
	Home > Ask the Security Experts > Security Management Questions & Answers > Data breach notification legislation: What info must be released?

Ask The Security Expert: Questions & Answers

EMAIL THIS

Data breach notification legislation: What info must be released?

EXPERT RESPONSE FROM: David Mortman, featured expert

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 20 July 2009
When a bank's credit card or ATM records have been compromised by a "merchant," does the bank have any obligation to inform customers as to the specifics of the compromise?

BROWSE BY TAG

Security Management, Network Intrusion Detection and Analysis, Enterprise Network Security, Information Security Incident Response, Security Event Management, VIEW ALL TAGS

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Security Management
	How to prepare for a FERPA audit
	Why doesn't the CISSP cover information assurance and DIACAP?
	Risk management strategy for an information technology solution provider
	Are there guidelines to create a HIPAA-compliant data center?
	HHS HIPAA guidance on encryption requirements and data destruction
	Writing a patient identifier policy to prevent common HIPAA violations
	How to write technology outsourcing contracts
	The requirements for being a PCI DSS-compliant service provider
	The requirements needed to make an external penetration test legal
	How to create configuration management plans to install DLP

Information Security Incident Response

Incident response planning

Mature SIMs do more than log aggregation and correlation

New partnerships, creative thinking help security bust recession

Senators hear call for federal cybersecurity restructuring

Tying log management and identity management shortens incident response

Tabletop exercises sharpen security and business continuity

Security incident response 101

Firms muddle security breach response, expert says

Microsoft Conficker worm offers attack prevention lesson

Security book chapter: Applied Security Visualization

Information Security Incident Response Research

Security Event Management

Network traffic collection, analysis helps prevent data breaches

Best Security Information and Event Management Products

Understanding PCI DSS compliance requirements for log management

How to prevent a denial-of-service (DoS) attack

Mature SIMs do more than log aggregation and correlation

The top 5 network security practices

SIMs tools and tactics for business intelligence

SIEM: Not for small business, nor the faint of heart

Should IDS and SIM/SEM/SIEM be used for network intrusion monitoring?

Tying log management and identity management shortens incident response

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

incident response (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

To the best of my knowledge, there is currently no data breach notification legislation that requires this sort of disclosure by a bank. The legislation currently in place focuses solely on the initial person who lost the data and does not address anyone further up the chain. As a result, unless the bank is the one to lose the data, it doesn't have to notify customers; and if it doesn't have to notify customers about the existence of a breach, it certainly doesn't have to provide details of the breach. The closest thing to such a requirement is the Payment Card Industry Data Security Standard (PCI DSS), and while that mandate requires breach notification to the PCI Security Standards Council, it does not require notification to customers.

That being said, in the cases of larger breaches, such as the ones related to TJX Companies Inc. and Heartland Payment Systems Inc., the banks reissued credit and debit cards to customers whose data was lost and provided some customer data breach information.

Interestingly, after the fallout of the ChoicePoint breaches a few years ago and as more states have laws like California's SB-1386 (and now HITECH), it's more common for organizations to provide information about breaches to customers even when there is no requirement to do so! As it has been increasingly shown that a breach does not cause much customer turnover, the perceived risk of announcing a breach, even when a company doesn't have to, has gone down.

For more information:

What are the key provisions of Massachusetts' new data breach law? Read more.
During a data breach, how much information should be given out? Find out more in this expert response.

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Site Index

TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.


TechTarget Corporate Web Site \| Media Kits \| Site Map All Rights Reserved, Copyright 2003 - 2009, TechTarget \| Read our Privacy Policy