Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

October 14, 2003

Office of the Comptroller of the Currency
Public Information Room
250 E Street, SW, Mail stop 1-5
Washington, D.C. 20219
Attention:  Docket No. 03-18

Robert E. Feldman
Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the
Federal Reserve System
20th Street and Constitution Ave, NW
Washington, D.C. 20551
Docket No. OP-1155

Re: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.

To Whom It May Concern:

I serve as General Counsel of the First National Bank Holding Company, a bank holding company incorporated under the laws of the State of Nevada, and its national bank subsidiaries, First National; Bank of Arizona and First National Bank of Nevada. As General Counsel, I provide counsel to our bank entities on a variety of matters, including regulatory issues. After evaluating the above-referenced proposed guidance (the "Proposal"), we feel compelled to share our objections to the proposed rules with the various regulatory entities that interact with our bank entities.

The Proposal would generally require disclosure of the fact that sensitive customer information had been compromised to our customers. Mandatory disclosure of this information would leave our institutions open to potential class action lawsuits, which have become very common upon disclosures of such information. Please do not read into this objection that our institution believes there should be no standard in place to protect consumer information. On the contrary, we believe the standards should be stringent and very clearly designed to establish the rules for banks to follow. However, banks who follow such rules should not be subjected to liability if customer information is disseminated despite the bank's adherence to standards.

While we applaud regulatory measures designed to reasonably protect our customers, the Proposal would be much better for the financial services industry as a whole if there were a "safe-harbor" protection afforded to financial institutions that take reasonable precautions (i.e. URSIT ratings of at least 4) yet have sensitive customer information inadvertently disclosed through uncontrollable events. With a safe-harbor provision in place, qualifying financial institutions should be protected from liability from class actions or other lawsuits if they had proper procedures in place, acted responsibility and notified the customer after the disclosure occurred. As we all know, even with adequate protections, an unintended disclosure (whether internal or external) can occur in any number of situations.

Without a safe harbor for banks that act responsibly and take the reasonable steps that regulators require for protection of customer information, the disclosure the Proposal requires would spur class action lawsuits and jeopardize back capital even for well-managed institutions. Frankly, we believe it could even increase litigation against supervisory agencies as well, which could directly threaten the Bank Insurance Fund. Either way, any regulation should have a standard for protection of data, but should also set a standard to protect the banks themselves from undue liability from litigious consumers.

Very truly yours,

R. Patrick Lamb
General Counsel
14635 N.Kierland Blvd., Suite 201
Scottsdale, AZ  85254

Last Updated 10/20/2003

Skip Footer back to content