To the best of my knowledge, there is currently no data breach notification legislation that requires this sort of disclosure by a bank. The legislation currently in place focuses solely on the initial person who lost the data and does not address anyone further up the chain. As a result, unless the bank is the one to lose the data, it doesn't have to notify customers; and if it doesn't have to notify customers about the existence of a breach, it certainly doesn't have to provide details of the breach. The closest thing to such a requirement is the Payment Card Industry Data Security Standard (PCI DSS), and while that mandate requires breach notification to the PCI Security Standards Council, it does not require notification to customers.
That being said, in the cases of larger breaches, such as the ones related to TJX Companies Inc. and Heartland Payment Systems Inc., the banks reissued credit and debit cards to customers whose data was lost and provided some customer data breach information.
Interestingly, after the fallout of the ChoicePoint breaches a few years ago and as more states have laws like California's SB-1386 (and now HITECH), it's more common for organizations to provide information about breaches to customers even when there is no requirement to do so! As it has been increasingly shown that a breach does not cause much customer turnover, the perceived risk of announcing a breach, even when a company doesn't have to, has gone down.
For more information:
- What are the key provisions of Massachusetts' new data breach law? Read more.
- During a data breach, how much information should be given out? Find out more in this expert response.
This was first published in July 2009