The recent report of a data breach at JP Morgan, one of the country’s largest financial institutions, in which the names, addresses, phone numbers, and email addresses of approximately 76 million households and 7 million small businesses were stolen, has renewed national concern over the safety and security of digitally transmitted information. Thus far in 2014, there have been roughly 600 reported data breaches, a 27% increase over the same period in 2013. Companies affected include Target, Home Depot, Neiman Marcus, eBay, UPS, Apple, Nintendo, Sony, Albertsons, SuperValu, and CHS, among others. Banks are increasingly targeted because they hold valuable customer data that, if compromised, can be used for fraud and identity theft. Now that JP Morgan has joined this list, many questions are being raised about the security of customers’ information, even though the company states that no account numbers, passwords, Social Security numbers, or dates of birth were compromised.
Today, banks, credit unions, and other financial institutions rely increasingly on digitally transmitted information. Every transaction is another point at which data and records can be exposed, and it can be difficult for an institution to know whether it has already been breached. Financial institutions vary widely in the technical sophistication they bring to deterring cyber-attacks and to detecting breaches once they occur.
Banks and other participants in the payments system are responsible for maintaining a secure, reliable, and functioning system that protects customer information and for building a trusting relationship with customers. Numerous federal rules and regulations require banks to protect customer data and to notify customers of a breach. The Gramm-Leach-Bliley Act’s (GLBA) Financial Privacy Rule governs how institutions collect and disclose customers’ personal financial information. Regulation P, which implements GLBA, governs the treatment of consumers’ nonpublic personal information by the financial institutions for which the Consumer Financial Protection Bureau has primary supervisory authority. GLBA’s Safeguards Rule requires financial institutions to maintain policies and procedures that protect customer data and records. Banks must also comply with the regulators’ Red Flags Rules on identity theft, issued under the Fair Credit Reporting Act. Under Regulations E and Z and the card network rules, a customer who notifies the bank of unauthorized transactions in a timely manner has little or no liability for fraudulent transactions on a debit or credit card: Regulation E and Regulation Z cap the customer’s liability, with the cap under Regulation E depending on how quickly the loss is reported, and the networks’ zero-liability policies generally eliminate it altogether.
As the FDIC has noted, to reduce the risk posed by security breaches, many organizations and financial institutions have found it necessary to develop formal incident response programs (IRPs). The increased regulatory presence and attention described above has effectively made the development of an IRP a legal necessity. The FDIC organizes incident response best practices into several phases: preparation, detection, containment, recovery, and follow-up. Because every bank and financial institution has some weakness that can be exploited, an IRP focuses not only on preventing a breach but also on reducing the damage the institution sustains when one occurs and on lessening the long-term negative effects of an attack.
Is your financial institution prepared? Have you developed and implemented an IRP? How much risk are you willing to accept by not implementing an IRP appropriate for your institution? The answers to these questions will help you determine your next move.
This article was written by Lily Sayers.