Infotech and the Law: New data regulations guard against more than identity theft

Identity theft, as a subset of a wide-ranging debate on electronic data privacy and security, is a hot topic after recent admissions by banks, credit data aggregators and retail chains that they unintentionally had disclosed large numbers of personal financial records.The Federal Trade Commission estimates that in 2002, nearly 10 million Americans were victims of some form of identity theft. (FTC Identity Theft Survey Report, September 2003, http://www.ftc.gov/os/ 2003/09/synovatereport.pdf)Consumer financial institutions, such as banks, thrifts and credit card companies, have long had regulations governing their responsibility to maintain the security of their customers' personal financial information. Those regulations have been extended to a host of those institutions' service providers that previously were not required to maintain data security or make disclosures when customer financial information was lost or stolen.In a recent joint action, the Federal Reserve, Federal Deposit Insurance Corp. and the Treasury Department, which together regulate all federally charted financial institutions, have required the institutions to exert tighter control over customer financial data and have extended that duty to every entity that collects, maintains or processes that data in providing service to an institution.This means that many entities that do facilities and systems management, information processing, software development and maintenance, data transmission or provide other outsourcing services for the institutions now will be covered by the same security regulations.The new regulations will require service providers -- and through those service providers, their vendors and subcontractors -- to ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to the security or integrity of such information; and protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any bank customer.To meet these requirements, banks and their service providers must do a comprehensive assessment of foreseeable risks to data security, then design programs to address those risks, including providing access controls on customer information systems and background checks for employees with responsibilities for access to customer information. They also must identify specific actions they will take in the event of unauthorized access to customer information systems.The regulated institutions are required to ensure, through contracts with their service providers, that the service providers comply with the requirements imposed by regulation on the financial institutions.Service providers must implement their own comprehensive information security programs in accordance with federal standards if they are to continue to offer products and services to the regulated institutions. If current contracts between institution and service provider do not provide the necessary protection to the institution's customers, the institution can be expected to seek amendment to the deficient agreements.Any information systems integrator, outsourcing contractor or other service provider that counts financial institutions among its customers needs to be aware of the obligations imposed by these new regulations. Liability for failure to adequately protect customer financial information is becoming an increasingly more serious risk. Taking adequate steps to comply with the requirements will be essential to maintaining customer relationships with financial institutions.In addition, the financial institution regulations are a wake-up call for information service providers working with other regulated industries trading in sensitive personal or customer data. Federal regulators can and will reach out indirectly to those who touch that data to protect privacy or in the interests of domestic security.Jonathan Cain is a member of the law firm Mintz Levin Cohn Ferris Glovsky & Popeo PC in Reston, Va. The opinions expressed in this article are his. He can be reached by e-mail at jcain@mintz.com.