[Federal Register Volume 68, Number 155 (Tuesday, August 12, 2003)]
[Notices]
[Pages 47954-47960]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-20440]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

[Docket No. 03-18]

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

[No. 03-35]

BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM

[Docket No. OP-1155]

FEDERAL DEPOSIT INSURANCE CORPORATION


Interagency Guidance on Response Programs for Unauthorized Access 
to Customer Information and Customer Notice

AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); 
Board of Governors of the Federal Reserve System (Board); Federal 
Deposit Insurance Corporation (FDIC); and Office of Thrift Supervision, 
Treasury (OTS).\1\
---------------------------------------------------------------------------

    \1\ The National Credit Union Administration (NCUA) participated 
in the guidance of development process and will separately issue 
comparable proposed guidance.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, Board, FDIC, and OTS (the Agencies) are requesting 
comment on proposed guidance entitled Interagency Guidance on Response 
Programs for Unauthorized Access to Customer Information and Customer 
Notice (``the proposed Guidance'').
    In addition, as part of their continuing efforts to reduce 
paperwork and respondent burden, the Agencies invite the general public 
and other Federal agencies to take this opportunity to comment on a 
proposed information collection, as required by the Paperwork Reduction 
Act of 1995 (44 U.S.C. chapter 35).

DATES: Comments must be submitted on or before October 14, 2003

ADDRESSES: Interested parties are invited to submit written comments 
to:
    Office of the Comptroller of the Currency: Public Information Room, 
Office of the Comptroller of the Currency, 250 E Street, SW, Mail stop 
1-5, Washington, DC 20219, Attention: Docket No. 03-18, Fax number 
(202) 874-4448 or e-mail address: [email protected]. Due to 
delays in the delivery of paper mail in the Washington area, commenters 
are encouraged to submit their comments by fax or email. Comments may 
be inspected and photocopied at the OCC's Public Information Room, 250 
E Street, SW, Washington, DC. You can make an appointment to inspect 
the comments by calling (202) 874-5043.
    Board of Governors of the Federal Reserve System: Comments should 
refer to Docket No. OP-1155 and may be mailed to Ms. Jennifer J. 
Johnson, Secretary, Board of Governors of the Federal Reserve System, 
20th Street and Constitution Avenue, NW., Washington, DC 20551. 
However, because paper mail in the Washington area and at the Board of 
Governors is subject to delay, please consider submitting your comments 
by e-mail to [email protected], or faxing them to the 
Office of the Secretary at (202) 452-3819 or (202) 452-3102. Members of 
the public may inspect comments in Room MP-500 between 9 a.m. and 5 
p.m. on weekdays pursuant to 12 CFR 261.12, except as provided in 12 
CFR 261.14, of the Board's Rules Regarding Availability of Information, 
12 CFR sections 261.12 and 261.14.
    Federal Deposit Insurance Corporation: Send written comments to 
Robert E. Feldman, Executive Secretary, Attention: Comments/OES, 
Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429. Comments also may be mailed electronically to 
[email protected]. Comments may be hand delivered to the guard station 
at the rear of the 17th Street building (located on F Street) on 
business days between 7 a.m. and 5 p.m.; Fax Number (202) 898-3838. 
Comments may be inspected and photocopied in the FDIC Public 
Information Center, Room 100, 801 17th Street, NW., Washington, DC 
20429, between 9 a.m. and 5 p.m. on business days.
    Office of Thrift Supervision: Comments may be sent to Regulation 
Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G 
Street, NW., Washington, DC 20552, Attention: No.03-35; FAX number 
(202) 906-6518, Attention: No. 03-35; or e-mail address 
[email protected]. gov, Attention: No. 03-35, and include your 
name and telephone number. Comments may also be hand delivered to the 
Guard's Desk, East Lobby Entrance, 1700 G Street, NW., from 9 a.m. to 4 
p.m. on business days, Attention: Regulation Comments, Chief Counsel's 
Office, No. 03-35. Commenters should be aware that there have been 
unpredictable and lengthy delays in postal deliveries to the 
Washington, DC area and may prefer to make their comments via 
facsimile, e-mail, or hand delivery. OTS will post

[[Page 47955]]

comments and the related index on the OTS Internet Site at http://www.ots.treas.gov. In addition, you may inspect comments at the Public 
Reading Room, 1700 G Street, NW., by appointment. To make an 
appointment for access, you may call (202) 906-5922, send an e-mail to 
public.info@ots.treas">public.info@ots.treas. gov, or send a facsimile transmission to (202) 
906-7555. (Please identify the materials you would like to inspect to 
assist us in serving you.) We schedule appointments on business days 
between 10 a.m. and 4 p.m. In most cases, appointments will be 
available the business day after the date we receive a request.

FOR FURTHER INFORMATION CONTACT:
    OCC: Aida Plaza Carter, Director, Bank Information Technology 
Operations Division, (202) 874-4740; Clifford A. Wilke, Director, Bank 
Technology Division, (202) 874-5920; Amy Friend, Assistant Chief 
Counsel, (202) 874-5200; or Deborah Katz, Senior Attorney, Legislative 
and Regulatory Activities Division, (202) 874-5090.
    Board: Donna L. Parker, Supervisory Financial Analyst, Division of 
Banking Supervision & Regulation, (202) 452-2614; Thomas E. Scanlon, 
Counsel, Legal Division, (202) 452-3594; or Joshua H. Kaplan, Attorney, 
Legal Division, (202) 452-2249.
    FDIC: Jeffrey M. Kopchik, Senior Policy Analyst, Division of 
Supervision and Consumer Protection, (202) 898-3872; Patricia I. 
Cashman, Senior Policy Analyst, Division of Supervision and Consumer 
Protection, (202) 898-6534; or Robert A. Patrick, Counsel, Legal 
Division, (202) 898-3757.
    OTS: Robert Engebreth, Director, Technology Risk Management, (202) 
906-5631; Lewis C. Angel, Senior Project Manager, Technology Risk 
Management, (202) 906-5645; Elizabeth Baltierra, Program Analyst 
(Compliance), Compliance Policy, (202) 906-6540; or Paul Robin, Special 
Counsel, Regulations and Legislation Division, (202) 906-6648.

