The 5-0 vote by the agency's board of directors come in the wake of a flurry of announcements of the theft of personal data affecting hundreds of thousands of consumers.
The changes have won approval from the Office of the Comptroller of the Currency and Office of Thrift Supervision, and still require Federal Reserve Board approval. Fed spokesman Andrew Williams said the board is considering the matter.
Banks will be required to notify customers when they learn of unauthorized access to sensitive customer information and, after a reasonable investigation, determine the information was misused or there is a "reasonable possibility" of misuse.
The notices must describe the incidents, detail measures taken to protect customers, provide phone numbers for further information, remind customers to be vigilant and describe how customers may put fraud alerts in their credit reports.
Sensitive customer information is defined as a customer's name, address or phone number, in conjunction with his or her Social Security or driver's license numbers; account, credit or debit card numbers; or an identification number or password that would permit access to an account.
It also includes any combination of data that would allow a thief to access an account.
Obtaining Social Security numbers is often considered a key to identity theft scams involving banks, which regularly use the numbers as a unique way to identify customers.
Identity theft cost businesses $47.6 billion and consumers $5 billion in 2002, Federal Trade Commission estimates show.
Financial institutions regularly targeted by scammers include Citibank, Wells Fargo, Washington Mutual, U.S. Bank, SunTrust, and Capital One.
A common form of identity theft involving banks is "phishing," derived from the act of computer thieves who "fish" for private data.
Phishers typically tell prospective victims in e-mails that there is a problem with their accounts, and ask them to verify personal information through a link to a real-looking Web site. They e-mail either known customers of a particular bank, or many people with the hope of reaching actual bank customers.
Many phishing e-mails contain return addresses at sites such as Yahoo.com, or typographical or grammatical errors.
Among companies to have reported thefts of customer data this year are data brokers ChoicePoint Inc. and LexisNexis, a unit of Anglo-Dutch Reed Elsevier (ELSN.AS) (REL.L), as well as DSW Shoe Warehouse, a unit of Retail Ventures Inc.
Meanwhile, Bank of America Corp. the No. 3 U.S. bank, last month said computer tapes with credit card records of more than 1 million U.S. government employees were lost.
NOTE: For more telecom/internet/networking/computer news from the daily media, check out our feature 'Telecom Digest Extra' each day at
For more information go to: