FIRMA April 2010 DATA BREACHES & PRIVACY Christine M. Farquhar Managing Director, Compliance J.P. Morgan U.S. Private Banking


Page 1: Title slide

Page 2:

Introduction:

Not only are we mandated to design, implement and maintain safeguards to protect client information, but keeping client information private and secure is vital to our businesses.

In the case of private banking, the use of the word “private” is not coincidental. Maintaining trust and confidentiality is equally important.

• How do financial institutions achieve these regulatory requirements and honor client expectations?

• When there is a breach of confidential information, is your institution ready to appropriately respond as quickly as possible?

Page 3:

Preserving Client Confidentiality within and outside your organization

To keep client information under physical, electronic and procedural controls . . .

• Do your affiliates perform services for the benefit of your clients?
  • Do you have control around how affiliates access your client information?
  • Is staff dedicated to serving your client base within your affiliates?
    • Dedicated office space—no space sharing with other lines of business without specific approval and training for personnel
    • Dedicated printers/faxes/files
  • Are there “ring-fences” around your technology? If not, how are you vetting access?
    • Consider confidentiality agreements for those people with access to your systems that are not dedicated solely to your clients
    • Place “entitlements” on technology access

• Do your contracts with third-party providers address client confidentiality?
  • Client information given over to them should be used solely for the stated contractual purposes
  • Do your third-party providers have well-defined privacy practices?

• Have you adopted internal policies and procedures around preserving client confidentiality?
  • Make sure your personnel are aware of them
  • Examples:
    • Written procedures for the transportation of paper containing confidential information
    • Policies around technology access—who monitors and approves access to your systems
    • Clean desk policies

Page 4:

Educating your personnel

• Ongoing training—for example, mandatory annual privacy training
• Periodic reminders—complements formal training efforts
  • Examples:
    • Protecting client information in e-mails
    • Never share passwords to your systems
• At every opportunity, stress the importance of your privacy practices

Even when every reasonable precaution is taken and you have made every effort to educate your staff and your clients about safeguarding information, breaches can happen . . .

Page 5:

Privacy Breaches

Some background:

• Data Protection/Breach—Interagency Guidelines: Requires financial institutions to establish response programs for unauthorized access to customer information:
  • Applies to consumers only
  • Applies to paper as well as computer-based information
  • Applies to information held in foreign countries
  • Must identify and assess breach of information
  • Must notify federal regulator if “sensitive” information involved
  • Must notify law enforcement and file SAR if crime involved
  • Must notify consumer customer if sensitive information is, or could possibly be, misused

• “Sensitive information” means:
  • ID information in conjunction with SSN or account numbers, or
  • Any combination of information that would allow access to a customer's account, e.g., name and password or PIN

Page 6:

Privacy Breaches

Considerations from the States:

• Many states, the District of Columbia and Puerto Rico have enacted laws that require the establishment of response programs for unauthorized access to customer information

• Similar to Federal Guidance but some state laws have these differences:
  • Applies only to computer information (a few states apply to paper too)
  • Must notify state Attorney General or other agency rather than law enforcement
  • Must notify customer regardless of whether information is, or could possibly be, misused (a few states have a risk of harm standard)
  • Specify fines and/or penalties for violations

Page 7:

An organized approach to responding to privacy breaches

• Establish an umbrella Privacy Office or designated contact that is ultimately responsible for creating standards and guidelines for use by your institution when dealing with breaches

• Establish escalation points within the various areas of your firm

• Form “Incident Response Teams” with legal, compliance and/or risk representation
  • Incident Response Teams can serve as a control around proper escalation and response, including any required response to clients or reporting to regulatory agencies.

• Adopt the use of an “Incident Report Form”
  • Gives your folks a tool to report breaches effectively. Can include:
    • name and contact information of the person reporting the incident
    • description of the incident with enough detail to allow an investigation—date and time of the incident, when discovered, by whom, etc.
    • Where did it occur—Country/City, etc.
    • A description of the information involved
    • Were third parties or outside service providers involved

Page 8:

An organized approach . . .

• Required elements of notification
  • When sensitive information has been breached, notification must include:
    • a description of the incident,
    • what your institution has done to protect client information from further unauthorized access,
    • a phone number for further information, and
    • a reminder that clients should be vigilant over the next 12-24 month period and that they should promptly report incidents of suspected ID theft
  • Consider including in the notification:
    • recommend clients review account statements for suspicious activity
    • describe fraud alerts and explain how to place alerts on their consumer credit reports
    • recommend they obtain periodic credit reports from a nationwide reporting agency

• Credit Monitoring
  • Consider offering credit monitoring services or providing clients with the name of a credit monitoring service they can contact on their own.

Page 9:

THE MODEL PRIVACY FORM

• In October 2009, the Agencies adopted new model privacy notification forms – the Model Forms.

• Standardized--page layout, content, format, style, pagination, and shading are prescribed. Only certain fields may include variable text.

• Address information sharing and non-sharing practices.
  • May require an “opt-out” depending on how sharing reasons are answered.
  • Did not generally contemplate private banking

• The Federal Regulators launched an “online form builder”
  • Since you have little latitude to change it, the form builder is quite useful

• While the Agencies have indicated that use of the Model Forms is voluntary, a financial institution that does NOT choose to use the Model Forms may:
  • Receive new and enhanced scrutiny, as to format as well as content, from Agency examiners;
  • Lose its safe harbor;
  • Appear different from other firms--consumers will not be able to do the simple comparison of privacy practices the Agencies were seeking;
  • Find itself a focus of media and consumer advocates critical of different forms.