Topic: Data Breach
-
We inadvertently sent one business customer’s account statement to another business customer. The statement included the business customer’s name and address, but the account number was masked. Does federal or state law require us to provide notice to the business customer whose statement was inadvertently disclosed to a third party?
—
We believe that the federal data breach notification requirements are inapplicable to the unauthorized disclosure of a business customer’s account statement, and it is likely that Illinois’ data breach notification requirements also are inapplicable. However, your bank may wish to consider notifying this customer as a courtesy. The federal data breach notice requirements outlined in…
-
If we have personal information about payable on death beneficiaries for a deposit account, such as birth dates and social security numbers, and there is a security breach, may we contact the beneficiaries to let them know that their information has been compromised?
—
Yes, we strongly recommend contacting deposit account beneficiaries to notify them of a data breach affecting their personal information. The Illinois Personal Information Protection Act requires notification of any Illinois resident when there is “unauthorized acquisition of computerized data” containing the resident’s personal information. “Personal information” includes an individual’s name in combination with a social…
-
Thirty days ago, we discovered that a former loan officer sent emails from her bank email account to her personal email account (possibly related to her search for future employment with another bank). We still are sifting through hundreds of emails, but so far we know she sent herself at least one individual’s W-2 form. The loan officer quit as soon as we questioned her about the emails. We suspect that the loan officer obtained the W-2 from a loan applicant, and that the loan officer intended to steer the applicant to her new employer, but we have not been able to confirm this suspicion. Our attorney told us to notify the affected individual and any others that we discover. We are almost certain we also will file a Suspicious Activity Report (SAR). Is that something we should do? Should we also contact our primary federal regulator (the FDIC)?
—
We recommend filing a SAR, but at this point, we do not (and from what you have told us, the bank does not) have enough information to determine whether a data breach has occurred that would require your bank to notify its primary regulator or any affected individuals. The SAR regulations require a bank to…
-
If we discover that one of our ATMs has a skimming device, what is our potential liability? Would we have some sort of mass liability outside of fraudulent charges on our customers’ cards? We have upgraded our ATMs to accept chip cards.
—
It theoretically is possible that ATM users would sue your bank after a data breach stemming from a skimmer installed on one of your ATMs, but it is difficult to predict the chances of such a lawsuit hitting your bank, not to mention estimating the potential liability and costs. (An ATM skimmer is a device…
-
In a third party vendor contract, we want to require the vendor to notify us of data breaches within 24 hours. However, the vendor told us that there is no regulation or regulatory guidance that requires a 24-hour turnaround time for reporting incidents. Do you know of any regulatory guidance that imposes a specific time frame for a vendor to report data breach incidents to us? If so, what verbiage is required?
—
No, we are not aware of any guidance that imposes a specific time frame for a vendor to report a data breach to your financial institution. The Interagency Guidance regarding unauthorized access to customer information requires third party service providers to notify a financial institution “as soon as possible” after a data breach. However, the…
-
Our bank inadvertently released bank statements to the wrong customers. We plan to notify the affected customers, but do we also have to notify our regulators?
—
Yes, we recommend notifying your regulators pursuant to Interagency Guidance regarding unauthorized access of customer information. Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice requires banks to establish a security breach response program that contains procedures for notifying their primary Federal regulator as soon as possible “when the institution…
-
We recently responded to a subpoena by providing financial records about a customer. Now, this customer is contesting the subpoena and claims that we violated the Right to Financial Privacy Act. Is this a data breach incident that we need to report?
—
Privacy Laws
First, we disagree with your customer that responding to a subpoena with financial information violated your customer’s privacy rights. Both Illinois and federal privacy laws include exceptions for responding to subpoenas with customers’ financial information. Under Regulation P, a financial institution may disclose a customer’s information “to comply with a properly authorized .…
-
A bug in our online banking system allowed one customer to view another customer’s account history. Do we need to notify the customer of the breach?
—
We believe that the situation you described would constitute a data breach that would necessitate disclosure under the Personal Information Protection Act, which would have to include “(i) the toll-free numbers and addresses for consumer reporting agencies, (ii) the toll-free number, address, and website address for the Federal Trade Commission, and (iii) a statement that…
-
If we discovered some evidence that a vendor may have sold customer names and addresses without our permission, do we need to notify customers?
—
At this point, we do not (and from what you have told us, the bank does not) have enough information to determine whether you will have to notify customers of this situation. Depending on your investigation and information provided by the third party service provider, federal and/or Illinois law may require the bank to notify…