Topic: Cybersecurity
-
A bug in our online banking system allowed one customer to view another customer’s account history. Do we need to notify the customer of the breach?
—
We believe that the situation you described would constitute a data breach that would necessitate disclosure under the Personal Information Protection Act, which would have to include “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that…
-
Do any laws require us to hold signature cards for dormant accounts under dual control in safe deposit boxes, or is this a bank policy decision?
—
We are not aware of any laws that would require the bank to hold signature cards for dormant accounts in dual control safety deposit boxes. While the Banking Act mandates the Commissioner of Banks to promulgate record retention rules, no such rules have been published. 205 ILCS 5/48.6. And the federal agencies’ Interagency Guidelines Establishing…
-
Can we allow administrative personnel and registered securities representatives to access bank core systems?
—
Administrative employees and registered securities representatives may be allowed to access some aspects of core data processing, but their access should be strictly limited to what is needed to perform their jobs for the bank. The FFIEC’s IT Examination Handbook is an excellent guide for data processing system access questions. The “Access Control” section states…