Another bank informed us that its shredding vendor had lost a box of checks that included our customers’ checks. Are we required to notify our customers of the breach? – IBA Compliance Connection

We are not aware of any federal or Illinois laws that impose a duty of notification on a bank whose customers’ checks are lost by another financial institution.

Federal Law — Gramm-Leach-Bliley Act

Under the federal banking agencies’ Interagency Guidelines Establishing Information Security Standards, you should “develop and implement a risk-based response program to address incidents of unauthorized access to customer information.” However, the scope of “customer information” includes only information that is “maintained by or on behalf of the bank holding company [or financial institution].” Appendix D-2 to 12 CFR 208—Interagency Guidelines Establishing Information Security Standards, I.C.2.e. As explained in the notice accompanying the final Interpretive Guidance, that definition narrows the scope of the GLBA and agency interpretations “to information that is within the control of the institution and its service providers,” and not “to information directly disclosed by a customer to a third party, for example, through a fraudulent Web site.” (And, note that the Guidelines apply only to consumer accounts, not to business or commercial accounts.) Supplementary Information, 70 Fed. Reg. 15736, 15738 (March 29, 2005).

If the checks were deposited by your customers or by third-party payees on the checks, they were not within your control when they were inadvertently released. Therefore, we do not believe that the GLBA’s requirements regarding a disclosure of nonpublic consumer information apply to you; instead, they apply to the bank that had control over the checks that were released.

Illinois law — Personal Information Protection Act

Similarly, we do not believe that there are any Illinois laws requiring disclosure of a data breach by another financial institution. The Illinois law on data breaches — the Personal Information Protection Act — applies only to data “maintained by the data collector.” 815 ILCS 530/5. Further, the Act’s notification provisions apply only to breaches of “computerized data,” which would not include physical checks. Id. (The Illinois Attorney General introduced this legislation with a broad application, and the IBA (and others) negotiated and changed the language so that, as enacted, it only applies to computerized data.) (And note that an Illinois First District case applied the Act to a data breach in which physical letters containing nonpublic personal information were mailed out. Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 362 (1st Dist. 2010).)