Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

October 10, 2003

Ms. Jennifer Johnson, Secretary
Board of Governors of the Federal Reserve
20th Street and Constitution Ave, NW
Washington, D.C. 20551

Office of the Comptroller of the Currency
250 E Street, SW
Mailstop 1-5
Washington, D.C. 20219
Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Chief Counsel's Office
Office of Thrift Supervision
1700 G. Street, N.W.
Washington, DC 20522

Re: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

Dear Madame and Messrs:

These comments are submitted on behalf of the Florida Bankers Association ("FBA"). FBA is the trade association representing the vast majority of commercial banks and savings institutions doing business in the State of Florida. FBA represents both national banks and state banks, as well as federally and state chartered savings institutions.

FBA Concerns Regarding Proposed Guidance

The Florida Bankers Association is concerned that certain aspects of the Guidance discussed below may be construed to establish standards that are greater than is appropriate or required and so may expose financial institutions regulatory burden and civil claims.


Section 501(b) of the Gramm-Leach-Bliley Act ("GLBA") required the federal financial regulatory agencies to establish appropriate standards for financial institutions with respect to safeguarding customer's confidential information. The Agencies have now issued proposed guidance with respect to those standards. FBA recognizes and appreciates the efforts of the Agencies to set reasonable standards and its issuance of guidance with respect to those standards. These comments are for the purpose of bringing to attention the possibility of some unintended consequences that could result from the language chosen.


In matters of law and regulation the choice of words can be everything. FBA has no disagreement with the intent of the regulation or the guidance. Rather it is concerned that several specific word choices may be read to impose standards that are not appropriate. The proposed guidance will be looked to not only when evaluating the conduct of financial institutions in the regulatory framework but also potentially in the arena of civil litigation It is therefore important that the language not be overbroad or susceptible to unreasonable interpretation.

1. "Reasonably Foreseeable". Section I Response Program begins with the statement that internal and external threats to the security of customer information are "reasonably foreseeable". Some are and some are not. The language of the statement could be interpreted to mean that all threats are foreseeable. We believe the statement is intended to convey the fact that there will be threats is foreseeable, not that any particular threat is foreseeable. In order to avoid any ambiguity FBA suggests that the sentence be modified to reflect that the response program should be directed to "reasonably foreseeable threats".

2. "Inconvenience". Section II.B. of the Guidance states that the institution should promptly notify its primary Federal regulator when it becomes aware of unauthorized access or use of consumer information that could result in substantial harm or inconvenience to its customers. FBA is concerned that what is an "inconvenience" is extremely subjective. What is inconvenient to one is of no moment to another. It would be helpful if by example or by other qualifying language guidance as to what is "inconvenient" were provided. In other circumstances this might not be significant, but here the existence of "inconvenience" triggers a required reporting event. Clarification would be appreciated.

3. "Prevent". Section II.C. directs that the institution should take measurers to "prevent" unauthorized access or use of unauthorized information. "Prevent" is an absolute term. FBA is concerned that although reasonable measures were taken to stop the use or access they in fact did not "prevent" it. We believe it would be preferable to modify the language to reflect the concept of deterrence and not use the absolute language of prohibition.


FBA appreciates the Guidance and this opportunity to comment upon it. We believe that the suggested clarifications will make the guidance of even greater use and that it will avoid misunderstanding and misconstruction. We stand ready to further discuss this matter with you.

J. Thomas Cardwell
General Counsel - Florida Bankers Association


Last Updated 10/14/2003

Skip Footer back to content