We inadvertently sent one business customer’s account statement to another business customer. The statement included the business customer’s name and address, but the account number was masked. Does federal or state law require us to provide notice to the business customer whose statement was inadvertently disclosed to a third party?

We believe that the federal data breach notification requirements are inapplicable to the unauthorized disclosure of a business customer’s account statement, and it is likely that the Illinois data breach notification requirements are also inapplicable. However, your bank may wish to consider notifying this customer as a courtesy.

The federal data breach notice requirements outlined in the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice apply only to consumer accounts, not to business or commercial accounts.

The data breach notification requirements in the Illinois Personal Information Protection Act (IPIPA) are not expressly limited to consumer accounts. However, the IPIPA only requires notification to an Illinois “resident” when there is an “unauthorized acquisition of computerized data” containing the resident’s personal information. While the law does not define resident, it defines “personal information” as either an individual’s name in combination with other personally identifiable information, or a user name or email address in combination with a password or other credential that would permit access to an online account.

In this case, the statement as described contained a business customer’s name and address with a masked account number. A name and address alone do not fall within the first category of personal information (a name combined with one of the enumerated data elements), and an account statement ordinarily would not contain a user name or email address together with a password or security question and answer that would permit access to an online account. Nonetheless, we recommend carefully reviewing the account statement that was inadvertently disclosed to confirm that it does not contain an unmasked data element or login credential of either type covered by the Illinois law.

For resources related to our guidance, please see:

  • Personal Information Protection Act, 815 ILCS 530/10(a) (“Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. . .”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Breach of the security of the system data’ or ‘breach’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.”)
  • Personal Information Protection Act, 815 ILCS 530/5 (“‘Personal Information’ means either of the following: (1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, . . . [or] (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security.”)
  • Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 15738 (March 28, 2005) (“[T]his final Guidance does not apply to information involving business or commercial accounts. Instead, the final Guidance applies to nonpublic personal information about a ‘customer’ within the meaning of the Security Guidelines, namely, a consumer who obtains a financial product or service from a financial institution to be used primarily for personal, family, or household purposes, and who has a continuing relationship with the institution.”)
  • Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 CFR 208, Supplement A to Appendix D-2 (“At a minimum, an institution’s response program should contain procedures for the following: . . . b. Notifying its primary Federal regulator as soon as possible when the institution becomes aware of an incident involving unauthorized access to or use of sensitive customer information, as defined below; . . . and e. Notifying customers when warranted.”)
  • Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 12 CFR 208, Supplement A to Appendix D-2 (“For purposes of this Guidance, sensitive customer information means a customer’s name, address, or telephone number, in conjunction with the customer’s social security number, driver’s license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer’s account. Sensitive customer information also includes any combination of components of customer information that would allow someone to log onto or access the customer’s account, such as user name and password or password and account number.”)
  • Interagency Guidelines Establishing Information Security Standards, 12 CFR 208, Appendix D-2 (“Customer means any customer of the bank as defined in §1016.3(i) of this chapter.”)
  • Regulation P, 12 CFR 1016.3(i) (“Customer means a consumer who has a customer relationship with you.”)