TheDay in Connecticut reported yesterday that People’s United Bank recently experienced a data breach that may affect hundreds of thousands of its customers. An affiliated third party had created unencrypted backup tapes containing customers’ personal information, and a box of these tapes was misplaced.
This situation is a useful case study in the importance of promptly notifying the individuals who are part of a data breach population. Per the article:
“Connecticut state law requires banks to immediately notify customers when such information is lost. Rell said the Bank of New York Mellon did not quickly notify People’s United Bank of Bridgeport of the security breach.”
As a result of the lack of notification, combined with the publicity surrounding this event, the bank has been deluged with calls from concerned customers.
“People’s United Bank has been flooded with calls over the past two days, ever since Attorney General Richard Blumenthal revealed Wednesday that a data breach had affected hundreds of thousands of its customers, according to a bank spokesman.”
Best practices for coordinating and managing a data breach response effort reinforce the importance of timely notification. The Ponemon Institute study “Consumers’ Report Card on Data Breach Notification” speaks to this issue. It is based on a survey that, among other things, asks consumers who have been part of a data breach whether rapid notification influenced whether they remained a customer of the institution.
Needless to say, this situation illustrates the importance of telling your customers about a data breach before they read about it in the newspaper. By initiating communication rapidly, before any publicity, organizations can ameliorate some of the concern and confusion that arises when a breach is made public before the organization has formally notified those affected.