Unnecessary notifications

In an effort to curb identity theft, bank regulators want to require banks to notify their customers when hackers invade computer systems. The rule, released Tuesday for public comment, is similar to a recently enacted California law that requires businesses in that state to notify customers of an electronic security breach.

The rule would require banks to alert customers if a computer hacker, bank employee or other individual illegally obtains sensitive financial information, such as Social Security numbers, personal identification numbers, passwords or account numbers. Banks would also be required to tell customers how to protect themselves from identity theft.

In addition to reporting cybertheft, banks would be required to notify customers if:

• Equipment or electronic media containing customer information is stolen.
• The bank fails to properly dispose of customer records.
• Someone gains illegal access to customer information through a company that provides services to the bank.

Before a final rule is adopted, regulators will have to decide what constitutes a genuine security breach, says George French, a deputy director at the Federal Deposit Insurance Corp. Requiring banks to notify customers at the slightest hint of a problem could result in unnecessary notifications that would alarm customers and eventually lose their effectiveness, he says. At the same time, "We don't want to wait until it's too late and the damage has been done," he says.