SUPPLEMENTARY INFORMATION:

I. Background

    The Agencies have published Interagency Guidelines Establishing 
Standards for Safeguarding Customer Information (``Security 
Guidelines'').\2\ These Security Guidelines were published to fulfill a 
requirement in section 501(b) of the Gramm-Leach-Bliley Act in which 
Congress directed the Agencies to establish standards for financial 
institutions relating to administrative, technical, and physical 
safeguards to: (1) Insure the security and confidentiality of customer 
records and information; (2) protect against any anticipated threats or 
hazards to the security or integrity of such records; and (3) protect 
against unauthorized access to or use of such records or information 
that could result in substantial harm or inconvenience to any 
customer.\3\
---------------------------------------------------------------------------

    \2\ 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2, and 
part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR 
part 570, app. B (OTS).
    \3\ 15 U.S.C. 6805(b).
---------------------------------------------------------------------------

    Among other things, the Security Guidelines direct financial 
institutions to: (1) Identify reasonably foreseeable internal and 
external threats that could result in unauthorized disclosure, misuse, 
alteration, or destruction of customer information or customer 
information systems; (2) assess the likelihood and potential damage of 
these threats, taking into consideration the sensitivity of customer 
information; and (3) assess the sufficiency of policies, procedures, 
customer information systems, and other arrangements in place to 
control risks.\4\
---------------------------------------------------------------------------

    \4\ Security Guidelines, Paragraph III.B.2.
---------------------------------------------------------------------------

    This proposed Guidance, published as an Appendix to this notice, 
interprets section 501(b) of the Gramm-Leach-Bliley Act and the 
provisions of the Security Guidelines noted above.\5\ It describes the 
Agencies' expectations that every financial institution develop a 
response program to protect against and address reasonably foreseeable 
risks associated with internal and external threats to the security of 
customer information maintained by the financial institution or its 
service provider. The proposed Guidance further describes the 
components of a response program, which includes procedures for 
notifying customers about incidents of unauthorized access to customer 
information that could result in substantial harm or inconvenience to 
the customer. The proposed Guidance provides that a financial 
institution is expected to expeditiously implement its response program 
to address incidents of unauthorized access to or use of customer 
information. A response program should contain policies and procedures 
that enable the financial institution to:
---------------------------------------------------------------------------

    \5\ The Agencies may treat an institution's failure to implement 
final Guidance issued as a violation of the Security Guidelines.
---------------------------------------------------------------------------

    A. Assess the situation to determine the nature and scope of the 
incident, and identify the information systems and types of customer 
information affected;
    B. Notify the institution's primary Federal regulator and, in 
accordance with applicable regulations and guidance, file a Suspicious 
Activity Report and notify appropriate law enforcement agencies;
    C. Take measures to contain and control the incident to prevent 
further unauthorized access to or use of customer information, 
including shutting down particular applications or third party 
connections, reconfiguring firewalls, changing computer access codes, 
and modifying physical access controls; and
    D. Address and mitigate harm to individual customers.
    The proposed Guidance describes the following corrective measures a 
financial institution should include as a part of its response program 
in order to effectively address and mitigate harm to individual 
customers:
    A. Flag Accounts--The institution should identify accounts of 
customers whose information may have been compromised, monitor those 
accounts for unusual activity, and initiate appropriate controls to 
prevent the unauthorized withdrawal or transfer of funds from customer 
accounts.
    B. Secure Accounts--The institution should secure all accounts 
associated with the customer information that has been the subject of 
unauthorized access or use.
    C. Customer Notice and Assistance--The institution should, under 
certain circumstances, notify affected customers when sensitive 
customer information about them is the subject of unauthorized access. 
Where the institution can specifically identify affected customers from 
its logs, notification may be limited to those persons only. Otherwise, 
the institution should notify each customer in those groups likely to 
be affected.
    The proposed Guidance provides that a financial institution should 
notify each affected customer when it becomes aware of unauthorized 
access to sensitive customer information, unless the institution, after 
an appropriate investigation, reasonably concludes that misuse of the 
information is unlikely to occur, and takes appropriate steps to 
safeguard the interests of affected customers, including by monitoring 
affected customers' accounts for unusual or suspicious activity. For 
the purposes of the proposed Guidance, the Agencies define sensitive 
customer information to mean a customer's social security number, 
personal identification number (PIN), password, or account number, in 
conjunction with a personal identifier, such as the individual's name, 
address, or telephone number. Sensitive customer information would also 
include any combination of components of customer information

