At a minimum, the response program should contain procedures for the following:
• Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
• Notifying the bank’s primary Federal regulator as soon as possible when the bank becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below;
• Consistent with the Agencies’ Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;
• Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
• Notifying customers when warranted.
Where an incident of unauthorized access to customer information involves customer information systems maintained by the bank’s service providers, the bank shall notify the customers and its regulator. However, the bank may authorize or contract with its service provider to notify its customers or regulator on its behalf.