With all of the stories about information security breaches during the recent election, it is pretty obvious that the computer hackers are more sophisticated than the computer protectors. I am not technically literate enough to understand all of the issues, but it seems pretty obvious that if you have a computer that is in any way attached to the internet, somewhere there is a hacker who can access that computer and the information on it. Every regulated financial institution is required to have an information security program, but what do you do if it is not sufficient?
When a regulated financial institution discovers that its information systems have been breached, it has several responsibilities. It must notify its primary federal regulator. It must notify appropriate law enforcement and file a suspicious activity report. If the breach provided access to "sensitive customer information", then it must notify all customers affected.
Sensitive customer information is information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is the most likely to be misused, as in the commission of identity theft. Sensitive customer information means a customer's name, address or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log into or access the customer's account, such as a user name and password or a password and account number.
The notice must be sent to all affected customers as quickly as they can be identified. The notice must describe the incident in general terms and the type of customer information that was accessed. It must describe the steps the institution has taken to prevent further unauthorized access and provide a telephone number that the customer may call for further information. It should advise the customer to be vigilant over the next 12 to 24 months in his or her financial transactions.
The notice should also advise the customer to review all account statements and immediately report any suspicious activity. It must also advise the customer on how he or she may place a fraud alert on his or her credit reports. It should recommend that the customer periodically obtain his or her credit report, and it should include information on how to obtain free credit reports.
Regulated financial institutions should be proactive and not reluctant to notify customers when the customers' data has been accessed. While the notice may be embarrassing and harmful to the institution's reputation, sending the notice is far less harmful than not sending it.
CFPB Fall Agenda
The CFPB recently published its 2016 fall regulatory agenda. Fortunately, there does not appear to be anything new or significant in it. It will continue to tweak the TRID rules and work on the implementation of the new HMDA data collection and reporting rules. It is working on the final rules on arbitration provisions and will probably outlaw them in consumer situations. It will also finalize its debt collection rules, which will probably carry forward the present debt collector rules to financial institutions collecting their own debts. It is also continuing to work on the data collection requirements for women- and minority-owned small businesses.