Banks and other financial institutions rely on a relatively small number of core service providers to process customer personal and financial information. The National Association of Federally-Insured Credit Unions (NAFCU), along with several news organizations, recently reported that a vulnerability in the web systems of a leading core service provider, Fiserv Inc., may have permitted cybercriminals to access contact information for customers who signed up for banking transaction alerts.
Although Fiserv reportedly has resolved the issue, the vulnerability may present a threat to bank customers that could require notice under the Gramm–Leach–Bliley Act and various state data breach notification laws. Some banks may be unaware of this vulnerability, as form contracts used by core service providers frequently lack a notice requirement. These form contracts typically include drastic limits on the service provider’s liability for data breach related damages. This situation serves as a reminder that banks need to be prepared in the event that there is a data breach at one of their service providers.
The Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice states that "a financial institution should provide a notice to its customers whenever it becomes aware of an incident of unauthorized access to customer information and, at the conclusion of a reasonable investigation, determines that misuse of the information has occurred or it is reasonably possible that misuse will occur." The guidance broadly defines customer information to mean nonpublic personal information about a financial institution's customer. The definition is not specifically tied to customer accounts, meaning that the notification requirement may be implicated even if a bank account number is not exposed. We note that, as reported in the NAFCU article cited above, the Fiserv vulnerability exposed contact information together with only the last four digits of the customer's account number.
Almost all states also have data breach notification requirements. Many of the state requirements are triggered by contact information paired with other identifiers, such as account numbers, that might be used to engage in identity theft or fraudulent transactions. Many require reporting to the state's Attorney General in addition to consumer notice.
Financial institutions using a service provider that experiences a security vulnerability or data breach should demand a detailed report from the service provider on the incident. Under the Interagency Guidelines and most state data breach notification laws, the financial institution must conduct a reasonable investigation to determine whether misuse of the data subject to the breach is likely to occur.
Going forward, financial institutions should make sure to negotiate notification requirements and appropriate liability provisions for both data security vulnerabilities and known data breaches in their core service agreements and other contracts involving customer personal and financial information. Incidents like this should also be considered when evaluating the data security practices of third-party service providers, as required under the regulatory vendor diligence guidance applicable to financial institutions. Even if customer notification is not required, a data security vulnerability such as this one is relevant to a thorough data security review both prior to engaging a vendor and as part of ongoing vendor oversight and monitoring requirements.