Data security and data breach notifications are—or should be—on everyone’s mind these days. Banks are certainly no exception. And banks, in general, are setting good examples for other businesses because banks’ data security systems and incident-response plans are usually up to date, tested for effectiveness, and the subject of board-level discussions.
But how many banks are up to speed on the various state-level data-security and data-breach notification laws that may apply to their operations? (Recall that certain federal regulations, such as the Gramm-Leach-Bliley Act (GLBA), are explicitly not preemptive of state laws that provide greater protection to consumers than the federal scheme.) And how many banks are continuing to keep up to date despite accelerated changes to state data-breach notification laws?
In light of several recent amendments to state-level data breach notification laws, banks should evaluate whether these amended rules apply, and then update their incident-response plans accordingly.
For example, Washington’s data breach notification law was recently amended to require notification of the state attorney general (within 45 days, unless an exception applies) if more than 500 Washington residents are notified of a breach. This state statute arguably provides protections greater than what is provided under the GLBA, and banks with Washington customers might therefore need to comply with Washington’s new law. (The Washington statute states that financial institutions are otherwise compliant with the Washington data-breach notification requirements if they provide “notice to affected consumers pursuant to the [federal] interagency guidelines and the notice complies with the customer notice provisions of the [federal] interagency guidelines.”)
Oregon’s data breach notification law was also recently amended to, among other things, greatly expand the definition of “personal information” and require notification of Oregon’s attorney general under certain circumstances. Yet in contrast to Washington, Oregon’s statute explicitly states that compliance with the GLBA is compliance with Oregon’s law. Banks with Oregon customers would therefore not need to comply with Oregon’s state-specific data breach notification law as long as they were compliant with the GLBA.
But the examples set forth above cover only customer data, not other data that banks possess, such as employee data. Employee data is not covered by the GLBA, but is instead often covered by state law. And many state laws have recently been amended to expand the definition of “personal information,” thereby expanding the number of triggers for data-breach notifications. For example, Oregon recently amended its definition of “personal information” to include biometric data and health insurance policy numbers, health insurance subscriber identification numbers, and information about medical history, including diagnoses and treatments. Because of this, and because banks often possess employee health and insurance information, banks need to familiarize themselves with these newly amended laws to ensure that their data security systems and incident-response plans remain up to date. (Also, in its role as the plan sponsor of its employees’ group health plan, a bank may have privacy, security, and breach notification obligations under the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended.)
Using just Oregon and Washington as examples, it becomes clear that banks need to identify where their customers and employees are located and then take a hard look at recently amended state laws to ensure that their data security systems and incident-response plans remain compliant. Failure to do so could result in significant fallout, including enforcement actions by state attorneys general, lawsuits from customers and employees, and reputational damage.