I. Introduction These Interagency Guidelines Establishing Information
Security Standards (guidelines) set forth standards pursuant to sections
501 and 505 of the Gramm-Leach-Bliley Act (15 USC 6801 and 6805),
in the same manner, to the extent practicable, as standards prescribed
pursuant to section 39 of the Federal Deposit Insurance Act (12 USC
1831p-1). These guidelines address standards for developing and implementing
administrative, technical, and physical safeguards to protect the
security, confidentiality, and integrity of customer information.
These guidelines also address standards with respect to the proper
disposal of consumer information by or on behalf of such entities.
A. Scope The guidelines apply to customer information maintained
by or on behalf of state member banks (banks) and their nonbank subsidiaries,
except for brokers, dealers, persons providing insurance, investment
companies, and investment advisors. Pursuant to sections 211.9 and
211.24 of this chapter, these guidelines also apply to customer information
maintained by or on behalf of Edge corporations, agreement corporations,
and uninsured state-licensed branches or agencies of a foreign bank.
These guidelines also apply to proper disposal of consumer information
by or on behalf of such entities.
B. Preservation of Existing Authority Neither section 39 nor these guidelines
in any way limit the authority of the Board to address unsafe or unsound
practices, violations of law, unsafe or unsound conditions, or other
practices. The Board may take action under section 39 and these guidelines
independently of, in conjunction with, or in addition to, any other
enforcement action available to the Board.
C. Definitions 1. Except as modified in the guidelines, or unless the context otherwise
requires, the terms used in these guidelines have the same meanings
as set forth in sections 3 and 39 of the Federal Deposit Insurance
Act (12 USC 1813 and 1831p-1).
2. For purposes
of the guidelines, the following definitions apply.
a. Board of directors, in the case
of a branch or agency of a foreign bank, means the managing official
in charge of the branch or agency.
b. Consumer information means any
record about an individual, whether in paper, electronic, or other
form, that is a consumer report or is derived from a consumer report
and that is maintained or otherwise possessed by or on behalf of the
bank for a business purpose. Consumer information also means a compilation
of such records. The term does not include any record that does not
identify an individual.
i. Examples.
(1) Consumer information includes—
(A) a consumer report that a bank obtains;
(B) information from a consumer report that
the bank obtains from its affiliate after the consumer has been given
a notice and has elected not to opt out of that sharing;
(C) information from a consumer
report that the bank obtains about an individual who applies for but
does not receive a loan, including any loan sought by an individual
for a business purpose;
(D) information from a consumer report that the bank obtains about
an individual who guarantees a loan (including a loan to a business
entity); or
(E) information
from a consumer report that the bank obtains about an employee or
prospective employee.
(2) Consumer information does
not include—
(A) aggregate information, such as the mean
credit score, derived from a group of consumer reports; or
(B) blind data, such as payment
history on accounts that are not personally identifiable, that may
be used for developing credit scoring models or for other purposes.
c. Consumer report has the same meaning as set forth in the
Fair Credit Reporting Act, 15 USC 1681a(d).
d. Customer means any customer of
the bank as defined in section 1016.3(i) of this chapter.
e. Customer information means any record containing nonpublic personal information, as defined
in section 1016.3(p) of this chapter, about a customer, whether in
paper, electronic, or other form, that is maintained by or on behalf
of the bank.
f. Customer
information systems means any methods used to access, collect,
store, use, transmit, protect, or dispose of customer information.
g. Service provider means any person or entity that maintains, processes, or otherwise
is permitted access to customer information or consumer information
through its provision of services directly to the bank.
h. Subsidiary means
any company controlled by a bank, except a broker, dealer, person
providing insurance, investment company, investment advisor, insured
depository institution, or subsidiary of an insured depository institution.
II. Standards for
Information Security A. Information Security Program Each bank shall implement a comprehensive written
information security program that includes administrative, technical,
and physical safeguards appropriate to the size and complexity of
the bank and the nature and scope of its activities. While all parts
of the bank are not required to implement a uniform set of policies,
all elements of the information security program must be coordinated.
A bank also shall ensure that each of its subsidiaries is subject
to a comprehensive information security program. The bank may fulfill
this requirement either by including a subsidiary within the scope
of the bank’s comprehensive information security program or by causing
the subsidiary to implement a separate comprehensive information security
program in accordance with the standards and procedures in sections
II and III of this appendix that apply to banks.
B. Objectives A bank’s information security program shall be designed to—
1.
ensure
the security and confidentiality of customer information;
2.
protect against any anticipated threats or hazards to the security
or integrity of such information;
3.
protect
against unauthorized access to or use of such information that could
result in substantial harm or inconvenience to any customer; and
4.
ensure the proper disposal of customer information and consumer
information.
