Communication Guidelines for Lyons Commercial Data Response to a Data Breach
The Patriot Act, which amends the Bank Secrecy Act (BSA), was adopted in response to the September 11, 2001 terrorist attacks. The Patriot Act is intended to strengthen U.S. measures to prevent, detect, and prosecute international money laundering and the financing of terrorism. These efforts include anti-money laundering (AML) tools that impact the banking, financial, and investment communities. An AML Program must be in writing and must include:
Open, Honest and Transparent Prevention and Response:
Lyons Commercial Data has an ongoing PCI DSS compliance program and regular certified security assessments. The PCI DSS is a security standard developed by the Payment Card Industry Security Standards Council to help create and promote consistent data security measures and prevent fraud. The standard is designed to help companies proactively protect customer data and includes requirements for security management, policies, procedures, software design, network architecture and other critical protective measures. Although no formula can account for the many variations and circumstances that may be involved in individual data breaches, our approach is to respond rapidly, assemble the correct information, and be honest, open, transparent and accountable through timely communication with partners, their customers, and other important audiences.
Detection, Investigation and Escalation:
Lyons Commercial Data asks its partners and customers to provide immediate notice if there is reason to believe a data breach may have occurred. If a data breach is known or suspected, Lyons Commercial Data and its affected originators and/or third-party service providers will promptly investigate to determine (i) whether a data breach has actually occurred, (ii) the scope of the data breach, including the type and amount of data affected, (iii) the risk that the affected data will be misused, and (iv) what steps are necessary to prevent further unauthorized access to Data.
Notification of Breach:
Lyons Commercial Data will provide the following findings concerning the data breach incident:
- Approximate cause(s) of the breach incident
- Approximate date of the breach incident
- The extent of data exposed
- Steps taken or in progress
- Other relevant findings, including any mitigating factors
Timeframe to Notify:
Lyons Commercial Data will take appropriate steps to provide initial notice to partners and their customers and each affected source as soon as reasonably possible. Lyons Commercial Data need not wait to complete its investigation before providing initial notice if sufficient information has been elicited (i) to conclude that a data breach likely occurred and that misuse of Data is reasonably possible and (ii) to allow Lyons Commercial Data to take meaningful action in response to such notice. Notice may be required to be limited or delayed if disclosure of the information to partners and their customers would impede an ongoing criminal investigation.
Policy Revisions and Updates:
It is Lyons Commercial Data’s goal to maintain a best practices approach to data security and communication with our customers. This policy is not a legal contract and may be modified and updated by Lyons Commercial Data in response to changing law, industry practice, or established public policy.