Inadvertent Release of Customer Information by Core Processor
The Bank was informed by its core processor that it inadvertently produced a de-conversion tape and sent it to another processor. The confusion resulted from the core processor de-converting another bank with a similar name. The Bank was assured that all customer information was destroyed by the second processor, but inquired about any necessary steps, if applicable.
As per the Interagency Guidelines giving effect to section 510 of the Gramm-Leach-Bliley Act, the Bank should perform the following in a timely manner:
- Begin an investigation to assess the nature and scope of the incident and identify whether sensitive customer information may have been accessed or misused. “Sensitive customer information” is a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to a customer’s account.
- Notify its primary federal regulator as soon as possible that there may have been unauthorized access to sensitive customer information and that an investigation has commenced.
- File a Suspicious Activity Report if the incident involves a criminal violation.
- If a reasonable investigation determines that misuse of information has occurred or is reasonably possible, it should notify the affected customers as soon as possible.
The facts will determine how broad the scope of the investigation should be. The Agencies have acknowledged that a full-scale investigation may not be necessary in all cases, such as where the facts readily indicate that information will or will not be misused.
Law enforcement should be notified in instances involving a federal criminal violation.
If the investigation leads the Bank to conclude that misuse of the information is unlikely to occur and it has taken appropriate steps to safeguard the interests of the affected customers, such as monitoring, it does not need to notify its customers.
The contract between the Bank and its service provider should specify how such incidents are to be addressed, both with regard to the investigation and to what compensation will be provided: to the Bank, for expenses incurred in the investigation, and to the Bank and its customers, for damages in the event of misuse of the information.
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, Federal Register, vol. 70, No. 59; FIL-27-2005.