Topic: Data Breach
-
If our data processor inadvertently released customer information, but only to another financial institution, do we still have to report the breach to our customers?
We are not sure that we have sufficient information to answer your question. In general, under Illinois law, you must notify the customer of a data breach if it “compromises the security, confidentiality, or integrity” of a customer’s personal information. (A data breach is the “unauthorized acquisition of computerized data.”) However, you need not notify the…
-
Our electronic payments vendor sent us a notification stating that a customer’s debit card “may have” been compromised. Do we need to notify the customer?
From the information provided by your vendor, it is not clear whether the Personal Information Protection Act applies, as it applies only to breaches of computerized personal information. 815 ILCS 530/5. We recommend that you contact the vendor for clarification on the type of breach that occurred.
-
If we inadvertently gave a customer a list of other customer names and account numbers, would we have to disclose the breach to our customers under the Personal Information Protection Act? If so, do we need to include contact information for the consumer reporting agencies in the notice of breach, even if we did not alert those agencies about the breach?
Although the Personal Information Protection Act (PIPA) does not define an owner or licensor of personal data, we believe that the bank would be considered an owner/licensor of personal data (as opposed to a maintainer/storer of personal data), given that the bank stores that data for its own purposes and not on behalf of another…
-
Another bank informed us that its shredding vendor had lost a box of checks that included our customers’ checks. Are we required to notify our customers of the breach?
We are not aware of any federal or Illinois laws that impose a duty of notification on a bank whose customers’ checks are lost by another financial institution.

Federal Law — Gramm-Leach-Bliley Act

Under the federal banking agencies’ Interagency Guidelines Establishing Information Security Standards, you should “develop and implement a risk-based response program to address…
-
If we write down an account number and balance on a piece of paper and give it to the wrong customer, does that qualify as a “breach of security of the system data” under the Illinois Personal Information Act? Would the answer be the same for a statement mailed to the wrong customer?
No. The Illinois law applies to unauthorized acquisitions of computerized data. We do not believe that providing an account number and balance in writing to someone other than the account owner, whether at a teller line or by mailing a monthly statement to the wrong address, would trigger the customer notification requirements of the Act.…