
Debit Card Breach: The No Disclosure Regime

India’s biggest debit card breach: Why banks may not disclose what went wrong.



A customer uses an ATM machine to withdraw cash inside a branch of the State Bank of India at Nariman Point, Mumbai. (Photographer: Sebastian Di Souza/Bloomberg News)

In 2012, U.S.-based payment processing firm Global Payments identified and self-reported a breach that had affected approximately 1.5 million cards. The CEO issued a public apology and the company also set up a website - www.2012infosecurityupdate.com - that gave consumers information on the extent and nature of the breach and the remedial measures taken.

In 2014, U.S. bank JPMorgan Chase disclosed to the Securities and Exchange Commission (SEC) that a cyber-attack had compromised its data, impacting approximately 76 million households and 7 million small businesses. The bank also disclosed that user contact information - name, address, phone number and email address - and internal JPMorgan Chase information relating to such users had been compromised.

Are Customers Not Entitled To Know?

In India, it’s been over two months since 32 lakh debit cards across 19 banks were hacked, as estimated by the National Payments Corporation of India Ltd (NPCIL).

Banks issued general advisories to customers to change PINs and passwords but gave very little information on how and where the breach took place. And it was only last week that the Reserve Bank of India reacted and stated that a forensic audit is underway. Even after the forensic audit is concluded, it’s unclear whether customers will get to know much, and that’s because Indian law does not require this disclosure. It only requires banks to disclose unusual cyber security incidents to the RBI and to Indian Banks – Center for Analysis of Risks and Threats (IB-CART).

Disclosure Requirement In India

Disclosure Requirement In The U.S.

In the United States, under the federal banking law - the Gramm-Leach-Bliley Act - banks are required to disclose breaches to customers if a certain risk threshold is met. That threshold is a determination by the bank that misuse of sensitive customer information has occurred or is reasonably possible, explained Peter Guffin, partner and chair of the privacy and data security practice at American law firm Pierce Atwood. Banks that are not federally regulated are required to make disclosures under state laws.

Some banks are state chartered and are subject to the laws of a particular state. Like the federal law, the state laws also require banks to notify the affected customers, i.e., customers whose card or information is known to have been compromised. The bank need not wait for a fraud charge or for a misuse of an identity.
Peter Guffin, Partner & Chair- Privacy And Data Security Practice, Pierce Atwood

For publicly traded banks, there is an additional disclosure requirement under the Securities Exchange Act of 1934.



The U.S. Securities and Exchange Commission headquarters (Photographer: Chris Greenberg/Bloomberg News)
Listed banks need to make a public disclosure of any material breach. There will be a reporting obligation to the Securities and Exchange Commission and that disclosure about a material adverse incident will go to the shareholders of that bank.
Peter Guffin, Partner & Chair- Privacy And Data Security Practice, Pierce Atwood

The disclosures need to be detailed. Peter explained that most breach notification statutes require banks to notify the affected customer about how the breach happened. Whether it is the bank’s network affected by malware, an ATM machine, or an employee who stole the information, the bank is obliged to explain to the customer how it happened and the steps taken to fix that problem, he added.



Disclosure Requirement In U.S.

Disclosure Requirement In Singapore

Unlike the U.S., Singapore has mandated disclosures on cyber-attacks and system disruptions not by way of a law but via guidelines. Under the Internet Banking and Technology Risk Management Guidelines (TRM), the Monetary Authority of Singapore (MAS) requires financial institutions to keep customers informed of any major incident. It also requires banks to assess the effectiveness of the mode of communication, including informing the general public where necessary, said Ken Chia, principal and member of the global privacy steering committee at international law firm Baker & McKenzie.

Under the guidelines, the MAS would expect them to disclose what has happened and steps that have been taken to address the issue.
Ken Chia, Principal & Member - Global Privacy Steering Committee, Baker & McKenzie

In addition to the TRM regime, guidelines by the Personal Data Protection Commission state that it is a good practice to notify individuals affected by a data breach. Ken points out that this is to encourage individuals to take preventive measures to reduce the impact of the data breach.

The organisation could also be bound by legal or contractual obligations to notify affected individuals immediately if a data breach involves sensitive personal data. This allows them to take necessary actions early to avoid potential abuse of the compromised data.
Ken Chia, Principal & Member - Global Privacy Steering Committee, Baker & McKenzie


Disclosure Requirement In Singapore

The guidelines also require affected individuals to be notified when the data breach is resolved, Ken added.

Back home, however, the lack of a regulatory framework for disclosures in card breach cases may mean that customers will learn very little about India’s biggest financial cyber attack.