Four Key Elements To Include In Your Customer Response Program
When your regulator comes to your institution during your next examination, will your incident response plan be your Achilles' heel? Ensuring your institution is ready to respond to any breach begins with the development of a response team.
Under the interpretive authority granted by the Gramm-Leach-Bliley Act (GLBA), federal banking regulators finalized guidance establishing standards financial organizations must follow to safeguard customer information. The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice Guidance requires banks to establish a security breach response program and, in general, to notify affected customers when a breach occurs. In addition, financial organizations are responsible for ensuring that third party service providers take appropriate measures designed to meet the objectives of the guidelines and comply with Section 501(b) of GLBA.
Establish Response Program
A customer response program is one component of an organization's overall information security program. The four key elements of a customer response program are:
- The development of a response team
- The customer notification and assistance process
- Third party service provider implications
- Working with law enforcement
An effective incident response team is an organization-wide group that includes all affected lines of business.
Among the components of the Guidelines regarding response programs, the agencies state that an organization's procedures should include, "consistent with the Agencies' Suspicious Activity Report (SAR) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing."
The Federal Financial Institution Examination Council (FFIEC) Information Security Work Tier II examination guidelines require that examiners evaluate a financial organization to determine whether an incident response team is adequate.
The Federal Deposit Insurance Corporation (FDIC) has specific examination guidelines regarding such teams, instructing examiners to evaluate the effectiveness of incident response practices.
Notifying Customers of a Security Breach
A response program must include procedures to notify customers about incidents of unauthorized access to information that could result in substantial harm or inconvenience to the customer.
The Guidance states: "When a financial organization becomes aware of an incident of unauthorized access to sensitive customer information, the organization should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the organization determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible."
The guidance also allows for a delayed notification if the appropriate law enforcement agency determines notification will interfere with a criminal investigation.
A breach notification should contain the following elements:
- general description of the incident and the information that was the subject of unauthorized access;
- telephone number for further information and assistance;
- reminder "to remain vigilant" over the next 12 to 24 months;
- recommendation that incidents of suspected identity theft be reported promptly; and
- general description of the steps taken by the financial institution to protect the information from further unauthorized access or use.