[[Page 47956]]

that would allow someone to log onto or access another person's 
account, such as user name and password.
    Under the Security Guidelines, an institution must protect against 
unauthorized access to or use of customer information that could result 
in substantial harm or inconvenience to any customer. The Agencies 
believe that substantial harm or inconvenience is most likely to result 
from the improper access to and use of sensitive customer information. 
Accordingly, the proposed Guidance requires notice to mitigate or 
prevent substantial harm or inconvenience to a customer.
    The Agencies note that the response program required under the 
proposed Guidance must address incidents involving the unauthorized 
access to or use of any form of customer information. However, the 
customer notice requirement applies only to security breaches involving 
sensitive customer information.
    The proposed Guidance provides several examples the Agencies 
believe typify situations in which customer notification is required 
and those when it is not. As in other circumstances, the Agencies also 
expect financial institutions to notify customers upon the direction of 
the institution's primary Federal regulator.
    The proposed Guidance discusses the content and delivery of 
customer notices. The notice should include a general description of 
the incident, and provide information to assist customers in mitigating 
potential harm, including a customer service number, steps customers 
can take to obtain and review their credit reports and to file fraud 
alerts with nationwide credit reporting agencies, and sources of 
information designed to assist individuals in protecting against 
identity theft.
    In addition, institutions are expected to inform each customer 
about the availability of the Federal Trade Commission's (``FTC'') 
online guidance regarding measures to protect against identity theft 
and to encourage the customer to report any suspected incidents of 
identity theft to the FTC. Further, institutions should provide the 
FTC's Web site address and telephone number for purposes of obtaining 
the guidance and reporting suspected incidents of identity theft. 
Currently, the Web site address is http://www.ftc.gov/idtheft, and the 
toll free number for the identity theft hotline is 1-877-IDTHEFT.
    The proposed Guidance also describes other forms of assistance that 
financial institutions have offered to their customers in incidents of 
this type. Financial institutions may wish to offer such forms of 
assistance to their customers and describe them in the customer notice.

II. Request for Comments

    The Agencies invite comment on all aspects of the proposed 
Guidance, including each component of the response program described in 
Paragraph II of the proposed Guidance. Please consider the following 
questions in formulating your comments:
    [sbull] Should any component of the response program be clarified 
in some way and, if so, how?
    [sbull] Are there additional components that should be included in 
a response program to address incidents involving unauthorized access 
to or use of customer information? If so, please describe the 
component, and the reasons that support it.
    [sbull] Should each component of the response program be retained? 
If not, which components should be deleted and why?
    [sbull] In preparing the proposed Guidance, the Agencies have 
attempted to identify a standard that will lead to customer notice when 
appropriate. The Agencies recognize that there is a spectrum of 
alternatives for developing a requirement to notify customers. On one 
side of the spectrum is a standard that would require a financial 
institution to notify its customers every time the mere possibility of 
misuse of customer information arises. On the other side is a standard 
that would require an institution to notify its customers only when it 
becomes aware of an incident involving unauthorized access to customer 
information and, based on unusual activity in customers' accounts or 
other indicia of identity theft, knows that the information is being 
misused. The Agencies propose a standard that lies in the middle of 
this spectrum. The Agencies believe that no useful purpose would be 
served if notices were sent due to the mere possibility of misuse of 
some customer information because, in general, the notices should alert 
customers to those situations where enhanced vigilance is necessary to 
protect against fraud or identity theft. Rather, the Agencies believe 
that notice to customers should be required in a narrower range of 
instances involving the unauthorized access to sensitive customer 
information. The standard proposed here would require a financial 
institution to send notice to each affected customer when the 
institution becomes aware of an incident of unauthorized access to 
sensitive customer information, unless the institution, after an 
appropriate investigation, reasonably concludes that misuse of the 
information is unlikely to occur and takes appropriate steps to 
safeguard the interests of affected customers, including by monitoring 
affected customers' accounts for unusual or suspicious activity. The 
Agencies invite comment on whether this is the appropriate standard for 
requiring customer notice. For commenters who believe that this 
standard is inappropriate, the Agencies request that these commenters 
state specifically their reasoning and offer alternative thresholds for 
requiring customer notice.
    [sbull] The proposed Guidance defines sensitive customer 
information as a social security number, a personal identification 
number (PIN), password, or an account number in conjunction with a 
personal identifier. Sensitive customer information would also include 
any combination of components of customer information that would allow 
someone to log onto or access another person's account, such as user 
name and password. The Agencies request comment on which, if any, 
additional types of information should be included in this definition, 
such as mother's maiden name or driver's license number.
    [sbull] The Agencies invite comment on the potential burden 
associated with the customer notice provisions. For example, what is 
the anticipated burden that may arise from the questions posed by those 
customers who receive the notices? Should the Agencies consider how the 
burden may vary depending upon the size and complexity of the 
institution?
    [sbull] As part of the response program, the Agencies describe 
certain corrective measures that an institution should take once an 
incident of unauthorized access occurs. One such measure is to ``secure 
accounts.'' Is the discussion of securing accounts sufficiently clear 
to enable institutions to know what is expected of them when instances 
of unauthorized access occur? To what extent would contracts between 
financial institutions and service providers need to be modified, if at 
all, to comply with the proposed Guidance? How much burden, if any, 
will the Guidance impose on service providers?
    [sbull] The Agencies also invite comment on whether the proposed 
standard should be modified to apply to other extraordinary 
circumstances that compel an institution to conclude that unauthorized 
access to information, other than sensitive customer information, 
likely will result in substantial harm or inconvenience to the affected 
customers.

[[Page 47957]]

    [sbull] The proposed Guidance includes examples of circumstances in 
which customer notice would be expected and those when it would not. 
Please comment on whether the examples in the proposed Guidance should 
be modified or supplemented and provide your rationale.

