March 24, 2005 5:46 PM PST

Banks ordered to tell customers about breaches

Four federal finance agencies have issued rules that force banks to tell customers when their personal data has been exposed.

The regulations, published Wednesday, arise from the agencies' interpretation of several provisions of the Gramm-Leach-Bliley Act. Those provisions call on financial institutions to prevent unauthorized access and use of customer information and to address any such incidents that do occur.

"We do expect our institutions to follow this guidance," said David Barr, a spokesman for the Federal Deposit Insurance Corporation, or FDIC, one of the agencies involved. "Whenever we examine institutions, we will look at...whether they have these consumer safety measures in place."

The finance industry and the data collection industry are reeling from the fallout of several recent high-profile data leaks. In late February, financial services giant Bank of America alerted government workers that backup tapes containing their sensitive data had gone missing. In addition, data brokers LexisNexis and ChoicePoint have revealed large-scale data leaks.

The latest government rules say that if a bank becomes aware of "an incident of unauthorized access to sensitive customer information," the institution should investigate. They also require the company to notify account holders quickly if it's "reasonably possible" that the personal details will be misused.

The regulations apply to banks and savings and loan institutions, and not to credit unions, which fall under a different agency, the National Credit Union Administration. The regulations only cover nonpublic consumer information, not details on businesses or commercial accounts.

The rules were established after a period of public comment. They partly resemble California's Security Breach Information Act, which requires all companies to notify consumers when sensitive personal information may have been compromised.

Others that helped author the regulations include two agencies that are part of the U.S. Treasury Department: the Office of the Comptroller of Currency and the Office of Thrift Supervision.

The Board of Governors of the Federal Reserve System also helped issue the guidelines.

1 comment

Join the conversation!
Add your comment
Banks as sellers of "trust"
The stuff that banks and other financial institutions are selling is basically "trust". People trust their bank to handle all of their life savings responsibly. Yet when it comes to the technological side of fuflfilling these expectations they fail again and again, instead of taking advantage of their traditional role as suppliers of "trust" and expanding their business to new territories usin technology.

Teechnologies such as micropayments could have become a reallity if financial institutions would have decided to invest in them. By not investing in such technologies they risk losing some of their business to others in the future. And by failing to invest enough in making the technology they currently use they risk eroding their image as entities that can be trusted, and perhaps lose some of their current business, as the internet enables more and more business to be done without the actual exchange of real money.
Posted by hadaso (468 comments )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.