Another bank informed us that its shredding vendor had lost a box of checks that included our customers’ checks. Are we required to notify our customers of the breach?

We are not aware of any federal or Illinois laws that impose a duty of notification on a bank whose customers’ checks are lost by another financial institution.

Federal Law — Gramm-Leach-Bliley Act

Under the federal banking agencies’ Interagency Guidelines Establishing Information Security Standards, a bank should “develop and implement a risk-based response program to address incidents of unauthorized access to customer information.” However, the scope of “customer information” includes only information that is “maintained by or on behalf of the bank holding company [or financial institution].” Appendix D-2 to 12 CFR 208—Interagency Guidelines Establishing Information Security Standards, I.C.2.e. As explained in the notice accompanying the final Interpretive Guidance, that definition narrows the scope of the GLBA and the agency interpretations “to information that is within the control of the institution and its service providers,” and not “to information directly disclosed by a customer to a third party, for example, through a fraudulent Web site.” Supplementary Information, 70 Fed. Reg. 15736, 15738 (March 29, 2005). (Note also that the Guidelines apply only to consumer accounts, not to business or commercial accounts.)

If the checks were deposited by your customers or by third-party payees at the other bank, they were in that bank’s possession, not within your control, when its shredding vendor lost them. Therefore, we do not believe that the GLBA’s requirements regarding a disclosure of nonpublic consumer information apply to you; instead, they apply to the bank that had control over the checks when they were lost.

Illinois law — Personal Information Protection Act

Similarly, we do not believe that any Illinois law requires a bank to give notice of a data breach suffered by another financial institution. The Illinois law on data breaches — the Personal Information Protection Act — applies only to data “maintained by the data collector.” 815 ILCS 530/5. Further, the Act’s notification provisions apply only to breaches of “computerized data,” which would not include physical checks. Id. (The Illinois Attorney General introduced this legislation with a broad application, and the IBA (and others) negotiated and changed the language so that, as enacted, it applies only to computerized data.) Note, however, that an Illinois First District case applied the Act to a data breach in which physical letters containing nonpublic personal information were mailed out. Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 362 (1st Dist. 2010).