October 10, 2003
Ms. Jennifer Johnson, Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Ave, NW
Washington, D.C. 20551

Office of the Comptroller of the Currency
250 E Street, SW
Mailstop 1-5
Washington, D.C. 20219

Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429

Chief Counsel's Office
Office of Thrift Supervision
1700 G. Street, N.W.
Washington, DC 20522

Re: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
Dear Madame and Messrs:
These comments are submitted on behalf of
the Florida Bankers Association ("FBA"). FBA is the trade association
representing the vast majority of commercial banks and savings
institutions doing business in the State of Florida. FBA represents both
national banks and state banks, as well as federally and state chartered
savings institutions.
FBA Concerns Regarding Proposed Guidance
The Florida Bankers Association is
concerned that certain aspects of the Guidance discussed below may be
construed to establish standards that are greater than is appropriate or
required and so may expose financial institutions to regulatory burden and
civil claims.
Background
Section 501(b) of the Gramm-Leach-Bliley
Act ("GLBA") required the federal financial regulatory agencies to
establish appropriate standards for financial institutions with respect
to safeguarding customers' confidential information. The Agencies have
now issued proposed guidance with respect to those standards. FBA
recognizes and appreciates the efforts of the Agencies to set reasonable
standards and their issuance of guidance with respect to those standards.
These comments are for the purpose of bringing to attention the
possibility of some unintended consequences that could result from the
language chosen.
Comments
In matters of law and regulation the
choice of words can be everything. FBA has no disagreement with the
intent of the regulation or the guidance. Rather it is concerned that
several specific word choices may be read to impose standards that are
not appropriate. The proposed guidance will be looked to not only when
evaluating the conduct of financial institutions in the regulatory
framework but also potentially in the arena of civil litigation. It is
therefore important that the language not be overbroad or susceptible to
unreasonable interpretation.
1. "Reasonably Foreseeable". Section I
Response Program begins with the statement that internal and external
threats to the security of customer information are "reasonably
foreseeable". Some are and some are not. The language of the statement
could be interpreted to mean that all threats are foreseeable. We
believe the statement is intended to convey that the fact that there will
be threats is foreseeable, not that any particular threat is foreseeable.
In order to avoid any ambiguity FBA suggests that the sentence be
modified to reflect that the response program should be directed to
"reasonably foreseeable threats".
2. "Inconvenience". Section II.B. of the
Guidance states that the institution should promptly notify its primary
Federal regulator when it becomes aware of unauthorized access or use of
consumer information that could result in substantial harm or
inconvenience to its customers. FBA is concerned that what is an
"inconvenience" is extremely subjective. What is inconvenient to one is
of no moment to another. It would be helpful if, by example or by other
qualifying language, guidance as to what is "inconvenient" were provided.
In other circumstances this might not be significant, but here the
existence of "inconvenience" triggers a required reporting event.
Clarification would be appreciated.
3. "Prevent". Section II.C. directs that
the institution should take measures to "prevent" unauthorized access
or use of unauthorized information. "Prevent" is an absolute term. FBA
is concerned that although reasonable measures were taken to stop the
use or access they in fact did not "prevent" it. We believe it would be
preferable to modify the language to reflect the concept of deterrence
and not use the absolute language of prohibition.
Conclusion
FBA appreciates the Guidance and this
opportunity to comment upon it. We believe that the suggested
clarifications will make the guidance of even greater use and that it
will avoid misunderstanding and misconstruction. We stand ready to
further discuss this matter with you.
Sincerely,
J. Thomas Cardwell
General Counsel - Florida Bankers Association