Federal interagency guidance on response programs
Customer information systems encompass all the physical facilities and electronic facilities a financial institution uses to access, collect, store, use, transmit, protect, or dispose of customer information. The Security Guidelines apply specifically to customer information systems because customer information will be at risk if one or more of the components of these systems are compromised.
An information security program is the written plan created and implemented by a financial institution to identify and control risks to customer information and customer information systems and to properly dispose of customer information. An attorney, accountant, or consultant who performs services for a financial institution and has access to customer information is a service provider for the institution.
Paragraphs II. A-B of the Security Guidelines require financial institutions to implement an information security program that includes administrative, technical, and physical safeguards designed to achieve the objectives set out in those paragraphs. The various business units or divisions of the institution are not required to create and implement the same policies and procedures. If the business units have different security controls, the institution must include them in its written information security program and coordinate the implementation of the controls to safeguard and ensure the proper disposal of customer information throughout the institution.
Implementing an information security program begins with conducting an assessment of reasonably foreseeable risks. Like other elements of an information security program, risk assessment procedures, analysis, and results must be written. Under the Security Guidelines, a risk assessment must include four steps. For example, a financial institution should review the structure of its computer network to determine how its computers are accessible from outside the institution.
For example, to determine the sensitivity of customer information, an institution could develop a framework that analyzes the relative value of this information to its customers based on whether improper access to or loss of the information would result in harm or inconvenience to them. In the course of assessing the potential threats identified, an institution should consider its ability to identify unauthorized changes to customer records.
In addition, it should take into consideration its ability to reconstruct the records from duplicate records or backup information systems. The risk assessment may include an automated analysis of the vulnerability of certain customer information systems.
However, an automated analysis likely will not address manual processes and controls, detection of and response to intrusions into information systems, physical security, employee training, and other key controls. Accordingly, an automated analysis of vulnerabilities should be only one tool used in conducting a risk assessment. When performing a risk assessment, an institution may want to consult the resources and standards listed in the appendix to this guide and consider incorporating the practices developed by the listed organizations when developing its information security program.
For example, a generic assessment that describes vulnerabilities commonly associated with the various systems and applications used by the institution is inadequate. For example, a financial institution should also evaluate the physical controls put into place, such as the security of customer information in cabinets and vaults. The Security Guidelines require a financial institution to design an information security program to control the risks identified through its assessment, commensurate with the sensitivity of the information and the complexity and scope of its activities.
Thus, an institution must consider a variety of policies, procedures, and technical controls and adopt those measures that it determines appropriately address the identified risks. The Security Guidelines provide a list of measures that an institution must consider and, if appropriate, adopt.
For example, the Security Guidelines require a financial institution to consider whether it should adopt controls to authenticate and permit only authorized individuals access to certain forms of customer information. Under this security control, a financial institution also should consider the need for a firewall for electronic records. If an institution maintains any sort of Internet or other external connectivity, its systems may require multiple firewalls with adequate capacity, proper placement, and appropriate configurations.
Similarly, an institution must consider whether the risk assessment warrants encryption of electronic customer information. If it does, the institution must adopt appropriate encryption measures that protect information in transit, in storage, or both.
However, the Security Guidelines do not impose any specific authentication or encryption standards. A financial institution must consider the use of an intrusion detection system to alert it to attacks on computer systems that store customer information. In assessing the need for such a system, an institution should evaluate the ability of its staff to rapidly and accurately identify an intrusion.
It should also assess the damage that could occur between the time an intrusion occurs and the time the intrusion is recognized and action is taken. Financial institutions must develop, implement, and maintain appropriate measures to properly dispose of customer information in accordance with each of the requirements of paragraph III. Although the Security Guidelines do not prescribe a specific method of disposal, the Agencies expect institutions to have appropriate risk-based disposal procedures for their records.
