Curious to know others' opinions regarding encrypted data and the new guidance that was just issued. For example, if a laptop was taken, but all of the data contained on it was encrypted, would you still consider this as unauthorized access for purposes of this guidance? (assuming NPPI was contained on the laptop)

From the final guidance:

"...the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible."

It's a bit of a grey area. It's pretty much a matter of if the folks who currently have possession of the laptop are cabable of breaking the encryption, or otherwise find a way of stripping the data from the hard drive. I think contacting your regulator and asking them what their opinion is might be wise.

I agree with Czar. We see this kind of grey area all the time. At the same time, I know some banks don't like talking to their regulators because they fear such an inquiry could be used against them during an exam. I would say, call your regulator any way...it's better to have your answers now than worry about explanations later.