A bug in our online banking system allowed one customer to view another customer’s account history. Do we need to notify the customer of the breach? – IBA Compliance Connection


We believe that the situation you described would constitute a data breach that would necessitate disclosure under the Personal Information Protection Act, which would have to include “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes.” 815 ILCS 530/10(a).

Once an unauthorized individual gains access to a customer’s personal information, that should be considered an “acquisition” of the data. Our law dictionary defines “acquisition” as “gaining of possession or control over something.” Black’s Law Dictionary 24 (7th ed. 1999). With online access to a customer’s account history, the unauthorized individual would automatically gain possession of the data, which would be copied into the memory of the computer used to sign into the account. Note that the statute does not require that the unauthorized user intend to acquire the data in order for the acquisition to be considered a breach.