In addition to considering the measures required by the Security Guidelines, each institution may need to implement additional procedures or controls specific to the nature of its operations. An institution may implement safeguards designed to provide the same level of protection to all customer information, provided that the level is appropriate for the most sensitive classes of information.
Insurance coverage is not a substitute for an information security program. Although insurance may protect an institution or its customers against certain losses associated with unauthorized disclosure, misuse, alteration, or destruction of customer information, the Security Guidelines require a financial institution to implement and maintain controls designed to prevent those acts from occurring. One commenter suggested that the Agencies adopt this section unchanged in the final Guidance.
Therefore, the Agencies modified this section by incorporating concepts from the proposed Corrective Measures component, and removing the more specific examples in this section, including the terms that confused commenters.
This section in the final Guidance gives an institution greater discretion to determine the measures it will take to contain and control a security incident. It states that institutions should take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
The Agencies note that the final Guidance addresses not only computer security incidents, but also all other incidents of unauthorized access to customer information. Thus, it is not appropriate to include more detail about steps an institution should take to investigate and mitigate computer security incidents. However, the Agencies believe that institutions should be mindful of industry standards when investigating an incident. Therefore, the final Guidance contains a reference to forensics by generally noting that an institution should take appropriate steps to contain and control an incident, while preserving records and other evidence.
Corrective Measures. The proposed Guidance stated that once a financial institution understands the scope of the incident and has taken steps to contain and control the situation, it should take measures to address and mitigate the harm to individual customers. It then described three corrective measures that a financial institution should include as a part of its response program in order to effectively address and mitigate harm to individual customers: (1) flagging accounts; (2) securing accounts; and (3) notifying customers.
The Agencies removed the first two corrective measures for the reasons that follow. Flagging and Securing Accounts. It also stated that an institution should provide staff with instructions regarding the recording and reporting of any unusual activity, and if indicated given the facts of a particular incident, implement controls to prevent the unauthorized withdrawal or transfer of funds from customer accounts. The proposed Guidance stated that accounts should be secured until such time as the financial institution and the customer agree on a course of action.
Commenters were critical of these proposed measures. Several commenters asserted that the final Guidance should not prescribe responses to security incidents with this level of detail. Commenters also stated that the decision to flag accounts, the nature of that flag, and the duration of the flag, should be left to an individual financial institution's risk-based procedures developed under the Security Guidelines.
These commenters asked the Agencies to recognize that regular, ongoing fraud prevention and detection methods employed by an institution may be sufficient. Commenters representing small institutions stated that they do not have the technology or other resources to monitor individual accounts. They stated that the financial impact of having to monitor accounts for unusual activity would be enormous, as each institution would have to purchase expensive technology, hire more personnel, or both.
These commenters asked the Agencies to provide institutions with the flexibility to close an account if the institution detects unusual activity. Some commenters explained that if a customer is traveling and the financial institution cannot contact the customer to obtain the customer's consent, freezing or closing a customer's account could strand the customer with no means of taking care of expenses.
They stated that, in the typical case, the institution would monitor such an account for suspicious transactions. As described earlier, the Agencies are adopting an approach in the final Guidance that is more flexible and risk-based than that in the proposed Guidance.
The final Guidance incorporates the general concepts described in the first two corrective measures into the brief bullets describing components of a response program enumerated in section II.
Therefore, the first and second corrective measures no longer appear in the final Guidance. Customer Notice and Assistance. The proposed Guidance also described which customers should be notified. In addition, this corrective measure contained provisions discussing delivery and contents of the customer notice.
The final Guidance now states that an institution's response program should contain procedures for notifying customers when warranted. Responsibility for Notice to Customers. Some commenters were confused by the discussion in the proposed Guidance stating that a financial institution's contract with its service provider should require the service provider to disclose fully to the institution information related to any breach in security resulting in an unauthorized intrusion into the institution's customer information systems maintained by the service provider.
Commenters stated that this provision appears to create an obligation for both financial institutions and their service providers to provide notice of security incidents to the institution's customers. These commenters recommended that the service provider notify its financial institution customer so that the financial institution could provide appropriate notice to its customers.
