Friday, March 25, 2005

The Fed now requires customer notification of security breaches under GLBA

The Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision yesterday released a guidance document under the Gramm-Leach-Bliley Act requiring banks to notify customers of security breaches involving their sensitive personal information:
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

"III. Overview of Final Guidance

The final Guidance states that every financial institution should develop and implement a response program designed to address incidents of unauthorized access to customer information maintained by the institution or its service provider. The final Guidance provides each financial institution with greater flexibility to design a risk-based response program tailored to the size, complexity and nature of its operations. The final Guidance continues to highlight customer notice as a key feature of an institution’s response program. However, in response to the comments received, the final Guidance modifies the standard describing when notice should be given and provides for a delay at the request of law enforcement. It also modifies which customers should be given notice, what a notice should contain, and how it should be delivered. A more detailed discussion of the final Guidance and the manner..."
