We are not sure that we have sufficient information to answer your question. In general, under Illinois law, you must notify the customer of a data breach if it “compromises the security, confidentiality, or integrity” of a customer’s personal information. (A data breach is the “unauthorized acquisition of computerized data.”) However, you need not notify the customer when personal information is obtained in good faith by an agent of the bank “for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector’s business or subject to further unauthorized disclosure.” 815 ILCS 530/5. While it stands to reason that the other bank would not misuse the customer information that it received inadvertently, unless it received that information as an agent of your agent (i.e., unless it was assisting the data processor — your agent — in the services that your data processor was providing to your bank), it would not fit within that exception, and there does not appear to be any other exception in the state law that would cover this situation. If that is the case, notification to your affected customers (but only as to those whose information was improperly disclosed) would appear to be required.
If our data processor inadvertently released customer information, but only to another financial institution, do we still have to report the breach to our customers?
—
by