
FDIC Federal Register Citations

Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

RE: Comments/OES

Mr. Feldman:

We are writing you to provide feedback on the “Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.” Thank you for this opportunity.

We commend the Agencies on taking this initiative to clarify Section 501b of Gramm-Leach-Bliley. However, we believe the current draft, which focuses primarily on tracking customer database access, doesn’t address a major category of customer information leakage. We believe there is a need to clearly articulate that financial organizations have an affirmative obligation to enforce compliance by their workforce for data usage, and not just data access.

In an average financial services firm, thousands of workers have “authorized” access to millions of sensitive consumer records stored in electronic databases in order to provide appropriate service and customer relationship management.

However, with the rapid adoption of the Internet and tools such as electronic mail, consumer information can be leaked at a moment's notice by an insider.

Consider the damage done in just one such incident. In November of 2002, a customer service employee of Teledata Communications Inc. who had easy access to consumer credit reports stole 30,000 customer records. This employee was paid almost $2 million by a fraud ring in exchange for this information. The theft caused millions of dollars in financial losses and demonstrates why it is critical to stop consumer information theft at the source. (*See Attached Article)

In another case, the OCC permanently banned two bank officers from the banking industry and assessed civil monetary penalties for e-mailing over 2,200 confidential customer loan files over the Internet to a third party. (*See Attached News Release)

I can assure you that the risks of another Teledata or OCC incident are real. Many of our customers are financial services firms, and in working with them we have seen hundreds of incidents of customer data leaving the organization unprotected via e-mails, web mails, etc. from employees with legitimate access to the information.

In addition, in May 2003, we conducted a survey with Harris Interactive of 500 employees and managers, many in financial services, with access to customer data. Almost half of the respondents said it would be “easy” to take sensitive customer information from their employers’ network. Two-thirds believed their co-workers posed the greatest risk to consumer data security. Attached is an overview of some other findings from this survey. We’d be happy to send you the full survey results, if you like.

At a recent hearing on Identity Theft before the House Financial Services Committee, where I was a witness, Secret Service Special Agent Tim Caddigan said his law enforcement officers have been investigating incidents where fraud rings bribe or coerce a “collusive employee” into stealing consumer information from corporate databases. Chances are that this employee would already have access to the database being targeted by the fraud ring.

We believe adding a requirement in this Guidance document for companies to monitor and enforce employee compliance for data usage would go a long way toward cutting off this area of customer information loss. This is a requirement that is missing from GLBA, but was added to HIPAA’s security requirements. (*See Attachment)

Clarifying the requirement of enforcing compliance for not just database access but also customer data usage is critical. Federal courts have generally recognized that companies are vicariously liable for any acts of their employees or agents that violate the consumer privacy requirements. (See, e.g., Jones v. Federated Financial Reserve Corp., 144 F.3d 961 (6th Cir. 1998); Yohay v. City of Alexandria Employees Credit Union, 827 F.2d 967 (4th Cir. 1987).) Given these court cases and others currently pending, further clarification of a company’s obligations would go a long way to improve the protection of sensitive customer information.

As for what constitutes “sensitive data,” we would suggest this include all the data someone outside the company would need to access a customer account online or impersonate an account owner over the phone. Although we can’t say we’re familiar with the practices of all financial institutions, it would seem that account validation fields such as Maiden Name, Driver’s License or other Government-issued ID numbers are reasonable additions to the currently proposed list.

Again, thank you for this opportunity. I am more than willing to provide additional help or discuss this further with you and your staff.

Sincerely,
Joseph Ansanelli
Chairman and Chief Executive Officer
Vontu, Inc.
San Francisco, CA

*Attachments can be viewed in the FDIC Public Information Center, 550 17th St, NW, Washington, DC, during business days 8:00 am to 5:00 pm.


Last Updated 10/20/2003 regs@fdic.gov
