Banks and some other financial institutions will be required to tell customers if their private information has been obtained by hackers or identity thieves and is likely to be misused, under rules approved this week and announced yesterday.
Under the new regulations, breaches of private information must be reported to people affected if the financial institution determines that data have been, or could be, illicitly used. The rules take effect immediately for federal and state-chartered banks, and savings and loans.
The rules come at a time of growing public fears about identity theft. In the past several weeks, two large information brokers had breaches that resulted in records on roughly 175,000 consumers falling into the hands of identity thieves. The new rules, however, do not apply to such brokers, or to credit unions or credit-reporting agencies.
The rules cover thousands of financial institutions regulated by four agencies that coordinated their rulemaking: the Federal Deposit Insurance Corp., the Federal Reserve, the Office of the Comptroller of the Currency and the Office of Thrift Supervision.
That would include organizations such as Bank of America Corp., which disclosed recently that it had lost computer tapes containing financial data on more than 1.2 million federal workers, including members of Congress.
Under the new rules, part of several measures implemented since the passage of a banking modernization law in 1999, financial institutions must immediately report security breaches to their regulators and to law enforcement agencies.
Disclosure to consumers, however, has an exception. After industry lobbying, the rules were modified to allow an institution to investigate whether a breach would be likely to result in misuse of the data. If the organization determines that misuse is unlikely, it need not report the breach to its customers.
Financial-services firms were concerned that they might be burdened by expensive reporting requirements and could subject consumers to needless worry if systems were breached but the data had not been taken by identity thieves.
Some privacy advocates fear that allowing the institutions to decide whether a threat to consumers exists could diminish their incentive to improve security.
"If people are doing a good job [of security], there should be no notices" of breaches, said Deirdre K. Mulligan, director of the Samuelson Law, Technology & Public Policy Clinic at the University of California at Berkeley.
She said data could be compromised in ways not immediately apparent to the companies that have been breached.
Security breaches have been publicized by several organizations whose systems were compromised, but computer-security experts say many more go unreported because companies do not want customers to worry that their systems are vulnerable.
Until now, the only requirement that consumers be told that their data might have been stolen is a California law that forces notification by any company that has customers in the state. But the recent breaches have prompted several members of Congress, the head of the Federal Trade Commission and some industry groups to call for national notification legislation.
A spokesman for the National Credit Union Administration said he expects the organization to develop notification guidelines in the next two months.