March 20, 2005
The FDIC's five directors have voted to order banks to warn customers of suspected identity theft. The provision applies only to banks, not to data aggregators like ChoicePoint.
Under the FDIC's proposed new policy, banks would be required to notify customers when they detect unauthorized access to customer information and determine that there is a "reasonable possibility" that the information was or could be misused.
The changes have already been approved by the Office of the Comptroller of the Currency and the Office of Thrift Supervision. They must still be approved by the Federal Reserve Board.
The ruling follows several highly publicized consumer privacy breaches that were disclosed over the last few weeks, including the loss of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America; the loss of 145,000 customers' personal information to identity thieves at ChoicePoint, an aggregator and reseller of personal information; the loss and possible theft of customer credit card information from over 100 DSW Stores, a nationwide shoe retailer; and the disclosure from Lexis-Nexis, a compiler of legal and consumer information, that the Social Security numbers, names and addresses of 30,000 people may have been stolen by identity thieves.
Congress is mulling legislation that could extend the disclosure requirement to data aggregators like ChoicePoint.
The FDIC's proposal is similar to a California law that requires companies to notify consumers when their private data is inadvertently exposed to unauthorized users, although the FDIC's rule would apply only to banks.
Under the FDIC proposal, the notices would have to describe the incidents, detail measures taken to protect customers, provide phone numbers for further information, remind customers to be vigilant and describe how customers may put fraud alerts in their credit reports.
"The FDIC ruling, if approved by the Federal Reserve, could cause a significant increase in identity theft disclosures," said Jim Stickley, an internationally recognized banking security expert and the Chief Technology Officer for TraceSecurity, a security compliance software and services firm.
"Today, most large-scale identity thefts go unreported, either because the bank wants to avoid tarnishing their reputation or because they are simply unaware of the breaches," Stickley said. "Many banks employ archaic data privacy practices that haven't kept pace with the evolving threats. The exploits of identity thieves, however, which are often coordinated by international crime syndicates, have become increasingly creative and sophisticated."
"Many banks are caught in a catch-22 situation: Their customers are demanding greater online access to a broader range of financial services, yet as banks make their services available online to customers, they're also making them available to thieves," Stickley said.