As news continues to surface that banks' customer data are being compromised, institutions are being forcefully reminded that consumer notification is the right thing to do. Wachovia, Commerce Bancorp, PNC Financial Services Group, Bank of America and Citigroup recently have all admitted being victims of either internal or external security breaches, unauthorized account access or the mishandling of data.
Why the rush to confess? California's Assembly Bill 1950 took effect in January, and is aimed at stopping ID thieves, check counterfeiters and cyber-extortionists by requiring businesses to protect private information, defined as a person's name, Social Security number, driver's license/state ID and financial-account number. Six states (Georgia, North Dakota, Montana, Arkansas, Washington and Indiana) have passed some version of this law. Meanwhile, Congress is considering a handful of federal bills, including one written by California Democratic Sen. Dianne Feinstein, which could set a federal notification standard.
Those laws, along with new federal legislation governing the release of medical and corporate financial information, have prompted a rash of mea culpas. In February, ChoicePoint, an Atlanta data-collection agency, admitted it had unwittingly sold Social Security numbers and other personal data of 145,000 people to businesses posing as debt-collection firms. Breaches were soon after reported at LexisNexis, DSW and Ralph Lauren.
Many banks remain confused about what is required of them, leading them to do nothing. "There is a lot of apathy among banks with respect to this subject," says Mary Beth Guard, CEO of Glia Group and a trainer at BankersOnline.com, which offers courses on the topic. "It's a bottom-line issue, when you consider that [the laws] place no fault on consumers for unauthorized transactions."
Guard recalls one bank that was attacked by a phishing scam after work hours on a Friday and found itself trying to devise a game plan Monday morning. "They had no response program in place," she says. "They were scrambling to figure out, 'Okay, do we need to shut down debit-card access? ATM-card access? Should we assign new account numbers to customers?' They didn't know the basic questions to ask." One preventive step Guard suggests is for banks to announce on their Web sites how employees will contact customers; many banks do not use e-mail for this. She also urges banks to work harder to make their Web sites more difficult to clone.
Though banks have been subject to the reporting guidelines of the Gramm-Leach-Bliley Act, which required a clear customer-notification plan for data breaches in place by July 1, 2001, some banks haven't written one, say sources. In March 29 guidance, regulators nudged banks again, warning them of their duty to inform regulators of any data compromises, though customers only need to be notified "if a bank determines that misuse of its customer information has occurred or is reasonably possible." However, notice may be delayed if a law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for a delay.
The issue is a very real one for business. Nearly 40 percent of firms surveyed by the Computing Technology Industry Association reported a major IT security breach in the last six months, according to a spokesman. About six percent of respondents were financial services firms. Some 79.3 percent of concerns were caused by human error, either alone or with a technical malfunction.
Moreover, failure to take preventive steps could backfire for banks caught unprepared. Banks' good-faith efforts in customer-notification cases count, says the guidance, but failure to implement a plan could violate security guidelines or prohibitions against unsafe and unsound practices. And that could prompt more than a slap on the wrist.