First, you need to determine if your state has a law that requires you to disclose this breach to your customers. At least 28 states have data breach notification laws in place, and several others are in the process of drafting one. Based on the facts in your question, it does not appear you are required to make notifications under the FFIEC’s "Guidance for Unauthorized Access to Customer Information." In order to qualify as a reportable event, you would have to satisfy the following:
- Loss of "sensitive information," which includes the customer’s name, address, or telephone number, in conjunction with the customer's social security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.
- Once an institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine promptly the likelihood that the information has been or will be misused.
If your institution determines that misuse of the information has occurred or is reasonably possible, you should notify affected customers as soon as possible. You should also notify your regulators as soon as you believe there is a problem so they are aware of the incident and can provide additional guidance.
First published on BankersOnline.com 6/19/06