The Gramm-Leach-Bliley Act of 1999 stepped up the requirements for banks to look after their customers' personal information. "Banks have data privacy requirements and safeguards requirements and have responsibilities to take various measures to protect their customers' data, both from external hacking and from internal malfeasance," says Satish Kini, a Washington-based partner at Goodwin Proctor LLP. "You audit and you attest to those programs on a regular basis."
"Does that mean a bank can prevent any outside person from hacking or prevent an insider person from committing a crime? No. You can just protect yourself as much as possible," he adds.
For those occasions where protection fails, banks can no longer pretend that it never happened. In addition to the ruling by U.S. banking regulators that breaches have to be made public, the U.S. Congress is considering several pieces of legislation that would require disclosure of security breaches across the entire chain of custody for customer data.
The alternative to a federal solution would be a patchwork of state-by-state legislation along the lines of the California Security Breach Information Act (SB 1386). "At one point, there were about 25 to 26 states considering similar legislation," says Kini.
Other provisions under consideration include requirements for credit agencies to freeze account opening for persons whose accounts have been breached and government-mandated standards for information retention, documentation and destruction.