Facebook Twitter

Database Hacks - Are Banks Required To Notify You?

Posted on August 22, 2021 by Manuel Yoon

Ever wonder if banks are required to tell customers when their systems are hacked? You might be shocked to learn they're not. The sole exception to this standard has been database hacks that effect California residents. Companies doing business in California must provide such notice under the California Security Breach Information Act.

The situation is changing quickly on the national level.

Regulations have been issued by federal fund agencies that currently force banks to tell customers when their personal data has been subjected to unauthorized third parties. The regulations are issued pursuant to the Gramm-Leach-Bliley Act, which includes language requiring financial institutions to prevent unauthorized access and use of customer information.

The new regulations seem to be a response to several recent high-profile data flows. They include incidents like Bank of America losing data tapes containing data for over 1 million government employees and the breach of databases for LexisNexis and ChoicePoint. It's recognized that numerous other banks also have been hacked through time, but the information was hushed up.

The regulations require financial institutions to notify account holders if the organization becomes aware of unauthorized access to sensitive customer information. The directives apply to banks and savings and loan companies, but not credit unions.

There are two serious loopholes in the regulations. First, a financial institution that finds a database violation should only notify account holders if it is"reasonably possible"

that personal information will be misused. Secondly, the regulations only apply to personal data, not commercial or business accounts.

While these new regulations are a positive step, one could drive a truck through both loopholes. Deciding whether it is"reasonably possible" that your data will be misused is a vague standard that many financial institutions will use to withhold information. Put bluntly, the notification regulations are gutless.

The best way of keeping an eye on database breaches is to look for stories in the news. Under California law, companies must provide notice to California residents when breaches occur. If you find a story about your lender lending notice of a hack to California residents, your personal information might have also been subjected.