In the realm of protecting confidential customer information, an ounce of prevention is certainly worth a pound of cure – in terms of money, time, and reputation, explains Davenport Evans lawyer Dixie K. Hieb. However, even when a financial institution adheres to regulatory requirements and best practices, breaches do occur. The ways unauthorized access can happen are many: an employee opening a link in a phishing email, an officer leaving a laptop in a taxi, an employee inadvertently sending a list of customer names and identifying information to an outsider because the email client auto-completed the wrong recipient address. Whatever the cause, a financial institution must be prepared to respond in the event of unauthorized access to customer information.
Information Security Programs
As those working with sensitive customer information know, the expectations for preventing unauthorized access are high. The Interagency Guidelines Establishing Information Security Standards require financial institutions to implement detailed information security programs. When developing such a program, a financial institution must analyze the risk of unauthorized disclosure of or access to customer information, the potential damage such disclosure or access could cause, and the policies and procedures it already has in place to address those risks. Once the risk analysis has been completed, the institution is required to design a program that addresses the identified risks. The institution must also contractually require its third-party service providers to implement appropriate measures designed to protect against unauthorized access.
The final piece of an information security program is a response program that specifies the actions to be taken when the financial institution suspects or detects that unauthorized individuals have gained access to customer information. The response program should, at a minimum, include procedures for the following:
- Assessing the nature and scope of the unauthorized access and identifying customer information that may have been accessed.
- Notifying the institution’s primary federal regulator.
- Consistent with Suspicious Activity Report (SAR) filing requirements, notifying law enforcement in situations involving criminal violations.
- Taking steps to contain and control the incident, e.g., by monitoring, freezing, or closing affected accounts, while preserving records and other evidence.
- Notifying customers when warranted.
Incident Response Procedures
Another important component of an incident response program is the establishment of an incident response team. While the Interagency Guidelines do not specifically require one, having a team in place and ready to act at the first warning that unauthorized access may have occurred helps ensure that the appropriate post-breach actions are taken in accordance with the written response program, and helps minimize the negative repercussions for the financial institution. The incident response team should include individuals from several departments or functions, including IT, risk management, and compliance. Once the team is established, members can be assigned responsibilities to ensure the appropriate handling and reporting of an unauthorized access incident. These responsibilities could cover the following:
- Maintaining a call list with contact information for use in the event of a breach.
- Defining an “incident” that would trigger the use of the response team.
- Identifying indicators of unauthorized access.
- Preparing guidelines for document retention.
- Implementing a post-breach public relations program.
- Drafting post-incident recovery procedures.
- Providing staff training regarding breach indicators and responses.
The directors, officers, and employees of financial institutions are well aware of the importance of protecting customer information. However, despite a financial institution’s best efforts, breaches may occur. Having a well-informed incident response team in place can minimize the negative effects of such a breach and ensure that the financial institution’s incident response program is implemented as intended.
Davenport, Evans, Hurwitz & Smith, LLP, located in Sioux Falls, South Dakota, is one of the state’s largest law firms. The firm’s attorneys provide business and litigation counsel to individuals and corporate clients in a variety of practice areas. For more information about Davenport Evans, visit www.dehs.com.