Data breaches are not a new phenomenon for consumers, but given how frequently they are now reported in the media, the number of reported breach incidents is likely to keep growing. The risk of a data breach grows in step with the sheer volume of our digital footprints.
State Breach Notification Laws
As financial services companies adopt additional layers of technology to improve the consumer experience, they are likely to rely more heavily on third party vendors that access and store consumer personally identifiable information (PII). As a result, consumer data may be shared across multiple affiliated or unaffiliated businesses as part of the behind-the-scenes work of processing a single transaction.
The implications of a data breach aren't limited to reputational fallout. Nearly all states now have a data breach notification law, and because each state's requirements differ, both the financial services company and the third party vendor need to be aware of every regulation that applies to them. Check out your state's security breach notification laws here.
Failure to understand your regulatory commitments under these state laws is worrisome, and so is the lack of trust between organizations and their vendors. In one recent survey, over 34% of organizations said they believed their third party vendor would not disclose a data breach to them. That figure rose to over 70% when the question concerned a fourth party vendor (a vendor of the vendor), which respondents believed would most likely fail to report a breach it suffered.
It's important to recognize that while a data breach is commonly associated with a cyber attack, breaches also occur through the intentional and unintentional actions of internal staff. Sending an email containing PII to the wrong address is a breach that warrants review, and an employee with legitimate access to consumer data can copy it with the intent to resell it far more easily than an outside attacker can.
To put the dangers of a data breach into context, let's look at the Commonwealth of Massachusetts. Based on our research, Massachusetts maintained no records of data breaches prior to 2007.
The Massachusetts AG website states:
Since November 2007, the AG’s Office has received notice of more than 21,000 breaches, with 3,821 breaches reported in 2017 affecting more than 3.2 million residents.
Earlier this year, Massachusetts launched an online data breach notification portal so that a business can report a breach more efficiently. The Massachusetts Data Breach Notification Law, M.G.L. c. 93H, also requires that a breach be reported not only to the state but also to the affected residents. You can visit the data breach notification link for Massachusetts here.
Examples of Recent Data Breaches and Vendor Involvement
Take the 2017 Equifax breach, for instance. A breach of that size requires a widespread notification effort, and while notifications may be delivered electronically or by mail, other regulations must be complied with along the way, such as the E-SIGN Act, which requires that a consumer affirmatively consent to receiving notices by email. A data breach is therefore a headache for the compliance department of any institution that has to manage through it. It can result in changes in leadership, a hit to financial strength and reputation, and increased litigation risk.
The Target breach of late 2013 is another example, not only of how common breaches have become but of how third parties are connected to them. The Minnesota-based retailer stated that approximately 70 million customers were impacted, and the intrusion was traced back to credentials belonging to a third party vendor.
Third parties sit at the center of both incidents. In the Target case, the attackers entered through a vendor of the retailer. In the Equifax case, the breached company was itself a third party vendor to countless financial institutions whose customer data it held, and the intrusion came through an unpatched vulnerability in Equifax's own web application. Either way, the consumer data your organization is responsible for was exposed by a company outside your direct control, which demonstrates the importance of adopting an effective third party risk oversight program.
The Notification Laws Are Changing
While more states have adopted data breach notification laws in recent years, it's notable that several states are also amending those laws to add requirements such as offering free credit monitoring or identity theft protection to affected consumers. Much of this is in response to the fallout from the Equifax data breach, which impacted over 143 million consumers.
Other amendments address the "who" and "when" of reporting. Some states require that a breach be reported to the state attorney general's office, law enforcement or the Internal Revenue Service before the affected individuals are notified.
Data breaches do not discriminate, so it's important that every financial services company and every third party understand the notification requirements that apply to them. Failure to do so can have a catastrophic impact on both organizations.
As you know, it's important to verify your vendor's approach to cybersecurity to mitigate third party risk. Download our helpful infographic to learn how.