Yes, we recommend notifying your regulators pursuant to Interagency Guidance regarding unauthorized access of customer information.
Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice requires banks to establish a security breach response program that contains procedures for notifying their primary Federal regulator as soon as possible “when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information.” Sensitive customer information includes a customer's name, address, or telephone number, in conjunction with the customer’s social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.
Importantly, the Interagency Guidance does not distinguish between intentional and unintentional access of sensitive customer information. In addition, the agencies have noted that “the final Guidance addresses not only computer security incidents, but also all other incidents of unauthorized access to customer information.”
In this case, some customers inadvertently received unauthorized access to sensitive customer information, which reasonably could result in the unauthorized use of that information. Consequently, the Interagency Guidance requires you to notify your regulators.
In addition to notifying your regulators, the Interagency Guidance also requires you to provide timely notice to affected customers, which you have indicated you plan to do.
We also note that you may have similar customer notice requirements under Illinois law. The Personal Information Protection Act (PIPA) requires customer notification in the event of a data breach. We note that unlike the Interagency Guidance, PIPA limits a “breach” to unauthorized acquisition of computerized data. Here, customers received unauthorized access to physical bank statements — not computerized data.
However, an Illinois appellate court determined that inadvertently mailing nonpublic personal information to unauthorized recipients constituted a data breach under PIPA. Because of the court’s decision, we recommend treating this as a data breach and sending out the notifications required by PIPA, which must include the toll-free numbers and addresses for consumer reporting agencies, the toll-free number, address, and website address for the Federal Trade Commission, and a statement that the individual can obtain information from these sources about fraud alerts and security freezes.
For resources related to our guidance, please see:
- Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“At a minimum, an institution's response program should contain procedures for the following: … b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below…”)
- Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“For purposes of this Guidance, sensitive customer information means a customer's name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number.”)
- 70 Federal Register 15736, 15742 (“The Agencies note that the final Guidance addresses not only computer security incidents, but also all other incidents of unauthorized access to customer information.”)
- 70 Federal Register 15736, 15740 (discussion regarding industry comments on reporting to regulators and conclusion that “the standard for notification to regulators should provide an early warning to allow an institution's regulator to assess the effectiveness of an institution's response plan, and, where appropriate, to direct that notice be given to customers if the institution has not already done so. Thus, the standard in the final Guidance states that an institution should notify its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of ‘sensitive customer information.’ ”)
- Personal Information Protection Act, 815 ILCS 530/5 (“ ‘Breach of the security of the system data’ or ‘breach’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.”) (emphasis added)
- Cooney v. Chicago Public Schools, 407 Ill. App. 3d 358, 362 (1st Dist. 2010) (where inadvertently mailing nonpublic personal information constituted a data breach under PIPA, triggering the Act’s notice requirements)
- Personal Information Protection Act, 815 ILCS 530/10(a) (“Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.”)
- Personal Information Protection Act, 815 ILCS 530/10(a) (“The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system. The disclosure notification to an Illinois resident shall include, but need not be limited to, (i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that the individual can obtain information from these sources about fraud alerts and security freezes. The notification shall not, however, include information concerning the number of Illinois residents affected by the breach.”)