Wednesday, August 20, 2003

FDIC Proposes Guidelines Telling Banks to Notify Customers of Breaches

SANS Newsbites informed me of a Washington Post article on the Federal Deposit Insurance Corporation's plans for new banking guidelines. From the story:

"Under the proposal, banks and other financial institutions would alert customers by mail, telephone or e-mail, when they find unauthorized access to personal data that could result in substantial harm or inconvenience. Banks also would be told to flag any accounts that may have been compromised and monitor them for unusual or suspicious activity."

This marks a significant break from standard practice. In the past, banks had latitude to keep things quiet, at the discretion of the board and legal counsel. Of course, the details of the guidelines must dictate what constitutes "unauthorized access," "personal data," and "substantial harm or inconvenience." Stay tuned.
