OCC Bulletin 2005-13| April 14, 2005
Response Programs for Unauthorized Access to Customer Information and Customer Notice - Final Guidance: Interagency Guidance
Chief Executive Officers of All National Banks, Federal Branches and Agencies, Technology Service Providers, Department and Division Heads, and All Examining Personnel
The guidance attached to this bulletin continues to apply to federal savings associations.
The OCC, FRB, FDIC, and OTS are issuing the attached final "Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice." The guidance was published in the Federal Register on March 29, 2005, and became effective upon publication.
The guidance interprets the Interagency Guidelines Establishing Information Security Standards (Security Guidelines)1 and states that each financial institution should implement a response program to address unauthorized access to customer information maintained by the institution or its service providers. The guidance describes the components that a response program should contain including procedures to notify customers about incidents that involve unauthorized access to sensitive customer information.
The guidance provides that, "when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible." However, notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for a delay.
Sensitive customer information is defined to mean a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.
The guidance states that a financial institution's contract with each service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.
The guidance also provides that a financial institution should notify its primary federal regulator of a security breach involving sensitive customer information, whether or not the institution notifies its customers. A national bank should notify its supervisory office.
When evaluating the adequacy of a national bank's information security program required by the Security Guidelines, the OCC will consider whether the bank has developed and implemented a response program including notification procedures as described in the guidance. The OCC will take into account the good faith efforts made by each bank to develop a response program that is consistent with the guidance, together with all other relevant circumstances. The OCC may treat a bank's failure to implement the final guidance as a violation of the Security Guidelines that are enforceable under the procedures set forth in 12 USC 1831p-1, or as an unsafe and unsound practice under 12 USC 1818.
For questions concerning the guidance, contact Bank Information Technology at (202) 649-6340.
Daniel P. Stipano
Acting Chief Counsel
Emory W. Rushton
Senior Deputy Comptroller and Chief National Bank Examiner
1 This guidance will be published in the Code of Federal Regulations as a supplement to the Security Guidelines that are codified at 12 CFR 30, Appendix B. The Security Guidelines were formerly known as the "Interagency Guidelines Establishing Safeguards for Customer Information."