Law Requires Information Security Programs to Be Risk-based
The financial services industry is one of the most highly regulated and closely supervised among those handling sensitive consumer information. Besides being subject to security breach disclosure laws at the state and federal levels, it must comply with industry-specific laws and regulations related to information security and privacy.
As service-based businesses, financial institutions must provide customers with confidentiality or else risk losing their trust and their business. Protecting information is critical to maintaining trust. Because they generally don't pass along losses associated with fraudulent transactions made on existing accounts to their customers, financial institutions incur significant losses from ID theft and account fraud. This is in addition to reputation damage and other costs incurred in responding to the security breach.
The Gramm-Leach-Bliley Act requires financial institutions to not only limit the disclosure of customer information, but also to protect that information from unauthorized access and to notify customers about security breaches. Under the guidance issued by federal regulators, financial institutions must establish and maintain comprehensive information security programs to identify and assess the risks to customer information and then address these risks by adopting appropriate security measures.
Financial institutions are also responsible for maintaining access controls to customer information, conducting background checks for employees with access to customer information, and developing a response program in the event of a security breach. GLB also requires that financial institutions require service providers to implement measures to protect against unauthorized access to or use of customer information.
Each financial institution's information security program must be risk-based, meaning that it must tailor its information security program to the specific characteristics of its business, customer information, and customer information systems, and must assess the threats to those systems. As threats change or emerge, the program must be modified accordingly.
A risk-based response program must assess the nature and scope of a security incident involving unauthorized access to customer information, and identify what information systems and types of customer information have been accessed or misused. It must also trigger notifications to the institution's primary regulator about any threats to sensitive information, and file Suspicious Activity Reports with law enforcement agencies. Financial institutions must take appropriate steps to contain the incident and prevent further unauthorized access to or use of customer information, such as monitoring, freezing, or closing accounts, while preserving records and other evidence.
Customer notification is a central requirement of the guidance by federal regulators with respect to GLB compliance. The guidance dictates that when a financial institution discovers a breach of sensitive information, it must conduct a reasonable investigation to determine whether the information has been misused. In the recent incident involving T.J. Maxx, for example, financial institutions have discovered preliminary evidence of fraudulent activity arising from the theft of 45.7 million debit and credit card accounts.
If a financial institution determines that misuse has occurred or is reasonably possible, then it must notify affected customers as soon as possible. Notification may be delayed if law enforcement determines that notification will interfere with an investigation. The institution need only notify members affected by the breach to the extent such identification is possible. If it can't identify those affected, it should notify all members if it determines that misuse of the information is possible.
The customer notification standards combine tough security measures with practical steps designed to help consumers, such as providing credit monitoring and other services. These standards are intended to assure a timely, coordinated response that enables consumers to protect themselves, in addition to knowing the steps the financial institution has taken to address the incident.
Responsibility for protecting customer information doesn't rest with the financial institution alone. Retailers, data brokers, and others collect sensitive information, but not all of them are subject to data security and/or security breach notification requirements. Only a tiny fraction of the breaches that have been reported have occurred at financial institutions. Any entity that maintains sensitive information should be required to protect the information and provide notice to affected consumers in the event of a breach.
The regulations that already apply to financial institutions should serve as a model in establishing umbrella protections that span all industries. The extension of financial services industry-like regulations to unregulated industries would go a long way toward limiting breaches in the future.