Data Breaches & Resources for Bankers & Customers
The announcement last month by the Louisiana Office of Motor Vehicles about the data breach involving MOVEit, a managed file transfer software product, has raised many questions. Banks and third-party vendors are assessing whether they are impacted and deciding how best to respond based on their circumstances. Here is some helpful information, along with resources, for bankers and bank customers in the event your data security has been breached. It should be noted that this is general information, and if a financial institution suspects that there has been a data breach or incident of unauthorized access to customer data, it is strongly urged that the financial institution consult with its own legal counsel to seek customized legal advice on how best to respond. Click here to see the announcement by Gov. John Bel Edwards’ office on June 15, 2023.
The State of Louisiana’s June announcement about the OMV breach included a website called Next Steps (click here to view) that provides a list of steps that Louisiana citizens can take to mitigate the risk of identity theft. In July, the state issued a Notice of Data Security Incident by email to individuals whose information was involved in the incident and for whom OMV located an email address. Click here to download a copy of the notice. The notice explains that the state has set up a toll-free call center to answer questions that individuals may have. In addition, the notice explains that OMV is offering 12 months of free credit monitoring and identity theft protection through LifeLock. The notice also included an overview of additional steps that citizens could take, which are discussed below.
Monitor for fraud or identity theft
The publications by the state discussed above include information on additional steps that citizens can take in response to a data breach. They suggest that it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements, health insurance benefit statements, healthcare billing statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at (877) 322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Equifax, P.O. Box 740241, Atlanta, GA 30374, www.equifax.com, (888) 378-4329
- Experian, P.O. Box 2002, Allen, TX 75013, www.experian.com, (888) 397-3742
- TransUnion, P.O. Box 1000, Chester, PA 19016, www.transunion.com, (800) 916-8800
Notify authorities of identity theft or fraud incident
The next suggestion by the state is that if you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Louisiana Attorney General’s Office. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue NW, Washington, DC 20580, (877) IDTHEFT (438-4338), www.identitytheft.gov
Fraud Alerts and Credit or Security Freezes
The state’s publications also suggest that citizens consider using fraud alerts and credit or security freezes. There are two types of general fraud alerts you can place on your credit report to put your creditors on notice that you may be a victim of fraud—an initial alert and an extended alert. You may ask that an initial fraud alert be placed on your credit report if you suspect you have been, or are about to be, a victim of identity theft. An initial fraud alert stays on your credit report for one year. You may have an extended alert placed on your credit report if you have already been a victim of identity theft with the appropriate documentary proof. An extended fraud alert stays on your credit report for seven years.
To place a fraud alert on your credit reports, contact one of the nationwide credit bureaus. A fraud alert is free. The credit bureau you contact must tell the other two, and all three will place an alert on their versions of your report.
A credit or security freeze restricts access to your credit file, which makes it difficult for fraudsters to open new accounts or borrow money in your name. There is no fee to place a credit freeze, but you must contact each of the three major credit reporting agencies separately. Here is the contact information for each of the credit reporting agencies:
- Experian Security Freeze, P.O. Box 9554, Allen, TX 75013, www.experian.com
- TransUnion Security Freeze, P.O. Box 160, Woodlyn, PA 19094, www.transunion.com
- Equifax Security Freeze, P.O. Box 105788, Atlanta, GA 30348, www.equifax.com
You will need to supply your name, address, date of birth, Social Security number and other personal information. After receiving your freeze request, each credit bureau will provide you with a unique personal identification number or password. Keep the PIN or password in a safe place. You will need it if you choose to lift the freeze.
Lifting a Credit or Security Freeze
It is important to point out that if you freeze your credit and you want to obtain a loan or open a new account, you will need to un-freeze your credit so that the bank can access your credit history in order to make a loan decision. This may require logging in to each of the three major credit reporting agencies’ websites and removing the credit freeze. A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, then the bureau must lift the freeze no later than three business days after getting your request.
