusions and other computer crimes. See OCC Bulletin 2000–14, "Infrastructure Threats—Intrusion Risks" (May 15, 2000); Advisory Letter 97–9, "Reporting Computer Related Crimes" (November 19, 1997) (general guidance still applicable though instructions for new SAR form published in 65 FR 1229, 1230 (January 7, 2000)). See also Federal Reserve SR 01–11, Identity Theft and Pretext Calling, Apr. 26, 2001; SR 97–28, Guidance Concerning Reporting of Computer Related Crimes by Financial Institutions, Nov. 6, 1997; FDIC FIL 48–2000, Suspicious Activity Reports, July 14, 2000; FIL 47–97, Preparation of Suspicious Activity Reports, May 6, 1997; OTS CEO Memorandum 139, Identity Theft and Pretext Calling, May 4, 2001; CEO Memorandum 126, New Suspicious Activity Report Form, July 5, 2000; http://www.ots.treas.gov/BSA
Relationships Risk Management Principles,’’ Nov. (for the latest SAR form and filing instructions should describe the incident in general terms
1, 2001; FDIC FIL 68–99, Risk Assessment Tools required by OTS as of July 1, 2003). and the type of customer information that
and Practices for Information System Security, July 13 See FFIEC Information Technology was the subject of unauthorized access or
7, 1999; OTS Thrift Bulletin 82a, Third Party Examination Handbook, Information Security use. It also should generally describe what
Arrangements, Sept. 1, 2004. Booklet, Dec. 2002, pp. 68–74. the institution has done to protect the

VerDate jul<14>2003 16:55 Mar 28, 2005 Jkt 205001 PO 00000 Frm 00028 Fmt 4700 Sfmt 4700 E:\FR\FM\29MRR1.SGM 29MRR1
Federal Register / Vol. 70, No. 59 / Tuesday, March 29, 2005 / Rules and Regulations 15753

customers’ information from further List of Subjects Dated: March 8, 2005.