Thus, customers would avoid receiving multiple notices relating to a single security incident. Other commenters asserted that a financial institution should not have to notify its customers if an incident has occurred because of the negligence of its service provider.
These commenters recommended that in this situation, the service provider should be responsible for providing notice to the financial institution's customers. As discussed above in connection with notice to regulators, the Agencies believe that it is the responsibility of the institution, and not of the service provider, to notify the institution's customers in connection with an unauthorized intrusion into an institution's customer information systems maintained by the service provider.
The responsibility to notify customers remains with the institution whether the incident is inadvertent or due to the service provider's negligence. The Agencies note that the costs of providing notice to the institution's customers as a result of negligence on the part of the service provider may be addressed in the financial institution's contract with its service provider.
The last paragraph in section II of the final Guidance, therefore, states that it is the responsibility of the financial institution to notify the institution's customers. It also states that the institution may authorize or contract with its service provider to notify customers on the institution's behalf, when a security incident involves an unauthorized intrusion into the institution's customer information systems maintained by the service provider.
This section also gave examples of circumstances when a financial institution should give notice and when the Agencies do not expect a financial institution to give notice. It also discussed contents of the notice and proper delivery. Standard for Providing Notice. A key feature of the proposed Guidance was the description of when a financial institution should provide customer notice. The Agencies believed that this proposed standard would strike a balance between notification to customers every time the mere possibility of misuse of customer information arises from unauthorized access and a situation where the financial institution knows with certainty that information is being misused.
However, the Agencies specifically requested comment on whether this is the appropriate standard and invited commenters to offer alternative thresholds for customer notification. Some commenters stated that the proposed standard was reasonable and sufficiently flexible. However, many commenters recommended that the Agencies provide financial institutions with greater discretion to determine when a financial institution should notify its customers.
Commenters maintained that because the proposed standard states that a financial institution should give notice when fraud or identity theft is merely possible, notification under these circumstances would needlessly alarm customers where little likelihood of harm exists. Commenters claimed that, eventually, frequent notices in non-threatening situations would be perceived by customers as routine and commonplace, and therefore reduce their effectiveness.
The Agencies believe that articulating as part of the guidance a standard that sets forth when notice to customers is warranted is both helpful and appropriate. However, the Agencies agree with commenters and are concerned that the proposed threshold inappropriately required institutions to prove a negative proposition, namely, that misuse of the information accessed is unlikely to occur. In addition, the Agencies do not want customers of financial institutions to receive notices that would not be useful to them.
Therefore, the Agencies have revised the standard for customer notification. The final Guidance provides that when an institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine promptly the likelihood that the information has been or will be misused.
If the institution determines that misuse of the information has occurred or is reasonably possible, it should notify affected customers as soon as possible. An investigation is an integral part of the standard in the final Guidance. A financial institution should not forgo conducting an investigation to avoid reaching a conclusion regarding the likelihood that customer information has been or will be misused, and it cannot unreasonably limit the scope of the investigation.
However, the Agencies acknowledge that a full-scale investigation may not be necessary in all cases, such as where the facts readily indicate that information will or will not be misused. Monitoring for Suspicious Activity. The proposed Guidance stated that an institution need not notify customers if it reasonably concludes that misuse of the information is unlikely to occur and takes appropriate steps to safeguard the interests of affected customers, including by monitoring affected customers' accounts for unusual or suspicious activity.
A number of comments addressed the standard in the proposed Guidance on monitoring affected customers' accounts for unusual or suspicious activity. Some commenters stated that the final Guidance should grant institutions the discretion to monitor the affected customer accounts for a period of time and to the extent warranted by the particular circumstances.
Some commenters suggested that monitoring occur during the investigation. One commenter noted that an institution's investigation may reveal that monitoring is unnecessary.
One commenter noted that monitoring the customer's accounts at the institution may not protect the customer, because unauthorized access to customer information may result in identity theft beyond the accounts held at the specific financial institution. The Agencies agree that under certain circumstances, monitoring may be unnecessary, for example when, on the basis of a reasonable investigation, an institution determines that information was not misused.
The Agencies also agree that the monitoring requirement may not protect the customer. Indeed, an identity thief with unauthorized access to certain sensitive customer information likely will open accounts at other financial institutions in the customer's name.
Accordingly, the Agencies conclude that monitoring under the circumstances described in the standard for notice would be burdensome for financial institutions without a commensurate benefit to customers. For these reasons, the Agencies have removed the reference to monitoring in the final Guidance. Timing of Notice. The proposed Guidance did not include specific language on the timing of notice to customers, and the Agencies received many comments on this issue.
Some commenters requested clarification of the time frame for customer notice. One commenter recommended that the Agencies adopt the approach in the proposed Guidance because it did not set forth any circumstances that may delay notification of the affected customers.
Yet another commenter maintained that, in light of a customer's need to act expeditiously against identity theft, an outside limit of 48 hours after the financial institution learns of the breach is a reasonable and timely requirement for notice to customers. Many commenters, however, recommended that the Agencies make clear that an institution may take the time it reasonably needs to conduct an investigation to assess the risk resulting from a security incident.
As the scope and timing of a financial institution's investigation is dictated by the facts and circumstances of a particular case, the Agencies have not designated a specific number of hours or days by which financial institutions should provide notice to customers.
The Agencies believe that doing so may inhibit an institution's ability to investigate adequately a particular incident or may result in notice that is not timely. Delay for Law Enforcement Investigation. The proposed Guidance did not address delay of notice to customers while a law enforcement investigation is conducted.
Many commenters recommended permitting an institution to delay notification to customers to avoid compromising a law enforcement investigation. These commenters noted that the California Database Protection Act (CDPA) requires notification of California residents whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
However, to ensure that such a delay is necessary and justifiable, the final Guidance states that customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. The final Guidance also provides that a financial institution should notify its customers as soon as notification will no longer interfere with the investigation and should maintain contact with the law enforcement agency that has requested a delay, in order to learn, in a timely manner, when customer notice will no longer interfere with the investigation.
Sensitive Customer Information: Scope of Standard. The Agencies received many comments on the limitation of notice in the proposed Guidance to incidents involving unauthorized access to sensitive customer information.
The Agencies invited comment on whether to modify the proposed standard for notice to apply to other circumstances that compel an institution to conclude that unauthorized access to information, other than sensitive customer information, likely will result in substantial harm or inconvenience to the affected customers.
Most commenters recommended that the standard remain as proposed rather than covering other types of information.
One commenter suggested that the Agencies continue to allow a financial institution the discretion to notify affected customers in any other extraordinary circumstances that compel it to conclude that unauthorized access to information other than sensitive customer information likely will result in substantial harm or inconvenience to those affected. However, the commenter did not provide any examples of such extraordinary circumstances. The Agencies continue to believe that the rationale for limiting the standard to sensitive customer information expressed in the proposed Guidance is correct.
The proposed Guidance explained that, under the Security Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to a customer.
Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. The Agencies have not identified any other circumstances that should prompt customer notice and continue to believe that it is not likely that a customer will suffer substantial harm or inconvenience from unauthorized access to other types of information.
Therefore, the standard in the final Guidance continues to be limited to unauthorized access to sensitive customer information. Of course, a financial institution still may send notices to customers in any additional circumstances that it determines are appropriate. However, many commenters proposed additions, exclusions, or alternative definitions. Additional Elements. Some commenters suggested that the Agencies add various data elements to the definition of sensitive customer information, including a driver's license number or number of other government-issued identification, mother's maiden name, and date of birth.