Banker Cybersecurity Resources
Bankers looking for cybersecurity resources may want to look at the FDIC’s Cybersecurity Resources webpage (click here to view). In addition, the FDIC’s Information Technology and Cybersecurity webpage includes a helpful list of key laws and regulations that pertain to FDIC-supervised institutions and supervisory resources—click here to view. National banks and federal savings associations may want to look at the OCC’s Bank Information Technology Issuances webpage—click here to view.
Notification to federal banking regulators
Both state and federally chartered financial institutions should be familiar with the Joint Federal Banking Agency Final Rule—Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers—click here to view. If a state or federally chartered bank, savings bank or holding company has a suspicion that it may be affected, it is required to notify its federal regulator. According to the regulation, financial institutions must provide notice to their federal regulator as soon as possible and no later than 36 hours after the financial institution determines that a notification incident has occurred. See 12 CFR 304.23; 12 CFR 53.3; or 12 CFR 225.302.
Here are the definitions contained in the regulations for the terms “notification incident” and “computer-security incident.” Links to the regulations are included below.
A “notification incident” is a defined term, which means a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—
(i) Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business;
(ii) Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or
(iii) Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
See 12 CFR 304.22(b)(7); 12 CFR 53.2(b)(7); or 12 CFR 225.301(b)(7).
A “computer-security incident” is also a defined term and means an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
See 12 CFR 304.22(b)(4); 12 CFR 53.2(b)(4); or 12 CFR 225.301(b)(4).
The FDIC also issued a Financial Institution Letter in connection with the final rule for FDIC-supervised institutions. Click here to see FIL 74-2021, Computer Security Incident Notification Final Rule.
Notification to bank customers
The Interagency Guidelines Establishing Information Security Standards provide requirements for when a bank must notify its customers about a data breach. The interagency guidelines also discuss affected customers, content of customer notice and delivery of customer notice. Click here to see Supplement A to Appendix B to Part 364 Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice.
Here is pertinent language from Supplement A to Appendix B to Part 364 of the Interagency Guidelines which provides that if the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible:
III. Customer Notice
A. Standard for Providing Notice
When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. Customer notice may be delayed if an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay. However, the institution should notify its customers as soon as notification will no longer interfere with the investigation.
1. Sensitive Customer Information
Under the Guidelines, an institution must protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of this guidance, sensitive customer information means a customer's name, address or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.
FDIC Information Technology Contact
If your bank would like to speak with a regulator about regulations pertaining to banks and data breaches, Matt Cheney with the FDIC is someone that you can contact. Here is his contact information:
FDIC IT Examination Specialist in the Division of Risk Management Supervision
Dallas Regional Office
600 North Pearl Street, Suite 700
Dallas, Texas 75201
Office: (972) 761-2032
Louisiana Database Security Breach Notification Law
On the state level, we have the Louisiana Database Security Breach Notification Law, R.S. 51:3071, et seq. Click here to see R.S. 51:3071 et seq. This is a broad law that covers any person that conducts business in the state or that owns or licenses computerized data that includes personal information, or any agency that owns or licenses computerized data.
Note: There is a safe harbor provided in Section 3076 for financial institutions who are subject to and in compliance with certain Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. Click here to see R.S. 51:3076.
Bank Cyber Insurance
If a bank has a suspicion that it may be affected, it should notify its cyber insurance carrier of a potential breach.
Bankers should also consider discussing the MOVEit data breach with their third-party vendors to determine whether there are any potential issues.
LBA Complimentary Webinar
The LBA has scheduled a complimentary member webinar on cybersecurity and data breaches titled, "The Rising Tide of Data Breaches," presented by J. T. Malatesta, partner with the law firm of Maynard Nexsen. J. T. practices in the areas of cybersecurity and privacy law. The webinar will be held Aug. 18, 2023, from 10-11 a.m. We will be releasing information about it soon—check the LBA's online education calendar for more information and to register.