If our data processor inadvertently released customer information, but only to another financial institution, do we still have to report the breach to our customers? – IBA Compliance Connection

We are not sure that we have sufficient information to answer your question. In general, under Illinois law, you must notify the customer of a data breach if it “compromises the security, confidentiality, or integrity” of a customer’s personal information. (A data breach is the “unauthorized acquisition of computerized data.”) However, you need not notify the customer when personal information is obtained in good faith by an agent of the bank “for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.” 815 ILCS 530/5. While it stands to reason that the other bank would not misuse the customer information that it received inadvertently, unless it received that information as an agent of your agent (i.e., unless it was assisting the data processor — your agent — in the services that your data processor was providing to your bank), it would not fit within that exception, and there does not appear to be any other exception in the state law that would cover this situation. If that is the case, notification to your affected customers (but only as to those whose information was improperly disclosed) would appear to be required.