unauthorized access. In addition, it should Julie L. Williams,
include a telephone number that customers 12 CFR Part 30
Acting Comptroller of the Currency.
can call for further information and Banks, banking, Consumer protection,
assistance.14 The notice also should remind National banks, Privacy, Reporting and FEDERAL RESERVE SYSTEM
customers of the need to remain vigilant over recordkeeping requirements.
the next twelve to twenty-four months, and 12 CFR CHAPTER II
to promptly report incidents of suspected 12 CFR Part 208 Authority and Issuance
identity theft to the institution. The notice Banks, banking, Consumer protection,
should include the following additional Information, Privacy, Reporting and ■ For the reasons set out in the joint
items, when appropriate: recordkeeping requirements. preamble, the Board amends part 208
a. A recommendation that the customer and 225 of chapter II of title 12 of the
review account statements and immediately 12 CFR Part 225
Code of Federal Regulations to read as
report any suspicious activity to the Banks, banking, Holding companies, follows:
institution;
Reporting and recordkeeping
b. A description of fraud alerts and an
requirements. PART 208—MEMBERSHIP OF STATE
explanation of how the customer may place
BANKING INSTITUTIONS IN THE
a fraud alert in the customer’s consumer 12 CFR Part 364
reports to put the customer’s creditors on
FEDERAL RESERVE SYSTEM
notice that the customer may be a victim of
Administrative practice and (REGULATION H)
fraud; procedure, Bank deposit insurance,
c. A recommendation that the customer Banks, banking, Reporting and ■ 1. The authority citation for 12 CFR
periodically obtain credit reports from each recordkeeping requirements, Safety and part 208 continues to read as follows:
nationwide credit reporting agency and have Soundness. Authority: 12 U.S.C. 24, 36, 92a, 93a,
information relating to fraudulent 12 CFR Part 568 248(a), 248(c), 321–338a, 371d, 461, 481–486,
transactions deleted; 601, 611, 1814, 1816, 1820(d)(9), 1823(j),
d. An explanation of how the customer Consumer protection, Privacy, 1828(o), 1831, 1831o, 1831p–1, 1831r–1,
may obtain a credit report free of charge; and Reporting and recordkeeping 1831w, 1831x, 1835a, 1882, 2901–2907,
e. Information about the availability of the requirements, Savings associations, 3105, 3310, 3331–3351, and 3906–3909, 15
FTC’s online guidance regarding steps a Security measures. U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o–4(c)(5),
consumer can take to protect against identity 78q, 78q–1, 78w, 1681s, 1681w, 6801 and
12 CFR Part 570
theft. The notice should encourage the 6805; 31 U.S.C. 5318, 42 U.S.C. 4012a, 4104a,
customer to report any incidents of identity Accounting, Administrative practice 4104b, 4106, and 4128.
theft to the FTC, and should provide the and procedure, Bank deposit insurance,
FTC’s Web site address and toll-free Consumer protection, Holding ■ 2. Revise the heading of Appendix D–
telephone number that customers may use to companies, Privacy, Reporting and Z to read as follows:
obtain the identity theft guidance and report recordkeeping requirements, Safety and
suspected incidents of identity theft.15 soundness, Savings associations. Appendix D–2 to Part 208—Interagency
2. The Agencies encourage financial Guidelines Establishing Information
institutions to notify the nationwide Department of the Treasury Security Standards.
consumer reporting agencies prior to sending Office of the Comptroller of the
notices to a large number of customers that * * * * *
Currency
include contact information for the reporting ■ 3. Amend Appendix D–2 to part 208 by
agencies. 12 CFR CHAPTER I adding a new Supplement A to the end
C. Delivery of Customer Notice Authority and Issuance of the appendix to read as set forth at the
Customer notice should be delivered in end of the common preamble.
■ For the reasons set out in the joint
any manner designed to ensure that a
preamble, the OCC amends part 30 of PART 225—BANK HOLDING
customer can reasonably be expected to
chapter I of title 12 of the Code of Federal COMPANIES AND CHANGE IN BANK
receive it. For example, the institution may
choose to contact all customers affected by
Regulations to read as follows: CONTROL (REGULATION Y)
telephone or by mail, or by electronic mail
PART 30—SAFETY AND SOUNDNESS
for those customers for whom it has a valid ■ 4. The authority citation for 12 CFR
STANDARDS
e-mail address and who have agreed to part 225 is revised to read as follows:
receive communications electronically. ■ 1. The authority citation for part 30 Authority: 12 U.S.C. 1817(j)(13), 1818,
Adoption of Final Guidance continues to read as follows: 1828(o), 1831i, 1831p–1, 1843(c)(8), 1844(b),
The agency-specific adoption of the Authority: 12 U.S.C. 93a, 371, 1818, 1831p, 1972(1), 3106, 3108, 3310, 3331–3351, 3906,
common final Guidance, which appears at 3102(b); 15 U.S.C. 1681s, 1681w, 6801, 3907, and 3909; 15 U.S.C. 1681s, 1681w,
the end of the common preamble, follows. 6805(b)(1). 6801 and 6805.
■ 5. Revise the heading of Appendix F to
14 The institution should, therefore, ensure that it
■ 2. Revise the heading of Appendix B to
read as follows:
has reasonable policies and procedures in place, read as follows:
including trained personnel, to respond
Appendix B to Part 30—Interagency Appendix F to Part 225—Interagency
appropriately to customer inquiries and requests for Guidelines Establishing Information
assistance. Guidelines Establishing Information
15 Currently, the FTC Web site for the ID Theft Security Standards Security Standards
brochure and the FTC Hotline phone number are * * * * *
http://www.consumer.gov/idtheft and 1–877– * * * * *
IDTHEFT. The institution may also refer customers ■ 3. Amend Appendix B to part 30 by ■ 6. Amend Appendix F to part 225 by
to any materials developed pursuant to section
151(b) of the FACT Act (educational materials
adding a new Supplement A to the end adding a new Supplement A to the end
developed by the FTC to teach the public how to of the appendix to read as set forth at the of the appendix to read as set forth at the
prevent identity theft). end of the common preamble. end of the common preamble.
By order of the Board of Governors of the Federal Reserve System, March 21, 2005.

Jennifer J. Johnson,
Secretary of the Board.

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR CHAPTER III

Authority and Issuance

■ For the reasons set out in the joint preamble, the FDIC amends part 364 of chapter III of title 12 of the Code of Federal Regulations to read as follows:

PART 364—STANDARDS FOR SAFETY AND SOUNDNESS

■ 1. The authority citation for part 364 is revised to read as follows:

Authority: 12 U.S.C. 1818 and 1819 (Tenth); 15 U.S.C. 1681b, 1681s, and 1681w.

■ 2. Revise the heading of Appendix B to read as follows:

Appendix B to Part 364—Interagency Guidelines Establishing Information Security Standards

* * * * *

■ 3. Amend Appendix B to part 364 by adding a new Supplement A to the end of the appendix to read as set forth at the end of the common preamble.

Dated at Washington, DC, this 18th day of March, 2005.

By order of the Board of Directors.

Federal Deposit Insurance Corporation.

Robert E. Feldman,
Executive Secretary.

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR CHAPTER V

Authority and Issuance

■ For the reasons set out in the joint preamble, the OTS amends parts 568 and 570 of chapter V of title 12 of the Code of Federal Regulations to read as follows:

PART 568—SECURITY PROCEDURES

■ 1. Revise the part heading for part 568 to read as shown above.

■ 2. Revise the authority citation for part 568 to read as follows:

Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p–1, 1881–1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

■ 3. Amend § 568.5 by adding a new sentence after the final sentence to read as follows:

§ 568.5 Protection of customer information.

* * * Supplement A to Appendix B to part 570 provides interpretive guidance.

PART 570—SAFETY AND SOUNDNESS GUIDELINES AND COMPLIANCE PROCEDURES

■ 4. Revise the authority citation for part 570 to read as follows:

Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p–1, 1881–1884; 15 U.S.C. 1681s and 1681w; 15 U.S.C. 6801 and 6805(b)(1).

■ 5. Revise the heading of Appendix B to part 570 to read as follows:

Appendix B to Part 570—Interagency Guidelines Establishing Information Security Standards

* * * * *

■ 6. Amend Appendix B to part 570 by adding a new Supplement A to the end of the appendix to read as set forth at the end of the common preamble.

Dated: March 8, 2005.

By the Office of Thrift Supervision.

James E. Gilleran,
Director.

[FR Doc. 05–5980 Filed 3–28–05; 8:45 am]
BILLING CODE 4810–33–P; (25%); 6210–01–P; (25%); 6714–01–P; (25%); 6720–01–P (25%)

DEPARTMENT OF TRANSPORTATION

Federal Aviation Administration

14 CFR Part 71

[Docket No. FAA–2004–19911; Airspace Docket No. 04–ASO–20]

Establishment of Class E Airspace; Cocoa Beach Patrick AFB, FL

AGENCY: Federal Aviation Administration (FAA), DOT.

ACTION: Final rule.

SUMMARY: This action establishes Class E4 airspace at Cocoa Beach Patrick AFB, FL. Class E4 airspace designated as an extension to Class D airspace is required when the control tower is open to contain existing Standard Instrument Approach Procedures (SIAPs) and other Instrument Flight Rules (IFR) operations at the airport. This action establishes a Class E4 airspace extension that is 6.8 miles wide and extends 7.3 miles northeast of the airport.

EFFECTIVE DATE: 0901 UTC, July 7, 2005.

FOR FURTHER INFORMATION CONTACT: Mark D. Ward, Manager, Airspace and Operations Branch, Eastern En Route and Oceanic Service Area, Federal Aviation Administration, P.O. Box 20636, Atlanta, Georgia 30320; telephone (404) 305–5586.

SUPPLEMENTARY INFORMATION:

History

On January 21, 2005, the FAA proposed to amend part 71 of the Federal Aviation Regulations (14 CFR part 71) by establishing Class E4 airspace at Cocoa Beach Patrick AFB, FL (70 FR 3155). This action provides adequate Class E4 airspace for IFR operations at Cocoa Beach Patrick AFB. Class E airspace designations for airspace areas designated as an extension to a Class D airspace area are published in Paragraph 6004 of FAA Order 7400.9M, dated August 30, 2004, and effective September 16, 2004, which is incorporated by reference in 14 CFR 71.1. The Class E airspace designation listed in this document will be published subsequently in the Order. Interested parties were invited to participate in this rulemaking proceeding by submitting written comments on the proposal to the FAA. No comments objecting to the proposal were received.

The Rule

This amendment to Part 71 of the Federal Aviation Regulations (14 CFR part 71) establishes Class E4 airspace at Cocoa Beach Patrick AFB, FL. The FAA has determined that this regulation only involves an established body of technical regulations for which frequent and routine amendments are necessary to keep them operationally current. It, therefore, (1) is not a “significant regulatory action” under Executive Order 12866; (2) is not a “significant rule” under DOT Regulatory Policies and Procedures (44 FR 11034; February 26, 1979); and (3) does not warrant preparation of a regulatory evaluation as the anticipated impact is so minimal. Since this is a routine matter that will only affect air traffic procedures and air navigation, it is certified that this rule will not have a significant economic impact on a substantial number of small entities under the criteria of the Regulatory Flexibility Act.

List of Subjects in 14 CFR Part 71

Airspace, Incorporation by reference, Navigation (air).

Adoption of Amendment

■ In consideration of the foregoing, the Federal Aviation Administration amends 14 CFR part 71 as follows: