Notification Requirements After a Data Breach

Article By: Ben Giumarra, Spillane Consulting Associates, Inc.

Scratching the surface of a much bigger issue.

What do we do when we discover a “security breach,” or otherwise learn that some unauthorized person had access to a consumer’s personal information, such as a check or a disclosure?

Because hey – it happens. Loan paperwork is sent to the wrong address (yet another good thing about electronic delivery: it’s password protected). Or maybe a record is sent to the wrong third party – the incorrect closing attorney, or a third party that wasn’t supposed to receive it. Maybe you meant to e-mail me (Ben G., your confidential advisor) information on a sensitive consumer complaint issue, but instead accidentally sent it to Ben C. (who works for Mass Bankers). Whoops!**

Remember the bar for “personal” or “sensitive” customer information is pretty low — even a personal check connecting the person’s name with an account number would qualify. Certainly a Loan Estimate or copy of an appraisal report would qualify.

**For anyone lacking a sense of humor, Ben Craigie is a friend and consummate professional, highly skilled in banking compliance issues, and it would be rare to come across someone with higher integrity. Consider yourself lucky if your only mistaken e-mail goes to him!

Notification Requirements

Numerous state and federal rules prevent us from staying quiet about a security breach and pretending it didn’t happen. These rules require us to notify someone about it – sometimes the affected consumer, sometimes our regulator, sometimes a different government agency.

The rules surrounding timing, content, and whether a breach occurred at all vary depending on which jurisdiction is involved. To demonstrate this point, let’s go through Federal requirements and then Rhode Island and Massachusetts.

#1 – Federal

Your Federal regulator most likely signed off on the joint federal guidance available here. It has two levels of notification: first to your regulator, and second directly to the consumer.

Regulator Notification

This Federal guidance requires you to notify your regulator “as soon as possible” when you discover “an incident involving unauthorized access to or use of sensitive customer information.” In other words – notify them immediately. So if you e-mailed a mortgage borrower’s Loan Estimate to 126 Main Street instead of 126 Main Lane, that report goes out right away.

Consumer Notification

But under this guidance, the requirement to notify affected consumers is more relaxed: notification is only required when, after “a reasonable investigation”, the institution has determined “that misuse of the information has occurred or is reasonably possible that misuse will occur.”

So if your only problem is that you e-mailed one loan file to Ben Craigie instead of to me, then even though you might have to notify your regulator per this Federal guidance, you certainly do not have to notify the consumer directly – there’s no risk of misuse.

#2 – Massachusetts

Massachusetts has its own rules on notification upon a security breach (of course they do).

The key thing to look at here is what triggers a consumer notification. The rule, available here, says that notification of both consumer and regulatory bodies is required whenever, among other things, a company realizes that “the personal information of a [Massachusetts] resident was acquired or used by an unauthorized person.” So unlike the Federal guidance, consumer notification appears to be required even if it is not “reasonably possible that misuse will occur.” That’s pretty big.

If you have a data breach in this state, you’ll also want to carefully follow the content requirements for consumers – which are not intuitive, and require information about police reports but don’t allow you to provide an explanation to the consumer about what happened. This notice may cause a consumer to be more alarmed than they need to be.

One good thing about Massachusetts is their helpful webpage for submission of this information. You can notify most of the required agencies by filling this out online!

#3 – Rhode Island

Ah, welcome to the Ocean State. Rhode Island’s new data breach notification rules are different again – but not necessarily in a bad way.

First of all, don’t worry about notifying the AG or other government agency unless you have a breach that impacts more than 500 consumers. For any breach involving fewer consumers, the rules only require direct consumer notification.

Another good thing (I think) is that Rhode Island rules only require notification of a breach where the institution has determined there remains a “significant risk of identity theft.” So back to our Ben Craigie example: this is another time when we can avoid unnecessarily scaring consumers with notice of a data breach that actually poses no risk to them at all.

In Other News

  • How do you price a product? Fun-to-read article here on this topic. It starts off with an old Johnny Carson story, from when he interviewed Zig Ziglar:

“They say you’re the world’s greatest salesman,” said Carson.

“How about you sell me something – say this ashtray?”

“Before I can do that,” replied Ziglar, looking at the ashtray. “I’d have to know why you want it.”

“I guess it’s well-made, it looks pretty nice, and it’s a good ashtray,” replied the talk show host.

“Alright,” responded Ziglar, “but you’ll have to tell me what you think it’s worth to you.”

“I don’t know,” thought Carson, “I guess $20 would be about right.”

“Sold!” Ziglar exclaimed, smiling.

On My Mind …

What are we supposed to be doing about/with physical branches? Should we be transitioning to digital infrastructure, closing branches, opening cheaper branches, keeping things the same as usual? I don’t know. The correct strategy probably varies by institution. But one interesting idea – without giving an opinion on how smart it is – is a strategy based around a different type of branch.

Look at Citi for example. Back in 2008 (2010 in the U.S.) they started opening branches modeled on the highly successful Apple Store. They even hired Eight, Inc., the same company that designed the Apple Store. Here’s a free article with a good background on this. They made the branches cool and innovative. According to this American Banker article, the branches have “a clean, spare look with open space, a central concierge desk, a high-tech lounge area, workstations where customers learn about online banking, and a video conferencing customer service kiosk. The wall-mounted marketing displays that provide product information and the time, date and weather sometimes remind customers of giant iPhones.”

But how successful has this been? Is this just an example of “old-school” bankers hoping against hope that physical branches are still relevant, and that they only need to update their looks? Well, Brett King makes some good points in his book Bank 3.0: Why Banking is No Longer Somewhere You Go, But Something You Do. According to him, there’s been no evidence that Citi’s new branches have caused any net gain in retail activity. He claims Citi has generated more activity through its iPhone, iPad and Android apps than through its Apple Store-style branches. “Here’s a little secret that bankers should really take note of. Apple customers simply don’t ever go back to the store to buy an app after they’ve bought an iPad or iPhone in-store.”

I think the point he’s making is that bankers should spend more time modeling Apple’s online “App Store” rather than modeling its physical Apple Stores.

“An embrace of simplicity offers another potent and liberating opportunity. It allows you to reduce the number of commitments, material possessions, and unsupportive relationships we burden ourselves with. These tend to clutter the mind and weigh you down.”

– Mark Divine, Unbeatable Mind

Thank you to Ben Giumarra, Spillane Consulting Associates, Inc., a member of our Education Committee, who with the support of other experts at SCA has put together this newsletter.
