Ask the Expert

Data breach notification legislation: What info must be released?

When a bank's credit card or ATM records have been compromised by a "merchant," does the bank have any obligation to inform customers as to the specifics of the compromise?

    Requires Free Membership to View

To the best of my knowledge, there is currently no data breach notification legislation that requires this sort of disclosure by a bank. The legislation currently in place focuses solely on the initial person who lost the data and does not address anyone further up the chain. As a result, unless the bank is the one to lose the data, it doesn't have to notify customers; and if it doesn't have to notify customers about the existence of a breach, it certainly doesn't have to provide details of the breach. The closest thing to such a requirement is the Payment Card Industry Data Security Standard (PCI DSS), and while that mandate requires breach notification to the PCI Security Standards Council, it does not require notification to customers.

That being said, in the cases of larger breaches, such as the ones related to TJX Companies Inc. and Heartland Payment Systems Inc., the banks reissued credit and debit cards to customers whose data was lost and provided some customer data breach information.

Interestingly, after the fallout of the ChoicePoint breaches a few years ago and as more states have laws like California's SB-1386 (and now HITECH), it's more common for organizations to provide information about breaches to customers even when there is no requirement to do so! As it has been increasingly shown that a breach does not cause much customer turnover, the perceived risk of announcing a breach, even when a company doesn't have to, has gone down.

For more information:

This was first published in July 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: