Feds Rule Banks Must Tell Customers Of Security Gaffes

Four federal agencies this week issued rules to U.S. banks that require them to inform customers when their personal data has been made public because of a security breach.

The rules were issued by the FDIC (Federal Deposit Insurance Corporation), the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS).

Basing the rule on their interpretation the Graham-Leach-Bliley Act, the agencies told banks that they must implement a response program to warn consumers when information has been accessed without authorization if that "could result in substantial harm or inconvenience to the customer," the new rules, called a "guidance," said.

Additionally, the bank "should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused," continued the new rules. "If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible."

The financial and data collection sectors have been blasted by consumers and Congress alike for a recent spate of high-profile data security failures. In February, backup tapes containing credit card account information on some 1.2 million government workers, including over half of the Senate's members, were lost or stolen from a commercial airline flight. Data collection companies ChoicePoint and LexisNexis have both disclosed security breaches that involved the possible theft of thousands of consumer identities.

The new rules are available in their entirety as a PDF from the OCC Web site.