If we have personal information about payable-on-death beneficiaries for a deposit account, such as birth dates and Social Security numbers, and there is a security breach, may we contact the beneficiaries to let them know that their information has been compromised?

Yes, we strongly recommend contacting deposit account beneficiaries to notify them of a data breach affecting their personal information.

The Illinois Personal Information Protection Act requires notification of any Illinois resident when there is “unauthorized acquisition of computerized data” containing the resident’s personal information. “Personal information” includes an individual’s name in combination with a Social Security number, provided that this information has not been encrypted or redacted. “Personal information” also includes an individual’s name in combination with the individual’s health insurance information, which likely would include their birth date.

These requirements apply regardless of whether the residents are customers of your bank. (By contrast, the federal requirements for data breach notifications apply only to bank customers, which we do not believe would include deposit account beneficiaries.)

For resources related to our guidance, please see:

  • Personal Information Protection Act, 815 ILCS 530/10(a) (“Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach.”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Breach of the security of the system data’ or ‘breach’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. . . .”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Personal information’ means . . . (1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security: (A) Social Security number. . . (E) Health insurance information. . . .”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Health insurance information’ means . . . any unique identifier used by a health insurer to identify the individual, or any medical information in an individual’s health insurance application and claims history, including any appeals records.”)
  • Interagency Guidelines Establishing Information Security Standards, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“When a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible. . . .”)
  • Interagency Guidelines Establishing Information Security Standards, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice (“Substantial harm or inconvenience is most likely to result from improper access to sensitive customer information because this type of information is most likely to be misused, as in the commission of identity theft. For purposes of this Guidance, sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.”)
  • Regulation P, 12 CFR 1016.3(i) (“Customer means a consumer who has a customer relationship with you.”)
  • Regulation P, 12 CFR 1016.3(e) (“(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative. . . . (2)(vii) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.”)