Privacy Laws
First, we disagree with your customer that responding to a subpoena with financial information violated your customer’s privacy rights. Both Illinois and federal privacy laws include exceptions for responding to subpoenas with customers’ financial information. Under Regulation P, a financial institution may disclose a customer’s information “to comply with a properly authorized . . . subpoena.” 12 CFR 1016.15(a)(7)(ii). Similarly, under the Illinois Banking Act, a financial institution may disclose information in response to a “lawful subpoena.” 205 ILCS 5/48.1(d).
Note that the Illinois Banking Act requires that a financial institution mail a copy of the subpoena “to the person establishing the relationship with the bank, if living, and, otherwise his personal representative, if known, at his last known address by first class mail, postage prepaid, unless the bank is specifically prohibited from notifying the person by order of court or by applicable State or federal law.” 205 ILCS 5/48.1(d). Financial institutions must mail a copy of the subpoena before responding to the subpoena, as the law states that “[a] bank shall disclose records . . . under a lawful subpoena . . . only after the bank mails a copy of the subpoena . . . .” However, at least two cases have held that this section of the law does not create a private right of action for customers to claim that their privacy rights have been harmed. CSY Liquidating Corp. v. Harris Trust & Sav. Bank, 162 F.3d 929, 931 (7th Cir. 1998); Stern v. Great W. Bank, 959 F.Supp. 478, 485 (N.D. Ill. 1997).
Also, though your customer cited the Right to Financial Privacy Act, we do not believe that law would apply to this issue. That law governs a customer’s rights as to requests for financial information from governmental entities, but it would not apply to a dispute between private parties. See 12 USC 3402.
Data Breach Laws
We do not believe that responding to a lawful subpoena would be considered a data breach, either under Illinois or federal law. Of course, we recommend following your internal policies and procedures as to when an incident response is necessary, but we are not aware of any legal requirements that would require you to report a contested subpoena response as a data breach.
We do not believe that your institution’s response to a lawful subpoena would be considered a data breach under the Illinois law on data breaches, the Personal Information Protection Act. The law defines “breach” as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information . . . .” 815 ILCS 530/5. Because your bank was responding to a subpoena, there was no unauthorized acquisition of your customer’s personal information. (You could also argue that the subpoena did not involve any “computerized data.”)
Similarly, the federal data breach requirements apply only to “unauthorized” access to customer information. The federal regulators’ Interagency Guidelines Establishing Information Security Standards require each financial institution to “address incidents of unauthorized access to customer information.” Again, because there was no unauthorized acquisition of your data, we don’t believe that any federal guidelines would require you to report a data breach.