UPDATE: On November 18, 2021, the FDIC issued a new final rule (“The Computer-Security Incident Notification Final Rule”) altering the obligations discussed below. Notably, all financial institutions subject to OCC, FDIC or Federal Reserve jurisdiction must now notify their primary federal regulator of any “notification incident” within 36 hours of discovery. Additionally, banks must notify customers as soon as possible following discovery of a “computer-security incident” that is reasonably likely to cause, “a material service disruption or degradation for four or more hours.” The below content is no longer up to date, and a more detailed article discussing the new FDIC Final Rule will be linked here once completed.
A bank or financial institution has a requirement to send a data breach notification to the FDIC “as soon as possible” if the breach involves sensitive customer information and the FDIC is the bank’s “primary federal regulator”.
Financial Institution Regulators GLBA Joint Guidance
Section 501(b) of the Gramm-Leach-Bliley Act (GLBA) requires financial institution regulators (the “Agencies”) to establish financial institution standards for protecting the security and confidentiality of financial institution customers’ non-public personal information. These agencies include the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.
The objective behind establishing these standards was to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.
Collectively, these agencies have issued joint guidance for financial institutions interpreting the related provisions of the GLBA and Interagency Guidelines Establishing Information Security Standards. The joint guidance was intended to develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by financial institution (or its service provider), and describes the appropriate elements of a financial institution’s response program, including customer notification procedures and potential FDIC notification.
When Must a Bank Report a Data Breach to the FDIC?
A bank must report a data breach to the FDIC “as soon as possible” if it involves sensitive customer information and the FDIC is the bank’s “primary federal regulator”. A bank’s primary federal regulator could be the FDIC, the Federal Reserve Board, or the Office of the Comptroller of the Currency. The FDIC is the primary federal regulator of banks that are chartered by the states that do not join the Federal Reserve System.
A Bank’s Data Breach Obligations Under The GLBA
Under the GLBA, financial institution regulators determined that, at a minimum, financial institutions should employ a incident response program containing procedures for:
- Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
- Notifying its primary federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined later in the final Guidance;
- Immediately notifying law enforcement in situations involving Federal criminal violations requiring immediate attention;
- Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, such as by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
- Notifying customers when warranted.
FDIC Data Breach Notification Requirements
Instead of a complicated process similar such as filling out detailed forms for a Suspicious Activity Report (SAR), financial institutions can notify their regulators informally. The Agencies determined that they should be notified, as quickly as possible, by telephone or “some other expeditious manner” once a financial institution becomes aware of a data breach incident. This informal process is due in part to the Agencies belief that the extent to which they will gather statistics on security incidents and customer notice is beyond the scope of the Final Guidance, and whether or not they decide track the number of incidents reported is left to the discretion of each individual Agency.
Sensitive Customer Information
A bank’s obligation to notify the FDIC only arises if the breach involves the access or use of sensitive customer information. Sensitive customer information include data such as a customer’s name, address or telephone number in conjunction with the customer’s Social Security number, driver’s license number, account number, credit or debit card number, a personal identification number (PIN) or a password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log on to or access the customer’s account, such as username and password or password and account number.