Yes, both Illinois law and federal guidelines on data breach notifications require you to notify the affected customers. The specifics on the notification requirements are described below (note that nothing in either the Illinois law or federal guidelines prevents you from providing one notice that meets both laws’ requirements).
State Law Requirements
The situation you described would constitute a data breach necessitating disclosure under the Personal Information Protection Act (“PIPA”). The PIPA requires you to notify affected customers of a data breach if the breach “compromises the security, confidentiality, or integrity” of a customer’s personal information. “Personal information” includes an individual’s name in combination with an account number, among other types of data, if that information was not encrypted. 815 ILCS 530/5.
Once an unauthorized individual has gained access to a customer’s personal information, that should be considered an “acquisition” of the data. Our law dictionary defines “acquisition” as “gaining of possession of control over something.” Black’s Law Dictionary 24 (7th ed. 1999). With online access to a customer’s account history, the unauthorized individual has inherently possession of the data, which would have been copied into the memory of the computer used to sign into the account. Note that the statute does not require that the unauthorized user intended to acquire the data in order for the acquisition to be considered a breach.
The PIPA notice must include: “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.” 815 ILCS 530/10(a). Importantly, the PIPA prohibits you from including in the notice “information concerning the number of Illinois residents affected by the breach.” 815 ILCS 530/10(a). The notice should be made in the “most expedient time possible” and “without reasonable delay.” 815 ILCS 530/10. If your institution has its own notification procedures as part of an information security policy, you may provide notifications in accordance with your own policies (provided that you comply with PIPA’s timing requirements), you will be deemed to be in compliance with PIPA’s notification provisions. 815 ILCS 530/10(d).
Federal Interagency Guidelines Establishing Information Security Standards
This situation also necessitates disclosure under the federal Interagency Guidelines Establishing Information Security Standards (“Guidelines”). The Guidelines require you to notify your regulator and the affected customers of a data breach when there has been unauthorized access to or use of “sensitive customer information,” as defined in the Guidelines. “Sensitive customer information” includes a customer’s name in conjunction with an account number, among other types of data. Because you have confirmed that the unauthorized access to names and account numbers occurred, the Guidelines require you to provide notification “as soon as possible.”
The Guidelines specifically state that you may limit the notification to those customers whose information was improperly accessed: “If a financial institution, based upon its investigation, can determine from its logs or other data precisely which customers’ information has been improperly accessed, it may limit notification to those customers with regard to whom the institution determines that misuse of their information has occurred or is reasonably possible.”
The contents of a data breach notification under the federal Guidelines extend beyond those in the Illinois law (PIPA):
Customer notice should be given in a clear and conspicuous manner. The notice should describe the incident in general terms and the type of customer information that was the subject of unauthorized access or use. It also should generally describe what the institution has done to protect the customers’ information from further unauthorized access. In addition, it should include a telephone number that customers can call for further information and assistance. The notice also should remind customers of the need to remain vigilant over the next twelve to twenty-four months, and to promptly report incidents of suspected identity theft to the institution. The notice should include the following additional items, when appropriate:
a. A recommendation that the customer review account statements and immediately report any suspicious activity to the institution;
b. A description of fraud alerts and an explanation of how the customer may place a fraud alert in the customer’s consumer reports to put the customer’s creditors on notice that the customer may be a victim of fraud;
c. A recommendation that the customer periodically obtain credit reports from each nationwide credit reporting agency and have information relating to fraudulent transactions deleted;
d. An explanation of how the customer may obtain a credit report free of charge; and
e. Information about the availability of the FTC’s online guidance regarding steps a consumer can take to protect against identity theft. The notice should encourage the customer to report any incidents of identity theft to the FTC, and should provide the FTC’s Web site address and toll-free telephone number that customers may use to obtain the identity theft guidance and report suspected incidents of identity theft.
The Guidelines include several other steps that should be considered in your data breach program:
a. Assessing the nature and scope of an incident, and identifying what customer information systems and types of customer information have been accessed or misused;
b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information [the term “sensitive customer information” is defined in the first paragraph under Federal Interagency Guidelines Establishing Information Security Standards above]
c. Consistent with the Agencies’ Suspicious Activity Report (“SAR”) regulations, notifying appropriate law enforcement authorities, in addition to filing a timely SAR in situations involving Federal criminal violations requiring immediate attention, such as when a reportable violation is ongoing;
d. Taking appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information, for example, by monitoring, freezing, or closing affected accounts, while preserving records and other evidence; and
e. Notifying customers when warranted.
In the present case, at a minimum, the above steps indicate to us that you should notify your primary federal regulator of the incidents, and you should take steps to ensure that use of the 00-0000000 TIN number by multiple customers will not cause future incidents of this nature.