September 22, 2005
WASHINGTON - Testifying before the Senate Banking Committee Sept. 22, the American Bankers Association called on Congress to consider three points when debating data security legislation, according to a news release. Unlike other industries, financial institutions are already subject to specific regulatory requirements and examinations, the committee was told, which makes two things a necessity: a uniform national standard that promotes both information security and consumer convenience, and risk-based security-breach notification requirements.
"Banking institutions have a strong interest in protecting customer information," said Oliver I. Ireland, partner in the law firm Morrison and Foerster, who testified on behalf of ABA. "Banks that fail to earn and to maintain the trust of their customers will lose those customers."
FIs already regulated
Ireland said bank regulators also recognize the importance of consumer protection and recently issued revised guidance on information security, which was originally issued under the Gramm-Leach-Bliley Act in 2001.
"We support the agencies' action and recommend their general approach as a model for going forward," Ireland said.
Already in force, the guidance requires banks to implement a risk-based response program to address unauthorized access to customer information. If a bank determines that misuse of its customers' information "has occurred or is reasonably possible," it must notify the affected customers. And the bank must always "immediately" inform its primary regulator of any security breach, regardless of whether misuse is deemed possible.
Uniform approach
In order to provide meaningful and consistent protection for all consumers, Ireland said, all entities that handle sensitive consumer information - not just FIs - should be subject to similar security standards. For example, retailers, data brokers and even employers collect sensitive consumer information, but are not subject to data security and/or security breach notification requirements.
"It is not necessary to design a completely new system to address the issue," Ireland said. "The regulations that already apply to banking institutions offer policymakers both a model and a measure of experience to aid in establishing umbrella consumer protections that span all industries that maintain sensitive consumer information.
"In considering the extension of bank-like regulation to unregulated industries that maintain sensitive consumer information, we believe that Congress should focus on a uniform approach that is designed to protect consumers from actual harm," he added. "National uniformity is critical to preserving a fully functioning and efficient national marketplace."
Risk-based security breach notification
In order to avoid immunizing consumers to security breach notices, notification requirements - like the federal banking agencies' guidance - should be limited to cases where consumers need to take action to protect themselves from substantial harm, according to ABA.
Ireland said a breach involving consumers' names and Social Security numbers may expose them to the risk of identity theft, while a breach involving account information may pose no risk or cost to the consumer.
"In each case, the need for notification and the form of notification will differ," Ireland said. "Any federal legislative requirement must recognize and accommodate these differences."
Ireland also asked Congress to remember that regulatory compliance costs fall disproportionately on community banks.
"Any legislative solution to data security must consider these and other costs that would be imposed on community banks and their customers," he said.