I’ve mentioned before that financial institutions would be wise to use news reports of security incidents as “what if” table-top training exercises. Here is another one that just occurred a couple of days ago:
- You receive a subpoena from a government agency requesting financial information on several customers. The subpoena includes names and social security numbers for the customers involved.
- You determine that information disclosure is necessary and appropriate in this case, and you provide the information.
- You send a letter to each affected customer explaining the reasons for the disclosure, as well as what information was disclosed.
- You include a copy of the original subpoena in the letter to the affected customers in its original form, including the names and social security numbers of all of the affected customers. In other words, you did not redact the information pertaining to everyone other than the intended recipient of each letter; every affected customer received everyone else's information in addition to their own.
- Does this qualify as a “security incident” as defined by your Incident Response Plan? It is clearly not an intrusion, but it does qualify as an irregular or adverse event that negatively impacts the confidentiality of customer non-public information.
- Is customer or regulator notification required? To answer this question, first answer the following: “Has misuse of non-public information occurred, or is it reasonably possible that misuse could occur?” If the answer is “yes”, customer and regulator notification is required, along with credit monitoring services, ID theft insurance, credit freeze activation, and any other remedies that the law and your policies require.
- Is a Suspicious Activity Report filing required? (Perhaps not, but I would err on the side of caution.)
- What, if anything, would we do differently? Under what exact circumstances will we disclose customer NPI? If disclosed, will we notify the affected customer? What are the legal implications?
Use these real-world examples to fine-tune your incident management policies and procedures. Perhaps they will prevent you from becoming someone else’s training exercise!