|
Office of
the Comptroller of the Currency
Public
Information Room
250 E Street, SW,
Mail stop 1-5
Washington, D.C. 20219
Attention: Docket No. 03-18 |
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429 |
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve
System
20th Street and Constitution Ave, NW
Washington, D.C. 20551
Docket No. OP-1155 |
|
Re: Interagency Guidance on Response Programs for Unauthorized Access
to Customer Information and Customer Notice.
To Whom It May Concern:
I serve as General Counsel of the First National Bank Holding
Company, a bank holding company incorporated under the laws of the State
of Nevada, and its national bank subsidiaries, First National; Bank of
Arizona and First National Bank of Nevada. As General Counsel, I provide
counsel to our bank entities on a variety of matters, including
regulatory issues. After evaluating the above-referenced proposed
guidance (the "Proposal"), we feel compelled to share our objections to
the proposed rules with the various regulatory entities that interact
with our bank entities.
The Proposal would generally require disclosure of the fact that
sensitive customer information had been compromised to our customers.
Mandatory disclosure of this information would leave our institutions
open to potential class action lawsuits, which have become very common
upon disclosures of such information. Please do not read into this
objection that our institution believes there should be no standard in
place to protect consumer information. On the contrary, we believe the
standards should be stringent and very clearly designed to establish the
rules for banks to follow. However, banks who follow such rules should
not be subjected to liability if customer information is disseminated
despite the bank's adherence to standards.
While we applaud regulatory measures designed to reasonably protect
our customers, the Proposal would be much better for the financial
services industry as a whole if there were a "safe-harbor" protection
afforded to financial institutions that take reasonable precautions
(i.e. URSIT ratings of at least 4) yet have sensitive customer
information inadvertently disclosed through uncontrollable events. With
a safe-harbor provision in place, qualifying financial institutions
should be protected from liability from class actions or other lawsuits
if they had proper procedures in place, acted responsibility and
notified the customer after the disclosure occurred. As we all know,
even with adequate protections, an unintended disclosure (whether
internal or external) can occur in any number of situations.
Without a safe harbor for banks that act responsibly and take the
reasonable steps that regulators require for protection of customer
information, the disclosure the Proposal requires would spur class
action lawsuits and jeopardize back capital even for well-managed
institutions. Frankly, we believe it could even increase litigation
against supervisory agencies as well, which could directly threaten the
Bank Insurance Fund. Either way, any regulation should have a standard
for protection of data, but should also set a standard to protect the
banks themselves from undue liability from litigious consumers.
Very truly yours,
R. Patrick Lamb
General Counsel
14635 N.Kierland Blvd., Suite 201
Scottsdale, AZ 85254
