2018 Vol. 102 No. 6

NOVEMBER / DECEMBER 2018
COMPLIANCE CONNECTION

Brett J. Ashton, Partner, Krieg DeVault LLP

Submit Compliance Connection questions to Eric J. Augustus, Indiana Bankers Association: eaugustus@indianabankers.org. Krieg DeVault LLP is a Diamond Associate Member of the Indiana Bankers Association.

Cyberattacks and Security Breaches: What are the bank's responsibilities?

Question: A bank customer recently reported being the victim of a "ransomware" attack, and indicated they had to notify their customers, the credit reporting agencies and the Indiana attorney general's office about the incident. Are banks subject to these same disclosure requirements? What are we required to do under Indiana law in the event of a security breach?

Answer: A cyberattack, whether it involves ransomware, ATM skimmers or a compromised employee laptop containing customer files, can constitute a breach of the security of data under Indiana law. Indiana law defines a data security breach as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by a person.[1] The good faith acquisition of personal information by an employee or agent of the person for lawful purposes is not a data security breach, provided the personal information is not used or subject to further unauthorized disclosure.

Indiana law also excludes from the definition of a data security breach the unauthorized acquisition of a portable electronic device on which personal information is stored, if all personal information on the device is protected by encryption, and the encryption key has not been compromised or disclosed and is not in the possession of, or known to, the person who, without authorization, acquired or has access to the device.[2] The exclusion therefore turns on the secrecy of the key, not merely on the presence of encryption. If the personal information involved is not encrypted, or if it is on a portable electronic device that has the encryption key with it, Indiana law requires disclosure only if the database owner knows, should know, or should have known that the unauthorized acquisition constituting the breach has resulted in, or could result in, identity deception, identity theft or fraud.[3] In those cases, Indiana law sets out specific requirements for when, what and how information about the breach must be disclosed.[4]

Financial institutions are exempt from the data security breach disclosure requirements under Indiana law if they comply with the disclosure requirements prescribed by the federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice,[5] or if they maintain their own disclosure procedures as part of an information privacy policy, security policy or compliance plan under the federal Fair Credit Reporting Act[6] or the federal Financial Modernization Act of 1999 (the Gramm-Leach-Bliley Act),[7] and those procedures are at least as stringent as the Indiana law.

If you are confronted with a cyberattack, you should immediately file a Suspicious Activity Report (SAR). Additionally, contact your legal counsel, your regulator, your insurance carrier and law enforcement for assistance.

[1] Ind. Code § 24-4.9-2-2(a)
[2] Ind. Code § 24-4.9-2-2(b)
[3] Ind. Code § 24-4.9-3-1(a)
[4] Ind. Code § 24-4.9-3-1
[5] 12 CFR §§ 208, 225; 12 CFR § 364
[6] 15 U.S.C. § 1681 et seq.
[7] 15 U.S.C. § 6801 et seq.
This information is provided for general education purposes and is not intended to be legal advice. Please consult legal counsel for specific guidance as to how this information applies to your institution’s circumstances or situation.
