BOL Conferences
#670886 - 01/24/07 02:19 PM debit card compromise
dballard Offline
New Poster
Joined: Jun 2006
Posts: 10
MS
If a large number of debit cards were compromised from our institution and it was decided not to re-issue these cards, are we still required to send out notification to our members that their card was on the compromise list and that their account will be monitored but no card will be issued?

#670910 - 01/24/07 02:44 PM Re: debit card compromise dballard
JD in JC Offline
Junior Member
Joined: Jan 2007
Posts: 35
Wisconsin
I'm not sure if notification requirements vary from regulator to regulator, but I know the FDIC put out FIL 27-2005 as interpretive guidance on GLBA requirements. It stated:

"... a financial institution should provide a notice to its customers whenever it becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or it is reasonably possible that misuse will occur."

http://www.fdic.gov/news/news/financial/2005/fil2705.pdf

Since, IMO, it is reasonable to think that misuse will occur, I would argue that you would have no choice but to notify those customers affected by the breach. Whether or not you decide to close or monitor is up to you, but I think you need to tell them what you plan to do in your letter.
_________________________
- Just because something is legal doesn't make it reasonable or right -


#670961 - 01/24/07 03:18 PM Re: debit card compromise dballard
JavaBanker Offline
Member
Joined: Jan 2003
Posts: 54
The way that I understand the requirements is that you would still need to notify the customer(s).
