Sent Federal Express
October 10, 2003
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, DC 20429
Dear Mr. Feldman:
Re: Comments on Proposed Interagency Guidance on Response Programs
for Unauthorized Access to Customer Information and Customer Notice
This letter is written on behalf of the Connecticut Bankers
Association (the "CBA") for the purpose of submitting comments on the
Notice and Request for Comment on the proposed Interagency Guidance on
Response Programs for Unauthorized Access to Customer Information and
Customer Notice (the "Proposed Guidance"). The Connecticut Bankers
Association is an industry trade association that represents
approximately 78 commercial banks, savings banks, and savings and loan
associations of all sizes throughout Connecticut. The CBA has the
following comments on the Proposed Guidance:
1. The Proposed Guidance asks for comment on whether the discussion
of "securing accounts" is sufficiently clear. The CBA believes that this
discussion is not sufficiently clear, and requests clarification that
"securing accounts" does not require denying access to the accounts. A
bank holding a deposit account for a customer is in the position of a
debtor that owes the funds in the account to the customer, the creditor,
when the funds are requested by the customer. The bank generally does
not have the right to refuse to pay a depositor's funds to the
depositor. This obligation to pay the funds in the account to the
depositor is not changed by the fact that sensitive customer information
to the account may have been stolen. While the bank needs to protect
against paying the funds in an account to any person other than the
depositor, the guidance should clarify that the bank has flexibility in
how it "secures accounts". Thus, for example, a bank may determine that
it needs to limit online access to the account until access codes have
been changed, but can continue to allow (i) in-person withdrawals,
because the bank will have the opportunity to check photo identification
and signatures, and (ii) payment of checks, because the bank will have
the opportunity to check signatures on the account. Clarifying that a
bank has the discretion to make a determination as to how and to what
extent accounts will be secured will allow a bank the flexibility to
continue to serve its customers while taking appropriate steps designed
to protect against withdrawal of funds by a person other than the
depositor.
2. The Proposed Guidance asks for comments on whether the examples of
when customer notice is required should be modified or supplemented. The
CBA believes that two examples in particular should be clarified. The
first is the example of an employee obtaining unauthorized access to
sensitive customer information. The Guidance should include examples of
situations in which the institution could conclude that the misuse of
the information is unlikely. For example, if the employee is apprehended
before the sensitive information has been used, then the institution may
be in a position to conclude that misuse of the information is unlikely
to occur. This is because an individual that has been apprehended may be
unlikely to misuse the information because such individual knows that he
or she will be immediately implicated in any misuse of the information.
The second example that should be clarified is the example of lost or
stolen computer equipment such as a laptop computer, floppy disk or
CD-ROM. The Proposed Guidance should clarify that if the institution
reasonably concludes that the item has been lost, rather than stolen,
the institution may be able to reasonably determine that the misuse
of the sensitive customer information is unlikely. A floppy disk or CD
can occasionally be misplaced or lost, and unless there is evidence of
theft, there is generally no reason to believe that the information on
the floppy disk or CD will be misused.
3. The CBA respectfully requests that when final guidance is issued,
institutions be given sufficient time to develop response policies and
to amend vendor contracts. We would suggest a period of at least 9
months to develop a response program, and at least 12 months to modify
all vendor contracts as may be required by the final guidance.
Thank you for allowing us this opportunity to comment. If you have
any questions on this letter, please feel free to contact me.
Sincerely,
Fillis W. Stober
Tyler Cooper & Alcorn, LLP
185 Asylum Street
CityPlace/35th Floor
Hartford, CT 06103-3488
cc: Lindsey Pinkham
Connecticut Bankers Association