Topic: Cybersecurity
-
Are banking personnel required to take off work for five consecutive days? We would like to remove this requirement from our HR handbook. Also, since our employees can access our system remotely, many sign in even when on vacation to check their email or look something up. How would this impact a requirement to take off work?
—
We are not aware of any law or regulation requiring bank employees or officers to take vacation, but the federal banking agencies continue to recommend that bank employees take at least two consecutive weeks of vacation each year — along with several alternative recommendations, from rotating duties to having your board of directors review and…
-
If we discover that one of our ATMs has a skimming device, what is our potential liability? Would we have some sort of mass liability outside of fraudulent charges on our customers’ cards? We have upgraded our ATMs to accept chip cards.
—
It theoretically is possible that ATM users would sue your bank after a data breach stemming from a skimmer installed on one of your ATMs, but it is difficult to predict the chances of such a lawsuit hitting your bank, not to mention estimating the potential liability and costs. (An ATM skimmer is a device…
-
In a third-party vendor contract, we want to require the vendor to notify us of data breaches within 24 hours. However, the vendor told us that there is no regulation or regulatory guidance that requires a 24-hour turnaround time for reporting incidents. Do you know of any regulatory guidance that imposes a specific time frame for a vendor to report data breach incidents to us? If so, what verbiage is required?
—
No, we are not aware of any guidance that imposes a specific time frame for a vendor to report a data breach to your financial institution. The Interagency Guidance regarding unauthorized access to customer information requires third party service providers to notify a financial institution “as soon as possible” after a data breach. However, the…
-
May a customer use online banking to transfer from a HELOC or line of credit to the customer’s checking account?
—
Yes, your bank may choose to permit customers to transfer line of credit or home equity line of credit (HELOC) disbursements into their checking or other deposit accounts using online banking. We are not aware of any Illinois or federal law that would prohibit or restrict this practice. However, we note that this practice can…
-
We are implementing a new online loan application system. When we send a confirmation email to online applicants, do we have to send that through a secure email program?
—
We believe that the automatic email sent to online loan applicants should be sent through the bank’s secure, encrypted email system. In our view, the emails would contain enough information about the customer to justify the added protection; even the fact that someone applied for a loan for the bank would be considered “personally identifiable…
-
Does the Gramm-Leach-Bliley Act (GLBA) require that appraisal firms email appraisals only by encrypted email?
—
We believe that federal and Illinois privacy requirements would require the encryption of appraisals only if the appraisal document contains “sensitive customer information” or “personal information.” While some appraisal reports may contain customer names and account numbers, others may contain no customer information at all. For example, we spoke to MountainSeed Appraisal Management, an appraisal…