
New banking rules address banking information theft

Under rules approved this week, banks and financial institutions are now required to inform customers if their private banking information has been obtained by hackers or identity thieves and is likely to be misused.

Under the new regulations, breaches of private banking information have to be reported to the people who are affected should the financial institution determine that data have been, or could be, illicitly used. These rules take effect immediately for both federal and state-chartered banks, and savings and loans.

The rules come at a time of public fears about identity theft. In the past several weeks, two large information brokers (ChoicePoint, Inc. and Lexis/Nexis Group) had breaches in which records on over 175,000 consumers fell into the hands of identity thieves.

It should be noted, however, that the new rules for reporting banking information theft do not apply to such firms, or to credit unions or credit-reporting agencies.

The rules cover thousands of financial institutions that are regulated by the four agencies coordinating their rulemaking: the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.

That would include institutions such as Bank of America Corp., which recently disclosed that it had lost computer tapes containing the financial banking information of 1.2 million federal workers, including members of Congress.

Under these new rules, which are part of several measures implemented since the passage of a banking modernization law in 1999, financial institutions must immediately report any security breaches to their regulators and to law enforcement agencies.

But disclosure to consumers has an exception. After industry lobbying, the rules were modified to allow an institution to investigate whether a breach would likely result in misuse of the banking information. Should the institution determine that misuse is unlikely, it need not report the breach to its customers.

Some privacy advocates fear that allowing institutions to make the decision as to whether a threat to consumers exists could diminish their incentive to improve security.

"If people are doing a good job [of security], there should be no notices" of breaches, said Deirdre K. Mulligan, director of the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley.

Ms. Mulligan further stated that banking information could be compromised in ways not apparent to the companies that have been breached.

Security breaches have been publicized by several organizations whose systems were compromised, but computer-security experts say many more are not reported because the companies do not want their customers to worry that their systems are vulnerable. Until recently, the only requirement that consumers be notified that their data may have been stolen was a California law that forces notification by any company that has customers in the state. But the recent breaches of banking information have prompted several members of Congress, the head of the FTC and industry groups to call for national notification legislation.