The FDIC decision comes at a time when lawmakers in Washington are mulling legislation that could force companies to disclose material breaches of customer information, and follows in the wake of several highly publicised consumer privacy breaches.
These include the loss of backup tapes containing the credit card information of 1.2 million federal workers by Bank of America; the loss of 145,000 customers' personal information to identity thieves at data broker ChoicePoint; and the disclosure from LexisNexis, a compiler of legal and consumer information, that the social security numbers, names and addresses of 30,000 people may have been stolen.
The FDIC proposal is somewhat similar to California's Information Practice Act, which mandates public disclosure for companies that have exposed California residents to privacy breaches.
"The FDIC ruling, if approved by the Federal Reserve, could cause a significant increase in identity theft disclosures," said Jim Stickley, Chief Technology Officer for security software firm TraceSecurity. "Today, most large-scale identity thefts go unreported, either because the bank wants to avoid tarnishing their reputation or because they are simply unaware of the breaches."
"There's no single silver bullet that can eliminate identity theft," he warned. "Based on our experience, the banks that do the best job of protecting their customers' information are the banks that view information security not as a static one-time fix, but as a regularly monitored business process that requires continuous improvement."
Identity theft is an increasing problem for both banks and for consumers.
Earlier this month, UK consumer group Which? released a survey showing that one quarter of UK adults have had their identity stolen or know someone who has been a victim of ID fraud. And today, security firm Symantec released a report stating that, by the end of December 2004, its Brightmail AntiSpam anti-fraud filters were blocking an average of 33 million phishing attempts per week, up from an average of 9 million per week in July 2004.