If your business has experienced a data breach, most states have laws requiring various forms of notification. Typically, a business must notify law enforcement and/or designated state officials (but not always). Affected consumers must be notified if personal, unencrypted data has been accessed and/or exfiltrated.
For example, in Michigan, if there has been unauthorized access to personal information of Michigan residents, a business — wherever located — is not required to notify Michigan government officials, but must notify customers. As for timing, the notification must be given “without unnecessary delay.” See, generally, Mich. Comp. Laws § 445.72 et seq.
A data security breach is defined as the “… unauthorized access and acquisition of data that compromises the security or confidentiality” of personal information including a person’s name linked to their:
- Social security number
- Driver license number or state identification card number or
- Financial account number, credit/debit card or other account number in combination with any required security code, access code, or password that would permit access to the person’s account
Notification must be in writing and, generally, must be made directly to the consumer. There are some exceptions and a number of other requirements. The Michigan statute provides for various penalties against businesses that violate the data breach notice requirements, and affected consumers may sue for civil money damages.
The Michigan data breach notification law is an example of a data breach statute that is “consumer-focused.” However, there are other concerns when data security systems are compromised. As an example, recently, new regulations were authorized with respect to banks and financial institutions which experience a data security “incident.” These new regulations apply to a much broader type of “breach” than the Michigan statute and banks will be under very strict and short deadlines.
The new regulations were issued jointly by several bank regulators, including the Office of the Comptroller of the Currency and the Board of the Federal Reserve. National and state banks will need to begin complying with the new rules by May 1, 2022.
Unlike under the Michigan statute, banks will be required to give notification of what is called a “computer-security incident.” A computer-security incident is defined to include a data breach that accesses and/or exfiltrates personal information and data on bank customers, but it also includes other types of cybercriminal activity that cause harm to the “confidentiality, integrity, or availability of an information system or the information that the bank uses.” Examples include distributed denial-of-service attacks, hacking incidents that disable or interfere with bank operations, ransomware attacks, and more. The justification for the broader applicability of the new regulations is that any disruptive cyberattack or “incident” can disrupt one bank’s ability to carry on its operations, which in turn can have a larger impact on the entire banking system. Put in perspective, these regulations are less concerned with protecting consumer data and privacy than with protecting the operational integrity of banks and the banking system.
As noted, banks have a short time window in which to comply with the new regulations. Banks must notify their primary regulatory agency as soon as possible, but not later than 36 hours after the bank determines that the “incident” meets the definition of a “reportable incident.” In practice, this allows banks some latitude with respect to timing, since it may take time to determine that an incident must be reported. The new regulations add a new layer of notification requirements and do not replace other guidelines and regulations for banks and financial institutions. Banks have long been required to report criminal cyberattacks to the FBI, and banks remain bound by state and federal laws with respect to consumer notifications.
As can be seen, any business that experiences a data breach or other cybersecurity incident must be prepared to act. Cybersecurity laws are aimed at protecting not only consumers’ confidential and personal data but also the integrity of the economic system in general. Whatever your business, you must have state-of-the-art data and computer systems security. You also need to retain proven data security lawyers like those at Revision Legal. If you have legal questions about data security, how to respond to data breaches, or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.