Varying State Laws Make Data Breach Notification Challenging
Tuesday, November 18, 2014 6:35 AM

Legal experts speaking on data breach at the Credit Union Cybersecurity Symposium in Arlington last week said that while the data breach of a credit union brings with it a number of headaches for the institution and its members, proper notification can be a "legal nightmare" for credit unions due to the varying laws around the country.

A data breach is generally defined in the legal community as "the unauthorized acquisition of personally identifiable information that compromises the security, confidentiality or integrity of personal information or processes managing personal information," a definition built from the most common language used by states.

"The notification requirements are the fundamental difference between a breach and an incident," said Ian Harper, a cybersecurity professional and former chief information officer at Pentagon FCU in Alexandria, Virginia. "When we talk about a breach, what we talk about is an event that requires you to notify the individual whose private information has been compromised about the fact that their information has been not necessarily made public, but you've lost control of it."

According to Harper, a financial institution's vulnerability to legal action opens as soon as members are notified. "If you have to publicly announce or provide notification to an individual, expect a class action lawsuit, at least one," Harper said. "That's pretty much standard fare with a data breach."

The National Credit Union Administration's position on member notification is "if a credit union determines that misuse of its information about a member has occurred or is reasonably possible, it should notify the affected member as soon as possible."

The NCUA defines sensitive member information as "a member's name, address or telephone number, in conjunction with the member's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the member's account."

Forty-seven states, as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have breach notification laws. Alabama, New Mexico, and South Dakota are the exceptions.

In addition, 24 have standard definitions of privacy information, 27 have additional privacy information definitions to consider, 41 allow for risk analysis prior to notification, 22 require notification of the state's attorney general, seven require notification within a given timeframe, and each state has its own requirements for the information that must appear on a notification letter.

Randy Gainer, an attorney who represents victims of data breaches, estimated that credit unions that have been breached should be prepared to pay for notification costs (which average $2.3 million per breach), credit monitoring costs (which average $5.5 million per breach), regulatory fines, and more.