III. Paperwork Reduction Act

A. Request for Comment on Proposed Information Collection

    In accordance with the requirements of the Paperwork Reduction Act 
of 1995, the Agencies may not conduct or sponsor, and the respondent is 
not required to respond to, an information collection unless it 
displays a currently valid Office of Management and Budget (OMB) 
control number. The Agencies are requesting comment on a proposed 
information collection. The Agencies also give notice that, at the end 
of the comment period, the proposed collections of information, along 
with an analysis of the comments and recommendations received, will be 
submitted to OMB for review and approval.
    Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the Agency's functions, including whether the 
information has practical utility;
    (b) The accuracy of the estimates of the burden of the information 
collection, including the validity of the methodology and assumptions 
used;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the information collection on 
respondents, including through the use of automated collection 
techniques or other forms of information technology; and
    (e) Estimates of capital or start up costs and costs of operation, 
maintenance, and purchase of services to provide information.
    At the end of the comment period, the comments and recommendations 
received will be analyzed to determine the extent to which the 
information collections should be modified prior to submission to OMB 
for review and approval. The comments will also be summarized or 
included in the Agencies' requests to OMB for approval of the 
collections. All comments will become a matter of public record.
    Comments should be addressed to:
    OCC: Public Information Room, Office of the Comptroller of the 
Currency, 250 E Street, SW, Mail stop 1-5, Attention: Docket 03-18, 
Washington, DC 20219; fax number (202) 874-4448; Internet address: 
[email protected]. Due to delays in paper mail delivery in 
the Washington area, commenters are encouraged to submit their comments 
by fax or e-mail. You can make an appointment to inspect the comments 
at the Public Information Room by calling (202) 874-5043.
    Board: Comments should refer to Docket No. OP-1155 and may be 
mailed to Ms. Jennifer J. Johnson, Secretary, Board of Governors of the 
Federal Reserve System, 20th Street and Constitution Avenue, NW., 
Washington, DC 20551. However, because paper mail in the Washington 
area and at the Board of Governors is subject to delay, please consider 
submitting your comments by e-mail to [email protected], 
or faxing them to the Office of the Secretary at (202) 452-3819 or 
(202) 452-3102. Members of the public may inspect comments in Room MP-
500 between 9 a.m. and 5 p.m. on weekdays pursuant to 12 CFR section 
261.12, except as provided in 12 CFR section 261.14, of the Board's 
Rules Regarding Availability of Information, 12 CFR sections 261.12 and 
261.14.
    FDIC: Steven F. Hanft, Legal Division (Consumer and Compliance 
Unit), Room MB-3064, Federal Deposit Insurance Corporation, 550 17th 
Street, NW., Washington, DC 20429. All comments should refer to the 
title of the proposed collection. Comments may be hand-delivered to the 
guard station at the rear of the 17th Street Building (located on F 
Street), on business days between 7 a.m. and 5 p.m., Attention: 
Comments, Federal Deposit Insurance Corporation, 550 17th Street, NW., 
Washington, DC 20429.
    OTS: Information Collection Comments, Chief Counsel's Office, 
Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; 
send a facsimile transmission to (202) 906-6518; or send an e-mail to 
[email protected]. OTS will post comments and the 
related index on the OTS Internet site at http://www.ots.treas.gov. In 
addition, interested persons may inspect the comments at the Public 
Reading Room, 1700 G Street, NW., by appointment. To make an 
appointment, call (202) 906-5922, send an e-mail to 
[email protected], or send a facsimile transmission to (202) 
906-7755.

B. Proposed Information Collection

    Title of Information Collection: Notice Regarding Unauthorized 
Access to Customer Information.
    Frequency of Response: On occasion.
    Affected Public:
    OCC: National banks, District of Columbia banks, and Federal 
branches and agencies of foreign banks.
    Board: State member banks, bank holding companies, affiliates and 
certain non-bank subsidiaries of bank holding companies, uninsured 
state agencies and branches of foreign banks, commercial lending 
companies owned or controlled by foreign banks, and Edge and agreement 
corporations.
    FDIC: Insured nonmember banks, insured state branches of foreign 
banks, and certain subsidiaries of these entities.
    OTS: Savings associations and certain of their subsidiaries.
    Abstract: The proposed Guidance describes the Agencies' 
expectations regarding a response program, including customer 
notification procedures, that a financial institution should develop 
and apply under the circumstances described in the Appendix to address 
unauthorized access to or use of customer information that could result 
in substantial harm or inconvenience to a customer.
    The information collections in the proposed Guidance would require 
financial institutions to: (1) Develop notices to customers; (2) 
determine which customers should receive the notices and send the 
notices to customers; and (3) ensure that their contracts with their 
service providers satisfy the proposed Guidance.
    Estimated Burden: It is estimated that it will initially take 
institutions 20 hours (2.5 business days) to develop and produce the 
notices described in the proposed Guidance and 24 hours per incident 
(three business days) to determine which customers should receive the 
notice and notify the customers. For the purposes of this analysis, it 
is estimated that two percent of supervised institutions will 
experience an incident of unauthorized access to customer information 
on an annual basis, resulting in customer notification.\6\
---------------------------------------------------------------------------

    \6\ This estimate is based upon the Agencies' experience and 
data gathered by the FDIC on 2,000 institutions that indicates 
slightly less than one percent of those institutions experienced 
some form of unauthorized access to customer information during any 
12 month period. However, the Agencies are assuming that other 
incidents of unauthorized access to customer information may have 
occurred, but were not reported.
---------------------------------------------------------------------------

    Thus, the burden associated with this collection of information may 
be summarized as follows. However, the burden estimate does not include 
time for financial institutions to adjust their contracts with service 
providers, if needed; nor for service providers to

[[Page 47958]]

disclose information pursuant to the proposed Guidance.

