The U.S. Federal Reserve Board Wednesday issued new rules requiring banks and other financial institutions to notify consumers "as soon as possible" when their personal data has been stolen.
In an announcement, the Federal Reserve and three other government banking agencies, including the Federal Deposit Insurance Corp. (FDIC), unveiled their "guidance" on how banks must treat personal information theft under federal laws enacted in 2003.
The rules come at a time when several companies have acknowledged that consumers" personal and sensitive information has either been stolen or accessed inappropriately.
David Barr, a spokesman for the FDIC in Washington, said the agencies spent the past 18 months reviewing the Fair and Accurate Credit Transactions (FACT) Act. The review included input from government officials as well as from security, banking industry and consumer groups and other entities to create the specific rules.
A key requirement is that consumers must now be notified when personal information has been stolen or illegally accessed and there is reason to believe it will be misused. In such cases, the institution must conduct a "reasonable investigation" to determine if the security breach was significant enough to require notification of affected consumers.
"If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible," the rules say. Notice can be delayed, however, if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation.
Specific timelines on how quickly such notice should be given hasn"t been established.
A financial institution is also expected to notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers.
According to the rules, sensitive customer information includes a customer"s name, address or telephone number, in conjunction with the customer"s Social Security number, driver"s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer"s account. The rules also state that such data breaches would include the release of any combination of sensitive data that would allow someone to log into or access a customer"s account, such as a username and password or a password and account number.
"The customer notification (provision) is brand new," Barr said. "Banks were not required to do that before, though many had. Now, there"s an official mandate that they must."
The new rules took time to develop, Barr said, because they were issued by four agencies working together: the Federal Reserve, the FDIC, the Office of the Comptroller of the Currency and the Office of Thrift Supervision. "You have four voices instead of just one," he said. Building consensus meant a lot of deliberations, he said.
One of the greatest challenges for the agencies was determining where the legal bar should be set in terms of when consumers should be notified of breaches, he said. Some regulators thought notice should be given in all cases, while others thought notice should be given only if it was likely the data theft would bring harm to affected consumers.
The eventual standard is a reasonable one, he said, because it won"t inundate consumers with notices unless there is evidence of a real data security threat. "If there were too many notices, consumers could be desensitized" to the real dangers of actual data security breaches, he said.
Under the new guidelines, the FDIC and other agencies can oversee financial institutions to ensure that they adhere to the notification procedures, Barr said. The agencies can issue enforcement orders if the regulations are not followed, he said.
Douglas Heller, executive director of The Foundation for Taxpayer and Consumer Rights, an advocacy group in Santa Monica, Calif., said the new rules are a good start for U.S. consumers. "At the very least, we should be be notified when our personal information has been stolen."
California is the only state in the nation where such notification is already mandated by law in cases of security breaches and financial or credit information.
But notification after the fact isn"t really enough to protect consumers, he said.
"We really need to limit the scope of private information that is collected for resale" by companies that handle personal information, he said. "The only reasons that thieves have access to so much data is that the government hasn"t stopped these companies from trading our personal information like it"s a commodity."
Recent security breaches involving the theft or loss of sensitive consumer financial and credit data involve ChoicePoint Inc., Bank of America Corp. and LexisNexis.