Our recent breach in security involved our third party service provider. This is what happened, a small amount of our customers wrote checks to the same merchant, when the checks were written a "validity check" was done before each check was accepted. So if the third party service provider contracted with the merchant, not us, and the breach occured, do we still need to contact our regulator?