Problem solve Get help with specific problems with your technologies, process and projects.

Data breach notification legislation: What info must be released?

In the wake of a credit card data breach, what customer data breach information must be released per data breach notification legislation? David Mortman addresses the question in this expert response.

When a bank's credit card or ATM records have been compromised by a "merchant," does the bank have any obligation to inform customers as to the specifics of the compromise?

To the best of my knowledge, there is currently no data breach notification legislation that requires this sort of disclosure by a bank. The legislation currently in place focuses solely on the initial person who lost the data and does not address anyone further up the chain. As a result, unless the bank is the one to lose the data, it doesn't have to notify customers; and if it doesn't have to notify customers about the existence of a breach, it certainly doesn't have to provide details of the breach. The closest thing to such a requirement is the Payment Card Industry Data Security Standard (PCI DSS), and while that mandate requires breach notification to the PCI Security Standards Council, it does not require notification to customers.

That being said, in the cases of larger breaches, such as the ones related to TJX Companies Inc. and Heartland Payment Systems Inc., the banks reissued credit and debit cards to customers whose data was lost and provided some customer data breach information.

Interestingly, after the fallout of the ChoicePoint breaches a few years ago and as more states have laws like California's SB-1386 (and now HITECH), it's more common for organizations to provide information about breaches to customers even when there is no requirement to do so! As it has been increasingly shown that a breach does not cause much customer turnover, the perceived risk of announcing a breach, even when a company doesn't have to, has gone down.

For more information:

This was last published in July 2009

Dig Deeper on Information Security Incident Response-Information

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

Being notified is good and should be mandatory. As far as how much info should be provided? I don't know. It's hard to say, but the consumer have all the info that they'll need in order to protect themselves.