OCC

Number of Respondents: 2,200.
Estimated Time per Response:
    Developing notices: 20 hrs. x 2,200 = 44,000 hours.
    Notifying customers: 24 hrs. x 44 = 1,056 hours.
Total Estimated Annual Burden = 45,056 hours.

Board

Number of Respondents: 6,692.
Estimated Time per Response:
    Developing notices: 20 hrs. x 6,692 = 133,840 hours.
    Notifying customers: 24 hrs. x 134 = 3,216 hours.
Total Estimated Annual Burden: 137,056 hours.

FDIC

Number of Respondents: 5,500.
Estimated Time per Response:
    Developing notices: 20 hrs. x 5,500 = 110,000 hours.
    Notifying customers: 24 hrs. x 110 = 2,640 hours.
Total Estimated Annual Burden: 112,640 hours.

OTS

Number of Respondents: 961.
Estimated Time per Response:
    Developing notices: 20 hrs. x 961 = 19,220 hours.
    Notifying customers: 24 hrs. x 19 = 456 hours.
Estimated Total Annual Burden: 19,676 hours.

Appendix--Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice

I. Background

    This Guidance \1\ interprets section 501(b) of the Gramm-Leach-
Bliley Act (``GLBA'') and the Interagency Guidelines Establishing 
Standards for Safeguarding Customer Information (the ``Security 
Guidelines'')\2\ and describes the Agencies'' expectations regarding 
the response programs, including customer notification procedures, 
that a financial institution should develop and apply to address 
unauthorized access to or use of customer information that could 
result in substantial harm or inconvenience to a customer.
---------------------------------------------------------------------------

    \1\ This Guidance is being jointly issued by the Board of 
Governors of the Federal Reserve System (Board), the Federal Deposit 
Insurance Corporation (FDIC), the Office of the Comptroller of the 
Currency (OCC), and the Office of Thrift Supervision (OTS).
    \2\ 12 CFR part 30, app. B (OCC); 12 CFR part 208, app. D-2 and 
part 225, app. F (Board); 12 CFR part 364, app. B (FDIC); and 12 CFR 
part 570, app. B (OTS).
---------------------------------------------------------------------------

Interagency Security Guidelines

    Section 501(b) of the GLBA required the Agencies to establish 
appropriate standards for financial institutions subject to their 
jurisdiction that include administrative, technical, and physical 
safeguards, to protect the security and confidentiality of customer 
information.\3\ Accordingly, the Agencies issued Security Guidelines 
requiring every financial institution to have an information 
security program designed to:
---------------------------------------------------------------------------

    \3\ The term ``customer information'' is the same term used in 
the Security Guidelines and means any record containing nonpublic 
personal information whether in paper, electronic, or other form, 
maintained by or on behalf of the institution.
---------------------------------------------------------------------------

    [sbull] Ensure the security and confidentiality of customer 
information;
    [sbull] Protect against any anticipated threats or hazards to 
the security or integrity of such information; and
    [sbull] Protect against unauthorized access to or use of such 
information that could result in substantial harm or inconvenience 
to any customer.

Risk Assessment and Controls

    The Security Guidelines direct every financial institution to 
assess the following risks, among others, when developing its 
information security program:
    [sbull] Reasonably foreseeable internal and external threats 
that could result in unauthorized disclosure, misuse, alteration, or 
destruction of customer information or customer information systems;
    [sbull] The likelihood and potential damage of threats, taking 
into consideration the sensitivity of customer information; and
    [sbull] The sufficiency of policies, procedures, customer 
information systems, and other arrangements in place to control 
risks.\4\
---------------------------------------------------------------------------

    \4\ See Security Guidelines Paragraph III.B.
---------------------------------------------------------------------------

    Following the assessment of these risks, the Security Guidelines 
require a financial institution to design a program to address the 
identified risks. The particular security measures an institution 
should adopt will depend upon the risks presented by the complexity 
and scope of its business. At a minimum, the financial institution 
is required to consider the specific security measures enumerated in 
the Security Guidelines,\5\ and adopt those that are appropriate for 
the institution, including:
---------------------------------------------------------------------------

    \5\ See Security Guidelines Paragraph III.C.
---------------------------------------------------------------------------

    [sbull] Access controls on customer information systems, 
including controls to authenticate and permit access only to 
authorized individuals and controls to prevent employees from 
providing customer information to unauthorized individuals who may 
seek to obtain this information through fraudulent means;
    [sbull] Background checks for employees with responsibilities 
for access to customer information; and
    [sbull] Response programs that specify actions to be taken when 
the bank suspects or detects that unauthorized individuals have 
gained access to customer information systems, including appropriate 
reports to regulatory and law enforcement agencies.\6\
---------------------------------------------------------------------------

    \6\ See Security Guidelines Paragraph III.D.
---------------------------------------------------------------------------

Service Providers

    The Security Guidelines direct every financial institution to 
require its service providers by contract to implement appropriate 
measures designed to protect against unauthorized access to or use 
of customer information that could result in substantial harm or 
inconvenience to any customer.\7\ Consistent with existing guidance 
issued by the Agencies, an institution's contract with its service 
provider should require the service provider to fully disclose to 
the institution information relating to any breach in security 
resulting in an unauthorized intrusion into the institution's 
customer information systems maintained by the service provider.\8\ 
In view of these contractual obligations, the service provider would 
be required to take appropriate actions to address incidents of 
unauthorized access to or use of the financial institution's 
customer information to enable the institution to expeditiously 
implement its response program.\9\
---------------------------------------------------------------------------

    \7\ See Security Guidelines Paragraphs II.B. and III.D.
    \8\ See Federal Reserve SR Ltr. 00-04, Outsourcing of 
Information and Transaction Processing, Feb. 9, 2000; SR Ltr. 00-17, 
Guidance on Risk Management of Outsourced Technology Services, Nov. 
30, 2000; OCC Bulletin 2001-47, ``Third-party Relationships Risk 
Management Principles,'' Nov. 1, 2001; AL 2000-12, ``FFIEC Guidance 
on Risk Management of Outsourced Technology Services,'' Nov. 28, 
2000; FDIC FIL 81-2000, Risk Management of Technology Outsourcing, 
Nov. 29, 2000; FIL 68-99, Risk Assessment Tools and Practices for 
Information System Security, July 7, 1999; OTS Thrift Bulletin 82, 
Third Party Arrangements, Mar. 4, 2003; OTS CEO Memorandum 133, Risk 
Management of Technology Outsourcing, Dec. 13, 2000; CEO Memorandum 
109, Transactional Web Sites, June 10, 1999; CEO Memorandum 70, 
Statement on On-Line Personal Computer Banking, June 23, 1997.
    \9\ The Agencies note that, in addition to contractual 
obligations to a financial institution, a service provider may be 
required to implement its own comprehensive information security 
program in accordance with the Safeguards Rule promulgated by the 
FTC. 12 CFR part 314 applies to the handling of all customer 
information possessed by any financial institution subject to the 
jurisdiction of the FTC, regardless of whether such information 
pertains to individuals with whom the institution has a customer 
relationship or pertains to the customers of other financial 
institutions that have provided such information to that 
institution.
---------------------------------------------------------------------------

Response Program

    As internal and external threats to the security of customer 
information are reasonably foreseeable and may lead to the misuse of 
customer information, the Agencies expect every financial 
institution to develop a response program to protect against the 
risks associated with these threats. The response program should 
include measures to protect customer information in customer 
information systems maintained by the institution or its service 
providers. The Agencies expect that customer notification will be a 
component of an institution's response program, as described below.

II. Components of a Response Program

    A response program should be a key part of an institution's 
information security

[[Page 47959]]

program.\10\ Having such a program in place will allow the 
institution to quickly respond \11\ to incidents involving the 
unauthorized access to or use of customer information in its own 
customer information systems that could result in substantial harm 
or inconvenience to a customer. Under the Guidelines, an 
institution's customer information systems consist of all of the 
methods used to access, collect, store, use, transmit, protect, or 
dispose of customer information, including the systems maintained by 
its service providers.\12\
---------------------------------------------------------------------------

    \10\ See FFIEC Information Security Booklet, Dec. 2002; Federal 
Reserve SR 97-32, Sound Practice Guidance for Information Security 
for Networks, Dec. 4, 1997; OCC Bulletin 2000-14, ``Infrastructure 
Threats `` Intrusion Risks'' (May 15, 2000); OTS CEO Memorandum 109, 
Transactional Web Sites, June 10, 1999; CEO Memorandum 70, Statement 
on On-Line Personal Computer Banking, June 23, 1997; CEO Memorandum 
59, Risk Management of Client/Server Systems, Oct. 24, 1996, for 
additional guidance on preventing, detecting, and responding to 
intrusions into financial institution computer systems.
    \11\ Financial institutions are expected to provide employees 
with the training necessary to understand their roles and 
responsibilities in order to expeditiously implement the 
institution's response program to address incidents of unauthorized 
access to and use of customer information.
    \12\ See Security Guidelines Paragraph I.C.f.
---------------------------------------------------------------------------

    Timely notification of customers, under the circumstances 
described below, is important to manage an institution's reputation 
risk. Effective notice may reduce legal risk, assist in maintaining 
good customer relations, and enable the institution's customers to 
take steps to protect themselves against the consequences of 
identity theft.
    A response program should contain the following components:

A. Assess the Situation.

    The institution should assess the nature and scope of the 
incident, and identify what customer information systems and types 
of customer information have been accessed or misused.

B. Notify Regulatory and Law Enforcement Agencies

    The institution should promptly notify its primary Federal 
regulator when it becomes aware of an incident involving 
unauthorized access to or use of customer information that could 
result in substantial harm or inconvenience to its customers.
    An institution also should file a Suspicious Activity Report 
(``SAR''), if required, in accordance with the applicable SAR 
regulations \13\ and Agency guidance.\14\ Consistent with the 
Agencies' SAR regulations, in situations involving Federal criminal 
violations requiring immediate attention, such as when a reportable 
violation is ongoing, the institution should immediately notify, by 
telephone, appropriate law enforcement authorities and its primary 
regulator, in addition to filing a timely SAR.
---------------------------------------------------------------------------

