IBA Compliance Connection

Your go to source for compliance!

If we inadvertently gave a customer a list of other customer names and account numbers, would we have to disclose the breach to our customers under the Personal Information Protection Act? If so, do we need to include contact information for the consumer reporting agencies in the notice of breach, even if we did not alert those agencies about the breach?

by

admin

Although the Personal Information Protection Act (PIPA) does not define an owner or licensor of personal data, we believe that the bank would be considered an owner/licensor of personal data (as opposed to a maintainer/storer of personal data), given that the bank stores that data for its own purposes and not on behalf of another entity. Therefore, we believe the notice requirements of the Act would apply in this situation.

PIPA does not make any exceptions to the requirement that data collectors include specific information when notifying customers about a data breach, including the consumer reporting agencies and FTC contact information. 815 ILCS 530/10. If the bank falls into PIPA’s scope, it should include all of the required information in the notices of breach.