One commenter suggested inclusion of other information that institutions maintain in their customer information systems such as a customer's account balance, account activity, purchase history, and investment information. The commenter noted that misuse of this information in combination with a personal identifier can just as easily result in substantial harm or inconvenience to a customer.
The Agencies have added to the first part of the definition several more specific components, such as driver's license number and debit and credit card numbers, because this information is commonly sought by identity thieves. However, the Agencies determined that the second part of the definition would cover the remaining suggestions.
For example, where date of birth or mother's maiden name are used as passwords, under the final Guidance they will be considered components of customer information that allow someone to log onto or access another person's account. Therefore, these specific elements have not been added to the definition.
Exclusions. Commenters also asserted that the proposed definition of sensitive customer information was too broad and proposed various exclusions. For example, some commenters asked the Agencies to exclude publicly available information, and also suggested that the final Guidance apply only to account numbers for transaction accounts or other accounts from which withdrawals or transfers can be initiated.
These commenters explained that access to a mortgage account number which may also be a public record does not permit withdrawal of additional funds or otherwise damage the customer. Other commenters requested that the Agencies exclude encrypted information. Some of these commenters noted that only unencrypted information is covered by the CDPA.
Thus, the Agencies have determined that the definition of account number should not be limited as suggested by commenters. The Agencies also believe that a blanket exclusion for all encrypted information is not appropriate, because there are many levels of encryption, some of which do not effectively protect customer information.
Some commenters also asked that the final Guidance clarify that a name and an account number, together, is not sensitive customer information unless these elements are combined with other information that permits access to a customer's financial account. The elements in the definition of sensitive information in the final Guidance are re-ordered, and the Agencies added the elements discussed earlier.
The final Guidance states that sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.
The final Guidance also states that sensitive customer information includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or a password and account number. For example, under the CDPA, personal information includes a person's name in combination with other data elements. By contrast, the final Guidance treats address and telephone number in the same manner as a customer's name, because reverse directories may permit an address or telephone number to be traced back to an individual customer.
The Agencies note that a name and account number, alone, is sufficient to create fraudulent checks, or to direct the unauthorized debit of a customer's account even without an access code. Therefore, the final Guidance continues to define a customer's name and account number, or credit or debit card number as sensitive customer information.
However, if the institution could not identify precisely which customers were affected, it should notify each customer in any group likely to have been affected, such as each customer whose information was stored in the group of files in question. Commenters were concerned that this provision in the proposed Guidance was overly broad. These commenters stated that providing notice to all customers in groups likely to be affected would result in many notices that are not helpful.
The commenters suggested that the final Guidance narrow the standard for notifying customers to only those customers whose information has been or is likely to be misused. However, the final Guidance further notes that there may be situations where the institution determines that a group of files has been accessed improperly, but is unable to identify which specific customers' information has been accessed.
When reporting security breaches involving sensitive customer information, an institution should provide the central point of contact with information on the steps taken to contain and control the incident, the number of customers potentially affected, whether customer notification is warranted, and whether a service provider was involved.
A financial institution should not delay providing prompt initial notification to its central point of contact. Upon receipt of notification of a security breach, unauthorized access, or misuse of sensitive customer information, Reserve Banks should notify appropriate Board staff if it has been determined that misuse of the information has occurred or is reasonably possible and customer notification will likely be required.
Board staff will follow the progress of the incident and will utilize this information to inform future supervisory guidance and identify trends in information security developments.
The guidance is effective immediately. Financial institutions should implement the guidance as soon as possible.
Financial Institution Letters, FIL, April 1. Final Guidance on Response Programs: Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. The Federal Financial Institutions Examination Council (FFIEC) agencies are issuing the attached interpretive guidance stating that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider.
The notice should include the following items: a description of the incident; the type of information subject to unauthorized access; the measures taken by the institution to protect customers from further unauthorized access; a telephone number customers can call for information and assistance; and a reminder to customers to remain vigilant over the next twelve to twenty-four months and to report suspected identity theft incidents to the institution.