    \13\ 12 CFR 21.11 (national banks, federal branches and 
agencies); 12 CFR 208.62 (state member banks); 12 CFR 211.5(k) (Edge 
and agreement corporations); 12 CFR 211.24(f) (uninsured state 
branches and agencies of foreign banks); 12 CFR 225.4(f) (bank 
holding companies and their nonbank subsidiaries); 12 CFR part 353 
(state non-member banks); and 12 CFR part 563 (savings 
associations).
    \14\ National banks must file SARs in connection with computer 
intrusions and other computer crimes. See OCC Bulletin 2000-14, 
``Infrastructure Threats--Intrusion Risks'' (May 15, 2000); Advisory 
Letter 97-9, ``Reporting Computer Related Crimes'' (November 19, 
1997) (general guidance still applicable though instructions for new 
SAR form published in 65 FR 1229, 1230 (January 7, 2000)). See also 
Federal Reserve SR 01-11, Identity Theft and Pretext Calling, Apr. 
26, 2001; SR 97-28, Guidance Concerning Reporting of Computer 
Related Crimes by Financial Institutions, Nov. 6, 1997; FDIC FIL 48-
2000, Suspicious Activity Reports, July 14, 2000; FIL 47-97, 
Preparation of Suspicious Activity Reports, May 6, 1997; OTS CEO 
Memorandum 139, Identity Theft and Pretext Calling, May 4, 2001; CEO 
Memorandum 126, New Suspicious Activity Report Form, July 5, 2000.
---------------------------------------------------------------------------

C. Contain and Control the Situation

    The financial institution should take measures to contain and 
control the incident to prevent further unauthorized access to or 
use of customer information, while preserving records and other 
evidence.\15\ Depending upon the particular facts and circumstances 
of the incident, these measures could include, in connection with 
computer intrusions: (i) Shutting down applications or third party 
connections; (ii) reconfiguring firewalls in cases of unauthorized 
electronic intrusion; (iii) ensuring that all known vulnerabilities 
in the financial institution's computer systems have been addressed; 
(iv) changing computer access codes; (v) modifying physical access 
controls; and (vi) placing additional controls on service provider 
arrangements.
---------------------------------------------------------------------------

    \15\ See FFIEC Information Security Booklet, Dec. 2002, pp. 68-
74.
---------------------------------------------------------------------------

D. Corrective Measures

    Once an institution understands the scope of the incident and 
has taken steps to contain and control the situation, it should take 
measures to address and mitigate the harm to individual customers. 
For example, the institution should take the following measures:

1. Flag Accounts

    The institution should immediately begin identifying and 
monitoring the accounts of those customers whose information may 
have been accessed or misused. In particular, the institution should 
provide staff with instructions regarding the recording and 
reporting of any unusual activity, and if indicated given the facts 
of a particular incident, implement controls to prevent the 
unauthorized withdrawal or transfer of funds from customer accounts.

2. Secure Accounts

    When a checking, savings, or other deposit account number, debit 
or credit card account number, personal identification number (PIN), 
password, or other unique identifier has been accessed or misused, 
the financial institution should secure the account, and all other 
accounts and bank services that can be accessed using the same 
account number or name and password combination until such time as 
the financial institution and the customer agree on a course of 
action.\16\
---------------------------------------------------------------------------

    \16\ The institution should also consider the use of new account 
numbers and steps to ensure that customers do not reuse the same or 
a similar personal identification number.
---------------------------------------------------------------------------

3. Customer Notice and Assistance

    Under the Security Guidelines, financial institutions have an 
affirmative duty to protect their customers' information against 
unauthorized access or use. An institution may not forgo notifying 
its customers of an incident because the institution believes that 
it may be potentially embarrassed or inconvenienced by doing so. 
Under the circumstances described in Paragraph III., the institution 
should notify and offer assistance to customers whose information 
was the subject of the incident.\17\ If the institution is able to 
determine from its logs or other data precisely which customers' 
information was accessed or misused, it may restrict its 
notification to those individuals. However, if the institution 
cannot identify precisely which customers are affected, it should 
notify each customer in groups likely to have been affected, such as 
each customer whose information is stored in the group of files in 
question.
---------------------------------------------------------------------------

    \17\ The institution should, therefore, ensure that a sufficient 
number of appropriately trained employees are available to answer 
customer inquiries and provide assistance.
---------------------------------------------------------------------------

    a. Delivery of Customer Notice--Customer notice should be 
timely, clear, and conspicuous, and delivered in any manner that 
will ensure that the customer is likely to receive it. For example, 
the institution may choose to contact all customers affected by 
telephone or by mail, or for those customers who conduct 
transactions electronically, using electronic notice.
    b. Content of Customer Notice--The notice should describe the 
incident in general terms and the customer's information that was 
the subject of unauthorized access or use. It should also include a 
number that customers can call for further information and 
assistance. The notice also should remind customers of the need to 
remain vigilant, over the next twelve to twenty-four months, and to 
promptly report incidents of suspected identity theft.
    Key Elements: In addition, the notice should:
    [sbull] Inform affected customers that the institution will 
assist the customer to correct and update information in any 
consumer report relating to the customer, as required by the Fair 
Credit Reporting Act;
    [sbull] Recommend that the customer notify each nationwide 
credit reporting agency to place a fraud alert \18\ in the 
customer's consumer reports;
---------------------------------------------------------------------------

    \18\ A fraud alert will put the customer's creditors on notice 
that the customer may be a victim of fraud.
---------------------------------------------------------------------------

    [sbull] Recommend that the customer periodically obtain credit 
reports from each nationwide credit reporting agency and have 
information relating to fraudulent transactions deleted;
    [sbull] Inform the customer of the right to obtain a credit 
report free of charge, if the customer has reason to believe that 
the file at the consumer reporting agency contains inaccurate 
information due to fraud, together with contact information 
regarding the nationwide credit reporting agencies; and

