Data Security Breach Notifications: Banks Get New Rules

by John DiGiacomo

Partner

Internet Law

If your business has experienced a data breach, most states have laws requiring various forms of notification. Typically, a business must notify law enforcement and/or designated state officials (but not always). Affected consumers must be notified if personal, unencrypted data has been accessed and/or exfiltrated.

For example, in Michigan, if there has been unauthorized access to personal information of Michigan residents, a business — wherever located — is not required to notify Michigan government officials, but must notify customers. As for timing, the notification must be given “without unnecessary delay.” See, generally, Mich. Comp. Laws § 445.72 et seq.

A data security breach is defined as the “… unauthorized access and acquisition of data that compromises the security or confidentiality” of personal information including a person’s name linked to their:

  • Social Security number
  • Driver's license number or state identification card number, or
  • Financial account number, credit/debit card number or other account number in combination with any required security code, access code, or password that would permit access to the person's account

Notification must be in writing and, generally, must be made directly with the consumer. There are some exceptions and a number of other requirements. The Michigan statute provides for various penalties against businesses that violate the data breach notice requirements and affected consumers may sue for civil money damages.

The Michigan data breach notification law is an example of a data breach statute that is “consumer-focused.” However, there are other concerns when data security systems are compromised. As an example, recently, new regulations were authorized with respect to banks and financial institutions which experience a data security “incident.” These new regulations apply to a much broader type of “breach” than the Michigan statute and banks will be under very strict and short deadlines.

The new regulations were issued jointly by several bank regulators, including the Office of the Comptroller of the Currency and the Board of the Federal Reserve. National and state banks will need to begin complying with the new rules by May 1, 2022.

Unlike the Michigan statute, banks will be required to give notification of what is called a “computer-security incident.” A computer-security incident is defined to include a data breach that accesses and/or exfiltrates personal information and data on bank customers, but it also includes other types of cybercriminal activity that cause harm to the “confidentiality, integrity, or availability of an information system or the information” that the bank uses. Examples include distributed denial-of-service attacks, hacking incidents that disable or interfere with bank operations, ransomware attacks and more. The justification for the broader applicability of the new regulations is that any disruptive cyberattack or “incident” can disrupt one bank’s ability to carry on its operations, which can have a larger impact on the entire banking system. Put in perspective, these regulations are less concerned with protecting consumer data and privacy than with protecting the operational integrity of banks and the banking system.

As noted, banks have a short time window in which to comply with the new regulations. Banks must notify their primary regulatory agency as soon as possible, but not later than 36 hours after the bank determines that the “incident” meets the definition of a “reportable incident.” In practice, this will allow banks some latitude with respect to the timing since it may take time to make the determination that the incident must be reported. The new regulations add a new layer of notification requirements and do not replace other guidelines and regulations for banks and financial institutions. Banks have long been required to report criminal cyber-attacks to the FBI and banks are bound by state and federal laws with respect to consumer notifications.

As can be seen, any business that experiences a data breach or other cybersecurity incident must be prepared to act. Cybersecurity laws are aimed at protecting consumers' confidential and personal data, but also the integrity of the economic system in general. Whatever your business, you must have state-of-the-art data and computer systems security. You also need to retain proven data security lawyers like those at Revision Legal. If you have legal questions about data security, how to respond to data breaches, or about hacking and cybercrime, contact the data security lawyers at Revision Legal at 231-714-0100. We have proven experience with these types of legal issues.
