Rocky Mountain Bank, of Wyoming, is feeling the sting of a whopper of an inadvertent email. Not an errant reply-to-all, but instead an email to the wrong person... which happened to contain social security numbers and account information for 1,325 of its customers. Their "response" begs the question: when must banks or other businesses disclose security breaches involving personal information?
As reported by The Register, problems began with an email to the wrong address -- a gmail account -- which for whatever reason had an attachment containing names, addresses, social security numbers and loan information for 1,325 account holders. (Actually, problems began somewhere further back, when someone had the zinger of an idea to send an attachment like that to a gmail account or anyplace outside a highly protected internal network.)
Next step? One might think: notify the people affected and see what we can do about restricting further disclosure of the information. Rocky Mountain opted against notification and for trying to put the toothpaste back in the tube by pulling the email back from the ether.
Unfortunately for Rocky Mountain, no response came from the mystery gmail account. Google then refused to turn over information to Rocky Mountain about the gmail account without a court order. So seek a court order Rocky Mountain did, with a request that everything filed be kept under seal, away from the public access of normal court filings.
This might make sense if the filings included customers’ private information, but not the case here. Rocky Mountain's argument for keeping it all secret? Its customers might find out. Seriously, they argued that in court filings. From Rocky Mountain’s point of view, why scare customers and have to deal with questions and all that mess if we don't know what happened with their confidential information?
A federal judge in Calfornia wasn't buying it and refused the request to file under seal.
All this begs the question: Is Rocky Mountain obligated by law to inform these people about the breach?
Well, maybe not.
It's largely a question of state law. Though 44 states and the District of Columbia have laws on the books requiring notification of security breaches involving personal information, the specifics vary widely.
For example, Rocky Mountain Bank serves Wyoming. Wyoming law requires that if a business discovers a security breach, it must conduct an investigation to find out if misuse of the lost personal information has occurred or is reasonably likely to occur. If all the customers involved were Wyoming residents, Rocky Mountain may not be obligated to notify them that their private information was disclosed until they find out what happened afterward. What happens if they are unable to conclude what might have occurred with these people’s information? That’s a question that might concern Wyomians.
California's notification law, on the other hand, which served as the model for many other states, goes further. It requires notification to California residents "whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person." This has the obvious benefit of not waiting until the business cyber-sleuths its way to a conclusion about what happened to data after they lost control of it.
What can you do? Look at the security breach notification laws of your state, and your bank's state if it's not local. You can also inquire with your bank as to when its notification policy kicks into action.