[[Page 47960]]

    [sbull] Inform the customer about the availability of the FTC's 
online guidance regarding steps a consumer can take to protect 
against identity theft, and encourage the customer to report any 
incidents of identity theft to the FTC. The notice should provide 
the FTC's Web site address and toll-free telephone number that 
customers may use to obtain the identity theft guidance and report 
suspected incidents of identity theft.\19\
---------------------------------------------------------------------------

    \19\ Currently, the FTC Web site for the ID Theft brochure and 
the FTC Hotline phone number are http://www.ftc.gov/idtheft and 1-
877-IDTHEFT.
---------------------------------------------------------------------------

    Optional Element: Institutions also may wish to provide 
customers with the following additional assistance that other 
institutions have offered under these circumstances:
    [sbull] Provide a toll-free telephone number that customers can 
call for assistance;
    [sbull] Offer to assist the customer in notifying the nationwide 
credit reporting agencies of the incident and in placing a fraud 
alert in the customer's consumer reports; and
    [sbull] Inform the customer about subscription services that 
provide notification anytime there is a request for the customer's 
credit report or offer to subscribe the customer to this service, 
free of charge, for a period of time.
    The institution may also wish to include with the notice a 
brochure regarding steps a consumer can take to protect against 
identity theft, prepared by the Agencies that can be downloaded from 
the Internet.\20\
---------------------------------------------------------------------------

    \20\ http://www.occ.treas.gov/idtheft.pdf; http://www.federalreserve.gov/consumers.htm; http://www.fdic.gov/consumers/consumer/news/cnsum00/idthft.html; http://www.ots.treas.gov/docs/25139.pdf.
---------------------------------------------------------------------------

III. Circumstances for Customer Notice

Standard for Providing Notice

    An institution should notify affected customers whenever it 
becomes aware of unauthorized access to sensitive customer 
information unless the institution, after an appropriate 
investigation, reasonably concludes that misuse of the information 
is unlikely to occur and takes appropriate steps to safeguard the 
interests of affected customers, including by monitoring affected 
customers' accounts for unusual or suspicious activity.

Sensitive Customer Information

    Under the Guidelines, an institution must protect against 
unauthorized access to or use of customer information that could 
result in substantial harm or inconvenience to any customer. 
Substantial harm or inconvenience is most likely to result from 
improper access to sensitive customer information because this type 
of information is easily misused, as in the commission of identity 
theft. For purposes of this Guidance, sensitive customer information 
means a customer's social security number, personal identification 
number, password or account number, in conjunction with a personal 
identifier such as the customer's name, address, or telephone 
number. Sensitive customer information would also include any 
combination of components of customer information that would allow 
someone to log onto or access another person's account, such as user 
name and password. Therefore, institutions are expected to notify 
affected customers when sensitive customer information has been 
improperly accessed, unless the institution, after an appropriate 
investigation, reasonably concludes that misuse of the information 
is unlikely to occur and takes appropriate steps to safeguard the 
interests of affected customers.

Examples of When Notice Should Be Given

    An institution should notify affected customers when it is aware 
of the following incidents unless the institution, after an 
appropriate investigation, can reasonably conclude that misuse of 
the information is unlikely to occur and takes appropriate steps to 
safeguard the interests of affected customers:
    [sbull] An employee of the institution has obtained unauthorized 
access to sensitive customer information maintained in either paper 
or electronic form;
    [sbull] A cyber intruder has broken into an institution's 
unencrypted database that contains sensitive customer information;
    [sbull] Computer equipment such as a laptop computer, floppy 
disk, CD-ROM, or other electronic media containing sensitive 
customer information has been lost or stolen;
    [sbull] An institution has not properly disposed of customer 
records containing sensitive customer information; or
    [sbull] The institution's third party service provider has 
experienced any of the incidents described above, in connection with 
the institution's sensitive customer information.

Examples of When Notice Is Not Expected

    An institution is not expected to give notice when it becomes 
aware of an incident of unauthorized access to customer information, 
and the institution, after an appropriate investigation, can 
reasonably conclude that misuse of the information is unlikely to 
occur and takes appropriate steps to safeguard the interests of 
affected customers. For example, an institution would not need to 
notify affected customers in connection with the following 
incidents:
    [sbull] The institution is able to retrieve sensitive customer 
information that has been stolen, and reasonably concludes, based 
upon its investigation of the incident, that it has done so before 
the information has been copied, misused or transferred to another 
person who could misuse it;
    [sbull] The institution determines that sensitive customer 
information was improperly disposed of, but can establish that the 
information was not retrieved or used before it was destroyed;
    [sbull] A hacker accessed files that contain only customer names 
and addresses; or
    [sbull] A laptop computer containing sensitive customer 
information is lost, but the data is encrypted and may only be 
accessed with a secure token or similarly secure access device.

    Dated: July 31, 2003.
Mark J. Tenhundfeld.
Assistant Director, Office of the Comptroller of the Currency.



    By the Board of Governors of the Federal Reserve System on 
August 5, 2003.
Jennifer J. Johnson,
Secretary of the Board.



    Dated: August 6, 2003.
Michael J. Zamorski,
Director, Division of Supervision and Consumer Protection, Federal 
Deposit Insurance Corporation.



    Dated: July 30, 2003.
James E. Gilleran,
Director.

[FR Doc. 03-20440 Filed 8-11-03; 8:45 am]
BILLING CODE 6720-01-P; 4810-33-P; 6210--1-P; 6714-01-P