III. Development and
Implementation of Information Security Program A. Involve the Board of Directors The board of directors or an appropriate
committee of the board of each bank shall—
1.
approve
the bank’s written information security program; and
2.
oversee
the development, implementation, and maintenance of the bank’s information
security program, including assigning specific responsibility for
its implementation and reviewing reports from management.
B. Assess Risk Each bank shall—
1.
identify
reasonably foreseeable internal and external threats that could result
in unauthorized disclosure, misuse, alteration, or destruction of
customer information or customer information systems;
2.
assess
the likelihood and potential damage of these threats, taking into
consideration the sensitivity of customer information; and
3.
assess
the sufficiency of policies, procedures, customer information systems,
and other arrangements in place to control risks.
C. Manage and
Control Risk Each bank shall—
1.
Design
its information security program to control the identified risks,
commensurate with the sensitivity of the information as well as the
complexity and scope of the bank’s activities. Each bank must consider
whether the following security measures are appropriate for the bank
and, if so, adopt those measures the bank concludes are appropriate:
a.
access
controls on customer information systems, including controls to authenticate
and permit access only to authorized individuals and controls to prevent
employees from providing customer information to unauthorized individuals
who may seek to obtain this information through fraudulent means
b.
access
restrictions at physical locations containing customer information,
such as buildings, computer facilities, and records storage facilities
to permit access only to authorized individuals
c.
encryption
of electronic customer information, including while in transit or
in storage on networks or systems to which unauthorized individuals
may have access
d.
procedures designed to ensure that customer information system modifications
are consistent with the bank’s information security program
e.
dual
control procedures, segregation of duties, and employee background
checks for employees with responsibilities for or access to customer
information
f.
monitoring systems and procedures to detect actual and attempted
attacks on or intrusions into customer information systems
g.
response programs that specify actions to be taken when the bank
suspects or detects that unauthorized individuals have gained access
to customer information systems, including appropriate reports to
regulatory and law enforcement agencies
h.
measures
to protect against destruction, loss, or damage of customer information
due to potential environmental hazards, such as fire and water damage
or technological failures
2.
Train
staff to implement the bank’s information security program
3.
Regularly
test the key controls, systems and procedures of the information security
program. The frequency and nature of such tests should be determined
by the bank’s risk assessment. Tests should be conducted or reviewed
by independent third parties or staff independent of those that develop
or maintain the security programs.
4.
Develop, implement, and maintain, as part of its information security
program, appropriate measures to properly dispose of customer information
and consumer information in accordance with each of the requirements
in this paragraph III.
D. Oversee
Service Provider Arrangements Each bank
shall—
1.
exercise
appropriate due diligence in selecting its service providers;
2.
require
its service providers by contract to implement appropriate measures
designed to meet the objectives of these guidelines; and
3.
where
indicated by the bank’s risk assessment, monitor its service providers
to confirm that they have satisfied their obligations as required
by paragraph D.2. As part of this monitoring, a bank should review
audits, summaries of test results, or other equivalent evaluations
of its service providers.
E. Adjust the
Program Each bank shall monitor, evaluate,
and adjust, as appropriate, the information security program in light
of any relevant changes in technology, the sensitivity of its customer
information, internal or external threats to information, and the
bank’s own changing business arrangements, such as mergers and acquisitions,
alliances and joint ventures, outsourcing arrangements, and changes
to customer information systems.
F. Report to the Board Each bank shall report to its board or an appropriate
committee of the board at least annually. This report should describe
the overall status of the information security program and the bank’s
compliance with these guidelines. The reports should discuss material
matters related to its program, addressing issues such as risk assessment;
risk management and control decisions; service-provider arrangements;
results of testing; security breaches or violations and management’s
responses; and recommendations for changes in the information security
program.
G. Implement
the Standards 1. Effective date. Each bank must implement
an information security program pursuant to these guidelines by July
1, 2001.
2. Two-year
grandfathering of agreements with service providers. Until July
1, 2003, a contract that a bank has entered into with a service provider
to perform services for it or functions on its behalf satisfies the
provisions of section III.D., even if the contract does not include
a requirement that the servicer maintain the security and confidentiality
of customer information, as long as the bank entered into the contract
on or before March 2, 2001.
3. Effective date for measures relating to the
disposal of consumer information. Each bank must satisfy these
Guidelines with respect to the proper disposal of consumer information
by July 1, 2005.
4. Exception
for existing agreements with service providers relating to the disposal
of consumer information. Notwithstanding the requirement in paragraph
III.G.3., a bank’s contracts with its service providers that have
access to consumer information and that may dispose of consumer information,
entered into before July 1, 2005, must comply with the provisions
of the guidelines relating to the proper disposal of consumer information
by July 1, 2006.
Supplement
A—Interagency Guidance on Response Programs for Unauthorized Access
to Customer Information and Customer Notice 12 CFR 208, appendix D-2.