Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank

Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations

FDIC Federal Register Citations

via email

October 14, 2003

Public Information Room
Office of the Comptroller of the Currency
250 E Street, SW, Mailstop 1-5
Washington, D.C. 20219

Chief Counsel's Office
Office of Thrift Supervision
1700 G. Street, N.W.
Washington, DC 20522
Ms. Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve
20th Street and Constitution Ave, NW
Washington, D.C. 20551
Robert E. Feldman
Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, D.C. 20429
Attention: Comments/OES

Re: Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“the proposed Guidance”)

Ladies and Gentlemen:

KeyCorp, a financial services company with assets of approximately $83 billion, (“Key”) appreciates the opportunity to comment on the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“the proposed Guidance”) applicable to financial institutions. The security of customer information is always of highest priority at Key.

KeyCorp is committed to the protection of our customer’s sensitive information. We have responded in the recent past with substantial efforts to protect this singularly most important asset of our business. Our safeguarding measures include a combination of encryption systems, rigorous standards, strict privacy policies, and employee training and awareness. In addition, implementation of the Customer Identification Program mandated in the USA Patriot Act enhances new customer verification techniques that will have additional deterrence effects on identity theft crimes.

The proposed Guidance acknowledges the need for continued vigilance in the area of potential identity theft. The banking industry is acutely aware and responsive at the individual institution level to potential consequences that directly impact them through financial losses, various risk exposures, and loss of customer and shareholder confidence. KeyCorp is deeply concerned that the specific approach in the proposed guidelines will not allow for individualized assessment of different situations from business risk perspectives specific to each institution. As a responsible financial entity, we have put much attention into responding to the Security Guidelines established under the Gramm-Leach-Bliley Act (15 U.S.C. 6801 and 6805) and believe that these Security Guidelines provide sufficient guidance and direction for the protection of sensitive customer information. KeyCorp already takes significant measures to maintain excellent business relationships with our customers including respect for their privacy and security concerns.


KeyCorp and the majority of financial institutions in the country over the past few years have paid significant attention to identity theft issues. Improved system access restrictions, refined processes to limit information use, improved encryption of data, increased employee training and awareness, and the development of policies and procedures surrounding the existing Security Guidelines have appropriately addressed business responses and risk assessments for incidents of unauthorized access of sensitive customer information. KeyCorp concludes Section 501(b) of the GLBA offers sufficient guidance pertaining to unauthorized access to sensitive customer information as it stands and needs no further Agency interpretation, clarification or modification. If Guidance is still considered necessary after further review and analysis, any proposed and final Interagency Guidelines must reflect the vast business experiences and practical operational issues and responses of the financial services industry. The Agencies should consider empanelling an Advisory Board comprised of institutions that would be substantially affected by these significant changes, which would then offer seasoned analysis, review and recommendations. At a minimum, another comment period should be provided to ensure the serious issues brought forth by the commenting institutions and organizations are appropriately addressed in any final Guidance.


The proposed Guidelines are constrictive and do not permit a flexible risk based approach, as defined by the affected financial institution, to each individual incident.

All response programs to the unauthorized access to or use of sensitive customer information have elements of assessment, containment, and addressing harm to customers. The manner and method of this process is currently heavily dependent on the institution’s size, operational and system structures, and risk tolerances and should remain as such. The Guidelines suggestions (which would quickly become “best practices”, “minimum standards”, then “mandates”) include “shutting down particular applications or third party connections, reconfiguring firewalls, changing computer access codes, and modifying access controls,” in situations that “could result” in substantial harm or inconvenience to the customer. These extreme measures are advanced to address incidents of potential, unpredictable criminal behavior if a customer is inconvenienced. The response determined by the financial institution should not be prescribed in such prohibitive, concrete terms while the individual nuances of each situation are not given due consideration.

Constraints are also visible in the Guidelines by the inclusion of notice to the institution’s primary regulator about any potential incident that remotely hints at unauthorized access to sensitive customer information. This threshold of regulatory notice for these incidents is unusually low and extremely burdensome for both regulatory agencies as well as the financial institution. While KeyCorp agrees that regulators should be informed of any significant incidents, the Guideline requirement for regulatory notice can be reasonably interpreted as encompassing all incidents.

Incidents involving encrypted sensitive customer data should be categorically and clearly exempted from any notice requirements.

Encrypted data, including relevant pieces of sensitive customer information, should be exempted from the notice requirements, both regulatory and customer. This exemption should also be applied if at least one piece of the required pieces of information is encrypted, as the remaining unencrypted information does not qualify as sensitive information. The storage and transmission of encrypted data is an accepted business practice that is widely acknowledged as a secure means of maintaining confidential information and the proposed Guidance should reflect that position.

Customer notice requirements, if required by regulation, should only be applicable to incidents and sensitive customer information under the control of the financial institution that are deemed to pose significant risk of substantial harm to a significant number of customers.

The proposed customer notice requirement is too expansive and includes “groups” of customers that may or may not be affected. The notice requirement, if one is established, should adhere to a much higher standard of scrutiny than likely to occur to a single individual after the financial institution takes appropriate steps. This simple characterization will certainly include customers who have no need to be concerned or anxious about theft of their identities. A notification requirement that errors on the conservative side will initially increase the customer’s anxiety and eventually, their apathy to these incidents. This is a serious risk of the notice requirement as proposed. Moreover, the value of the notice is questionable when the reality is in most situations a financial institution cannot possibly conclude, even after a thorough assessment of the situation, the potential for criminal behavior that may result in a particular customer’s potential financial loss or theft of identity. What concrete assistance a notice can provide is empathy and awareness for the future, however this benefit will be more than offset by the stress and anxiety the notice will surely create. Information as to what steps individuals can take to minimize the impact of identity theft, as proposed by the Guidelines, is more appropriately given in a proactive fashion by educating our customers and increasing their awareness before sensitive information has been breached.

The costs associated with widespread notice, both tangible and intangible, are potentially extreme. The concentration of necessary human resources at the financial institution to effectively support the type of notice process proposed (e.g. staffing and training a customer service area to answer calls) would be excessively costly and would eventually dramatically increase the cost of basic services to customers.

A less prescriptive model of customer notice would alleviate some of the heavy financial and reputation burden to the financial institution. Suggestions include providing a flexible time period for response and notice based on an assessment of the situation, deleting the superfluous requirements to “assist” the customer in updating consumer reports (which potentially could be a customer privacy violation, in and of itself) and the “offer to subscribe” the customer to a reporting service. All of these elements, as suggestions to be included in the notice, are cost prohibitive, restrictive and unlikely to be utilized as offers to the customers.

KeyCorp appreciates the opportunity to be an important part of the comment process surrounding appropriate response and notice to unauthorized access to sensitive customer information. The comments included here address the portions of the proposed Guidance that present the serious concerns from our perspective. We will continue to remain a collaborative partner with the Agencies, as this important topic is one of our highest business priorities. Thank you for your interest.


Cheryl A. Voigt
Chief Compliance Officer
127 Public Square
Cleveland, OH 44114

Last Updated 10/15/2003

Skip Footer back to content