If a third party provider has a data breech and some of our customers are affected, do we need to complete a SAR? For example with the recent Heartland breech. Seems that if every bank that had a customer affected completed a SAR, the redundancy would not be valuable to law enforcement.