The Bank That Cried Breach: Knowing When It's Time to Send a Security Breach Notice to Customers
Posted on 08/03/2018 at 11:56 AM by Jesse Johnston
Data breaches can occur in a myriad of ways: by the hacker, by an employee’s departure with customer information, or through a vendor’s oversights. There is one constant among all of these scenarios though—the affected organization must determine if it needs to send a data breach notice to its customers. Some state laws require notice be sent to a customer if there was any unauthorized access to the customer’s private information. For example, in Iowa, the law requires notice be provided to a customer where there has been an unauthorized acquisition of personal information that “compromises the security, confidentiality, or integrity of the personal information.”
The Gramm-Leach-Bliley Act (GLBA) governs financial institutions’ use and protection of consumer’s personal information. Many state laws regarding data breach contain a clause that exempts entities subject to the GLBA from the state requirements. And the GLBA standard is a bit different because a notice to customer’s regarding unauthorized access of customer information is only required if, after an investigation, the financial institution determines that there is or is likely to be misuse of the customer’s information.
In order to assist financial institutions in understanding and complying with the GLBA, the federal regulators issued the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. This guidance states that:
[If] a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to promptly determine the likelihood that the information has been or will be misused. If the institution determines that misuse of its information about a customer has occurred or is reasonably possible, it should notify the affected customer as soon as possible.
What is “misuse”? The term is not clearly defined in the GLBA or in the implementing regulations or guidance. The interagency guidelines rightly co-opt identity theft into the realm of misuse. Recent court decisions in the Eighth Circuit have considered the issue of “misuse” unrelated to the GLBA. These decisions have also reiterated that identity theft will qualify as misuse, as will unauthorized use of a customer’s credit card number.
What does this mean for a bank when it discovers that there has been unauthorized access to customer information but the bank does not believe the information has been misused? The internal investigation will become very important to determining whether to send the breach notice. The interagency guidance cautions against sending notices when there is no threat of misuse in order to prevent customer numbness to such notices and in order to prevent reputational harm for banks. If a bank has any inclination that there has been unauthorized access to customer information, it must act quickly and nimbly to conduct an investigation and take subsequent steps depending on the conclusions of the investigation. At the first sign of a data breach, contact counsel who can assist navigating this process.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.