Data Breach Reporting Requirements Under Sarbanes-Oxley
One mildly consoling thought for bank fraud prevention managers is that the loss of customer data does not necessarily jeopardize the integrity of the institution’s financial statements. Accordingly, a data security breach does not necessarily force your bank into Sarbanes-Oxley reporting difficulties. Or does it?
The risk-based approach to data breach notification adopted by federal bank regulators and favored by a presidential task force would be the best standard on which Congress could base a national notification requirement, according to the General Accountability Office.
Federal Regulations and Clearinghouse Rules Can Alter the Midnight Deadline
The midnight deadline requires a bank to dishonor a check before midnight on the next banking day following the banking day on which the bank receives the check. See UCC 4-301(a). If the bank fails to act before the deadline, the bank is liable for the amount of the check. The Expedited Funds Availability Act and accompanying Regulation CC, as well as clearinghouse rules, can alter the deadline for returning a dishonored check, however. A Utah decision illustrates.
Community Banks Must Focus on a Multi-Layered Defense
The risk landscape for the U.S. financial institutions industry is not likely to improve significantly over the next several years. Social-engineering scams executed through malicious Web sites, electronic greeting cards, and other commonplace and overly trusted technologies have proven to be immensely successful as an attack strategy for cyber thieves. Until bank employees and customers become significantly more knowledgeable about malicious hacking techniques, these attacks will continue to escalate in both volume and intensity.