Companies announcing breaches of customer information feel like a routine occurrence in today’s news cycle. Headlines in 2018 included compromised customer data from Marriott, Facebook, Google, T-Mobile, and many others. The Marriott breach alone involved the data of over a half-billion customers. In addition, significant breaches of private information occurred affecting citizens of India and prominent German politicians. To underscore all of this, over 750 million email addresses and passwords were posted on the dark web during just the first three weeks of 2019.
These regular examples of data breaches serve as a stark reminder for financial institutions to maintain comprehensive and robust customer information security programs, including up-to-date and tested incident response programs. The Gramm-Leach-Bliley Act requires bank directors to create and maintain a written program to protect customer information against unauthorized access. Below is a refresher on some of the customer information security standards set forth in the Gramm-Leach-Bliley Act and additional guidance on responding to breaches of customer information.
A customer information security program starts with a risk assessment at its core and a framework of policies and procedures to implement controls to mitigate identified risks. Of course, the program will just sit on the shelf and be largely ineffective unless employees receive training on their roles and responsibilities.
The best place to start your risk assessment process is with an inventory of what customer information you have and where it is stored. This allows you to ensure that your program has the right controls in place to protect that information. These include physical controls (e.g., locked file rooms) and logical controls (e.g., strong passwords, data access rules) to prevent unauthorized access, along with controls to verify that data are encrypted and backed up. Controls also include monitoring systems to detect unauthorized access and incident response programs to direct actions when a data breach is suspected or detected.
The last item, an incident response program, is an important detail of the Gramm-Leach-Bliley Act. As the news reports show, there is always a risk of unauthorized access, so knowing what to do in advance of a breach is a prudent planning tool. While a good incident response program includes steps to contain the incident, another key step is to complete an assessment of whether customer information is involved. If sensitive customer data have been misused (or are likely to be), take appropriate steps to notify affected customers. Your plan should also include notifying your federal regulator and appropriate law enforcement authorities.
Finally, it is useful, and required, to test your incident response plans on a regular basis to ensure that they are both adequate and up to date. Typically, examiners look for at least annual testing of the incident response plan. However, examiners expect more frequent testing for organizations with riskier, more complex environments. Factors increasing complexity may include use of cloud computing, number of branches or operations centers, and use of third parties for accepting, processing, or storing customer information. Tabletop exercises to test the plans need to include management and staff, and management should communicate results to the board of directors. Regular involvement in testing also keeps staff vigilant and ready to respond appropriately when an event occurs.
Gramm-Leach-Bliley Act, Section 501(b), Appendix D-2 – Interagency Guidelines Establishing Standards for Safeguarding Customer Information (Effective July 1, 2001)
SR Letter 05-23 / CA 05-10 - Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (Issued December 1, 2005)