BOL Conferences
#1110658 - 01/14/09 04:16 PM Debit Card Breach II
FishingBanker Offline
New Poster
Joined: Jul 2008
Posts: 4
A similar topic was posted under a different forum, but I think it will get more attention here. As I'm sure a few of you might have been, we were notified by our card provider that there was a breach back in mid-2007 and of course we just got our list of affected accounts yesterday. We are a small bank but have several hundred accounts that "might be affected" because they were used at "discount stores, grocery stores, service stations, etc. etc.". Of course no specific names were listed.

We are calling our customers and will be sending out letters as well. Anyone have a letter they'd like to share that they have sent their customers? I have tried to begin typing a letter, but it turns into more of a rant!

#1112907 - 01/16/09 09:33 PM Re: Debit Card Breach II FishingBanker
CSB98 Offline
Diamond Poster
Joined: Dec 2003
Posts: 1,342
Wisconsin
For those of you that have been affected by this, do you consider this breach as something that would fall under your Incident Response Program? Namely, are you notifying your regulator of this incident?

#1113132 - 01/17/09 05:30 PM Re: Debit Card Breach II CSB98
BrendaC Offline
Power Poster
Joined: Sep 2001
Posts: 6,029
Sweet Home AL
I suspect that if you call your regulator, you will find they are already familiar with the situation. That's what I did with the TJX incident. Then I could document in my files that they asked that I not formally report the incident. They did, however, want a final report of the actions we took to mitigate risk to our customers.
_________________________
Life without Jesus is like an unsharpened pencil - it has no point.

#1117692 - 01/27/09 08:30 PM Re: Debit Card Breach II BrendaC
dg Offline
Platinum Poster
Joined: Jan 2005
Posts: 811
Pacific NW
We are taking full precautionary steps. We are consulting our Incident Response Program. Closing and re-issuing cards of affected customers, notifying affected customers, notifying our regulator and filing a SAR. Is this overkill?

#1117706 - 01/27/09 09:08 PM Re: Debit Card Breach II dg
CubDave Offline
Diamond Poster
Joined: Oct 2005
Posts: 1,562
From the ABA:
Hacker Responsible for Heartland Data Breach Reportedly Identified
The hacker responsible for last week's data breach at Princeton, N.J.-based Heartland Payment Systems has been identified and located outside of North America by the U.S. Secret Service, and the Justice Department has taken charge of the investigation, news reports said yesterday. There still is no exact information on how many Heartland customers were compromised by the malware attack.

The breached data, however, "did not contain merchant data or cardholder Social Security numbers, unencrypted personal identification numbers, addresses or telephone numbers, therefore making it highly unlikely it can be used for identity theft," Heartland Chairman and CEO Robert Carr said yesterday in an open letter to the public.

ABA, which has been monitoring the situation and working with the state bankers associations on the issue, has created a statement about the breach that banks may use for press or customer communications. Read and download the statement. Go to the ABA data security Web Page. Read ABA's data security talking points. Read Carr's letter. For more information, contact ABA's Doug Johnson.

#1121813 - 02/03/09 05:13 PM Re: Debit Card Breach II CubDave
risk08 Offline
New Poster
Joined: Jun 2008
Posts: 16
I thought Incident Response Program was for a breach that occurred at your institution. Since the breach occurred at Heartland, do you need to use your FI's Incident Response program and do you need to notify your regulators since the breach did not occur at your FI? Help, I'm confused!

#1121895 - 02/03/09 06:28 PM Re: Debit Card Breach II risk08
CSB98 Offline
Diamond Poster
Joined: Dec 2003
Posts: 1,342
Wisconsin
I posed this question to our regulator and they indicated we did not need to do a formal notification to them under our Incident Response Program. However, they still wanted me to email them with information on how we were notified, how many people were affected and what we were doing about it.

#1122744 - 02/04/09 05:39 PM Re: Debit Card Breach II CSB98
river girl Offline
Diamond Poster
Joined: Nov 2004
Posts: 1,005
Do we need to file a SAR if some of our members' card information was affected? What if none have notified us of unauthorized charges due to the breach?
